Authenticated scans across multiple domains

Last Updated on November 11, 2023 by Dave Farquhar

I helped a company troubleshoot its vulnerability scans recently. They had multiple Windows domains because of their line of business. This made scans difficult, but we found some solutions. Here are some tips for authenticated scans across multiple domains.

Scanning multiple domains in a single scan can cause account lockouts if the usernames and passwords don’t all match. Possible solutions include separating each domain into its own scan, using completely unique accounts to scan, syncing up the accounts so they have the same username and password, or using Cyber-Ark to match up credentials to machines.

Authentication is tricky

Tenable’s tools make authenticated scans across multiple domains tricky, but none of its competitors completely get it right either.

Authentication can be tricky. My introduction to vulnerability management came when an errant Qualys scan locked out the user account my SIEM used to collect logs. No set of defaults works 100% of the time, and it’s easy to change one setting to make something break that may very well work fine in another environment.

I have more experience with multiple-domain scanning with Tenable than with Qualys, so my advice is more relevant to Tenable. But these practices won’t hurt any scanning tool, and can only help. Authentication is important, so it’s good to get it right.

Separate domains into their own scans

Creating a separate target group for each domain, with its own domain authentication record and its own scan, is probably the most certain way to clear up authentication issues. Then you know what account that group of assets should be using. It can be inconvenient because it means more scans to juggle, but I’ve had to separate assets out for worse reasons than this. For example, I once had to separate IBM AS/400s out into separate scans with a custom option profile with the SMB ports excluded to keep Qualys from misidentifying them as Windows machines.

Use separate usernames and passwords

Using the same username with different passwords across domains is a sure-fire way to end up locking out accounts. This is especially true with Tenable scanners, in my experience, but it can be problematic in other tools as well. To save yourself a bunch of heartache, use a different username in each domain, even if it’s vmscan1, vmscan2, vmscan3, and so on.
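The two practices above (one scan per domain, and never reusing a username with a different password across domains) are easy to check before a scan runs. The following is an added example, not code from the original post and not from Tenable, Qualys or Cyber-Ark: it takes an inventory of hosts and a list of per-domain credential records, builds one scan definition per domain bound to exactly one credential record, and flags any username that appears in more than one domain with differing passwords, which is the combination that produces lockouts. The domain names, hostnames, addresses and usernames are constructed sample data, and the function names are this example's own.

```python
"""Plan per-domain authenticated scans and flag credential sets that risk lockouts.

Added example, not from the original post or from any scanner vendor. All data
below is constructed; domains, hosts, IPs and usernames are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    domain: str      # Windows domain the account lives in
    username: str    # sAMAccountName without the domain prefix
    password: str


@dataclass(frozen=True)
class Host:
    name: str
    domain: str
    ip: str


# Constructed sample inventory: three domains, a few hosts each.
SAMPLE_HOSTS = [
    Host("fs01", "CORP", "10.0.1.10"),
    Host("fs02", "CORP", "10.0.1.11"),
    Host("lab01", "LAB", "10.0.2.10"),
    Host("ops01", "OPS", "10.0.3.10"),
]

# Constructed sample credentials. CORP and LAB reuse "vmscan" with different
# passwords, which is the lockout-prone pattern; OPS uses a unique username.
SAMPLE_CREDENTIALS = [
    Credential("CORP", "vmscan", "corp-placeholder-pw"),
    Credential("LAB", "vmscan", "lab-placeholder-pw"),
    Credential("OPS", "vmscan3", "ops-placeholder-pw"),
]


def group_targets_by_domain(hosts):
    """Map each domain to the list of target IPs that belong to it."""
    groups = defaultdict(list)
    for host in hosts:
        groups[host.domain].append(host.ip)
    return dict(groups)


def find_lockout_risks(creds):
    """Return {username: [domains]} for usernames reused across domains with
    more than one distinct password. Usernames are compared case-insensitively
    because Windows logon names are not case-sensitive."""
    by_user = defaultdict(set)
    for cred in creds:
        by_user[cred.username.lower()].add((cred.domain, cred.password))
    risks = {}
    for user, pairs in by_user.items():
        passwords = {pw for _, pw in pairs}
        if len(pairs) > 1 and len(passwords) > 1:
            risks[user] = sorted(domain for domain, _ in pairs)
    return risks


def build_scan_plan(hosts, creds):
    """One scan definition per domain, each bound to exactly one credential
    record. Raises ValueError when a domain has zero or several records, so a
    scan can never be launched with an ambiguous account."""
    creds_by_domain = defaultdict(list)
    for cred in creds:
        creds_by_domain[cred.domain].append(cred)
    plan = []
    for domain, targets in sorted(group_targets_by_domain(hosts).items()):
        matches = creds_by_domain.get(domain, [])
        if len(matches) != 1:
            raise ValueError(
                f"domain {domain!r} needs exactly one credential record, found {len(matches)}"
            )
        plan.append({
            "scan_name": f"auth-scan-{domain}",
            "targets": sorted(targets),
            "username": f"{domain}\\{matches[0].username}",
        })
    return plan


if __name__ == "__main__":
    for user, domains in find_lockout_risks(SAMPLE_CREDENTIALS).items():
        print(f"lockout risk: {user!r} reused with different passwords in {domains}")
    for scan in build_scan_plan(SAMPLE_HOSTS, SAMPLE_CREDENTIALS):
        print(scan)
```

Run against the sample data, `find_lockout_risks` reports `vmscan` shared between CORP and LAB, and `build_scan_plan` produces three scan definitions, one per domain, each tied to a single account. If every domain used a unique username (vmscan1, vmscan2, vmscan3) or the identical username and password everywhere, the risk check would come back empty.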

Use the exact same username and password in each domain

The other workaround is to use the exact same username and password in each domain. That way, if the tool picks the wrong credentials, it’s still right. This situation is less than ideal if only because it keeps you from being able to integrate your scanning tool with a password vault like Cyber-Ark. But if you’re stuck and need a solution in a hurry, this is probably the fastest, easiest solution to get a scan done. Just remember, this is the bubblegum-and-duct-tape solution, not the right solution.

Use Cyber-Ark, at least if you have Tenable

Last but not least, use Cyber-Ark. I don’t know for certain about other vulnerability scanners, but with Tenable’s scanners, when you integrate with Cyber-Ark, Cyber-Ark provides one and only one set of credentials for a given machine. So besides giving you extra security, Cyber-Ark allows you to ensure your scanner always uses valid credentials, no matter how many domains you have to authenticate against. This prevents locked accounts and gumming up logs with authentication failures. Using a password vault is always a good practice, and some other password vault may provide similar capability. But I’ve personally had good experience with and recommend Cyber-Ark.

If you found this post informative or helpful, please share it!