Policy scanning

What are the requirements for Policy scanning?

To ensure a successful policy scan, please make sure the following requirements are fulfilled:

  • Policy scanning requires scanning profiles to be set up with credentials to access the assets.
  • You cannot mix Windows and Linux assets in a single scan.
  • You need separate policy scanning profiles for Linux and Windows systems.
  • Linux/Unix assets require Secure Shell (SSH) to be enabled and accessible (port 22 TCP).
  • Microsoft Windows assets require WinRM 2.0 (Microsoft Windows Remote Management) to be enabled, with port 5986 (WinRM over HTTPS) and port 445 (SMB) reachable from the scanner (access granted in the firewall). To enable WinRM, issue the following command in an elevated command prompt:
    winrm quickconfig
    Note that quickconfig starts the service and creates the HTTP listener (port 5985) with its firewall exception; the HTTPS listener on port 5986 has to be created separately (see "Important information" below).
  • You can use the following PowerShell script to open the required ports on the Windows machine: Holm_Firewall_SMB_WinRM.ps1
  • Microsoft Windows assets also require a WinRM HTTPS listener bound to the thumbprint of a certificate whose subject matches the host name of the remote system. Execute this script in PowerShell to create a self-signed certificate and the WinRM HTTPS listener:
    Holm_SelfSignedCertificate.ps1
  • For standalone target systems that are not joined to a domain, set the following registry value so that a local administrator account receives a full administrative token over the remote connection:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
    DWORD: LocalAccountTokenFilterPolicy = 1
    This value disables UAC remote restrictions for every local account on the host, so use a dedicated scanning account with a strong, unique password, and leave it unset on domain-joined systems where a domain account can be used instead.


Important information

You can check whether the remote host already has a usable certificate (subject matching the host name, private key present, not yet expired) with PowerShell. In the following command, replace "HOSTNAME" with the DNS name of the remote Windows host:

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*HOSTNAME*" } | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey

If a suitable certificate exists on the system, you can issue the following `winrm` command to create the HTTPS listener with it (`-force` suppresses the confirmation prompt; the command fails if no certificate with a subject matching the host name is found in the machine store):

winrm quickconfig -transport:https -force
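The complete Windows-side setup from the requirements above (reuse or create a certificate, bind the HTTPS listener to its thumbprint, open ports 5986 and 445, set LocalAccountTokenFilterPolicy on non-domain hosts, verify) as one added PowerShell example. This is not the Holm_SelfSignedCertificate.ps1 or Holm_Firewall_SMB_WinRM.ps1 script referenced on this page; it is an illustration written for this article. The FQDN is taken from DNS, and the 365-day certificate lifetime and the scanner address 10.0.0.5 are assumptions to adjust. Run it in an elevated PowerShell session on the target host.

```powershell
# Added example, not the Holm scripts from this page. Requires an elevated session.
#Requires -RunAsAdministrator

$Fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. srv01.corp.example (assumed)
$CertDays  = 365                                                            # assumed certificate lifetime
$ScannerIp = '10.0.0.5'                                                     # assumed scanner address

# 1. Base WinRM service. This is what 'winrm quickconfig' does: start the service and
#    create the HTTP (5985) listener and firewall exception. HTTPS is handled below.
winrm quickconfig -q | Out-Null

# 2. Reuse an existing machine certificate that is actually usable for the listener
#    (subject matches the host name, private key present, not expired); otherwise
#    create a self-signed one. These are the checks 'quickconfig -transport:https'
#    performs implicitly before it reports "no certificate found".
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $Cert) {
    $Cert = New-SelfSignedCertificate -DnsName $Fqdn `
        -CertStoreLocation Cert:\LocalMachine\My `
        -FriendlyName 'WinRM HTTPS (policy scanning)' `
        -NotAfter (Get-Date).AddDays($CertDays)
}
Write-Host "Using certificate $($Cert.Thumbprint) for $Fqdn (expires $($Cert.NotAfter))"

# 3. (Re)create the HTTPS listener bound to that thumbprint. Any existing HTTPS
#    listener is removed first so the binding never stays on a stale or expired cert.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse -Force }

New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $Cert.Thumbprint -HostName $Fqdn -Force | Out-Null

# 4. Firewall: only the two inbound TCP ports the scanner needs, and only from the
#    scanner's address rather than from anywhere.
$Rules = @(
    @{ Name = 'Policy scanning - WinRM HTTPS (5986)'; Port = 5986 },
    @{ Name = 'Policy scanning - SMB (445)';          Port = 445  }
)
foreach ($Rule in $Rules) {
    if (-not (Get-NetFirewallRule -DisplayName $Rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Rule.Name -Direction Inbound -Protocol TCP `
            -LocalPort $Rule.Port -RemoteAddress $ScannerIp -Action Allow | Out-Null
    }
}

# 5. Standalone (non-domain) hosts only: let a local administrator account receive
#    a full token over the network. This disables UAC remote restrictions for all
#    local accounts, so pair it with a dedicated, strong scanning account and skip
#    it on domain-joined hosts where a domain account is used.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
}

# 6. Verify: the HTTPS listener exists and port 5986 accepts connections. With a
#    self-signed certificate the scanning profile must trust the cert or skip the
#    CA/CN check, otherwise the TLS handshake is rejected.
Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
Test-NetConnection -ComputerName $Fqdn -Port 5986 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Step 2 is the part that most often goes wrong in practice: a certificate that is present but expired, lacks its private key, or carries a subject other than the host name is silently ignored by `winrm quickconfig -transport:https`, which then reports that no certificate was found. Checking those three properties explicitly before binding makes the failure visible.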


You can find more information about setting up your Policy profiles in this article:
How do I create a policy profile?