Authenticated Network Scanning

How do I set up a custom domain user account for authenticated scans?

These steps set up a dedicated domain user account that the scanner uses to log in to the target systems included in an authenticated scan. The account gets local administrator rights on the scanned hosts through a Group Policy Object, but is denied interactive and Remote Desktop logon, so the credential is only usable for network logons.

1. Set up Domain Security Group

Create a new security group on your domain controller named "Holm Security Local Scan".

  • The Group Scope should be set to: Global
  • The Group Type should be set to: Security

Assign the user account that will log in to the scanned target systems to this group. Use a dedicated account for scanning only, with a long random password that is stored in the scanner's credential store, and do not add it to any other privileged group.

2. Set up a Group Policy Object (GPO)

Create a new Group Policy Object (GPO) named "Holm Security Policy".

3. Configure policy

In "Holm Security Policy", use Restricted Groups to make "Holm Security Local Scan" a member of the local Administrators group on every computer the policy applies to.

Be aware that settings applied by the GPO can still exist after the GPO has been removed: unlinking or deleting the policy does not automatically remove "Holm Security Local Scan" from the local Administrators group on the affected computers, so clean up explicitly when the account is retired. Read more about this here (external link):
https://blogs.technet.microsoft.com/grouppolicy/2008/03/04/gp-policy-vs-preference-vs-gp-preferences/

Connect policy

  1. Edit the policy "Holm Security Policy".
  2. Open:
    Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
  3. Select Add Group in the left pane on Restricted Groups.
  4. Browse and find the newly created group "Holm Security Local Scan", click Check Names, add it and press OK to close the dialog.

Group membership

  1. Now select This group is a member of and add the group "Administrators". On non-English Windows installations the local Administrators group has a localized name; either add those names as well, or pick the group via Browse so that the policy stores its well-known SID (S-1-5-32-544), which applies regardless of the display name.
  2. Press OK to save and close dialog.

4. Configure user rights on the policy - deny log on locally

This step denies the scan account interactive (console) logon on the computers the policy applies to. The account is a local administrator, so if its password ever leaks this limits what an attacker can do with it: the credential still works for network logons, which is all the scanner needs, but not for logging on at the keyboard.

  1. Edit the policy "Holm Security Policy".
  2. Open:
    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  3. In the right pane, double click on Deny log on locally, and set the checkmark for Define these policy settings.
  4. Click on Add User or Group.
  5. Browse and find the newly created group "Holm Security Local Scan", click Check Names, add it and press OK to close the dialog.

5. Configure user rights on the policy - deny log on through Remote Desktop Services

This step closes the second interactive path, Remote Desktop. Together with step 4 it ensures the scan account can only be used for network logons.

  1. Edit the policy "Holm Security Policy". 
  2. Open:
    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  3. In the right pane, double click on Deny log on through Remote Desktop Services and set the checkbox Define these policy settings.
  4. Click on Add User or Group.
  5. Browse and find the newly created "Holm Security Local Scan" and add it. Press OK to close the dialog. Don't forget to click on Check Names.

6. Configure policy with read-only permissions to local drive (Optional)

This step is an optional precaution: it uses the File System policy to deny the scan group write access to the system drive, so that the account can read what the scan needs but not modify files. Note that the account is still a local administrator and could take ownership and change these permissions, so this guards against mistakes rather than a determined attacker. Also note that a File System policy on %SystemDrive% re-applies ACLs to the whole drive at policy refresh, which can be slow on large disks.

  1. Edit the policy "Holm Security Policy". 
  2. Open:
    Computer Configuration\Policies\Windows Settings\Security Settings\File System
  3. Click on File System in the left pane and select Add File...
  4. Enter the value %SystemDrive% in the Folder field and click OK.

Group membership 

  1. Under Group or user names:, click on Add
  2. Browse and find the newly created group "Holm Security Local Scan", click Check Names, add it and press OK to close the dialog.

Read/write permissions

  1. In the permissions dialog for %SystemDrive% (under Computer Configuration\Policies\Windows Settings\Security Settings\File System):
  2. Set the permissions for the newly added group: in the Allow column leave only Read & execute, List folder contents and Read checked, and in the Deny column check Write. Do not deny Read; a Deny on all permissions would prevent the scan account from reading anything on the drive.
  3. Click OK and confirm the changes.

Make permissions recursive

  1. Select Configure this file or folder, then Propagate inheritable permissions to all subfolders and files.
  2. Click OK and confirm the changes

7. Establish the link to the Group Policy Object

  1. Open Group Policy Management.
  2. In the left pane (the tree), right-click on the organizational unit or domain that contains the computers to be scanned.
  3. Select Link an Existing GPO
  4. Select the newly created policy "Holm Security Policy" and press OK
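The following script is an added example, not a Holm Security script, that performs steps 1, 2 and 7 with the ActiveDirectory and GroupPolicy modules on a domain controller with RSAT. The account name, target OU and UPN suffix are assumptions; change them to match your domain. The Restricted Groups and User Rights settings from steps 3 to 5 have no GroupPolicy cmdlet and are still configured in the GPMC editor as described above.

```powershell
# Added example, not a Holm Security script: creates the objects from steps 1,
# 2 and 7 on a domain controller with RSAT. Account name, OU and UPN suffix
# are assumptions; change them to match your domain.
#Requires -Modules ActiveDirectory, GroupPolicy

$GroupName = 'Holm Security Local Scan'
$GpoName   = 'Holm Security Policy'
$ScanUser  = 'svc-holmscan'                    # assumed account name
$TargetOU  = 'OU=Servers,DC=example,DC=com'    # assumed OU to link the GPO to
$UpnSuffix = 'example.com'                     # assumed UPN suffix / DNS domain

# Step 1: global security group. Nothing else should ever be added to it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security `
        -Description 'Members become local Administrators on scanned hosts via GPO'
}

# Dedicated scan account with a random 192-bit password. The password is shown
# once so it can be entered in the scanner's credential store; it has no other use.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Password = [Convert]::ToBase64String($bytes)

if (-not (Get-ADUser -Filter "SamAccountName -eq '$ScanUser'")) {
    New-ADUser -Name $ScanUser -SamAccountName $ScanUser `
        -UserPrincipalName "$ScanUser@$UpnSuffix" `
        -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) `
        -Enabled $true -CannotChangePassword $true `
        -Description 'Holm Security authenticated scan account (network logon only)'
    Write-Host "Password for $ScanUser (store in the scanner, then discard): $Password"
}
Add-ADGroupMember -Identity $GroupName -Members $ScanUser

# Step 2: the GPO. Steps 3 to 5 (Restricted Groups and the two deny rights)
# have no GroupPolicy cmdlet; set them in the GPMC editor as described above.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName `
        -Comment 'Scan group -> local Administrators; deny local and RDP logon'
}

# Step 7: link the GPO to the OU that holds the scan targets (skip if linked).
$existing = (Get-GPInheritance -Target $TargetOU).GpoLinks.Where({ $_.DisplayName -eq $GpoName })
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# The SID is what the policy actually stores, and what a verification script
# on a target host should look for. The SYSVOL path is where the editor writes
# the Restricted Groups and user rights settings after steps 3 to 5.
[pscustomobject]@{
    Group     = $GroupName
    GroupSid  = (Get-ADGroup -Identity $GroupName).SID.Value
    GpoId     = $gpo.Id
    SysvolInf = "\\$UpnSuffix\SYSVOL\$UpnSuffix\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
}
```

After steps 3 to 5 have been completed in the editor, the GptTmpl.inf at the printed SYSVOL path should contain a [Group Membership] section that maps the group's SID to *S-1-5-32-544 and a [Privilege Rights] section listing the group's SID under SeDenyInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight; keeping a copy of that file makes later drift easy to spot.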

Important information

In theory you can set up a GPO that does not grant the scan account local administrator rights at all and instead grants only the specific read permissions the scan needs. In practice this is a very large and complex effort, because you would need to grant access to individual registry branches and specific folders one by one.
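To confirm that steps 3 to 5 have actually reached a scanned host, the following added example (not a Holm Security script) can be run elevated on a domain-joined Windows target after a policy refresh. It checks the effective state rather than the GPO: that the scan group is in the local Administrators group, that both deny rights list it, and that network logon, which the scanner needs, has not been denied by mistake. The NetBIOS domain name is an assumption.

```powershell
# Added example, not a Holm Security script: run elevated on a scanned Windows
# host (after 'gpupdate /target:computer /force') to confirm that steps 3 to 5
# reached it. Domain name is an assumption.
#Requires -RunAsAdministrator

$Domain    = 'EXAMPLE'                       # NetBIOS domain name (assumed)
$GroupName = 'Holm Security Local Scan'

# Work with SIDs throughout: Restricted Groups and user rights are stored as
# SIDs, so this check does not depend on localized group names.
$account  = New-Object System.Security.Principal.NTAccount($Domain, $GroupName)
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Check 1 (step 3): the scan group is a member of BUILTIN\Administrators.
# Get-LocalGroupMember can fail if the group contains orphaned SIDs; remove
# those first if it does.
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$members   = Get-LocalGroupMember -SID $adminsSid
$isAdmin   = [bool]($members | Where-Object { $_.SID.Value -eq $groupSid })

# Checks 2 and 3 (steps 4 and 5): export the effective user rights with secedit.
# The INF lists each right as 'SeXxx = *SID,*SID,...'.
$inf = Join-Path $env:TEMP 'holm-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$rights = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item -Path $inf -Force

$deniedLocal = $rights['SeDenyInteractiveLogonRight']       -contains $groupSid
$deniedRdp   = $rights['SeDenyRemoteInteractiveLogonRight'] -contains $groupSid
# The scanner authenticates over the network; a stray deny here breaks the scan.
$networkOk   = -not ($rights['SeDenyNetworkLogonRight'] -contains $groupSid)

[pscustomobject]@{
    Host                  = $env:COMPUTERNAME
    GroupSid              = $groupSid
    InLocalAdministrators = $isAdmin
    DenyLogOnLocally      = $deniedLocal
    DenyLogOnThroughRDS   = $deniedRdp
    NetworkLogonAllowed   = $networkOk
    Compliant             = ($isAdmin -and $deniedLocal -and $deniedRdp -and $networkOk)
}
```

Run it on one host from each OU the policy is linked to; a host that reports InLocalAdministrators as True but either deny right as False has the admin membership without the logon restrictions, which is the state steps 4 and 5 exist to prevent.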