How to set up a custom domain user account for authenticated scans

These steps can be used to set up a user account on the domain that can be used for authenticated scans to login on targets systems included in the scan.

1. Set up Domain Security Group

Create a new security group on your domain controller named Holm Security Local Scan

  • The Group Scope should be set to Global
  • The Group Type should be set to Security

Assign the user account that should be used to login to the scanned target systems to this group.

2. Set up Group Policy (GPO)

Create a new Group Policy Object (GPO) named Holm Security Policy

3. Configure Policy

Add the group Holm Security Local Scan to Holm Security Policy and insert the local administrators to the group.

Note: Be aware that settings applied by the GPO can still exist after the GPO has been removed. Read more about this here

Connect policy

  1. Edit the policy Holm Security Policy 
  2. Open:
    Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
  3. Select Add Group in the left pane on Restricted Groups
  4. Browse and find the newly created Holm Security Local Scan and add it (press OK to close the dialog. Don't forget to click on Check Names)

Group membership

  1. Now select This group is member of and add the group "Administrators (as well as all non-English names of Administrators if they exist)
  2. Press OK to save and close dialog

4. Configure user rights on the policy - Deny log on locally

This step will make sure we have applied the correct user rights to the policy. 

  1. Edit the policy Holm Security Policy 
  2. Open:
    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  3. In the right pane, double click on Deny log on locally
  4. ...and set the checkmark Define these policy settings:
  5. Click on Add user or Group
  6. Browse and find the newly created Holm Security Local Scan and add it (press OK to close the dialog. Don't forget to click on Check Names)

5. Configure user rights on the policy - Deny log on through Remote Desktop Services

This step will make sure we have applied the correct user rights to the policy. 

  1. Edit the policy Holm Security Policy 
  2. Open:
    Computer Configuration\Polices\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  3. In the right pane, double click on Deny log on through Remote Desktop Services
  4. ...and set the checkbox Define these policy settings:
  5. Click on Add user or Group
  6. Browse and find the newly created Holm Security Local Scan and add it (press OK to close the dialog. Don't forget to click on Check Names)

6. (Optional) Configure policy with read-only permissions to local drive

This step is an optional precaution to restrict the permission of the policy and group to only have read rights.

  1. Edit the policy Holm Security Policy 
  2. Open:
    Computer Configuration\Polices\Windows Settings\Security Settings\File Systems
  3. Click on File System in the left pane and select Add File...
  4. Enter the value %SystemDrive% in the Folder field and click OK

Group Membership 

  1. Under Group or user names:, click on Add
  2. Browse and find the newly created Holm Security Local Scan and add it (press OK to close the dialog. Don't forget to click on Check Names)

Read/Write Permissions

  1. In the:
    Computer Configuration\Polices\Windows Settings\Security Settings\File Systems
  2. Set the permissions on the newly created Group/User by unchecking all checkboxes in the column Allow and check them under Deny.
    Click OK and confirm changes.

Make permissions recursive

  1. Select Configure this file or folder then and Propagate inheritable permissions to all subfolders and files
  2. Click OK and confirm changes

 

7. Establish the link to the Group Policy Object

  1. Open Group Policy Management
  2. In the right pane, right click on the Organizational Unit or Domain 
  3. Select Link an Existing GPO 
  4. Select the newly created policy Holm Security Policy and press OK 

 

Note: In theory you can set up a GPO that does not have any local admin permissions but it is a very large and complex effort to perform as you will need to involve individual registry branches and specific folders. 

 

 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.