How do I get started scanning Active Directory?

This article describes how to run an Active Directory (AD) assessment in Security Center. To get started, you need a scan profile, an asset, and Windows credentials.

Before you begin
Before running an Active Directory assessment, make sure the following requirements are met:
What are the requirements for running an Active Directory scan?

How do I start an assessment?

To start scanning Active Directory, make sure you have:

  • The IP or hostname of at least one Domain Controller

  • A Windows domain account with sufficient privileges (Domain Admin or equivalent)

  • Port 389 (LDAP) or 636 (LDAPS) reachable from the scanner
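A preflight check for the last two requirements, added here as an example and not part of this article or of Security Center: run from the scanner host, it connects to the DC on 389 and 636, sends an anonymous LDAPv3 bind and reports the result code, so you can see which port the assessment can use and whether the DC's LDAPS certificate is trusted by the host before you configure the profile. The hostname passed to probe_dc is an assumption; the BER parser handles long-form lengths because Windows DCs return long diagnostic messages on failed binds.

```python
import socket
import ssl


def anonymous_bind_request(msg_id=1):
    """Build an LDAPv3 anonymous simple BindRequest (RFC 4511) as BER bytes."""
    bind = b"\x02\x01\x03" + b"\x04\x00" + b"\x80\x00"  # version 3, empty DN, empty simple password
    op = b"\x60" + bytes([len(bind)]) + bind             # [APPLICATION 0] BindRequest
    body = b"\x02\x01" + bytes([msg_id]) + op            # messageID INTEGER, then protocolOp
    return b"\x30" + bytes([len(body)]) + body           # LDAPMessage SEQUENCE

def _tlv(buf, i):
    """Decode one BER tag/length header at buf[i]; return (tag, value_start, value_end)."""
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:                                         # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, i, i + n

def parse_bind_result(data):
    """Return the resultCode from an LDAP BindResponse, or None if data is not one."""
    try:
        tag, s, _ = _tlv(data, 0)                        # LDAPMessage SEQUENCE
        mid_tag, _, mid_end = _tlv(data, s)              # messageID INTEGER
        op_tag, bs, _ = _tlv(data, mid_end)              # [APPLICATION 1] BindResponse
        rc_tag, cs, ce = _tlv(data, bs)                  # resultCode ENUMERATED
    except IndexError:
        return None
    if (tag, mid_tag, op_tag, rc_tag) != (0x30, 0x02, 0x61, 0x0A):
        return None
    return int.from_bytes(data[cs:ce], "big")

def probe_dc(host, timeout=5.0):
    """Probe LDAP (389) and LDAPS (636); map port -> resultCode (0 = success) or an error string."""
    results = {}
    for port, use_tls in ((389, False), (636, True)):
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
            if use_tls:  # default context validates the DC certificate against the local trust store
                sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
            with sock:
                sock.sendall(anonymous_bind_request())
                results[port] = parse_bind_result(sock.recv(4096))
        except ssl.SSLCertVerificationError as exc:
            results[port] = f"TLS reachable, certificate not trusted: {exc.verify_message}"
        except OSError as exc:  # refused, timed out, DNS failure, TLS handshake failure
            results[port] = f"unreachable: {exc}"
    return results
```

Call `probe_dc("dc01.corp.example.com")` (hostname assumed) from the scanner host; a result of 0 on 636 means the credentials in step 4 will be sent over TLS rather than in clear text on 389.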

To start an Active Directory assessment, follow these steps:

1. Install a Scanner Appliance

A Scanner Appliance is required if your Domain Controller (DC) is on an internal network behind a firewall. You can skip this step if the DC is publicly reachable, since the external scanner that already exists in Security Center can be used.

How do I install a Scanner Appliance?

2. Create an asset

AD checks only (recommended for AD assessments)

Add your Domain Controller's IP or hostname as a single asset. The AD collector runs per Domain Controller, so running the assessment directly against the DC gives the best results.

Full network range

Add an IP range covering your network. The default scan profile includes all Active Directory checks, so any DC found in the range will automatically receive a full AD assessment alongside the regular network scan.

Multiple Domain Controllers
Each Domain Controller must be scanned separately to get a full health check for that domain. If your environment has multiple domains or multiple DCs, add each DC as its own asset (or make sure the IP range covers all of them). The AD assessment runs against each DC independently, covering the full domain it belongs to.

For multi-domain forests, run one scan per domain. Cross-domain data is discovered automatically, but each domain's rules are evaluated independently.

How do I add one or more network assets?

3. Create a scanner profile

The Standard Network scan profile already includes all Active Directory checks, so no additional configuration is needed. If you are using a custom profile, make sure the Active Directory checks family is included as a category.

Go to Assessments > Profiles > Edit > Vulnerabilities > Include, choose Active Directory, and add HID-2-1-5320777.

How do I create a network scan profile?

4. Add Windows authentication

In the scan profile, go to Authentication > Windows authentication record and add a new record with the following settings:

 Field     Value
 Type      Domain
 Username  The domain account's username
 Password  The domain account's password
 Domain    Your AD domain, e.g. corp.example.com

How do I configure Windows authentication?

5. Schedule or run immediately

Schedule a recurring assessment or trigger a one-time run from the scan profile.

How do I schedule a network scan?