What are the requirements for running an Active Directory scan?
This article describes the credentials, scan profile settings, and network ports required to run an Active Directory scan.
Before you start
Make sure to configure a scan profile for authenticated scanning.
Credentials
The scanner authenticates over SMB and LDAP using a standard Windows domain account.
| Field: | Value: |
|---|---|
| Domain | NetBIOS or FQDN of the domain (e.g. CORP or corp.example.com). |
| Username | SAM account name (e.g. svc-scanner). |
| Password | Account password. |
| NTLM | NTLMv2 and NTLMv1 (default), or NTLMv2 only if the domain has disabled NTLMv1. |
Permissions required
The account does not require Domain Admin. Membership in Domain Users is sufficient for the bulk of checks. For full coverage, the account additionally needs read access to SYSVOL (used for GPO collection) and the Remote Registry on the target domain controller (used by a small number of active probes).
Read rights
Checks that read security descriptors on privileged objects, AdminSDHolder ACLs, or RODC password replication groups may return incomplete data if the account lacks the corresponding read rights.
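The following pre-flight script is an added example, not part of the original article or the scanner's own tooling. It checks each right listed above (Domain Users membership, SYSVOL read, Remote Registry on the DC, and read access to the AdminSDHolder ACL and the RODC password replication groups) and, from the DC's LmCompatibilityLevel, suggests which NTLM mode to pick in the credential record. Run it while logged on as the scan account so that every read is evaluated with that account's token. It assumes the RSAT ActiveDirectory module; DC01, corp.example.com and svc-scanner are placeholder names.

```powershell
# Added example (not from the original article): verify that the scan account has
# the rights the Permissions section lists. Run it logged on AS the scan account so
# SYSVOL, Remote Registry and AD reads are evaluated with its token.
# Requires the RSAT ActiveDirectory module. DC01 / corp.example.com / svc-scanner
# are placeholders.
Import-Module ActiveDirectory

function Test-AdScanAccount {
    param(
        [Parameter(Mandatory)][string]$DC,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Account
    )
    $r = [ordered]@{ Account = $Account; DC = $DC }

    # Domain Users is sufficient for the bulk of checks. It is normally the primary
    # group, which does not appear in MemberOf, so check both places.
    $user = Get-ADUser -Identity $Account -Server $DC -Properties MemberOf, PrimaryGroup
    $r.DomainUsers = ($user.PrimaryGroup -like 'CN=Domain Users,*') -or
                     ((@($user.MemberOf) -like 'CN=Domain Users,*').Count -gt 0)

    # SYSVOL read: GPO collection reads \\DC\SYSVOL\<domain>\Policies
    $r.SysvolRead = Test-Path "\\$DC\SYSVOL\$Domain\Policies"

    # Remote Registry: a few active probes open HKLM on the DC remotely. The same
    # read returns LmCompatibilityLevel, which decides the NTLM mode for the record:
    # 5 = DC refuses LM and NTLMv1, so "NTLMv2 only" is the right choice.
    try {
        $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $DC)
        $lsa   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $level = $lsa.GetValue('LmCompatibilityLevel')   # $null when not explicitly set
        $r.RemoteRegistry = $true
        $r.NtlmMode = if ($level -ge 5) { 'Use NTLMv2 only' } else { 'Use NTLMv2 and NTLMv1 (default)' }
    } catch {
        $r.RemoteRegistry = $false
        $r.NtlmMode = 'unknown (Remote Registry not readable)'
    }

    # Read rights on the objects the article flags: AdminSDHolder's ACL and the RODC
    # password replication groups. A missing right shows up as an error here.
    $domainDn = (Get-ADDomain -Server $DC).DistinguishedName
    try {
        $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn"
        $r.AdminSDHolderAcl = ($acl.Access.Count -gt 0)
    } catch { $r.AdminSDHolderAcl = $false }
    try {
        $null = Get-ADGroup -Identity 'Allowed RODC Password Replication Group' -Server $DC -Properties Members
        $null = Get-ADGroup -Identity 'Denied RODC Password Replication Group'  -Server $DC -Properties Members
        $r.RodcGroups = $true
    } catch { $r.RodcGroups = $false }

    [pscustomobject]$r
}

Test-AdScanAccount -DC 'DC01.corp.example.com' -Domain 'corp.example.com' -Account 'svc-scanner' |
    Format-List
```

A `$false` in any row maps directly to a section above: SysvolRead to GPO collection, RemoteRegistry to the active probes, AdminSDHolderAcl and RodcGroups to the "Read rights" note. Fix the right (or accept the reduced coverage) before saving the credential record.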
The authentication record can be reused across scan profiles. Saved credentials are encrypted at rest.
Default in standard network profile
The Active Directory scan is driven by a small, fixed set of plugins and is included in the standard Network profile by default. If you do not want it in default network scans, exclude it by including [HID-2-1-5443416]; this disables the Active Directory collector for that profile.
Show low probability vulnerabilities
Enabling Show low probability vulnerabilities is recommended for AD scans. Several baseline checks are deliberately scored as low-probability and will not appear in the report otherwise.
Authentication record
Configure the authentication record under the Authentication tab:
| Field: | Value: |
|---|---|
| Domain | Domain FQDN (e.g. corp.example.com). |
| Username | The scanning account (e.g. svc-scanner). A dedicated least-privilege account is preferable to Administrator, since Domain Admin rights are not required. |
| Password | Account password. |
| NTLM mode | Use NTLMv2 and NTLMv1 (default) is appropriate for most domains; select Use NTLMv2 only when NTLMv1 has been disabled. |
Network ports
The Scanner Appliance requires direct network access from the scan node to the target domain controller.
| Port: | Protocol: | Used for: |
|---|---|---|
| 389 | TCP | LDAP — primary directory queries. |
| 636 | TCP | LDAPS — preferred when available. |
| 445 | TCP | SMB — SYSVOL access, null-session probe, SMB signing/version checks. |
| 135 | TCP | RPC endpoint mapper — DCE/RPC interface probing. |
| 53 | UDP/TCP | DNS — DC resolution and per-DC DNS registration check. |
| 80 | TCP | HTTP — WebClient / WebDAV service detection (optional). |
| 3268 | TCP | Global Catalog LDAP (optional, used if available). |
| 3269 | TCP | Global Catalog LDAPS (optional). |
Minimum required ports
Ports 389 (or 636) and 445 are the minimum required. Phases that depend on unreachable ports are skipped; the scan completes with the data available.
When port 636 is reachable, LDAPS is selected automatically. LDAPS is strongly recommended as it encrypts directory queries and credentials in transit.
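The script below is an added example, not part of the original article, for checking the port table from a scan node before the first scan. It probes each TCP port, uses a DNS query against the DC in place of a UDP probe (Test-NetConnection cannot test UDP), reports whether the minimum set (389 or 636, plus 445) is reachable, lists the optional phases that would be skipped, and, when 636 answers, confirms that this host trusts the DC's LDAPS certificate, a check the article does not call out but that an LDAPS connection still depends on. It assumes Windows PowerShell 5.1 or later with the NetTCPIP and DnsClient modules; DC01 and corp.example.com are placeholders.

```powershell
# Added example (not from the original article): check the article's port table
# against one DC from the scan node and decide whether the minimum set is reachable.
# Windows PowerShell 5.1+ with the NetTCPIP and DnsClient modules.
# DC01 and corp.example.com are placeholders.

function Test-AdScanPorts {
    param(
        [Parameter(Mandatory)][string]$DC,
        [Parameter(Mandatory)][string]$Domain
    )
    # TCP ports from the article's table; Required marks the minimum set
    $tcpPorts = @(
        [pscustomobject]@{Port=389;  Use='LDAP';                           Required=$true},
        [pscustomobject]@{Port=636;  Use='LDAPS (preferred)';              Required=$false},
        [pscustomobject]@{Port=445;  Use='SMB (SYSVOL, signing checks)';   Required=$true},
        [pscustomobject]@{Port=135;  Use='RPC endpoint mapper';            Required=$false},
        [pscustomobject]@{Port=53;   Use='DNS over TCP';                   Required=$false},
        [pscustomobject]@{Port=80;   Use='WebClient/WebDAV detection';     Required=$false},
        [pscustomobject]@{Port=3268; Use='Global Catalog LDAP';            Required=$false},
        [pscustomobject]@{Port=3269; Use='Global Catalog LDAPS';           Required=$false}
    )
    $status = foreach ($p in $tcpPorts) {
        $open = Test-NetConnection -ComputerName $DC -Port $p.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{Port=$p.Port; Use=$p.Use; Required=$p.Required; Open=[bool]$open}
    }

    # UDP 53: Test-NetConnection cannot probe UDP, so ask the DC to resolve the domain
    $dnsOk = $false
    try { $null = Resolve-DnsName -Name $Domain -Server $DC -Type A -ErrorAction Stop; $dnsOk = $true }
    catch { }

    $ldap  = ($status | Where-Object Port -eq 389).Open
    $ldaps = ($status | Where-Object Port -eq 636).Open
    $smb   = ($status | Where-Object Port -eq 445).Open

    # LDAPS is chosen automatically when 636 answers; also verify that this host
    # trusts the DC's certificate chain, otherwise the TLS handshake fails.
    $ldapsTrusted = $null
    if ($ldaps) {
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($DC, 636)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
            $ssl.AuthenticateAsClient($DC)   # throws if the chain is not trusted
            $ldapsTrusted = $true
        } catch { $ldapsTrusted = $false }
        finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Dispose() }
        }
    }

    [pscustomobject]@{
        DC               = $DC
        Ports            = $status
        DnsUdpOk         = $dnsOk
        MinimumMet       = (($ldap -or $ldaps) -and $smb)
        LdapTransport    = if ($ldaps) { 'LDAPS (636)' } elseif ($ldap) { 'LDAP (389)' } else { 'none' }
        LdapsCertTrusted = $ldapsTrusted
        SkippedPhases    = @($status | Where-Object { -not $_.Open -and -not $_.Required }).Use
    }
}

$result = Test-AdScanPorts -DC 'DC01.corp.example.com' -Domain 'corp.example.com'
$result.Ports | Format-Table -AutoSize
$result | Select-Object DC, MinimumMet, LdapTransport, LdapsCertTrusted, DnsUdpOk, SkippedPhases | Format-List
```

MinimumMet = False means the scan cannot collect anything useful from that DC; SkippedPhases lists the optional checks (RPC probing, WebDAV detection, Global Catalog queries) that will be silently omitted. LdapsCertTrusted = False with port 636 open usually means the scan node lacks the issuing CA certificate.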