
What are the requirements for running an Active Directory scan?

This article describes the credentials, scan profile settings, and network ports required to run an Active Directory scan. 

Credentials

The scanner authenticates over SMB and LDAP using a standard Windows domain account.

Field      Value
Domain     NetBIOS name or FQDN of the domain (e.g., CORP or corp.example.com).
Username   SAM account name (e.g., svc-scanner).
Password   Account password.
NTLM       NTLMv2 and NTLMv1 (default), or NTLMv2 only if the domain has disabled NTLMv1.


Remote Registry access required
The scanner reads the remote registry on the target host to confirm that it is a Domain Controller before running Active Directory-specific checks. If the Remote Registry service is not running on the target Domain Controller, the scanner cannot verify the Domain Controller role and the assessment will not return results. 

Read more about systems and requirements:
What are the supported systems and requirements?

Read rights
Checks that read security descriptors on privileged objects, AdminSDHolder ACLs, or RODC password replication groups may return incomplete data if the account lacks the corresponding read rights.

The authentication record can be reused across scan profiles. Saved credentials are encrypted at rest. 
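The PowerShell preflight below is an added example; it is not part of this article or of the scanner. It binds to a domain controller with the scanning account using NTLM, trying LDAPS (636) first and falling back to LDAP (389), and then reads the AdminSDHolder security descriptor, which exercises the read-rights case described above. The host dc01.corp.example.com, the domain corp.example.com and the account svc-scanner are assumptions.

```powershell
# Added example, not from the article. Preflight for the scanning account:
# 1) NTLM bind to the DC over LDAPS (636), falling back to LDAP (389);
# 2) read the AdminSDHolder security descriptor to confirm READ_CONTROL.
# dc01.corp.example.com, corp.example.com and svc-scanner are assumed names.
Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Dc       = 'dc01.corp.example.com'
$Domain   = 'corp.example.com'
$User     = 'svc-scanner'
$Password = Read-Host -AsSecureString "Password for $Domain\$User"
$Cred     = New-Object System.Net.NetworkCredential($User, $Password, $Domain)

function Connect-ScannerLdap {
    param([string]$Server, [int]$Port, [bool]$UseSsl, [System.Net.NetworkCredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $auth = [System.DirectoryServices.Protocols.AuthType]::Ntlm
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential, $auth)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseSsl) {
        # Certificate validation stays on: if the DC certificate is not trusted from here,
        # the scanner's automatic LDAPS selection is likely to fail as well.
        $conn.SessionOptions.SecureSocketLayer = $true
    } else {
        # Sign and seal the cleartext LDAP session; DCs that enforce LDAP signing
        # reject an unsigned NTLM bind on 389.
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    }
    try { $conn.Bind(); return $conn }
    catch { Write-Warning "Bind to ${Server}:${Port} failed: $($_.Exception.Message)"; return $null }
}

function Get-AdminSdHolderAcl {
    param([System.DirectoryServices.Protocols.LdapConnection]$Connection)
    # rootDSE tells us the domain naming context without hard-coding the DN.
    $root = New-Object System.DirectoryServices.Protocols.SearchRequest($null, '(objectClass=*)', 'Base', 'defaultNamingContext')
    $dnc  = ($Connection.SendRequest($root)).Entries[0].Attributes['defaultNamingContext'][0]
    $dn   = "CN=AdminSDHolder,CN=System,$dnc"
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($dn, '(objectClass=*)', 'Base', 'nTSecurityDescriptor')
    # Without this control a non-privileged account gets no nTSecurityDescriptor back at all,
    # because the DC would try to include the SACL, which needs SeSecurityPrivilege.
    $masks = [System.DirectoryServices.Protocols.SecurityMasks]::Owner -bor `
             [System.DirectoryServices.Protocols.SecurityMasks]::Group -bor `
             [System.DirectoryServices.Protocols.SecurityMasks]::Dacl
    $req.Controls.Add((New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl($masks))) | Out-Null
    $entry = ($Connection.SendRequest($req)).Entries[0]
    if (-not $entry.Attributes.Contains('nTSecurityDescriptor')) { return $null }
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorBinaryForm($entry.Attributes['nTSecurityDescriptor'].GetValues([byte[]])[0])
    return $sd
}

$conn = Connect-ScannerLdap -Server $Dc -Port 636 -UseSsl $true  -Credential $Cred
if (-not $conn) { $conn = Connect-ScannerLdap -Server $Dc -Port 389 -UseSsl $false -Credential $Cred }
if (-not $conn) { throw "Scanning account cannot bind to $Dc over LDAPS or LDAP." }

$acl = Get-AdminSdHolderAcl -Connection $conn
if ($null -eq $acl) {
    Write-Warning 'Account lacks READ_CONTROL on AdminSDHolder; ACL-based checks will return incomplete data.'
} else {
    # Explicit DACL entries on AdminSDHolder, resolved to account names.
    $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
        Format-Table -AutoSize
}
```

Run it from the scan node so the bind exercises the same network path the appliance will use. If the LDAPS bind fails but LDAP succeeds, fix the DC certificate trust before relying on the scanner's automatic LDAPS selection; if the ACL read returns nothing, the account is missing read rights on the privileged object rather than failing authentication.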

Default in standard network profile

The Active Directory scan is driven by a small, fixed set of plugins and is part of the standard Network profile by default. If you do not want it in default network scans, add the exclusion [HID-2-1-5443416] to the profile; this disables the Active Directory collector for that profile. 

Show low probability vulnerabilities
Enabling Show low probability vulnerabilities in the scan results is recommended for AD scans: several baseline checks are deliberately scored as low probability and will not appear in the report otherwise. 

Authentication record

Configure the authentication record under the Authentication tab:

Domain      Domain FQDN (e.g., corp.example.com).
Username    The scanning account (e.g., Administrator or svc-scanner).
Password    Account password.
NTLM mode   Use NTLMv2 and NTLMv1 (default) is appropriate for most domains; select Use NTLMv2 only once NTLMv1 has been disabled on the domain. 

Network ports

The Scanner Appliance requires direct network access from the scan node to the target domain controller.

Port   Protocol   Used for
389    TCP        LDAP: primary directory queries.
636    TCP        LDAPS: preferred when available.
445    TCP        SMB: SYSVOL access, null-session probe, SMB signing/version checks.
135    TCP        RPC endpoint mapper: DCE/RPC interface probing.
53     UDP/TCP    DNS: DC resolution and per-DC DNS registration check.
80     TCP        HTTP: WebClient / WebDAV service detection (optional).
3268   TCP        Global Catalog LDAP (optional, used if available).
3269   TCP        Global Catalog LDAPS (optional).


Minimum required ports
Ports 389 (or 636) and 445 are the minimum required. Phases that depend on unreachable ports are skipped; the scan completes with the data available.

When port 636 is reachable, LDAPS is selected automatically. LDAPS is strongly recommended as it encrypts directory queries and credentials in transit.
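The preflight below is an added example and is not part of this article or of the scanner. Run from the scan node, it tests TCP reachability of every port in the table above, evaluates the "389 or 636, plus 445" minimum, sends a DNS query so UDP/53 is covered, and then reads the domain controller role through the Remote Registry service, the dependency described under Remote Registry access required. The DC name dc01.corp.example.com is an assumption; the registry keys used to recognise the DC role are a reasonable stand-in for a role check, not the scanner's documented logic.

```powershell
# Added example, not from the article. Preflight from the scan node against one DC:
# TCP reachability of the documented ports, the "389 or 636, plus 445" minimum,
# a DNS query to cover UDP/53, and a Remote Registry read that confirms the DC role.
# dc01.corp.example.com is an assumed name; the registry keys are an assumption about
# what a DC-role check looks like, not the scanner's own logic.
$Dc = 'dc01.corp.example.com'

$PortTable = @(
    @{ Port = 389;  Purpose = 'LDAP' },
    @{ Port = 636;  Purpose = 'LDAPS' },
    @{ Port = 445;  Purpose = 'SMB (SYSVOL, signing checks, Remote Registry)' },
    @{ Port = 135;  Purpose = 'RPC endpoint mapper' },
    @{ Port = 53;   Purpose = 'DNS over TCP' },
    @{ Port = 80;   Purpose = 'HTTP / WebDAV detection (optional)' },
    @{ Port = 3268; Purpose = 'Global Catalog LDAP (optional)' },
    @{ Port = 3269; Purpose = 'Global Catalog LDAPS (optional)' }
)

function Test-ScanPorts {
    param([string]$Target, [array]$Table)
    foreach ($row in $Table) {
        # Test-NetConnection is TCP-only; UDP/53 is handled by Test-DcDns below.
        $tnc = Test-NetConnection -ComputerName $Target -Port $row.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $row.Port; Purpose = $row.Purpose; Open = $tnc.TcpTestSucceeded }
    }
}

function Test-DcDns {
    param([string]$Target)
    # Resolve-DnsName queries over UDP first, so success here means UDP/53 to the DC works.
    try { [bool](Resolve-DnsName -Name $Target -Server $Target -Type A -ErrorAction Stop) }
    catch { $false }
}

function Test-DcRoleViaRemoteRegistry {
    param([string]$Target)
    try {
        # OpenRemoteBaseKey goes through the Remote Registry service (over SMB/445). If that
        # service is stopped on the DC this throws, which is the condition the article warns about.
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Target)
        $type = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\ProductOptions').GetValue('ProductType')
        $ntds = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
        # ProductType is LanmanNT on domain controllers, ServerNT on member servers and
        # WinNT on workstations; NTDS\Parameters exists only once the DS role is installed.
        [pscustomobject]@{
            RemoteRegistry     = $true
            ProductType        = $type
            IsDomainController = ($type -eq 'LanmanNT' -and $null -ne $ntds)
            Error              = $null
        }
    } catch {
        [pscustomobject]@{
            RemoteRegistry     = $false
            ProductType        = $null
            IsDomainController = $false
            Error              = $_.Exception.Message
        }
    }
}

$ports = Test-ScanPorts -Target $Dc -Table $PortTable
$ports | Format-Table -AutoSize

# Minimum for the AD scan: LDAP or LDAPS, plus SMB.
$ldapOk = @($ports | Where-Object { ($_.Port -eq 389 -or $_.Port -eq 636) -and $_.Open }).Count -gt 0
$smbOk  = @($ports | Where-Object { $_.Port -eq 445 -and $_.Open }).Count -gt 0
if (-not ($ldapOk -and $smbOk)) {
    Write-Warning 'Minimum not met: need 389 or 636 plus 445 reachable. The AD scan cannot run.'
}

"UDP/53 DNS reachable: $(Test-DcDns -Target $Dc)"
Test-DcRoleViaRemoteRegistry -Target $Dc
```

Run the script as the scanning account, or at least as a domain account allowed to read the remote registry, so that a RemoteRegistry = $false result reflects the DC's service state rather than your own permissions. Ports reported closed that are not part of the minimum only cause the corresponding phases to be skipped, as described above.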