Authenticated testing can add a lot of value to your overall security assessment results. You’ll find a lot more missing patches, weak share permissions, and general misconfigurations. But before you start testing with authentication, there are a few things you need to know:
- Authenticated scans will give you a ton of information – sometimes too much. This can be a problem, especially if others reading your report are not very technical. A lot of high-level flaws can make internal auditors, management, and others outside of IT really nervous if they don’t fully understand what they’re looking at.
- Authenticated scans can create trouble on the local hosts you’re testing. It’s rare, but general vulnerability scans can lock user accounts, fill up log files, and leave other remnants on the system. These scans are not as invasive as web vulnerability scans, but this is still something you need to be prepared for.
- You’re going to need more time – a lot more time – to run authenticated scans. Vulnerability scans with authentication typically take two to three times longer than unauthenticated scans, so if you have several hundred or even several thousand network hosts, this can lengthen your testing time significantly. You’ll also need more time for analyzing your scanner results and reporting – especially if you’re writing a separate formal report.
- Scanning with multiple user role levels is ideal (e.g. a standard domain user with limited privileges and a local or domain administrator). At a minimum, scan at the highest privilege level possible. Scanning as an administrator or equivalent will give you the most visibility into your security vulnerabilities. Besides, most hackers will invade as authenticated users themselves, so scanning with the highest privilege will give you a view of what hackers see in your network.
- You don’t have to run authenticated scans every time. It’s good to know how things look from an outsider’s perspective, i.e. without authentication. Running unauthenticated scans at least once per year works well.