This post will walk you through using Tenable's Nessus to perform a credentialed patch audit and compliance scan. This activity may be part of a build review, which assesses a system's base configuration in order to identify weaknesses in the source build it was created from, or of a compliance audit, such as PCI DSS requirement 2.2, where a system's configuration is assessed against known baselines, for example the Center for Internet Security's (CIS) Windows Server 2012 R2 benchmark. Whatever the requirement, an authenticated scan using administrative credentials can provide detailed insight into the security posture of an asset when compared against a baseline. We're going to provide a run-through of how to carry out an authenticated scan to ascertain the patch levels of a desktop operating system, followed by a compliance audit scan of a server; Nessus has built-in templates for both.

Nessus Professional v6.8.1 is being used for both scans. We're going to test the patch levels of a Windows 10 evaluation build installation, followed by a CIS Windows 2012 R2 compliance audit scan. After selecting the scan, enter a scan name and the target IP address as for a normal scan. The amount of information the patch audit reveals depends on the privileges it runs with, so in order to obtain as much data as possible we're going to use a local admin account. Then, in the scan library, click Credentials, followed by Windows or SSH (SSH will most likely be used if you're testing the patch levels on a *nix system). Nessus supports several authentication types (further reading on which can be found here); however, we're going to use a good old-fashioned username and password, so we click Windows and add the credentials for our account. There will be two unchecked tick boxes at the bottom, Start the Remote Registry service during the scan and Enable administrative shares during the scan, which will need to be ticked, as depicted below.
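The two tick boxes above exist because a credentialed Windows patch audit needs the Remote Registry service reachable and the administrative shares present on the target. The following PowerShell pre-flight check, run on the Windows target before the scan, is an added example and not part of the original post; the function name is an assumption, and checks 3 and 4 (host firewall rule and the LocalAccountTokenFilterPolicy value, which a local admin account other than the built-in Administrator needs in order to get a full token over the network) are standard prerequisites the post does not mention.

```powershell
# Added example (not from the original post): verify, on the Windows target,
# what a credentialed Nessus scan relies on. Function name is an assumption.
function Test-CredentialedScanReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Remote Registry: patch state is read through the registry. The scan option
    #    "Start the Remote Registry service during the scan" can start a Stopped
    #    service, but not one whose start mode is Disabled.
    $rr = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
    $result.RemoteRegistryState     = $rr.State
    $result.RemoteRegistryStartMode = $rr.StartMode
    $result.RemoteRegistryOk        = ($rr.StartMode -ne 'Disabled')

    # 2. Administrative shares: ADMIN$ and C$ must exist, or Nessus must be allowed
    #    to create them via "Enable administrative shares during the scan".
    $shares = Get-SmbShare -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
    $result.AdminSharesPresent = ($shares -contains 'ADMIN$') -and ($shares -contains 'C$')

    # 3. Inbound SMB must be allowed through the host firewall (File and Printer
    #    Sharing group, SMB-In rule) for the scanner to reach the shares at all.
    $smbRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SMB-In*' -and $_.Enabled -eq 'True' }
    $result.SmbInboundRuleEnabled = [bool]$smbRules

    # 4. Remote UAC filtering: a local admin account other than the built-in
    #    Administrator only receives a full token over the network when
    #    LocalAccountTokenFilterPolicy is 1; otherwise the audit runs with reduced rights.
    $polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $polPath -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $result.LocalAccountTokenFilterPolicy = if ($pol) { $pol.LocalAccountTokenFilterPolicy } else { 0 }
    $result.RemoteUacFilterDisabled = ($result.LocalAccountTokenFilterPolicy -eq 1)

    [pscustomobject]$result
}

Test-CredentialedScanReadiness | Format-List
```

Any property reported as False points at the setting that will otherwise make the patch audit return less data than the local admin account could provide.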