Using QualysGuard With Secret Server
Last updated on: September 6, 2020
Why Does Authentication Matter?
Drive-by downloads. Excel spreadsheet zero-days. In today’s IT environment, threats are coming from more places than ever before, making it more important than ever to perform comprehensive assessment of vulnerabilities. Although remote-only checks can be very useful for finding issues, only authenticated scanning can guarantee that all issues – not just ones exposed on listening ports – are detected and addressed. Unfortunately, however, enterprises often face a number of challenges when attempting to roll out authenticated scanning:
- System administrators may be reluctant to give out credentials, especially when those credentials are stored by a third party.
- Performing password rotation can lead to lots of failed scans if credentials aren’t updated in every option profile and target asset simultaneously.
- Auditing the use of the shared credential becomes critically important when a single shared privileged ID is used across multiple targets.
In order to help address these issues, Qualys has added support for Thycotic’s Secret Server Enterprise Password Management solution. This new capability provides several benefits:
- Credentials for targets can be kept inside the customer’s network perimeter at all times. When configured to use Secret Server, QualysGuard scans only need Web Services credentials for Secret Server. When a target is scanned, the scanner appliance inside the customer’s network communicates directly with Secret Server to obtain credentials for scanning. These credentials are only kept in memory on the scanner appliance, are destroyed when the scan is completed, and are never transmitted outside the customer’s network.
- Password rotation can happen frequently and automatically. Because the credentials for a target are obtained at the time of the scan, administrators can set any password rotation time desired, even as often as daily. The only time updating is required in QualysGuard is when the Web Services credentials are changed, and this only needs to be configured in one place.
- Control and auditing of credential usage can be done easily. Secret Server can limit access to the credential to your scanner appliances only, and provides detailed reporting about access and usage of the credentials so that you know exactly when, where, and why a credential was used.
Configuring QualysGuard to use Secret Server
In order to begin using Secret Server with QualysGuard you must first ensure that Secret Server’s Web Services are enabled by doing the following:
- Log in to the Thycotic Secret Server Administration interface.
- Go to Administration > Configuration.
- Click Edit to change configuration settings.
- On the General tab, select "Enable Webservices".
- Click Save.
Once you’ve completed these steps you can then configure QualysGuard to use Secret Server .
- First, go to Scans -> Authentication -> Authentication Vaults
- Create a new Thycotic Secret Server vault:
- Fill out the information required:
URL: URL to the Secret Server webservices which may use http or https, e.g.
User Name: The user name of the Secret Server user account that has access to the secret names to be used for authentication.
Password: The password of the Secret Server user account; note this is for the Web Services user only, not for that target systems.
Domain (Optional): Provide a fully qualified domain name if Secret Server is integrated with Active Directory.
Now that you’ve configured Qualys to use Secret Server, you need to set up either Windows or Unix credentials in Secret Server for the targets you want to authenticate to. For example, let’s say that we’ve configured Secret Server to store administrative credentials for user vm_scan_account under the secret name win_scan_secret for 10.0.0.1 (mywindowsserver.acme.com). Following the steps above, we’ve create an Authentication Vault entry called Secret Server Vault.
We now need to create a new Windows Authentication Record with the following items checked:
Login Type: Authentication Vault
User Name: vm_scan_account (this is the name of the account on 10.0.0.1 that will be used for login)
Vault Type: Secret Server
Vault Title: Secret Server Vault (what we set up above)
Secret Name: win_scan_secret (the name of the secret in Secret Server that stores the password for user vm_scan_account)
Don’t forget to add IP 10.0.0.1 to the record as well (unless you’re using a NetBIOS Service-Selected IP domain type, in which case the record will be automatically used for any Windows systems participating in that domain).
If there are any problems using the Secret Server credentials then you’ll see the specific error message listed under QID #105015 (Windows Authentication Failed) or QID #105053 (Unix Authentication Failed).
Secret Server will help you expand the scope of your authenticated scanning, giving you even greater visibility of any vulnerabilities on the target systems, and allowing you to make effective use of features such as our Zero-Day Risk Analyzer. We hope you find this new integration useful; please let us know how we can improve these capabilities to make them even better.