Table Of Contents
Configure Windows Domain Authentication Account in Qualys VMDR: A Step-by-Step Guide
Requirements for this Lab
- Active Directory Domain Controller
- Windows 10 (Target machine
- Qualys VMDR Account
We need to create a new AD Domain user account for Qualys in the Active Directory Domain Controller named “qualys_account” and add the user to the Global administrator group.
How to create an Active Directory Domain user
To create a new AD Domain user account, type Control Panel in the search box
Click Control Panel as shown below.
Change your “view by” on the top right to small icons. To easily locate Administrative Tools. Click Administrative Tools.
Double-click Active Directory Users and Computers.
Right Click Users > New > User.
Enter qualys as the first name and account as the last name. “qualys_account” is in the full name box. Enter “qualys_account” in the User logon name and click the Next button.
Create and confirm a password for the new user. Check the box next to User must change password at the next logon if you want to change the password. For this example, I do not want to change the password, so I checked Password never expires.
Click the Finish button.
How to add an Active Directory User to a Domain Admins group
Next, let’s add the user to the Domain Admins group. User > Right-click the “qualys_account” > click Add to a group
Type Domain Admins, click the Check Names button to make sure it’s a valid group, and click OK.
Right-click on”qualys_account” and click property. Click Member Of. Click Domain Users and click the Remove button, as shown below. This is to make sure this user only belongs to the Domain admin group, according to Qualys.
How to Create Windows Authentication in Qualys VMDR
Now, let’s create Windows Authentication in Qualys VMDR. In your Qualys VMDR account, click the drop-down arrow at the top left and select VMDR.
Click on the scans tab > Authentication. Click the New button > Operating Systems > Windows.
Click on the Record Title and give your authentication a name. Click on the Login Credentials button on the left, as shown in the screenshot below, and choose Active Directory as your domain type. Make sure Basic authentication is checked. Create a username and password using the credential for the “qualys_account” user we created in the AD Domain controller earlier.
Qualys Authentication Protocols
Qualys uses the following Authentication Protocols for authentication scans.
- Kerberos with AES-128/256
- Kerberos with RC4-128
- NTLMv2
- NTLMv1
Attempts to use from the most secure protocol to the least secure protocol on the target host. NTLMv1 is unchecked by default. The default authentication protocols are Kerberos and NTLMv2. Leave it as default and click the Save button.
Click on the IPs on the left, as shown in the screenshot below. Enter your target IP addresses or IP address range. Click on comments, type in your comment (Optional), and click the Save button.
To see your newly created Windows Domain Authentication, Click on the scans tab > Authentication as shown below.
In the next lab, we are going to use our newly created Windows Domain Authentication to perform an authentication scan in Qualys. Click here to learn how to launch an Authenticated scan in Qualys virtual appliance.