Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=managed-risk-credentials

Managed Risk credentials

Managed Risk authenticated scanning can identify vulnerabilities in your internal network that unauthenticated scanning might miss.

This page tells you how to create and manage the credentials you need for authenticated scanning.

Before you begin

Before you add credentials, make sure you configure your systems to allow authenticated scanning. Use the links in the sections below to see the detailed configuration requirements for each operating system.

Windows

For Windows requirements, see Tenable: Credentialed Checks on Windows.

Follow these best practices:

  • Create dedicated local admin accounts for scanning. Use accounts in the Local Admins group, not Domain Admins, for scanning regular Windows systems. This limits potential credential exposure.

  • Create separate scans specifically for Domain Controllers using properly secured Domain Admin credentials. This prevents these powerful credentials from being used elsewhere.

For guidance on hardening the Active Directory policy settings associated with these credentials, see Additional Tenable Guidance.

macOS

For macOS requirements, see Tenable: Credentialed Checks on macOS.

Linux

For Linux requirements, see Tenable: Credentialed Checks on Linux.

Add a credential

To add a credential, do as follows:

  1. Go to Managed Risk > Settings.

  2. Select the Credentials tab.

    Managed Risk Credentials tab.

  3. Click Add credential.

    Add credential button.

  4. In Create credential, select the appropriate credential type for your environment:

    • SNMPv3: For network devices supporting SNMP version 3.
    • SSH: For UNIX/Linux/macOS systems.
    • Windows: For Windows domain or local authentication.
    • VMware ESX SOAP API: For VMware ESX/ESXi hosts.

    Note

    Managed Risk doesn't support Plaintext authentication.

    Create credential pane.

  5. Create the credentials following the steps below. Click the tab for your credential type.

    To add SNMPv3 credentials, do as follows:

    1. In Credential type, select SNMPv3.
    2. Enter a unique Credential name.
    3. (Optional) Add a Description to help identify this credential.
    4. Enter the Username for the SNMPv3 account.
    5. Specify the Port number. The default is 161.
    6. In Security Level, select Authentication and privacy. This uses both authentication and encryption, and is currently the only option.
    7. Select an Authentication algorithm: SHA-256, SHA-384, or SHA-512.
    8. Enter the authentication password.
    9. Select a Privacy algorithm: AES-256 or AES-256C.
    10. Enter the privacy password.
    11. Click Create to save the credential.

    To add Windows credentials, do as follows:

    1. Under Credential type, select Windows.
    2. Enter a unique Credential name.
    3. (Optional) Add a Description to help identify this credential.

    4. Select the Authentication method:

      • Kerberos: Kerberos authentication for domain environments
      • NTLM Hash: NTLM hash-based authentication
      • Password: Standard username and password authentication

      If you selected Kerberos authentication, do as follows:

      1. Enter the Username.
      2. Enter the Password.
      3. Enter the Domain.
      4. Enter the Key Distribution Center (KDC) address.
      5. Enter the KDC Port. The default is 88.
      6. Select the KDC Transport protocol: TCP or UDP.
      7. Enter the Realm.

      If you selected NTLM Hash authentication, do as follows:

      1. Enter the Username.
      2. Enter the Hash.
      3. Enter the Domain.

      If you selected Password authentication, do as follows:

      1. Enter the Username.
      2. Enter the Password.
      3. (Optional) Enter the Domain.

    5. Click Create to save the credential.

    If you want to test the credential, see Test Managed Risk credentials.

    To ensure successful Windows scanning, follow the configuration steps in Tenable: Credentialed Checks on Windows.

    1. Under Credential type, select SSH.
    2. Enter a unique Credential name.
    3. (Optional) Add a Description to help identify this credential.

    4. Select the Authentication method.

      • Kerberos: Kerberos authentication for integrated environments
      • Password: Standard username and password authentication
      • Public Key: Authentication using SSH key pairs

      If you selected Kerberos authentication, do as follows:

      1. Enter the Username.
      2. Enter the Key Distribution Center (KDC) address.
      3. Enter the KDC Port. The default is 88.
      4. Select the KDC Transport protocol: TCP or UDP.
      5. Enter the Realm.

      If you selected Password authentication, do as follows:

      1. Enter the Username.
      2. Enter the Password.
      3. Select the Elevate privileges with option if needed.

      If you selected Public Key authentication, do as follows:

      1. Enter the Username.

      2. For the Private key, click Add File to upload your private key file, or paste your private key directly.

        Note

        Only RSA and DSA OpenSSH keys are supported.

      3. Enter the Private key passphrase (if your key is protected with one).

      4. Under Elevate privileges with, select the appropriate option:

        • Nothing: Don't use privilege elevation.
        • sudo: Use sudo for privilege elevation.
        • Enter the sudo user (the account to escalate to).
        • Enter the sudo password (if required).

    5. (Optional) Enter Targets to prioritize credentials: hostnames, IPs, or CIDR blocks (comma or space-separated).

    6. Click Create to save the credential.

    For SSH host-based authentication configuration, see Configure a Tenable Nessus Scan for SSH Host-Based Checks.

    1. Under Credential type, select VMware ESX SOAP API
    2. Enter a unique Credential name.
    3. (Optional) Add a Description to help identify this credential.

    4. In ESX SOAP API Authentication Method, select Username and Password. This is the only option currently available.

      1. Enter the Username for the VMware account with administrative privileges.
      2. Enter the Password for the account.

    5. Click Create to save the credential.

    To perform comprehensive scanning, the account must have administrative access to the VMware ESX/ESXi host. This credential type is specifically designed for scanning VMware virtualization environments.

Edit a credential

To edit a credential, do as follows:

  1. Go to Managed Risk > Settings.
  2. Select the Credentials tab.
  3. Find the credential you want to edit in the list.
  4. In the Actions column, click the three dots Three dots icon..
  5. Select Edit.
  6. Make the changes to the credential details.
  7. Click Update.

Delete a credential

  1. Go to Managed Risk > Settings.
  2. Select the Credentials tab.
  3. Find the credential you want to delete in the list.
  4. In the Actions column, click the three dots Three dots icon..
  5. Select Delete.
  6. In the confirmation dialog, click Confirm to permanently delete the credential.

When you delete a credential, we remove it from all scan configurations where it was being used. This might affect future scans that were configured to use it.

Refresh the credentials list

To refresh the list of credentials, click the refresh icon Refresh icon. at the top right of the list.

Troubleshooting

If you have problems with Managed Risk credentials, do as follows:

  • Ensure firewall rules allow traffic from the scanning appliance's IP address.
  • Verify the Remote Registry service is running on target systems.

For information on testing credentials, see Test Managed Risk credentials.