Preparing for the vulnerability scan job

Tools

authenticating without root or administrator credentials are typically not able to view sensitive areas of the system software or configuration; scans involving those parts cannot be assessed accurately without administrator credentials. You may also be required to modify the target host’s security policy to allow the connections and to ensure that the account uses administrator privileges when authenticating remotely. Some vulnerability scan modules, such as those that test for denial of service (DoS) attack vulnerability by simulation, can degrade network performance during the scan. For all of these reasons, you may want to work with the owners of the target hosts to schedule an appropriate time. For example, you might schedule the scan to avoid peak traffic hours, restrict unrelated network access, configure a local or domain administrator account for the express purpose of the vulnerability scan, and ensure that the target hosts will not be powered off during the vulnerability scan.

Required preparation varies by the operating system or other installed software on the target host, and by the vulnerability scan modules that you want to use. For more information about preparing Windows and Unix variant operating systems for a vulnerability scan, see “Preparing Windows target hosts” on page 158 and “Preparing Unix target hosts” on page 160.

You may want to consider temporarily removing obstacles that prevent the vulnerability scan from reliably connecting to the intended target hosts on the required standard port numbers. If you do not remove the obstacles, the vulnerability scan may contain false negatives or may be unable to complete a full scan. However, some vulnerability scan obstacles are typical network security or other infrastructure, so removing or disabling them can involve some risk. In this case, you will want to consider whether or not you require a full scan, and how to negate or mitigate any risk during the scan. Examples of vulnerability scan obstacles include:

intrusion prevention systems (IPS)

dynamic NAT

port forwarding

firewalls, including FortiGate units and FortiClient installations

Consider also the perspective from which you are performing the vulnerability scan, and your network’s routing or other configuration to ensure that you do not scan target hosts outside your intended network space. For example, if you want to assess vulnerability from the perspective of the external network, but do not wish to impact the private network of a business partner whose network is connected to yours, you may want to connect the FortiAnalyzer unit to the external network while running the vulnerability scan job, and to carefully restrict the IP addresses and routing of traffic to target host IP addresses.
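The scoping check described above can be made mechanical before the job is started: every target (a single address or a whole range) is accepted only if it lies entirely inside the network space you intend to scan and does not touch any range you have agreed to leave alone, such as a connected business partner's network. The following is an added example, not part of the FortiAnalyzer guide or product; the CIDR ranges and target list are constructed from the RFC 5737 documentation address blocks, and the function names are this example's own.

```python
"""Pre-flight scope check for a vulnerability scan target list (added example).

A target is accepted only when it is a literal IP address or CIDR range that is
fully contained in at least one in-scope range and overlaps no excluded range.
Hostnames are rejected so that they are resolved and re-checked as addresses
before the scan job is started.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data (RFC 5737 documentation ranges, not real networks).
IN_SCOPE = ["192.0.2.0/24", "198.51.100.0/24"]      # our own address space
EXCLUDED = ["192.0.2.128/25"]                        # partner range inside it
SAMPLE_TARGETS = [
    "192.0.2.10",              # single host, in scope
    "192.0.2.130",             # single host, inside the partner range
    "203.0.113.7",             # outside every in-scope range
    "192.0.2.0/24",            # whole range that straddles the partner range
    "198.51.100.0/26",         # sub-range fully inside scope
    "db01.example.internal",   # hostname, not a literal address
]


def parse_networks(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings; strict=False accepts host bits set (e.g. 192.0.2.5/24)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _contained(net: Network, nets: List[Network]) -> bool:
    """True if net is a subnet of (or equal to) at least one network in nets."""
    return any(n.version == net.version and net.subnet_of(n) for n in nets)


def _overlaps(net: Network, nets: List[Network]) -> bool:
    """True if net shares any address with a network in nets."""
    return any(n.version == net.version and net.overlaps(n) for n in nets)


def check_scope(
    targets: Iterable[str], in_scope: Iterable[str], excluded: Iterable[str]
) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split targets into (accepted, rejected); rejected entries carry a reason."""
    allowed = parse_networks(in_scope)
    denied = parse_networks(excluded)
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for target in targets:
        try:
            # A bare address parses as a /32 (or /128) network.
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            rejected.append((target, "not a literal IP address or CIDR; resolve and re-check"))
            continue
        if _overlaps(net, denied):
            # Even a partial overlap rejects the whole range: a /24 that straddles
            # a partner /25 must be split by the operator, not scanned as-is.
            rejected.append((target, "overlaps an excluded range"))
            continue
        if not _contained(net, allowed):
            rejected.append((target, "not fully inside any in-scope range"))
            continue
        accepted.append(target)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_scope(SAMPLE_TARGETS, IN_SCOPE, EXCLUDED)
    print("Accepted targets:", ok)
    for target, reason in bad:
        print(f"Rejected {target}: {reason}")
```

Run the check against the scanner's actual target list before creating the job, and treat any rejected entry as something to fix in the list (or in the routing that carries the scan traffic) rather than as a warning to skip.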

Preparing Windows target hosts

Vulnerability scan modules targeting Microsoft Windows hosts require the ability to log in to the target host using the NetBIOS protocol. If NetBIOS is not already enabled on target hosts running Windows, you must enable it for the duration of the vulnerability scan.

 

FortiAnalyzer Version 3.0 MR7 Administration Guide

158

05-30007-0082-20080908
