Tools

Preparing for the vulnerability scan job

Some vulnerability scan modules, such as those that test file permissions or check installed patch and software versions, require full access to the target host. Vulnerability scan modules for Microsoft Windows hosts specifically require an administrator account with access not only to the file system but also to the registry. To perform a full scan using all modules, you must configure the vulnerability scan job with the user name and password of an administrator account.

You can provide the vulnerability scan with an administrator account by creating a new local or domain administrator account, rather than providing an existing administrator account. However, many Windows hosts are configured so that accounts authenticating over the network inherit guest privileges, rather than the administrator privileges they would normally have when logging in locally. Guest privileges are not sufficient for all vulnerability scan modules. To ensure that all modules have the privileges they require to function correctly when authenticating remotely, change the network access security policy for local accounts to "Classic: local users authenticate as themselves" for the duration of the vulnerability scan.

Caution: Configuration changes necessary for a full vulnerability scan can temporarily introduce additional risks. If possible, use a firewall or other method of mitigation, such as FortiClient, to limit which hosts can access the target host during the vulnerability scan, allowing only connections from the FortiAnalyzer, and undo any vulnerability scan configuration changes after the scan.

To configure the security policy for local accounts authenticating remotely (Windows XP)

The following procedure describes how to modify the local security policy of a Windows XP target host for which you have configured a local administrator account. This procedure may vary for other versions of Windows, or for target hosts whose security policy and user accounts are administered at the domain level rather than locally to each host.

1 Go to Start > Run, enter mmc, and then select OK to start the Microsoft Management Console.

2 If a security policy console file already exists, select File > Open to open the existing console file.

If no security policy console file exists, select File > New to create a new console file.

Caution: Use care when creating a domain or local security policy, and verify that there is no pre-existing security policy. If you are unsure whether or not there is already an existing security policy in effect, consult the owner of the system. Creating a new console may overwrite any existing policy, including applying default values to settings that you have not modified specifically for the remote vulnerability scan.

3 If the console root does not contain Local Computer Policy (a Group Policy Object Editor snap-in that is stored on the local computer), you must add that snap-in. For instructions, see the help for the Microsoft Management Console.
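The policy setting that the procedure above changes through the MMC is backed by the forceguest registry value under the LSA key (0 selects the Classic model, 1 selects Guest only). The following PowerShell script is an added example, not part of the FortiAnalyzer guide: it records the pre-scan value, switches the host to the Classic model for the scan, and restores the original state afterwards, as the caution above recommends. It assumes PowerShell is available on the target host (built into Windows Vista and later, a separate install on Windows XP), that it runs elevated, and that the snapshot file path is a placeholder you can change.

```powershell
# Added example (not from the FortiAnalyzer guide). Assumes an elevated
# PowerShell session on the target host; the snapshot path is a placeholder.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'forceguest'   # 0 = Classic (local users authenticate as themselves), 1 = Guest only
$Snapshot  = Join-Path $env:ALLUSERSPROFILE 'forceguest-prescan.txt'

function Get-ForceGuest {
    # Returns the current DWORD, or $null when the value is absent (OS default applies).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-ClassicModel {
    # Record the pre-scan state first so the change can be undone after the scan.
    $current = Get-ForceGuest
    $saved = if ($null -eq $current) { 'absent' } else { [string]$current }
    Set-Content -Path $Snapshot -Value $saved
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value 0 -Type DWord
    Write-Host "forceguest set to 0 (Classic); previous state '$saved' saved to $Snapshot"
}

function Restore-PreScanModel {
    # Put the host back exactly as it was: remove the value if it did not exist before.
    if (-not (Test-Path $Snapshot)) { throw "No snapshot at $Snapshot; nothing to restore." }
    $saved = (Get-Content -Path $Snapshot -TotalCount 1).Trim()
    if ($saved -eq 'absent') {
        Remove-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value ([int]$saved) -Type DWord
    }
    Remove-Item -Path $Snapshot
    Write-Host "forceguest restored to pre-scan state ($saved)"
}

# Usage: Enable-ClassicModel before starting the scan job; Restore-PreScanModel when it finishes.
```

The setting applies to new network logons, so run Enable-ClassicModel before the FortiAnalyzer connects rather than while a scan is already in progress.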

FortiAnalyzer Version 3.0 MR7 Administration Guide


05-30007-0082-20080908
