9

Resources

Last Update il y a 18 jours

Whitelist Domain Rules - Microsoft OS and Microsoft Product Patches Whitelist Domain Rules - Third Party Patches Whitelist SecOps Solution Code Signing Public Certificate in a Windows System Configuring the Service Account for macOS Patch Management on Apple Silicon Configuring Proxy on Agents

Authenticated vs. Unauthenticated Vulnerability Scanning

Ashwani

Last Update il y a 6 mois

Overview

This document describes the characteristics of each scan type and serves as a reference for selecting the appropriate scan approach based on assessment scope, access constraints, and depth requirements.

Vulnerability Scanning is performed using two primary scan types:

  • Unauthenticated Scan
  • Authenticated Scan

These scan types differ based on whether access credentials are provided to the target system during execution and directly influence the depth and visibility of the assessment. 

Unauthenticated Scan

An unauthenticated scan is performed without providing any access credentials to the target system. The scan interacts with the target remotely and relies solely on network-accessible interfaces.

During this scan type, the target system is identified using network-based fingerprinting techniques. The scan enumerates open ports, exposed services, and reachable endpoints, and evaluates conditions that are externally observable, such as:

  • Network reachability and host discovery

  • Open ports and listening services

  • Service and protocol behavior

  • Externally visible service configuration

  • Publicly accessible application endpoints

  • Certificate and encryption-related exposure, and so on


This scan type does not perform intrusive or host-based checks and is limited to conditions observable from a remote perspective.

Unauthenticated scans are commonly used to assess network exposure, externally reachable services, and perimeter-facing assets.

Authenticated Scan

An authenticated scan is performed using valid credentials that allow secure access to the target system during the scan. This enables direct inspection of the system’s internal state and provides a deeper and more accurate assessment compared to unauthenticated scans.

Authenticated scans include all network-level checks performed during unauthenticated scans and extend assessment coverage to host-level components that are not externally visible.

With authenticated access, the scan can evaluate operating system details, installed applications, patch status, configuration settings, and local services. This allows vulnerabilities to be validated based on actual system conditions rather than inferred from exposed services.

Authenticated scans provide visibility across:


  • Network-layer exposure and service configuration (as covered in unauthenticated scans)

  • Operating system security updates

  • Vulnerable Microsoft applications and components

  • Third-party software and dependencies

  • Application frameworks and libraries (including Log4j-related exposure)

  • Local services, configurations, and system-level settings

  • Conditions contributing to the system’s overall attack surface


Because findings are validated directly on the host, authenticated scans typically result in more accurate detection and fewer false positives. 

The selection of scan type depends on assessment requirements and access constraints. However, authenticated scans generally provide broader coverage and are preferred when complete system visibility is required.

Authentication Protocols

Authenticated scans require valid credentials to establish secure access to the target system. The authentication protocol and method used depend on the operating system of the target host.

Linux and macOS Systems

For Linux and macOS targets, authenticated scans are performed using the SSH protocol.

SecOps supports the following SSH authentication methods:

  • Whitelisted Public Key authentication (Recommended)
    SecOps generates a public key that can be whitelisted on the target system. Once the public key is added to the authorized keys on the host, the platform uses the corresponding private key internally to establish SSH access. This method avoids sharing sensitive private keys and is recommended for secure and scalable deployments.

  • Password-based authentication
    Access is established using a valid username and password configured on the target system.

  • SSH key-based authentication (Private Key Upload)
    Access is established using an SSH private key provided by the user. The corresponding public key must already be configured on the target system.

    These authentication methods provide flexibility to align with different security policies and access control requirements.

    Windows Systems

    For Windows targets, authenticated scans are performed using the WinRM protocol.

    WinRM authentication requires:

    • A valid username

    • A corresponding password with sufficient access permissions

    This method enables secure remote access to Windows systems for host-level inspection during authenticated scans.

    Summary

    Unauthenticated scans assess targets from a remote perspective without credentials and are limited to externally visible conditions. Authenticated scans provide internal visibility through secure access and encompass all network-level scanning aspects as well. For complete assessment coverage, authenticated scans are recommended, with scan selection guided by the required scope and depth of assessment.
     

    Was this article helpful?

    0 out of 0 liked this article

    Still need help? Message Us