Overview

Nessus is often used to perform network-based assessments of Windows domain computer systems. However, giving Nessus a little insider information can result in more thorough and accurate scans, and can allow local registry security checks to be conducted using a remote network scan. Specifically, Nessus can use a pre-configured domain username and password to access system registry settings that would not be accessible without the required credentials.

By default, remote registry access is typically only accessible to domain administrators. It is possible to create an account on a domain, give it domain administrator privileges, and configure Nessus to use that account when performing scans. However, this presents problems for both domain security and the scan results. It is undesirable to have more administrator accounts than absolutely necessary, so creating additional admin accounts just for the purpose of running scans may be unacceptable. During times when no scans are being conducted, individuals may attempt to use the domain admin account for purposes other than what was intended. While it is possible to disable accounts when not in use and enable them only when running scans, this can become burdensome from a management perspective.

Another shortcoming to using an account with full domain admin credentials is that scan results may not accurately reflect the true security posture of the target environment. For example, it may be difficult to detect improperly configured file shares on various domain servers because the Nessus scan using full domain admin privileges will have much more access...