How to Setup Windows For a Nessus Credentialed Patch Scan
Setting up a Windows 10 PC so that It can be scanned by Nessus using a fully credentialed patch scan is and straight forward process but there are several parts required for it to work. This guide includes the manual steps required but you can also implement the settings using a centralised RMM tool if you have one. Also Note in most Local AD environments Nessus will work without any changes. For standalone or Azure AD joined workstations these steps are required.
The steps required are as follows:
- Configure the network profile to private for standalone or Azure AD joined devices and Domain for local AD domain joined devices.
- Create a new Nessus local administrator account.
- Allow WMI access through the firewall.
- Allow File and Printer Sharing through the firewall.
- Create a LocalAccountTokenFilterPolicy registry entry.
- Set the Remote Registry service to Manual.
Configure the network profile
First step is to ensure the network profile on each computer is set to the Private or Domain if you’re in a local domain environment. If you’re not sure choose Private
Open Windows settings from the start menu.
Click on ‘Network & Internet’.
Click on Wireless or Ethernet depending on how the machine is connected.
Click on the network connection.
Set the Network Profile to Private.
Create a new Nessus local administrator account
Open ‘Computer Management’ by right clicking on the start menu icon. Then click ‘Computer Management’.
Click on ‘Local Users and Groups’ from the left hand panel. Click on Users then right click and select ‘New User’.
Set the ‘User name’ to Nessus and set a long random password of at least 13 characters and press Create.
Click on Groups from the left hand panel. Double click on ‘Administrators’ and click the ‘Add’ button. Add the new Nessus account to the list and press OK.
Allow WMI access through the firewall
Open up the Windows Firewall settings by clicking on the start menu and start typing ‘windows firewall.
‘Windows Defender Firewall’ should show up at the top of the list. Click on Windows Defender Firewall to open it.
Click ‘Advanced Settings’ then ‘Inbound Roules’ then ‘New Rule’.
From the Predefined list select ‘Windows Management Instrumentation (WMI)’ and click on Next.
From the rule list select the options from the image shown.
Keep pressing Next and accept all other default options until it finishes.
Allow File and Printer Sharing through the firewall
Click on ‘New Rule’ again and this time select ‘File and Printer Sharing’ from the list and press Next.
Select the rules in the image below and press Next accepting all other default values until it finishes.
Create a LocalAccountTokenFilterPolicy registry entry
Open the Registry Editor by clicking on the start menu and type ‘regedit’. The Registry Editor program should show up in the list. Click on it to open the editor.
Next browse down to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Right click on System and select ‘New’ -> DWORD (32 bit) Value.
Give the value the name of LocalAccountTokenFilterPolicy.
Click on the new item and set the Value data to 1 and press ok.
Set the Remote Registry service to Manual
Click on the start menu and type services.msc. The Services app should show in the start menu so click on it to open.
Find the ‘Remote Registry’ service from the list and double click on it.
Set the ‘Startup Type’ to Manual and press ok.
Now reboot the computer and it is ready for the Nessus vulnerability scan.
If you have any issues getting a successful scan it may be due to a 3rd party firewall blocking the required services from being accessed.
If you found this useful or you want to suggest a chance please comment below.