Vmexercises V7
Training Labs
All Material contained herein is the Intellectual Property of Qualys and cannot be
reproduced in any way, or stored in a retrieval system, or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
without the express written consent of Qualys, Inc.
Please be advised that all labs and tests are to be conducted within the parameters outlined
within the text. The use of other domains or IP addresses is prohibited.
Contents
Introduction
  Prerequisites/System Requirements
LAB 1 – Account Setup (15 min.)
  Add Initial Assets to Your Account
  Personalize Your Account
  Context Sensitive Help/Online Manual
LAB 2: KnowledgeBase Search List (30 min.)
LAB 3: Mapping (30 min.)
  Mapping Targets
  Add Mapping Target
  View and Use Map Results
  Additional Exercises
LAB 4: Asset Management (30 min.)
  Asset Group
  Asset Tag
  Asset Management Application
LAB 5: Vulnerability Scan (30 min.)
  Trusted Scanning
  Additional Exercises
LAB 6: Reporting (30 min.)
  Additional Exercises
LAB 7: User Management (10 min.)
  Create User Account
LAB 8: Remediation (15 min.)
A Final Note – Account Setup
  Contacting Support
Introduction
The Vulnerability Management application will provide you and your organization with the tools and
features needed to successfully manage and mitigate vulnerabilities. When you complete all of the
exercises in this lab document you will be able to:
1. Map the Network
2. Manage Host Assets
3. Scan the Network
4. Report on Scans
5. Manage User Accounts
6. Remediate Risk
Please do not skip any of the required lab exercise steps, as they will be needed to complete other lab
exercises later. Some labs contain a section called “Additional Exercises” that can be performed any
time, at your own convenience.
Prerequisites/System Requirements
To perform the exercises in this lab, you will need:
1. Qualys Account
2. Web Browser
– Internet Explorer 9, 10, 11, or greater
– Mozilla Firefox (latest version from stable release channel)
– Google Chrome (latest version from stable release channel)
– Safari (latest version)
3. Java Browser Plug-in
4. Adobe Acrobat Reader or comparable
Tip: Your browser’s Pop-up Blocking configuration can interfere with the proper functioning of the Qualys
User Interface. Please modify the settings of your Web browser to:
1. Allow all pop-ups (less secure), or
2. Allow pop-ups from qualys.com (more secure)
LAB 1 – Account Setup (15 min.)
This lab will address a few steps needed to setup your Qualys user account and the Vulnerability
Management application. These steps will make it possible to complete the remaining lab exercises in
this document.
Login to Qualys
Your Qualys instructor will provide you with a URL to download your demo account credentials.
1. Download and then open the demo account file provided to you by your Qualys instructor.
2. Record the USERNAME from this document (ex. Quays2qq32) and save it in a safe place (e.g., text
document or password manager). Notice that the period at the end of the sentence is NOT
actually a part of the USERNAME.
3. Click the ONE TIME link to collect your password and complete the login process.
4. Record the PASSWORD from this document (ex. GL81uSwYGe) and save it in a safe place (e.g., text
document or password manager).
5. Use the link provided in the “password” document to login and activate your Qualys demo
account.
The First Login window displays your default user information.
6. Leave the “Country” field set to Antarctica (this will facilitate access to the targets used in this
lab).
7. Select the check box to accept the “Service User Agreement” and click the “I Agree” button.
A pop-up window will list the features and benefits provided by the New Data Security Model:
The New Data Security Model (NDSM) combines high performance disk encryption with Virtual Private
Database (VPD) technology to ensure that your data is only visible and accessible to authorized users
(i.e., users within your account subscription) that have valid authentication credentials.
The NDSM also provides advanced productivity and detection features:
Although the Quick Start steps will not be used in this lab, you can always display these steps again by
clicking on your Qualys User ID (to the right of the Help button) and selecting the “Quick Start Guide”
option.
Add Initial Assets to Your Account
The next few steps will add some initial host assets to your account.
Host Tracking
Three basic methods are available for tracking the vulnerability history of each host within your
subscription:
Host IP Address
Host DNS Name
Host NetBIOS Name
The objective is to choose the tracking method for each host that provides the greatest consistency over
time (i.e., the tracking method that does not change).
1. Use your mouse to navigate to 1) the “Assets” section, and then click on 2) the “Host Assets” tab.
2. Click the “New” button, and select the option to track each host by its DNS name. Tracking by DNS
name will maintain host history data even if the IP address changes.
3. Click the “Host IPs” section (left navigation pane) and type the following IP address range into the
“IPs:” field: 64.39.106.244-64.39.106.247 (DO NOT USE COPY AND PASTE).
4. Click the “Add” button, to add all four IP addresses to your account.
NetBIOS Tracked Hosts
6. Use your mouse to navigate to 1) the “Assets” section, 2) the “Host Assets” tab, click the “New”
button and select 3) NetBIOS Tracked Hosts. Tracking by NetBIOS name will maintain host history
data even if the IP address changes.
7. Click the “Host IPs” section and type the following IP address ranges into the “IPs:” field:
64.39.106.242, 64.39.106.243, 64.39.106.248, 64.39.106.249 (DO NOT USE
COPY AND PASTE).
8. Click the “Add” button, to add all four IP addresses to your account.
9. Click the “OK” button to acknowledge your scanning permission.
Personalize Your Account
The steps that follow will help to personalize your student user account, and make other adjustments
that will provide a more effective training environment.
1. Click on your Qualys User ID (located just to the right of the Help button) and select “User Profile”.
General Information
2. Change the “First Name” field and “Last Name” field to reflect your own name.
3. Update the “E-mail Address” field with your current e-mail address (all notifications and password
reset information will be sent to the address you provide).
4. Leave the “Country” field set to Antarctica (this is a requirement for student accounts).
Notification Options
All notification options will be sent to the e-mail address specified in the “General Information” section.
5. Use the navigation pane (left) to select Options, and leave all Scan and Map options turned on.
6. Click the “My reports” radio button to activate notification for reports that you create.
Session Timeout
Although this next adjustment is not typically recommended in a production environment, it will allow
you to maintain an ACTIVE session throughout this training class.
1. Navigate to 1) Users, 2) Setup, and 3) open the “Security” dialog.
2. Increase your Session Timeout value to the maximum (240 min.)
3. Click the “Save” button. You can return Session Timeout to a secure value at the completion of
today’s training class.
Context Sensitive Help/Online Manual
1. Click on the “Help” button in the upper right hand corner, and select the “Online Help” option.
The “Search” option will help you to find specific topics, and provide links to helpful Qualys videos.
The “Contents” option will provide you with a start-to-finish explanation of Vulnerability Application
tasks and features.
LAB 2: KnowledgeBase Search List (30 min.)
A “Search List” is an extension of the Qualys KnowledgeBase, and is one of the most powerful
customization tools within the Vulnerability Management application. The name “Search List” is derived
from the KnowledgeBase “Search” tool that is used to create a list of vulnerabilities.
Add a Search List to an Option Profile, to perform a very accurate and precise vulnerability scan.
Add a Search List to a Report Template to create a Patch Report for “High Risk” vulnerabilities.
Create a Remediation Policy that automatically ignores “Low Risk” vulnerabilities, or assign
Windows OS vulnerabilities to the Windows team lead, and set a deadline for timely patching.
1. Use your mouse to navigate to 1) the “Search Lists” tab, click 2) the “New” button, and 3) select the
“Import from Library” option.
2. Click the top level check box to select all lists in the library.
3. Click the “Import” button.
1. Navigate to any of the three “Search Lists” tabs (you will find one within each of the “Scans,”
“Reports,” and “KnowledgeBase” sections). All three tabs perform the same function.
2. Click the New button and select the “Dynamic List” option.
3. In the “Title” section, choose the name Low Severity Vulns (Sev. 1 and 2) no patch.
4. Select “List Criteria” in the navigation pane. Scroll down and select the “No Patch Solution” check
box. Vulnerabilities that do not have a patch solution typically take more time to mitigate, and
therefore cost more to resolve than vulnerabilities that already have a patch.
5. Scroll down and choose Levels 1 and 2 for Potential Severities. Remember: while these
vulnerabilities individually have a low impact, collectively they can lead to a potential compromise.
6. Save the List.
This list of “Low Impact” vulnerabilities will provide a good resource later, when you build a Remediation
Policy that demonstrates the steps for “ignoring” a list of vulnerabilities.
1. Go to the “KnowledgeBase” tab. Click on the icon, and change the number of rows you
are viewing in the KnowledgeBase to 500.
LAB 3: Mapping (30 min.)
Map reports are very useful tools when managing all host assets within your company or enterprise
architecture. Only mapping provides “discovery” data that will allow you to distinguish between
authorized and unauthorized hosts. When used properly, mapping will give you the ability to add new
hosts to your Vulnerability Management subscription, approve other hosts that will not be added to
your subscription, and even find “rogue” devices within your network.
Mapping Targets
Unless you manage a limited number of hosts, it is considered a “best practice” to map your network or
enterprise architecture in small segments. You can accomplish this task using any of the basic mapping
targets:
Asset Group
Domain
Netblock
Understanding the proper use of mapping targets will lead to the creation of successful map reports.
Asset Group
Although Asset Groups will be defined in detail later, within the Asset Management lab, a couple of key
points are required here in the discussion of mapping:
Asset Groups only contain hosts that have already been added to your Vulnerability
Management subscription.
The “Domains” and “IPs” checkboxes are used only when an Asset Group has been selected as a
target.
Domain
Another target option for mapping involves using a domain name. A domain name must be added to
the “Domains” tab, before it can be used as a target for mapping. Basic DNS reconnaissance is used to
collect information from a domain target. Additionally, TCP, UDP, and ICMP probes are used to validate
the DNS reconnaissance findings.
Netblock
A netblock must also be added to the “Domains” tab, before it can be used as a mapping target. The
“none” Domain is a special domain, used to add netblocks to the “Domains” tab. Various probes such as
TCP, UDP, and ICMP are used to locate LIVE hosts within the targeted netblock.
1. Use your mouse to navigate to the 1) “Assets” section, 2) “Domains” tab, click on the 3) “New”
button and select the “Domain” option.
Launch Map
In the next few exercise steps, you will use the “none” domain target to create a Map Report of the
hosts within the Qualys Training Network.
1. Use your mouse to navigate to the 1) “Scans” section, 2) “Maps” tab, click on the 3) “New” button
and select the “Map” option.
6. Click the “Launch” button to begin mapping. It is normal for your map task to display the
“Queued” status, before changing to the “Running” status.
1. To view your finished map results, open the Quick Action menu and select the “View Report”
option.
2. Scroll down to the “Results” to view the hosts that were discovered.
Each host is identified by its IP address and name (DNS or NetBIOS). If “Basic Information
Gathering” is enabled the map will also provide Router and OS information.
The columns that appear on the right side of the report are used to identify authorized hosts (A),
scannable hosts (S), live hosts (L), and netblock hosts (N). A host is considered “scannable” if it has
already been added to your Vulnerability Management subscription. The “netblock” symbol is only
relevant when a netblock is selected as the mapping target.
3. Click the arrow icon to the left of a host to view its discovery method.
Notice host 63.229.56.186 is not a member of the target netblock, but was discovered via
traceroute. Host demo10 (64.39.106.240) is Unix-based, and was discovered using multiple
techniques (probes).
Actions Menu
The “Actions” drop-down menu is provided to perform various actions on any host that appears in the
Map Results.
The key to using a map report is: 1) use a checkbox to select a host, 2) choose an action from the
“Actions” menu, and 3) click the “Apply” button.
The next set of exercises will walk you through the steps of adding new hosts to your Vulnerability
Management subscription, adding several hosts to a new Asset Group, and launching an initial
vulnerability scan.
Add Hosts to Subscription
Hosts demo10 and demo11 cannot be scanned for vulnerabilities, until they are added to your
Vulnerability Management subscription.
4. Place a check next to host demo10 (64.39.106.240) and host demo11 (64.39.106.241).
5. Use the “Actions” menu to select the “Add to Subscription” action, and click the “Apply” button.
6. Click the “Add” button to confirm your IP address selection.
7. Click the “OK” button to confirm your permission to scan.
Looking at the “DNS” column, it is easy to see that many hosts are located in Seattle (SEA).
8. Place a check next to all hosts located in the sea.qualys.com domain.
9. Use the “Actions” menu to select the “Add to new Asset Group” action, and click the “Apply”
button.
10. In the Asset Group “Title” field type: Seattle, and click the “Save” button.
Launch Initial Scan
To collect some initial scan data that will be used in the Asset Management lab, the Map Report will be
used to complete one final task: launching a vulnerability scan.
11. Place a check next to all ten hosts that are now in your Vulnerability Management subscription
(64.39.106.240 – 64.39.106.249).
12. Use the “Actions” menu to select the “Launch Vulnerability Scan” action, and click the “Apply”
button.
13. In the scan “Title” field type: Initial Vulnerability Scan.
14. Leave the “Option Profile” field and “IPs/Ranges” field set to their default values, and click the
“Launch” button.
15. When the “Scan Status” window appears, click the “Close” button.
16. Close the Map Results (File > Close).
Additional Exercises
You may perform all “Additional Exercises” at your own convenience. Other lab exercises in this
document are not dependent on the outcome of these exercises.
Scheduled Maps
You can use “differential reporting” to compare two maps to identify new hosts introduced into the
network, as well as retired hosts that have been removed.
Reporting like this relies on having regular snapshots of the network from which to make a comparison.
The next lab steps are designed to schedule a Map Report to run every day.
1. Use your mouse to navigate to the 1) “Scans” section, 2) “Maps” tab, click the 3) “New” button
and select the “Schedule Map” option.
2. Configure the schedule with the following details:
Scheduling: Start the scheduled task at a future date and time (time zone is required)
Occurs: Daily
3. Click “Save”.
3. While viewing the map results, click the “File” menu and select the “Download” option.
Experiment with different file formats. A CSV file can be easily imported into a spreadsheet.
4. While viewing the same map results, click the “View” menu and then select the “Graphic Mode”
option.
5. Use the filters on the left to locate the Windows assets in the map results (right). Experiment with
different OS options.
6. Click the icon over any host to view its information in the preview pane.
You can also toggle the “Summary” and “Results” tabs at the top of the window to view a list of
assets discovered in the map.
LAB 4: Asset Management (30 min.)
There are an infinite number of ways to organize the host assets within the Vulnerability Management
application. Here are just a few examples:
Geographical location
Service provided
Device type or operating system
Responsible operational team
Asset owner
IP address
Business impact
Although the methods listed above are commonly used, it is important to recognize that every company
is unique, and your company may choose to organize and manage its host assets using methods or
techniques that others do not even consider.
The proper use of Asset Groups and Asset Tags will allow you to effectively organize and manage host
assets within the Vulnerability Management application.
Both Asset Groups and Asset Tags can be combined to accomplish numerous objectives, such as:
Creating targets for mapping, scanning, reporting, and remediation.
Assigning access privileges to individual user accounts.
Host identification and inventory management.
This Asset Management lab will begin with a discussion of Asset Groups, and then finish with a
discussion of the Asset Tag features and characteristics that extend the capabilities of traditional Asset
Groups.
Asset Group
Asset Groups are the original mechanism for managing assets within the Vulnerability Management
application. Asset Groups provide “containers” for collecting host assets. Simply create an Asset Group,
give it a name that reflects its host members, and add the appropriate host IP addresses. Here are some
important characteristics of an Asset Group:
Used to assign access privileges (IPs, scanners, and domains) to individual user accounts.
Contain a “Business Impact” attribute that is used to calculate Business Risk.
Can be used as a target for mapping, scanning, reporting, and remediation.
A single host IP address can be a member of multiple Asset Groups.
Nesting one Asset Group inside another is not supported.*
Created and updated manually.*
* The last two items in this list will be addressed through the use of Asset Tags. Asset Tags are updated
automatically and dynamically with every vulnerability scan. Asset Tag “nesting” is the recommended
approach for designing functional Asset Tag “hierarchies” (parent/child relationships).
2. Use the “Quick Actions” menu to “Edit” the “Seattle” Asset Group.
To assign a domain to an individual user, the domain must first be associated with an Asset Group,
and then the Asset Group must be assigned to the target user.
3. From the navigation pane click the “Domains” option and use the “Available domains” drop-down
menu to associate the “none” domain with the “Seattle” Asset Group.
With the domain association complete, any user that receives access to the “Seattle” Asset Group,
will also receive access to the “none” domain (for mapping purposes).
Business Impact
Some hosts are more important than others. While both printers and database servers represent
legitimate attack vectors within your network, your time is typically best spent fixing a critical
vulnerability on your DBMS – one that could be used to steal critical data – rather than a
vulnerability that can take a networked printer off-line.
With this in mind, Asset Groups contain a “Business Impact” setting. Set it up now, and it’ll pay
dividends later under Reporting – where we’ll use it to identify real Business Risk.
4. From the navigation pane, select the “Business Info” option.
5. Use the “Business Impact” drop-down menu to change the “Seattle” Asset Group to Medium.
6. Click the “View” Link (just right of Business Impact).
Business Risk is the product of the “Average Security Risk” (represented by the various severity
levels associated with each vulnerability) and the Asset Group’s “Business Impact” setting.
Notice that the vulnerabilities discovered on host assets that belong to an Asset Group with a
“Critical” or “High” Business Impact setting, will carry a higher Business Risk Score than hosts in the
“Seattle” Asset Group (Business Impact = MEDIUM), while vulnerabilities discovered on host assets
that belong to Asset Groups with a “Minor” or “Low” Business Impact setting will carry a lower
Business Risk Score.
7. Click the “Close” button.
8. Click the “Save” button to save your changes to the “Seattle” Asset Group.
New Asset Group
To expand the illustration of Business Impact and Business Risk, the next set of exercises will create two
new Asset Groups with different Business Impact Settings.
The first Asset Group will contain production servers that have a critical impact.
1. From the “Asset Groups” tab click the “New” button and select the “Asset Group” option.
3. From the navigation pane select the “IPs” option, and click the “Select IPs/Ranges” link.
4. Click the “Expand Range” icon to view all IPs in your subscription.
5. Check the following IP addresses (6):
□ 64.39.106.240
□ 64.39.106.241
□ 64.39.106.243
□ 64.39.106.244
□ 64.39.106.246
□ 64.39.106.247
6. Click the “Add” button
7. From the navigation pane select the “Business Info” option, and change the “Business Impact”
field of the “Server” Asset Group to Critical
8. Click the “Save” button to save the “Server” Asset Group.
The next new Asset Group will contain desktop computers that have a low impact.
1. From the “Asset Groups” tab click the “New” button and select the “Asset Group” option.
3. From the navigation pane select the “IPs” option, and click the “Select IPs/Ranges” link.
4. Click the “Expand Range” icon to view all IPs in your subscription.
5. Check the following IP addresses (4):
□ 64.39.106.242
□ 64.39.106.245
□ 64.39.106.248
□ 64.39.106.249
6. Click the “Add” button
7. From the navigation pane select the “Business Info” option, and change the “Business Impact”
field of the “Desktop” Asset Group to Low.
8. Click the “Save” button to save the “Desktop” Asset Group.
Three Asset Groups have been created: Seattle, Desktop, and Server. All three asset groups will
automatically be converted into Asset Tags by the Qualys service (see Asset Tag section).
Asset Tag
With IT and systems environments that are constantly fluctuating (e.g., mobile devices, virtualization,
cloud-based services, remote employees, etc…) it’s imperative to have a sound method to track host
assets. Knowing what assets exist improves the chances of securing them.
Asset Tags were designed to provide a flexible, scalable, and dynamic solution to manage assets, based
on scan results obtained using the Vulnerability Management application. As the Vulnerability
Management application processes data from each scan, it will also automatically and dynamically add
tags to various assets, and update or remove tags that already exist.
Asset Tags are organized into hierarchical structures, also known as parent/child relationships. A single
host asset can simultaneously have multiple tags. For example, a host can have a tag because it’s
located in Chicago, it belongs to the 10.1.2.0/24 netblock, and has SSH running on it.
Asset Search
During a scan, the Qualys scanning engine gathers information from targeted hosts, including each
host’s operating system, open ports, and active services. The Asset Search feature provides you with the
ability to search through scan results and find hosts based on this type of information. This same
feature can also be used to create tags.
1. Use your mouse to navigate to the 1) “Assets” section, and then click on the 2) “Asset Search” tab.
2. In the “Search for” section, type “All” in the “Asset Groups” field. The “All” Asset Group is built-in
to the Qualys platform, and contains all host assets that have been added to your Vulnerability
Management subscription.
3. In the “attributes” section, select the “Running Services” checkbox and then select the “smtp”
option to find all hosts running the Simple Mail Transfer Protocol (i.e., mail servers).
4. Click the “Create Tag” button.
5. Type “Mail Server”, when prompted to “Enter a name for your Asset Tag” and click the “OK”
button.
Watch for the following pop-up message:
Asset Management Application
Although the Asset Search feature provides a simple way to create Asset Tags from within the
Vulnerability Management application, the real power and benefit of creating custom Asset Tags is
found within the Asset Management Application.
As you complete the exercises that follow, please note that some lag time may occur between the point
where an Asset Tag is initially created and the point where it is eventually applied to its respective
asset(s). The same lag time may exist between the point where a host is added to the Vulnerability
Management application, and the point where it appears in the Asset Management application.
1. From the Vulnerability Management application, use the application drop-down menu to switch
to the Asset Management application.
The opening page (i.e., “Assets” tab) of the Asset Management application provides many useful
pieces of information:
The Qualys service creates a matching Asset Tag for every Asset Group.
Hosts running SMTP are tagged with the “Mail Server” tag (created using Asset Search).
Operating system information is identified for each host.
You can use the “Quick Action” menu for any host to “View host details” (e.g., demo11).
2. Click the “Show Filters” link in the upper right corner of the “Assets” Tab.
3. Use the tags already created to quickly locate all Mail Servers.
4. Remove your filtering options, then click the “Hide Filters” link to close the filter window.
5. Near the upper left corner of the “Assets” tab, click the “expand” icon to view the Tag Tree
alongside the list of assets.
6. Click the arrow to the left of the “Asset Groups” tag to expand this hierarchy. The name of the
parent tag is “Asset Groups.” Presently it has three children (Seattle, Desktop, and Server).
7. Click the arrow to the left of “Asset Search Tags” to expand this hierarchy.
8. Right-click the “Mail Server” tag to view its editing options. Experiment by changing its color.
The same “Tag Tree” information can be accessed from the “Tags” tab.
1. From the “Assets” tab, expand the Tag Tree, and click on the link.
2. Name this tag: Operating System.
3. Select the color of your choice.
4. In the “Description” field type: Parent tag (operating system hierarchy).
5. Click the “Continue” button.
6. Leave the “Rule Engine” field set to “No Dynamic Rule”. This is typical for top level tags that form
the “parent” tag of a new hierarchy.
7. Click the “Continue” button, followed by the “Finish” button.
The “Operating System” tag should now be viewable in the Tag Tree.
The steps that follow will add two children to the Operating System hierarchy. Both children will be
nested under the “Operating System” parent, and both will use dynamic rules.
Dynamic Tag: Windows
1. From the top of the Tag Tree, click on the link.
Dynamic Tag: Linux
1. From the top of the Tag Tree, click on the link.
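A simplified model of the tag tree this lab builds (Asset Groups, Asset Search Tags, and the Operating System parent with its Windows and Linux dynamic children), added here as an illustration only; it is not Qualys code or its rule engine. The Host and Tag classes, the rule functions, and the scan data are constructed for the example, and the assumption that filtering on a parent tag also matches its children is the author's, not the product's.

```python
"""Model of dynamic Asset Tags from Lab 4: a parent/child tag tree, static tags
mirroring Asset Groups, dynamic tags re-evaluated on every scan, and a filter.
Added illustration, not Qualys code; all data and rules are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Host:
    ip: str
    os: str             # OS fingerprint reported by the scan (constructed values)
    services: Set[str]  # running services found by the scan, e.g. {"smtp"}


@dataclass
class Tag:
    name: str
    parent: Optional[str] = None
    # "No Dynamic Rule" in the lab maps to rule=None: a container/parent tag
    # that is never applied to a host automatically.
    rule: Optional[Callable[[Host], bool]] = None


class TagTree:
    def __init__(self, tags: List[Tag]):
        self.tags: Dict[str, Tag] = {t.name: t for t in tags}
        for t in tags:
            if t.parent is not None and t.parent not in self.tags:
                raise ValueError(f"parent {t.parent!r} of tag {t.name!r} does not exist")
        self.memberships: Dict[str, Set[str]] = {}  # host ip -> tag names

    def children(self, name: str) -> List[str]:
        return [t.name for t in self.tags.values() if t.parent == name]

    def descendants(self, name: str) -> Set[str]:
        found: Set[str] = set()
        stack = [name]
        while stack:
            for child in self.children(stack.pop()):
                if child not in found:
                    found.add(child)
                    stack.append(child)
        return found

    def process_scan(self, hosts: List[Host], asset_groups: Dict[str, Set[str]]) -> None:
        """Re-evaluate every tag for every scanned host. Dynamic tags are recomputed
        from scratch, so a rule that no longer matches drops the tag (the add/update/
        remove behaviour the lab describes). Asset Group tags come from the group."""
        for host in hosts:
            applied = {g for g, ips in asset_groups.items() if host.ip in ips}
            applied |= {t.name for t in self.tags.values()
                        if t.rule is not None and t.rule(host)}
            self.memberships[host.ip] = applied

    def hosts_with(self, name: str, include_children: bool = True) -> Set[str]:
        """Hosts carrying a tag; by default a parent tag also matches its children
        (an assumption made for this example to model filtering on a hierarchy)."""
        wanted = {name} | (self.descendants(name) if include_children else set())
        return {ip for ip, tags in self.memberships.items() if tags & wanted}


def build_lab_tree(asset_groups: Dict[str, Set[str]]) -> TagTree:
    """The hierarchy this lab ends up with: one child per Asset Group, Mail Server,
    and an Operating System parent (No Dynamic Rule) with Windows and Linux."""
    tags = [Tag("Asset Groups")]
    tags += [Tag(g, parent="Asset Groups") for g in asset_groups]
    tags += [
        Tag("Asset Search Tags"),
        Tag("Mail Server", parent="Asset Search Tags",
            rule=lambda h: "smtp" in h.services),
        Tag("Operating System"),
        Tag("Windows", parent="Operating System",
            rule=lambda h: h.os.lower().startswith("windows")),
        Tag("Linux", parent="Operating System",
            rule=lambda h: "linux" in h.os.lower()),
    ]
    return TagTree(tags)


# Constructed sample: two of the lab's demo IPs with invented OS/service data.
ASSET_GROUPS = {"Server": {"64.39.106.240"}, "Desktop": {"64.39.106.242"}}
SCAN_1 = [
    Host("64.39.106.240", "Red Hat Enterprise Linux 7", {"ssh", "smtp"}),
    Host("64.39.106.242", "Windows 7", {"netbios-ssn"}),
]
# Second scan: the mail service on .240 has been shut down in the meantime.
SCAN_2 = [
    Host("64.39.106.240", "Red Hat Enterprise Linux 7", {"ssh"}),
    Host("64.39.106.242", "Windows 7", {"netbios-ssn"}),
]


def run_demo() -> Dict[str, Set[str]]:
    """Process both scans in order and return the final tag memberships."""
    tree = build_lab_tree(ASSET_GROUPS)
    tree.process_scan(SCAN_1, ASSET_GROUPS)   # .240 gains "Mail Server"
    tree.process_scan(SCAN_2, ASSET_GROUPS)   # .240 loses it again
    return tree.memberships
```

After the second scan the Mail Server tag disappears from 64.39.106.240 without anyone editing the tag, which is the lag-free ideal the lab's note about propagation delay refers to.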
LAB 5: Vulnerability Scan (30 min.)
Once you have successfully added hosts to your subscription, they can be scanned for vulnerabilities. As
Qualys learns about each host that it scans, it can categorically eliminate different vulnerability tests,
dramatically reducing scan time in the process.
To identify the host IPs that can be scanned:
3. Click the “Expand Range” icon to view individual IP addresses in your subscription
Alternatively, you can create a Map Report and look for the hosts with the “S” symbol.
Trusted Scanning
It is a “Best Practice” to perform vulnerability scans with administrator or root level privileges. Qualys
refers to these as “Trusted Scans.” Qualys can authenticate to numerous technology platforms.
In this exercise, we’ll create a Windows authentication record, a UNIX authentication record, and an
Option Profile that uses them.
5. In the Login section, leave the radio button for “Basic authentication” selected.
6. Enter “Administrator” (omit quotes) in the User Name field and “abc123” (omit quotes) in the
Password and Confirm Password fields.
7. Click the IPs tab, and assign the IPs for your Windows-based host devices (64.39.106.242,
64.39.106.243, 64.39.106.248, 64.39.106.249).
8. Click the “Save” button to complete the creation of your new Authentication Record.
4. Click the “Login Credentials” tab on the left-hand side, and ensure the “Basic authentication” radio
button is selected.
5. In the Login section, leave the radio button for “Basic authentication” selected.
6. Enter “root” (omit quotes) in the User Name field and “abc123” (omit quotes) in the Password and
Confirm Password fields.
7. Click the IPs tab, and assign the IPs for your Unix-based host devices (64.39.106.240,
64.39.106.241, and 64.39.106.244 - 64.39.106.247).
8. Click the “Save” button to complete the creation of your new Authentication Record.
Authentication is not enabled by default; it must be turned on within an Option Profile, and only scans
launched with that profile will use the authentication records. The credentials above are lab values:
in production, use a dedicated scanning account whose password is strong and kept in a vault, never
one shared with interactive administrators.
9. Navigate to 1) the “Option Profiles” tab, click 2) the “New” button and select 3) Option Profile.
10. Enter “Custom Authentication” in the “Title” field.
11. Click “Scan” in the left navigation panel.
12. Locate the “Authentication” section and enable the Windows and Unix/Cisco authentication
methods.
13. Click the “Save” button.
Launch Scan
1. Use your mouse to navigate to the 1) “Scans” section, 2) “Scans” tab, click the 3) “New” button
and select the “Scan” option.
4. Under “Targets” select the “Assets” radio button.
5. Use the “Select” link to add both “Desktop” and “Server” Asset Groups as scanning targets.
6. Click the “Launch” button to launch the scan.
7. Click the “Close” button to close the “Scan Progress” window, when it is displayed.
The “Scans” tab lists running scans and stored scans. You can use the “Quick Actions” menu to cancel or
pause running scans. To delete a scan, simply place a check in the box next to the Title, and choose the
Delete option from the Actions button.
Processed vs. Unprocessed Scans
When a Scanner Appliance has finished performing a vulnerability scan, the scan results are sent to the
Qualys Secure Operations Center (SOC). The raw scan data is then processed and integrated with the
“Host Based Findings” within your subscription.
Although the “Status” column may already display “Finished”, your scan results are not available for
use (in reports, tickets or asset searches) until the green circle icon next to the scan turns into the
green ball icon, which indicates that processing is complete.
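The whole procedure above (two authentication records, a scan launched with the “Custom Authentication” profile against the Desktop and Server asset groups, and the wait for results to be processed rather than merely Finished) can be driven from the Qualys VM API v2 instead of the UI. The script below is an added example written for this page; it is not code from the lab or from Qualys. The endpoint paths, form parameters and XML element names are the author's reading of the Qualys API v2 user guide and should be checked against the guide for your platform URL; the host IPs are the lab targets from the exercise, and the scanning-account password is read from an environment variable rather than typed in (the lab's “abc123” is a demo value only).

```python
"""Trusted-scan setup and launch through the Qualys VM API v2 (added example).

Endpoints/parameters are assumptions from the API v2 guide: verify them for
your platform. Network calls are isolated in qualys_post(), so the builders
and parsers below can be exercised offline.
"""
import base64
import os
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

API_BASE = os.environ.get("QUALYS_API_BASE", "https://qualysapi.qualys.com")

# Lab targets from the exercise text (ranges are written as a-b).
WINDOWS_IPS = ["64.39.106.242", "64.39.106.243", "64.39.106.248", "64.39.106.249"]
UNIX_IPS = ["64.39.106.240", "64.39.106.241", "64.39.106.244-64.39.106.247"]


def build_auth_record(platform, title, username, password, ips):
    """Path and form for creating a Windows or Unix authentication record.

    The password is supplied by the caller: read it from a vault or an
    environment variable, never hard-code it in the script.
    """
    if platform not in ("windows", "unix"):
        raise ValueError("platform must be 'windows' or 'unix'")
    form = {"action": "create", "title": title, "username": username,
            "password": password, "ips": ",".join(ips)}
    return "/api/2.0/fo/auth/%s/" % platform, form


def build_scan_launch(scan_title, option_title, asset_groups, scanner=None):
    """Path and form for launching a scan by asset group with a named profile.
    Scans of internal targets also need the appliance name (iscanner_name)."""
    form = {"action": "launch", "scan_title": scan_title,
            "option_title": option_title, "asset_groups": ",".join(asset_groups)}
    if scanner:
        form["iscanner_name"] = scanner
    return "/api/2.0/fo/scan/", form


def qualys_post(path, form, api_user, api_password, timeout=60):
    """POST a form with HTTP Basic auth and return the XML response body."""
    req = urllib.request.Request(API_BASE + path,
                                 data=urllib.parse.urlencode(form).encode(),
                                 method="POST")
    token = base64.b64encode(("%s:%s" % (api_user, api_password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("X-Requested-With", "python-urllib")  # header the API requires
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def parse_scan_ref(launch_xml):
    """Scan reference ("scan/...") from a launch response, or None."""
    for item in ET.fromstring(launch_xml).iter("ITEM"):
        if (item.findtext("KEY") or "").lower() == "reference":
            return item.findtext("VALUE")
    return None


def scan_is_processed(list_xml, scan_ref):
    """True only when the scan is Finished AND PROCESSED=1.

    Finished means the appliance is done; until the results are processed
    they are not merged into host-based findings and reports omit them.
    """
    for scan in ET.fromstring(list_xml).iter("SCAN"):
        if scan.findtext("REF") == scan_ref:
            return (scan.findtext("STATUS/STATE") == "Finished"
                    and scan.findtext("PROCESSED") == "1")
    return False


def wait_until_processed(scan_ref, api_user, api_password, poll=60, max_polls=120):
    """Poll the scan list until our scan is processed, or give up."""
    for _ in range(max_polls):
        xml_text = qualys_post("/api/2.0/fo/scan/",
                               {"action": "list", "scan_ref": scan_ref},
                               api_user, api_password)
        if scan_is_processed(xml_text, scan_ref):
            return True
        time.sleep(poll)
    return False


if __name__ == "__main__":
    api_user, api_pw = os.environ["QUALYS_USER"], os.environ["QUALYS_PASSWORD"]
    scan_pw = os.environ["SCAN_ACCOUNT_PASSWORD"]  # credential the scanner will use
    for platform, title, user, ips in (("windows", "Lab Windows", "Administrator", WINDOWS_IPS),
                                       ("unix", "Lab Unix", "root", UNIX_IPS)):
        qualys_post(*build_auth_record(platform, title, user, scan_pw, ips), api_user, api_pw)
    launch = build_scan_launch("Lab trusted scan", "Custom Authentication", ["Desktop", "Server"])
    ref = parse_scan_ref(qualys_post(*launch, api_user, api_pw))
    print("launched", ref, "processed:", wait_until_processed(ref, api_user, api_pw))
```

The point of `scan_is_processed` is the one the paragraph makes: a Finished state is not enough, so anything automated that follows a scan (report generation, ticket checks) must gate on the PROCESSED flag, otherwise it reads stale host-based findings.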
Storage
By default, the Qualys service deletes individual scan results from the “Scans” tab and “Maps” tab every
six months. You may extend this up to a year, or reduce it to one month (Scans > Setup > Storage).
To disable the auto delete feature, clear (remove) the appropriate checkbox.
Vulnerability Ratings
Scanning analyzes the security of your network devices using an “Inference-Based Scanning Engine,” an
adaptive process that intelligently runs only tests applicable to the host being scanned.
Vulnerabilities (red): security weaknesses verified by an “active test”.
Potential vulnerabilities (yellow): security weaknesses that need manual verification.
Information (blue): configuration data.
Potential Vulnerabilities
Two common classes of potential vulnerabilities are Denial of Service (DoS) and buffer overflow
conditions. Qualys will not run an active test that might deny service or introduce instability, so these
cannot be tested actively. That said, many potential vulnerabilities can be promoted to confirmed
vulnerabilities using authentication. These are labeled with a red/yellow icon in the Vulnerability
KnowledgeBase.
When a normal (untrusted) scan includes a red/yellow vulnerability, Qualys can find conditions that
flag the risk (e.g. SMB is enabled). When a trusted scan is performed (Qualys authenticates to the
device), the registry is analyzed and other tests are performed, and in the scan results Qualys identifies
the issue as either a confirmed vulnerability or a potential vulnerability.
Severity levels
Level 5 (Remote root/administrator): remote control over the system with Admin privileges
Level 4 (Remote user): remote control over the system with user privileges
Level 3 (Leaks critical sensitive data): remote access to services or applications
Level 2 (Leaks sensitive data): determine precise system/service versions
Level 1 (Basic information): open ports and other easily deduced data
Additional Exercises
You may perform all “Additional Exercises” at your own convenience. Other lab exercises in this
document are not dependent on the outcome of these exercises.
11. Scroll to the end of the Option Profile and click “Save”.
You may now use this Option Profile to perform a vulnerability scan. The resulting scan report will only
reflect the vulnerabilities identified in the Custom Search List attached to this profile.
Low Bandwidth Scan
Use Case: Scan a remote office over a low bandwidth link.
Qualys has three performance “presets” and a “Custom” option. The “Low” preset is ideal for ISDN- and
DSL-connected offices. “Normal” is a good general setting for Ethernet environments. “High” is best for
minimally utilized 100 Mbit links and 1 Gbit networks.
The number of hosts to scan/map concurrently affects scanning speed and network bandwidth. Qualys
adjusts its packet rate based on detected network load; your configuration choices dictate how
aggressive it should be in throttling back when it detects that the network is under load. In this exercise,
you will select different presets to see how each is configured; later, you can use what you learn here
when creating “Custom” performance options.
1. Create a new Option Profile titled “Low Bandwidth Scan - Option Profile”.
2. In the navigation pane on the left, choose the “Scan” tab. Under “Performance” click the
“Configure…” button.
The “Configure Scan Performance” window will open.
LAB 6: Reporting (30 min.)
Qualys stores your generated reports for a week. This is handy when you generate a large report that
you want to share with your colleagues. Qualys only needs to process the data when you create the
report; your colleagues can simply click to view the generated report.
1. From the Reports section, click the Reports tab. Choose “New > Scan Report > Template
Based”
3. Delete the word “All” from the Asset Groups field. Then, click on the “Add Tags” link and
using the search box, type in “Desktop”. Select the tag when it appears in the window.
4. Click the “Run” button to view the report, and scroll down to the “Detailed Results” section.
Notice the vulnerability status next to the action icon. The first time a vulnerability is found by the
latest scan, the word “New” appears in the report. Once a vulnerability has been discovered, its status
changes to “Active” with each successive vulnerability scan in which it is still found. If the vulnerability
has been fixed, the word “Fixed” appears.
Also notice our tags appear within the report.
In the next steps, we will perform the actions to ignore a specific vulnerability for a single host device.
5. Click the icon for host 64.39.106.242 (NetBIOS Name: XP-SP2) to display its
vulnerability details.
6. Locate the severity 5 vulnerability called “Microsoft SMB Remote Code Execution
Vulnerability” (MS09-001) and expand it.
7. Mouse-over the menu for this vulnerability, and choose the option to “Ignore
vulnerability”.
8. Enter an appropriate reason, such as “This host will be decommissioned next week and thus
will not be patched” and click the “OK” button.
It is important to note that the steps above ignore the Microsoft SMB Remote Code Execution
Vulnerability only for host IP address 64.39.106.242. Other host devices that have this same
vulnerability (64.39.106.243 and 64.39.106.249) are not affected by these actions.
6. Select the “Critical Vulnerabilities with Vendor Patches v.1” Search List.
7. Click the Exclude QIDs check box, and then click the Add Lists button.
We will make the assumption here that a different administrator will handle the Adobe-related
vulnerabilities.
9. Use the Test button again to test your new exclusion option.
9. When the report opens, click on the “Sev” column in the left pane (and sort most severe to least
severe).
10. In the left pane, use the “Title” column, to click on the top patch in the list. Notice that the same
patch might affect multiple hosts.
11. Click on the “Title” of other patches to see what hosts are impacted.
12. From the right pane, try clicking on the number of vulnerabilities (“Vulns” column) to display the
vulnerabilities impacted by a patch.
13. To distribute this report to your system administrators, click File > Download (select PDF or CSV
format).
Scorecard Report
Scorecard reports are part of the robust reporting mechanism within the Qualys environment. These
reports provide “the state” of security within the enterprise. They are designed to assist IT line
managers, Auditors, or the Board of Directors.
Using the Vulnerability Scorecard, users can evaluate Business Risk by asset group or tag and establish
acceptable Business Risk levels for the organization. Also, the same scorecard can be used to identify
vulnerabilities by type, status and age.
1. Navigate to 1) the “Reports” section and 2) “Reports” tab. Click the “New” button and select 3)
“Scorecard Report” option.
2. From the “New Scorecard Report” window, highlight “Vulnerability Scorecard Report,” and click
the “Edit” link just below the Scorecard report list.
3. Click “Report Source” in the left navigation pane.
4. Select the “Asset Tags” radio button and add both Windows and Linux hosts.
5. Select the “Any” operator to target hosts that have any of the Asset Tags listed.
All: target only hosts that have all of the tags listed (AND equivalent).
Any: target hosts that have any of the tags listed (OR equivalent).
9. Click “Display” in the navigation pane, and change the “Business Risk Goal” to 20.
The “Business Risk Goal” reflects your aversion to (or appetite for) risk. It is based on the percentage
of targeted hosts that are vulnerable to the targeted QIDs, i.e. those in the “Critical Vulnerabilities
with Vendor Patches v.1” search list; a tag whose percentage is at or below the goal passes.
10. Click “Save As…” and title the report “Adjusted Business Risk”.
11. Select the Scorecard you just created (Adjusted Business Risk) and run the report with HTML as a
format.
The report will show the percentage of “Critical Vulnerabilities with Vendor Patches” for each
targeted Asset Tag. Passing values will display in green, failing values will display in red. You can
continue to adjust the risk goal as you create different types of scorecard reports that target various
hosts and different types of vulnerabilities.
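The two choices made in this exercise, the Any/All operator on the report source and the Business Risk Goal on the Display page, are easy to misread, so here is an added worked example (not Qualys code and not part of the lab) that applies both over constructed host data. The QID numbers are placeholders, not real Qualys IDs; `SEARCH_LIST` stands in for “Critical Vulnerabilities with Vendor Patches v.1”; the hosts reuse the lab IPs and the Windows/Linux/Desktop/Server tags built earlier.

```python
"""Scorecard targeting (Any/All) and the Business Risk Goal, as an added example."""

SEARCH_LIST = {100001, 100002}  # placeholder QIDs the scorecard targets

# Constructed inventory: host -> asset tags and QIDs detected by the last scan.
HOSTS = {
    "64.39.106.240": {"tags": {"Operating System", "Linux", "Server"},    "qids": {100002}},
    "64.39.106.241": {"tags": {"Operating System", "Linux", "Server"},    "qids": {300010}},
    "64.39.106.244": {"tags": {"Operating System", "Linux", "Server"},    "qids": set()},
    "64.39.106.245": {"tags": {"Operating System", "Linux", "Server"},    "qids": {300011}},
    "64.39.106.246": {"tags": {"Operating System", "Linux", "Server"},    "qids": set()},
    "64.39.106.247": {"tags": {"Operating System", "Linux", "Server"},    "qids": set()},
    "64.39.106.242": {"tags": {"Operating System", "Windows", "Desktop"}, "qids": {100001, 300010}},
    "64.39.106.243": {"tags": {"Operating System", "Windows", "Desktop"}, "qids": set()},
    "64.39.106.248": {"tags": {"Operating System", "Windows", "Server"},  "qids": {100001}},
}


def select_hosts(hosts, tags, operator):
    """Report-source selection by tag.

    'Any': the host carries at least one of the tags (OR).
    'All': the host carries every one of the tags (AND).
    """
    wanted = set(tags)
    if operator == "Any":
        return {h for h, d in hosts.items() if wanted & d["tags"]}
    if operator == "All":
        return {h for h, d in hosts.items() if wanted <= d["tags"]}
    raise ValueError("operator must be 'Any' or 'All'")


def scorecard(hosts, tags, operator, search_list, goal_percent):
    """Per tag: share of targeted hosts with at least one search-list QID.

    A tag passes (green) when that share is at or below the Business Risk
    Goal and fails (red) otherwise; a tag with no targeted hosts reports 0%.
    """
    targeted = select_hosts(hosts, tags, operator)
    rows = {}
    for tag in tags:
        members = [h for h in targeted if tag in hosts[h]["tags"]]
        vulnerable = [h for h in members if hosts[h]["qids"] & search_list]
        percent = round(100.0 * len(vulnerable) / len(members), 1) if members else 0.0
        rows[tag] = {"hosts": len(members), "vulnerable": len(vulnerable),
                     "percent": percent, "pass": percent <= goal_percent}
    return rows


if __name__ == "__main__":
    for tag, row in scorecard(HOSTS, ["Windows", "Linux"], "Any", SEARCH_LIST, 20).items():
        print(tag, row, "green" if row["pass"] else "red")
```

With the goal at 20, the Windows tag fails (2 of 3 hosts, 66.7%) and the Linux tag passes (1 of 6, 16.7%); the same data selected with “All” on Windows and Server shrinks the target to the single host that carries both tags, which is why “All” is rarely what you want for a per-platform scorecard.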
Additional Exercises
You may perform all “Additional Exercises” at your own convenience. Other lab exercises in this
document are not dependent on the outcome of these exercises.
Executive Report
The Executive Report is a high-level trend report. It identifies changes to the vulnerability exposure of
your network over time.
Presently, you do not have an adequate amount of scan history in your demo account to produce an
effective trend report. For this reason, an illustrated description of the Executive Report will be
provided.
When you have generated more scan data (after several days), feel free to return to this section to
create an Executive Report. You can create an Executive Report by selecting the Executive Report
Template.
Vulnerability Status
The “Filter” tab of the Executive Report Template contains Vulnerability Status. With all Vulnerability
Status filters selected, we can produce the graphic seen above. Most of these are obvious, but there’s
one hidden gem: Re-Opened. A re-opened vulnerability is a vulnerability that you previously fixed but
has returned.
Re-opened vulnerabilities are typically the result of re-imaging a host from an unpatched image, or of
relying on a compensating control (for example, a firewall rule that blocks access to the vulnerable
service) instead of a patch: the finding reads as fixed while the control is in place and returns when it is
removed. A re-opened finding can also mean a service was recently enabled again on the host (such as a
web server).
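The status labels used here and in the Detailed Results of LAB 6 (New, Active, Fixed, Re-Opened) follow from comparing each scan with the one before it. The following is an added example, not Qualys code, that applies the rules the text gives to a chronological series of scans; the hosts, placeholder QIDs and detections are constructed sample data, and the “Re-Opened” filter at the end is the hidden gem the paragraph describes.

```python
"""Vulnerability status tracking (New / Active / Fixed / Re-Opened), added example."""

NEW, ACTIVE, FIXED, REOPENED = "New", "Active", "Fixed", "Re-Opened"


def next_status(previous, detected):
    """Status of one (host, QID) after one more scan.

    previous: status before this scan, or None if never seen on this host.
    detected: whether this scan found the QID on the host.
    """
    if detected:
        if previous is None:
            return NEW            # first time the finding appears
        if previous == FIXED:
            return REOPENED       # was fixed, came back (re-image, removed control)
        return ACTIVE             # New / Active / Re-Opened and seen again
    if previous in (None, FIXED):
        return previous           # still unseen, or still fixed
    return FIXED                  # was open, not found by this scan


def track_statuses(scans):
    """scans: list of sets of (host, qid) detections, oldest first.

    Returns {(host, qid): [status after scan 1, after scan 2, ...]}. Entries
    are None until the first detection, so every list has len(scans) items.
    """
    keys = set().union(*scans)
    history = {}
    for key in sorted(keys):
        status, trail = None, []
        for found in scans:
            status = next_status(status, key in found)
            trail.append(status)
        history[key] = trail
    return history


def with_status(history, wanted):
    """Keys whose latest status equals `wanted`, e.g. the Re-Opened filter."""
    return sorted(k for k, trail in history.items() if trail[-1] == wanted)


# Constructed sample: three successive scans of two lab hosts, one placeholder QID.
SAMPLE_SCANS = [
    {("64.39.106.242", 100001), ("64.39.106.243", 100001)},  # scan 1: both affected
    {("64.39.106.242", 100001)},                             # scan 2: gone from .243
    {("64.39.106.242", 100001), ("64.39.106.243", 100001)},  # scan 3: back on .243
]

if __name__ == "__main__":
    hist = track_statuses(SAMPLE_SCANS)
    for key, trail in hist.items():
        print(key, " -> ".join(str(s) for s in trail))
    print("Re-Opened now:", with_status(hist, REOPENED))
```

Host .242 runs New, Active, Active; host .243 runs New, Fixed, Re-Opened. Because a Fixed finding only needs one positive scan to become Re-Opened, an exception ticket closed on the strength of a firewall rule should be re-checked whenever that rule changes.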
Top Vulnerability Categories
The “Top Vulnerability Categories” table is handy come hiring time: it illustrates the areas that need the
most work, and how much the exposure has changed, so you can hire people to cover your most critical
needs.
Scheduled Reporting
As with mapping and scanning, users can schedule reports to run automatically at a scheduled time, on
a recurring basis. Users can also set options to notify selected distribution groups when a report is
complete and ready for viewing.
There are several report types that can be scheduled. You can schedule template-based scan reports
(set to Host Based Findings source selection), scorecard reports, patch reports, template-based
compliance reports and remediation reports.
To create a new report schedule, go to Reports > Schedules and select the type of report you’re
interested in from the New menu. In the steps that follow, a new template-based scan report will be
scheduled.
3. Click the New button and select Scan Report > Template Based.
4. From the Report Details section, give your report a title, such as “Demo Scheduled Report”.
5. For Report Template, click the Select link and select the Executive Report template.
6. For Report Format keep the selection for Portable Document Format (PDF).
7. In the Report Source section, leave the Asset Groups set to All.
8. Click the checkbox for Scheduling and Report Notification.
9. Leave today as your start date, and midnight (00:00) as your starting time.
10. Select (GMT-0800) United States (California): Los Angeles, San Francisco, San Diego, Sacramento
as your time zone.
11. Set this scheduled report to occur every week (Weekly) on Friday.
12. In the Schedule Status section, please choose the check box to “Deactivate this report”.
LAB 7: User Management (10 min.)
User accounts form the basis for privileges and access control within Qualys. This section will explore
creating users and the various levels of user privileges.
User Roles
User privileges are assigned and identified using various “User Roles”. Your Qualys student account has
the role of “Manager”.
The “Scanner” role carries the primary responsibility of mapping and scanning network resources.
The “Reader” role carries the least privileges. They can create custom reports from existing scan and
map data, but cannot launch scans or maps.
Privileges Summary
Privilege                   Manager   Scanner      Reader
Create Reports              Yes       Yes          Yes
Scan/Map: All Assets        Yes
Scan/Map: Assigned Assets   Yes       Yes
Create Option Profiles      Yes       Optionally
Create User Accounts        Yes
3. Under the “User Roles” tab, choose “Reader” as your User Role.
4. Click “Asset Groups” in the navigation pane, and add the “Seattle” Asset Group to this account.
Presently, access permissions are provided to user accounts, using Asset Groups. This includes
scanning, reporting and remediation access privileges.
5. Click the “Options” tab and view the Notification Options.
Activate this account by looking at the email sent by Qualys, clicking on the link, and viewing the
credentials. The link can only be clicked once, so make sure you save the credentials.
LAB 8: Remediation (15 min.)
Qualys includes Remediation Policies that can be used to assign vulnerabilities to specific users or ignore
vulnerabilities that you do not plan to address.
6. Select the checkbox next to title, “Confirmed Severity 4 + 5” and press the “Ok” button.
7. Assign these vulnerabilities to the user account you created in LAB 7, and enforce a 7-day deadline
for patching and mitigation.
8. Save the rule by clicking the “Save” button.
3. Under the “Actions” tab, select the “Create Tickets – set to Closed/Ignored” radio button.
4. Save the rule, close the window, and return to the Remediation Policies list.
5. Now that you have created a Remediation Policy, you will need to launch another vulnerability
scan to allow Qualys to automatically create remediation tickets.
6. Go ahead and launch a scan.
A Final Note – Account Setup
Before ending the training, it’s important that we cover some less conspicuous setup configurations of
Qualys. These are items that aren’t essential, but may be needed here and there.
Dashboard
Because we’ve mapped and scanned, some information will be populated in our Dashboard.
2. Select the home page that best suits your needs, and click the “Save” button.
1. Navigate to the “Setup” tab in the “Scans” section, and click on Excluded Hosts section.
6. Click “Close”.
Tip: it’s a good practice to add comments about “why” this is excluded in the event of an audit.
7. Rerun a light scan over the IP Segment containing the IP address you just excluded. You
should not see the .246 address.
Keep in mind that excluding a host is a global setting for your subscription: the IP is excluded from ALL
activity (mapping, scanning and reporting), even though it is still listed in your subscription.
Remember how in Remediation we talked about automatically closing tickets once a scan shows the
vulnerability is no longer present? Under the “Setup” tab in the “Remediation” section, you will
find:
You may also need to determine if the lower privileged groups will be able to Close and Ignore tickets or
allow them to Delete tickets – both can be allowed here.
The Security function under the “Setup” tab in the “Users” section allows for the more critical security
settings for users and the service:
You may want to restrict which IPs have the ability to connect to your QG UI. For this reason, you can
restrict access. You can also set password security, even allowing users to set their own passwords.
Finally, let’s take a look at the “Report Share” section.
8. Navigate to the “Setup” tab in the “Reports” section, and click on “Report Share”.
9. Choose to “Enable Secure PDF Distribution”.
12. Click “Add Secure Distribution” and choose an email to send your report to.
Now when you generate a PDF report you will have the chance to enter a list of email addresses to
which the report should be distributed securely. As long as you have Adobe Reader on your computer
and you know the report password, you will be able to open the report outside of Qualys.
Business Risk is the product of the “Average Security Risk” and the rating set by the Asset Group’s
“Business Impact.” Let’s take a look at how the weights are calculated.
Choose “Business Risk” from the “Setup” tab under the “Reports” section.
These are the default values for Business Risk. As you can see, a level 5 vulnerability on a host whose
Asset Group is of “Critical” importance is weighted 100 times greater than that of a level 1 vulnerability
on a host whose asset group is of “Low” importance.
Contacting Support
Overview
Try as we may, inevitably you will need to contact support. In order for us to properly and efficiently
troubleshoot issues, we will need information from you.
There are 3 ways to contact support:
o The Qualys Interface
o Email to support@qualys.com
o For Critical issues – call us:
U.S. and Canada: +1.866.801.6161 24x7
Europe, the Middle East and Africa: +33.1.41.97.35.81 24x7
UK: +44 1753 872102 24x7
With the Qualys interface, you will have all the necessary information at your fingertips. From the
Qualys User Interface, click on “Help” and then “Contact Support”
So then, the question becomes – what information do you need to send to Qualys? Well, that can
depend on the type of problems you are seeing.
False Positive
If you believe that you have identified a false positive, please provide us with additional information so
that we can resolve the issue as quickly as possible.
Please provide the following in this message:
Reasons you believe you have a false positive. Include steps you've taken to patch the system.
Was the issue reported during an authenticated scan? If yes, was the authentication
successful? There are several appendices in your scan results that provide information related
to authentication.
When was the vulnerability first detected? Have there been changes to the host since then?
For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan
on the host. Do you grant permission for us to scan the host?
After receiving a ticket number from Support, send a follow-up email referencing the ticket number and
attach the following items:
A scan report with the vulnerability reported.
A packet capture of traffic to/from the affected service/port for its typical communications.
(only if requested by DEV)
System configuration information. For Windows, this is provided by systeminfo.exe and
MSinfo32.exe.
Additional information, such as a registry dump or a screenshot of the system showing that it
is patched and not vulnerable.
False Negative
On very rare occasions we may produce a False Negative. If you believe this to be the case, please
provide the following in your message:
IP address, DNS hostname or NetBIOS hostname for the host.
QID, if available, for the potential false negative.
Reasons you believe you have a false negative. Include steps taken to troubleshoot the issue.
When was the vulnerability last detected? Have there been changes to the host since then?
For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan
on the host. Do you grant permission for us to scan the host?
After receiving a ticket number from Support, send a follow-up email referencing the ticket number and
attach the following items:
A scan report of the scan that did not identify the vulnerability.
Additional information, such as a registry dump or screenshot of your system.
Host Crash
Qualys scans are generally non-intrusive. If a scan has caused a host to crash then we will make resolving
this issue a top priority. We are eager to work with you and any third-party vendors to quickly isolate
and resolve the problem.
Please provide the following in this message:
A description of the symptoms. When did the issue first appear? If the issue is reproducible,
please provide steps to reproduce the issue.
Detailed information for each affected system, including: operating system version and patch
level, IP address, the system's primary function and the location of the system on the network
(i.e. behind a firewall, in DMZ or behind a load balancer.)
For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan
on the host. Do you grant permission for us to scan the host?
After receiving a ticket number from Support, send a follow-up email referencing the ticket number and
attach the following items:
A scan report of the scan that resulted in the host crash.
A packet capture of traffic to/from the affected service/port for its typical communications.
A list of open ports and services running on those ports.
o On a Windows system, you can run the free tcpview.exe and save the output.
o On a Linux system, you can run netstat -ntulp and save the output.
An image of the box is useful to help us reproduce the issue. For Windows machines, images
may be created using MS Virtual PC (free). For *nix, VMWare may be used. If the host has
custom software on it, then please also provide us with a copy of the software.
Additional information, such as screenshots and log files.