Policies

This page lists the existing scan policies, shows summary information about them, and allows you to operate on them.

Scan policies contain the settings and customized specifications that fit your needs, and they determine the scope of a scan.

The FSProtect scanning engine consists of submodules with different responsibilities, which allows users to build a customized scan procedure according to their needs.

By default, there is one pre-defined scan policy, named Default Policy.

Scan policies allow the user to:

  • Enable or disable the scan modules.

  • Define exclusions for scans.

  • Define exclusions for vulnerabilities.

  • Define thresholds for vulnerabilities.

  • Enable or disable the checker engines for vulnerabilities.

The toolbar at the top right of the table allows us to:

  • Search: Searches the scan policies table by policy name.

  • Export: Exports all scan policies, together with the information listed in this table, as a CSV file.

  • New Policy: Creates a new scan policy by cloning one of the existing scan policies.

The table contains the relevant information about the scan policies and allows us to perform operations on them through a three-dot button.

General Information

Name: Name of the scan policy.

Modules: Names of the modules enabled in the scan policy.

General Operation

The three-dot button on each row allows us to perform the following operations on a scan policy:

Edit: Redirects the user to the Edit Scan Policy page, which allows the user to change all the configurations and specifications belonging to the scan policy.

Delete: Deletes the selected scan policy.

Policy Settings

The Create Policy and Edit Policy operations on the data table redirect the user to the Edit Scan Policy page shown below:

The scan policy page consists of two configuration tabs: General configurations and Vulnerability configurations.

The General Configurations tab allows the user to:

  • Define which scan modules are enabled or disabled in scans run with this policy.

  • Define exclusions, that is, which assets will not be included in scans run with this policy.

The definitions of the scan modules are given below:

Scan Modules

  • Active Directory Assessment: This module allows users to check and validate vulnerabilities, misconfigurations, and attack paths on each Active Directory asset and on the relations between these assets. Because this module is the core component of the engine, it is mandatory. When it is the only enabled module in the scan policy, the engine communicates only with the domain controllers in the Active Directory environment.

  • Network Security Assessment: This module allows users to enumerate network-related information such as SMB port status, spooler service status, shared files, contents of GPO and GPP files, etc. The collected information is used to check and validate vulnerabilities, misconfigurations, and attack paths caused by network-related services that are only detectable over network communication, such as sensitive information in files, MS17-010, BlueKeep, Zerologon, SMB signing enforcement, etc. It is an optional module. The engine communicates with each computer identified in the Active Directory environment.

    Important Note: The modules mentioned below require the Network Security Assessment module to be active.

  • Service-Based Security Assessment: This module allows users to identify deficiencies in the authentication service protocols of Active Directory. Deficiencies in the Kerberos and NTLM authentication protocols, such as the CVE-based Drop the MIC attacks, can be identified with the help of this module. It is an optional module. The engine communicates with each computer identified in the Active Directory environment.

  • Session Enumeration: This module allows users to enumerate active sessions on computers. With the help of this module, questions such as which users have sessions on which machines can be answered. In addition, tier model issues caused by sessions between entities that belong to different tiers can be easily identified. It is an optional module. The engine communicates with each computer identified in the Active Directory environment.

  • Local Entity Enumeration: This module allows users to enumerate local users, local groups, and the membership relations between local or domain entities. In addition, it reveals the privileges of these entities to execute DCOM, PowerShell, or RDP. It also reveals local admin and group-delegated local admin paths on these computers. It is an optional module. The engine communicates with each computer identified in the Active Directory environment.

  • ADCS Enumeration: This module allows users to collect Active Directory Certificate Services information such as certificate authorities, subordinate certificate authorities, exposed enrollment services, certificate templates, etc., by enumerating both the Active Directory environment and the computers/servers that hold certificate services roles. It requires network communication with certificate authority servers over HTTP, HTTPS, LDAP, etc., and remote registry read operations to reveal the different attack vectors.

General Exclusions

Exclusions allow users to keep specific entities out of the scan scope.

The following table describes the unique identifier for each entity type (see the description of the Identifiers):

Entity Type             Identifier
Domain                  FSName
Computer                FSName
User                    FSName
Group                   FSName
GPO                     FSName
MSA                     FSName
GMSA                    FSName
LocalUser               FSName
LocalGroup              FSName
OU                      FSName
Certificate Authority   FSName
Certificate Template    FSName
Hostname                DNS hostname of the target client/server
IP                      IP address of the target client/server
IP Range                IP address range of the target clients/servers

Important Note: If you do not have an existing scan, or the entity you want to exclude has not been identified before, you can simply enter the FSName of the entity and click Save. (See FSName formats)

Vulnerability Policies

Vulnerability-based scan policy configurations allow users to:

  • Enable or disable the control mechanism of each vulnerability.

  • Define threshold values for the supported vulnerabilities.

  • Define vulnerability specific exclusions to ignore a vulnerability on a specific entity or relation.

The search box, Status radio buttons, and Exclusion radio buttons can be used to filter or search a specific group of vulnerability policies.

The checkboxes that can be found on the left side of the list can be used to perform bulk operations on the selected vulnerability policies.

The allowed operations are:

  • Enable All: Enables the control mechanism of the selected vulnerability policies.

  • Disable All: Disables the control mechanism of the selected vulnerability policies.

  • Clear Exclusions: Deletes all defined exclusions of the selected vulnerability policies.

Vulnerability Exclusions

Vulnerability-based exclusions allow users to exclude or ignore the detected vulnerabilities on specific entities or relations.

Vulnerability-based exclusions vary according to the type of vulnerability.

Vulnerability-based exclusions are categorized as:

  • Object Exclusions

  • Object-to-Object Exclusions

  • Object-Relation-Object Exclusions

Object Exclusions

Object-based exclusions are defined for the vulnerabilities that are caused by issues on a single entity.

The Inactive Users vulnerability is an example of this type of vulnerability.

To specify the entity, the FSName of the relevant entity must be submitted in the input field. If you do not have an existing scan, or the entity you want to exclude has not been identified before, you can simply enter the FSName of the entity and click Save. In addition, submitting the input field as Any excludes all objects from this vulnerability.

The information tooltip shows the detailed definitions about the specifications.

The following figure shows how to define an exclusion for this type of vulnerability:

In addition, the following actions are available:

  • Delete: Deletes the selected exclusion item from the current vulnerability policy.

  • Clone: Duplicates the selected exclusion item in the current vulnerability policy.

  • Apply To Others: Applies (adds or deletes) the selected exclusion item to other vulnerability policies.

Object-to-Object Exclusions

Object-to-object-based exclusions are defined for vulnerabilities caused by the existence of a fixed, specific relation between two objects.

The Admin Sessions on Non-Domain Controller Servers vulnerability is an example of this type of vulnerability.

To specify the entities, the FSNames of the relevant entities must be submitted in the input fields. If you do not have an existing scan, or the entity you want to exclude has not been identified before, you can simply enter the FSName of the entity and click Save. In addition, submitting the input fields as Any excludes all objects from this vulnerability.

The information tooltip shows detailed definitions of the specifications, such as source and destination.

The following figure shows how to define an exclusion for this type of vulnerability:

In addition, the following actions are available:

  • Delete: Deletes the selected exclusion item from the current vulnerability policy.

  • Clone: Duplicates the selected exclusion item in the current vulnerability policy.

  • Apply To Others: Applies (adds or deletes) the selected exclusion item to other vulnerability policies.

Object-Relation-Object Exclusions

Object-relation-object-based exclusions are defined for vulnerabilities caused by the existence of dynamic and varied relations between two objects. (See Relations)

The Dangerous Access Control Entries on Users vulnerability is an example of this type of vulnerability.

To specify the entities, the FSNames of the relevant entities must be submitted in the input fields.

To specify the relation, the name of the relevant relation between the entities must be submitted in the input field.

If you do not have an existing scan, or the entity or relation you want to exclude has not been identified before, you can simply enter the FSName of the entity and click Save. In addition, submitting the input fields as Any excludes all objects from this vulnerability.

The information tooltip shows detailed definitions of the specifications, such as source, destination, and relation.

The following figure shows how to define an exclusion for this type of vulnerability:

In addition, the following actions are available:

  • Delete: Deletes the selected exclusion item from the current vulnerability policy.

  • Clone: Duplicates the selected exclusion item in the current vulnerability policy.

  • Apply To Others: Applies (adds or deletes) the selected exclusion item to other vulnerability policies.
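As an added example (not FSProtect's own code), the following Python models how the three exclusion categories described in the Object, Object-to-Object and Object-Relation-Object sections, together with a vulnerability policy's enabled/disabled control mechanism, decide which findings are suppressed. The FSName strings, the relation names, the field names and the "Disabled Check (placeholder)" policy are constructed assumptions; only the three vulnerability names come from this page.

```python
# Added example, not FSProtect code: models how the three exclusion categories
# above suppress findings. FSNames and relation names are constructed placeholders.
from dataclasses import dataclass, field

ANY = "Any"  # wildcard value described in the text

@dataclass
class VulnerabilityPolicy:
    name: str
    enabled: bool = True  # the per-vulnerability control mechanism
    exclusions: list = field(default_factory=list)

    def add_exclusion(self, **fields):
        """Object: object=; Object-to-Object: source=, destination=;
        Object-Relation-Object: source=, relation=, destination=."""
        self.exclusions.append(dict(fields))
        return self

def matches(exclusion: dict, finding: dict) -> bool:
    """Every field the exclusion names must equal the finding's value or be Any."""
    return all(v == ANY or finding.get(k) == v for k, v in exclusion.items())

def filter_findings(policies: dict, findings: list) -> list:
    """Keep a finding only if its policy is enabled and no exclusion matches it."""
    return [f for f in findings
            if (p := policies.get(f["vulnerability"])) is not None and p.enabled
            and not any(matches(ex, f) for ex in p.exclusions)]

ADMIN_SESSIONS = "Admin Sessions on Non-Domain Controller Servers"
DANGEROUS_ACES = "Dangerous Access Control Entries on Users"
POLICIES = {
    "Inactive Users": VulnerabilityPolicy("Inactive Users")
        .add_exclusion(object="USER:svc_backup"),
    ADMIN_SESSIONS: VulnerabilityPolicy(ADMIN_SESSIONS)
        .add_exclusion(source="USER:helpdesk-admin", destination=ANY),
    DANGEROUS_ACES: VulnerabilityPolicy(DANGEROUS_ACES)
        .add_exclusion(source="GROUP:Exchange Servers", relation="WriteDacl", destination=ANY),
    "Disabled Check (placeholder)": VulnerabilityPolicy("Disabled Check (placeholder)", enabled=False),
}
FINDINGS = [  # constructed sample findings; comments give the expected outcome
    {"vulnerability": "Inactive Users", "object": "USER:svc_backup"},          # excluded
    {"vulnerability": "Inactive Users", "object": "USER:jdoe"},                # kept
    {"vulnerability": ADMIN_SESSIONS, "source": "USER:helpdesk-admin", "destination": "COMPUTER:FS01"},  # excluded via Any
    {"vulnerability": ADMIN_SESSIONS, "source": "USER:da-admin", "destination": "COMPUTER:FS01"},        # kept
    {"vulnerability": DANGEROUS_ACES, "source": "GROUP:Exchange Servers", "relation": "WriteDacl", "destination": "USER:jdoe"},   # excluded
    {"vulnerability": DANGEROUS_ACES, "source": "GROUP:Exchange Servers", "relation": "GenericAll", "destination": "USER:jdoe"},  # kept: relation differs
    {"vulnerability": "Disabled Check (placeholder)", "object": "USER:jdoe"},  # dropped: check disabled
]
SURVIVING = filter_findings(POLICIES, FINDINGS)  # the three findings marked "kept"
```

Note that an exclusion only suppresses findings of the vulnerability policy it is attached to; carrying it to another policy of the same exclusion type is what the Apply To Others action described below is for.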

Apply To Others

The "Apply to Others" button allows us to add the selected exclusion item to, or delete it from, the other vulnerability policies that have the same exclusion definition type.

To be able to apply the selected exclusion item to the other vulnerability policies, the current vulnerability policy must not have unsaved changes.

As an example, the following figure shows how to add the selected exclusion item from the "Dangerous Access Control Entries on Users" vulnerability policy to the "Dangerous Access Control Entries on Privileged/Admin Objects" vulnerability policy:

As another example, the following figure shows how to delete the selected exclusion item from the "Dangerous Access Control Entries on Privileged/Admin Objects" vulnerability policy:
