Policies
This page lists the existing scan policies with summary information about each of them and lets you operate on them.
Scan policies contain the settings and customized specifications for a scan and determine its scope.
The FSProtect scanning engine consists of submodules with different responsibilities, which lets users build a customizable scan procedure according to their needs.
By default, there is one pre-defined scan policy, named Default Policy.
Scan policies allow users to:
Enable or disable the scan modules.
Define exclusions for scans.
Define exclusions for vulnerabilities.
Define thresholds for vulnerabilities.
Enable or disable the checker engines for vulnerabilities.

The toolbar above the table, on the right-hand side, allows you to:
Search: Search the scan policies table by policy name.
Export: Export the table listing (all scan policies and the summary information shown in this table) as a CSV file.
New Policy: Create a new scan policy by cloning one of the existing scan policies.
The checkboxes on the left-hand side of the list can be used to perform bulk operations on the selected scan policies.
Allowed operations are:
Export: Export the selected scan policies.
Export All: Export all scan policies in the table.
Delete: Delete the selected scan policies.
A New Policy can also be created from the Base Policy, a virtual policy with default settings: all modules enabled, no general exclusions, all vulnerabilities enabled, and no vulnerability exclusions.
Export/Import
The Export/Import functionality can be used to save scan policies to JSON files and to import them back.
Exporting Policies
Bulk Export
Navigate to the Policies section in the application.
Select the policies you wish to export by checking the boxes next to them.
Click on the Bulk Actions drop-down menu and select Export.
Choose whether to export all policies or only the selected ones.
The selected policies will be downloaded as a ZIP file containing individual JSON files.

Individual Policy Export
Locate the policy you want to export in the Policies list.
Click on the three-dot menu (...) next to the policy.
Select Export from the drop-down menu.
The policy will be downloaded as a JSON file.

Importing Policies
Access the Import Policy Interface:
Navigate to the Policies section.
Click on the Import Policy button located at the top-right corner of the screen (refer to Image 2).
Upload the Policy File:

In the Import Policy dialog box, click on the Upload your policy file area and select the JSON or ZIP file containing the policy or policies.
After uploading the file:

The system displays the GUID and the name of the imported policy; the name can be changed if needed.
Enter a new name for the policy in the text field provided.
Click Save to complete the import process.
The imported policy is created with a new random GUID; the GUID stored in the file is not reused.
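Because an exported policy is a JSON document and an import always receives a fresh GUID (and possibly a new name), the useful comparison between two exports is a structural diff that ignores those identity fields. The script below is an added example, not FSProtect's own code: it assumes only that an export is a JSON object; the field names in the two constructed sample documents (policyId, name, modules, generalExclusions, vulnerabilities) are assumptions and not the product's schema.

```python
"""Diff two exported scan-policy JSON files, ignoring import-time identity fields.

Added illustration, not FSProtect's code. The only assumption about the export
format is that it is a JSON object; the keys used in the constructed samples
below are placeholders, not the product's real schema.
"""
import json
from typing import Any, Iterator

# Constructed sample standing in for an exported "Default Policy".
DEFAULT_POLICY = json.loads("""{
  "policyId": "0f1d2c3b-4a59-4e6f-8a7b-9c0d1e2f3a4b",
  "name": "Default Policy",
  "modules": {"ActiveDirectoryAssessment": true, "NetworkSecurityAssessment": true,
              "SessionEnumeration": true},
  "generalExclusions": [],
  "vulnerabilities": {"Inactive Users": {"enabled": true, "threshold": 90, "exclusions": []}}
}""")

# Constructed sample standing in for a clone of it that was edited and re-imported
# (new GUID, new name, two modules disabled, one scope exclusion, one threshold change).
CLONED_POLICY = json.loads("""{
  "policyId": "7b6a5948-3726-4150-9f8e-7d6c5b4a3928",
  "name": "DC-only Policy",
  "modules": {"ActiveDirectoryAssessment": true, "NetworkSecurityAssessment": false,
              "SessionEnumeration": false},
  "generalExclusions": [{"type": "IPRange", "value": "10.0.5.0/24"}],
  "vulnerabilities": {"Inactive Users": {"enabled": true, "threshold": 180,
                                         "exclusions": [{"object": "svc_backup"}]}}
}""")


def diff_json(old: Any, new: Any, path: str = "$") -> Iterator[tuple[str, Any, Any]]:
    """Yield (json_path, old_value, new_value) for every leaf that differs.

    Objects are walked key by key (a key present on one side only is reported
    with None for the other side); arrays are compared element-wise by index,
    which is adequate for exclusion lists whose order is stable on export.
    """
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            yield from diff_json(old.get(key), new.get(key), f"{path}.{key}")
    elif isinstance(old, list) and isinstance(new, list):
        for i in range(max(len(old), len(new))):
            o = old[i] if i < len(old) else None
            n = new[i] if i < len(new) else None
            yield from diff_json(o, n, f"{path}[{i}]")
    elif old != new:
        yield (path, old, new)


def policy_changes(old: dict, new: dict, ignore_identity: bool = True) -> list[tuple[str, Any, Any]]:
    """Differences between two policies.

    With ignore_identity=True the fields that always differ after an import
    (the product assigns a new random GUID, and the name may be changed in the
    import dialog) are dropped so that only real configuration changes remain.
    """
    skip = {"$.policyId", "$.name"} if ignore_identity else set()
    return [d for d in diff_json(old, new) if d[0] not in skip]


if __name__ == "__main__":
    for path, before, after in policy_changes(DEFAULT_POLICY, CLONED_POLICY):
        print(f"{path}: {before!r} -> {after!r}")
```

Run it against two real export files by loading them with json.load in place of the constructed samples; the identity-field filter is the part to adapt if the product's key names differ from the placeholders used here.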
General Information
Name: Name of the scan policy.
Modules: Names of the enabled modules, that are defined in the scan policy.
General Operation

The three-dot button on each row allows you to perform the following operations on a scan policy:
Edit: Redirects the user to the Edit Scan Policy page, which allows the user to change all the configurations and specifications belonging to the scan policy.
Clone: Creates a duplicate of the selected policy with the same configurations, allowing you to edit and save it as a new policy.
Delete: Deletes the selected scan policy.
Policy Settings
The Create Policy and Edit Policy operations on the data table redirect the user to the Edit Scan Policy page shown below:

The scan policy page consists of three configuration tabs: General, Vulnerability, and Tier 0 Assets.
The General Configurations tab allows the user to:
Define which scan modules are enabled or disabled in scans run with this policy.
Define exclusions, that is, which assets are not included in scans run with this policy.
The definitions of the scan modules are given below.
Scan Modules
Active Directory Assessment: This module checks and validates vulnerabilities, misconfigurations, and attack paths on each Active Directory asset and on the relations between these assets. Because this module is the core component of the engine, it is mandatory. When it is the only enabled module in the scan policy, the engine communicates only with the domain controllers of the Active Directory environment.
Network Security Assessment: This module enumerates network-related information such as SMB port status, Print Spooler service status, shared files, and the contents of GPO and GPP files. The collected information is used to check and validate vulnerabilities, misconfigurations, and attack paths caused by network services that are only detectable over network communication, such as sensitive information in files, MS17-010, BlueKeep, Zerologon, and SMB signing enforcement. It is an optional module. The engine communicates with each computer identified in the Active Directory environment.
Important Note:
The modules listed below require the Network Security Assessment module to be enabled.
Service-Based Security Assessment: This module identifies deficiencies in the authentication protocols of Active Directory. Deficiencies in the Kerberos and NTLM authentication protocols, such as the CVE-based Drop the MIC attacks, can be identified with the help of this module. It is an optional module. The engine communicates with each computer identified in the Active Directory environment.
Session Enumeration: This module enumerates active sessions on computers. With its help, questions like which users have sessions on which machines can be answered. In addition, tier model violations caused by sessions between entities that belong to different tiers can be easily identified. It is an optional module. The engine communicates with each computer identified in the Active Directory environment.
Local Entity Enumeration: This module enumerates local users, local groups, and the membership relations between local and domain entities. In addition, it reveals the privileges of these entities to execute DCOM, PowerShell, or RDP, as well as the local admin and group-delegated local admin paths on these computers. It is an optional module. The engine communicates with each computer identified in the Active Directory environment.
ADCS Enumeration: This module collects Active Directory Certificate Services information such as certificate authorities, subordinate certificate authorities, exposed enrollment services, and certificate templates by enumerating both the Active Directory environment and the computers/servers that hold certificate services roles. It requires network communication to the certificate authority servers over HTTP, HTTPS, LDAP and other protocols, and remote registry read operations, to reveal the different attack vectors.
Coercion Enumeration: This module collects data on coercion-related vulnerabilities from online computers in the network. When this module is disabled, coercion-related vulnerabilities are not shown on the Issues page.
Share Audit Enumeration: This module audits publicly accessible SMB shares across all online computers to locate regex-based secrets, including clear-text or improperly protected passwords, cryptographic keys, certificates, and configuration files that may contain sensitive credentials. The engine enumerates share listings, recursively samples file contents where permitted, and flags shares that Everyone can read or write. The module depends on the Network Security Assessment module and communicates with every computer identified in the Active Directory environment.
Tier0 Analysis: This module is an analytics-only component that builds comprehensive graphs showing the shortest feasible attack paths from Tier 2 assets to Tier 0 assets. Using the data produced by Active Directory Assessment, the engine performs graph-theoretical calculations (shortest-path, choke-point, and blast-radius analyses) without generating additional network traffic. The results help defenders visualize privilege-escalation routes, prioritize high-impact remediations, and measure the effectiveness of tier-segmentation strategies.
General Exclusions
Exclusions allow users to remove specific entities from the scan scope.

The following table describes the unique identifier for each entity type (see the description of the Identifiers):

Entity type              Unique identifier
Domain                   FSName
Computer                 FSName
User                     FSName
Group                    FSName
GPO                      FSName
MSA                      FSName
GMSA                     FSName
LocalUser                FSName
LocalGroup               FSName
OU                       FSName
Certificate Authority    FSName
Certificate Template     FSName
Hostname                 DNS hostname of the target client/server
IP                       IP address of the target client/server
IP Range                 IP address range of the target clients/servers
Important Note:
If there is no existing scan, or the entity you want to exclude has not been identified before, you can simply enter the FSName of the entity and Save. (See FSName formats)
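To make the identifier types in the table concrete, the following script applies a list of general exclusions to a set of discovered hosts and returns what remains in scope. It is an added example, not FSProtect's code: the exclusion and host records are constructed, the FSName values are placeholders rather than the product's real FSName format, and it assumes that FSName and Hostname matches are exact but case-insensitive and that an IP Range may be written either as a CIDR block or as "start-end".

```python
"""Scope filter applying general exclusions (FSName, Hostname, IP, IP Range) to hosts.

Added illustration, not FSProtect's code. Hosts and exclusions below are
constructed samples; FSName strings are placeholders, not the product's format.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Host:
    fsname: str    # placeholder FSName, assumed format
    hostname: str  # DNS hostname
    ip: str        # IPv4 or IPv6 address as text


def parse_ip_range(value: str) -> tuple[int, int, int]:
    """Return (ip_version, first, last) for a CIDR block or a 'start-end' range.

    Both bounds are kept as integers so membership is a simple comparison;
    the version is kept because v4 and v6 integers must never be compared.
    """
    if "-" in value:  # 'start-end' form (IPv6 text never contains '-')
        start_s, end_s = value.split("-", 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start.version != end.version or int(end) < int(start):
            raise ValueError(f"invalid IP range: {value!r}")
        return start.version, int(start), int(end)
    net = ipaddress.ip_network(value.strip(), strict=False)  # CIDR form
    return net.version, int(net.network_address), int(net.broadcast_address)


def build_matcher(exclusions: Iterable[tuple[str, str]]) -> Callable[[Host], bool]:
    """Compile (type, value) exclusions into a predicate that tells whether a host is excluded."""
    names: set[tuple[str, str]] = set()
    ips: set[ipaddress.IPv4Address | ipaddress.IPv6Address] = set()
    ranges: list[tuple[int, int, int]] = []
    for kind, value in exclusions:
        if kind in ("FSName", "Hostname"):
            names.add((kind, value.strip().lower()))  # assumed: case-insensitive exact match
        elif kind == "IP":
            ips.add(ipaddress.ip_address(value.strip()))
        elif kind == "IPRange":
            ranges.append(parse_ip_range(value))
        else:
            raise ValueError(f"unsupported exclusion type: {kind!r}")

    def is_excluded(host: Host) -> bool:
        if ("FSName", host.fsname.lower()) in names or ("Hostname", host.hostname.lower()) in names:
            return True
        addr = ipaddress.ip_address(host.ip)
        if addr in ips:
            return True
        return any(ver == addr.version and lo <= int(addr) <= hi for ver, lo, hi in ranges)

    return is_excluded


def in_scope(hosts: Iterable[Host], exclusions: Iterable[tuple[str, str]]) -> list[str]:
    """Hostnames that survive the exclusions, i.e. the hosts the scan would touch."""
    excluded = build_matcher(exclusions)
    return [h.hostname for h in hosts if not excluded(h)]


# Constructed sample exclusions, one per identifier type from the table above.
SAMPLE_EXCLUSIONS = [
    ("FSName", "FILE01$"),
    ("Hostname", "lab-ws07.corp.local"),
    ("IP", "10.0.9.15"),
    ("IPRange", "10.0.5.0/24"),
    ("IPRange", "192.168.50.10-192.168.50.20"),
]

# Constructed sample hosts; only DC01 and WS13 fall outside every exclusion.
SAMPLE_HOSTS = [
    Host("FILE01$", "file01.corp.local", "10.0.1.20"),
    Host("WS07$", "LAB-WS07.corp.local", "10.0.2.7"),
    Host("SRV09$", "srv09.corp.local", "10.0.9.15"),
    Host("WS11$", "ws11.corp.local", "10.0.5.200"),
    Host("WS12$", "ws12.corp.local", "192.168.50.15"),
    Host("DC01$", "dc01.corp.local", "10.0.0.10"),
    Host("WS13$", "ws13.corp.local", "192.168.50.21"),
]

if __name__ == "__main__":
    print(in_scope(SAMPLE_HOSTS, SAMPLE_EXCLUSIONS))
```

Note the boundary case in the sample: 192.168.50.21 stays in scope because the range is inclusive up to .20, and a reversed range such as 10.0.0.20-10.0.0.10 is rejected rather than silently matching nothing.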
Vulnerability Policies
Vulnerability-based scan policy configurations allow users to:
Enable or disable the control mechanism of each vulnerability.
Define threshold values for the supported vulnerabilities.
Define vulnerability-specific exclusions to ignore a vulnerability on a specific entity or relation.

The search box, the Status radio buttons, and the Exclusion radio buttons can be used to filter or search for a specific group of vulnerability policies.
The checkboxes on the left-hand side of the list can be used to perform bulk operations on the selected vulnerability policies.
Allowed operations are:
Enable All: Enables the control mechanism of the selected vulnerability policies.
Disable All: Disables the control mechanism of the selected vulnerability policies.
Clear Exclusions: Deletes all defined exclusions of the selected vulnerability policies.

Vulnerability Exclusions
Vulnerability-based exclusions allow users to exclude or ignore detected vulnerabilities on specific entities or relations.
Vulnerability-based exclusions vary according to the type of vulnerability.
Vulnerability-based exclusions are categorized as:
Object Exclusions
Object To Object Exclusions
Object-Relation-Object Exclusions
Object Exclusions
Object-based exclusions are defined for vulnerabilities caused by issues on a single entity. The Inactive Users vulnerability is an example of this type.
To specify the entity, the FSName of the entity must be entered in the input field. If there is no existing scan, or the entity you want to exclude has not been identified before, you can simply enter the FSName of the entity and Save. Entering Any in the input field excludes all objects from this vulnerability; use it with care, since it suppresses every finding of that vulnerability.
The information tooltip shows the detailed definitions of the specifications.
The following figure shows how to define an exclusion for this type of vulnerability:

The following actions are available for an exclusion item:
Delete: Delete the selected exclusion item from the current vulnerability policy.
Clone: Duplicate the selected exclusion item within the current vulnerability policy.
Apply To Others: Apply (add or delete) the selected exclusion item to other vulnerability policies.
Object To Object Exclusions
Object-to-object exclusions are defined for vulnerabilities caused by the existence of a constant, specific relation between two objects. The Admin Sessions on Non-Domain Controller Servers vulnerability is an example of this type.
To specify the entities, the FSNames of the entities must be entered in the input fields. If there is no existing scan, or the entity you want to exclude has not been identified before, you can simply enter the FSName of the entity and Save. Entering Any in the input fields excludes all objects from this vulnerability; use it with care, since it suppresses every finding of that vulnerability.
The information tooltip shows the detailed definitions of the specifications, such as source and destination.
The following figure shows how to define an exclusion for this type of vulnerability:

The following actions are available for an exclusion item:
Delete: Delete the selected exclusion item from the current vulnerability policy.
Clone: Duplicate the selected exclusion item within the current vulnerability policy.
Apply To Others: Apply (add or delete) the selected exclusion item to other vulnerability policies.
Object-Relation-Object Exclusions
Object-relation-object exclusions are defined for vulnerabilities caused by the existence of dynamic and varied relations between two objects. (See Relations) The Dangerous Access Control Entries on Users vulnerability is an example of this type.
To specify the entities, the FSNames of the entities must be entered in the input fields.
To specify the relation, the relation name of the relation between the entities must be entered in the input field.
If there is no existing scan, or the entity or relation you want to exclude has not been identified before, you can simply enter the FSName of the entity and Save. Entering Any in the input fields excludes all objects from this vulnerability; use it with care, since it suppresses every finding of that vulnerability.
The information tooltip shows the detailed definitions of the specifications, such as source, destination and relation.
The following figure shows how to define an exclusion for this type of vulnerability:

The following actions are available for an exclusion item:
Delete: Delete the selected exclusion item from the current vulnerability policy.
Clone: Duplicate the selected exclusion item within the current vulnerability policy.
Apply To Others: Apply (add or delete) the selected exclusion item to other vulnerability policies.
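The three exclusion categories differ only in how many fields an exclusion carries (object; object and target; object, relation and target), and Any acts as a wildcard in whichever field it is entered. The script below shows the matching semantics over a list of findings for the three example vulnerabilities named above. It is an added example, not FSProtect's code: the findings and exclusions are constructed, the object names are placeholders rather than real FSName values, the relation names (ForceChangePassword, GenericAll) are placeholders rather than the product's relation names, and it assumes that object and relation matches are case-insensitive.

```python
"""Suppression of findings by vulnerability-specific exclusions with an Any wildcard.

Added illustration, not FSProtect's code. Findings, exclusions, object names
and relation names below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

ANY = "Any"  # wildcard value accepted in any exclusion input field


@dataclass(frozen=True)
class Finding:
    vulnerability: str
    obj: str                        # single object, or the source object of a relation
    target: Optional[str] = None    # destination object (object-to-object and object-relation-object)
    relation: Optional[str] = None  # relation name (object-relation-object only)


@dataclass(frozen=True)
class Exclusion:
    vulnerability: str
    obj: str
    target: Optional[str] = None
    relation: Optional[str] = None

    @property
    def category(self) -> str:
        """Exclusion definition type, derived from which fields are present."""
        if self.relation is not None:
            return "object-relation-object"
        if self.target is not None:
            return "object-to-object"
        return "object"


def _matches(pattern: Optional[str], value: Optional[str]) -> bool:
    """One field: absent on both sides, or Any, or a case-insensitive exact match (assumed)."""
    if pattern is None or value is None:
        return pattern is None and value is None
    return pattern == ANY or pattern.lower() == value.lower()


def is_suppressed(finding: Finding, exclusions: Iterable[Exclusion]) -> bool:
    """True when some exclusion for the same vulnerability matches every field of the finding."""
    return any(
        ex.vulnerability == finding.vulnerability
        and _matches(ex.obj, finding.obj)
        and _matches(ex.target, finding.target)
        and _matches(ex.relation, finding.relation)
        for ex in exclusions
    )


def report(findings: Iterable[Finding], exclusions: Iterable[Exclusion]) -> list[Finding]:
    """Findings that would still be shown after applying the exclusions."""
    exclusions = list(exclusions)
    return [f for f in findings if not is_suppressed(f, exclusions)]


# Constructed exclusions: one per category. The third one uses Any as the target,
# so it suppresses the HelpDesk -> ForceChangePassword relation on every user.
SAMPLE_EXCLUSIONS = [
    Exclusion("Inactive Users", "svc_legacy"),
    Exclusion("Admin Sessions on Non-Domain Controller Servers", "adm_backup", "BACKUP01$"),
    Exclusion("Dangerous Access Control Entries on Users", "HelpDesk", ANY, "ForceChangePassword"),
]

# Constructed findings; those marked "kept" survive the exclusions above.
SAMPLE_FINDINGS = [
    Finding("Inactive Users", "svc_legacy"),                                                     # suppressed
    Finding("Inactive Users", "jdoe"),                                                           # kept
    Finding("Admin Sessions on Non-Domain Controller Servers", "adm_backup", "BACKUP01$"),        # suppressed
    Finding("Admin Sessions on Non-Domain Controller Servers", "adm_backup", "WS05$"),            # kept
    Finding("Dangerous Access Control Entries on Users", "HelpDesk", "jdoe", "ForceChangePassword"),  # suppressed
    Finding("Dangerous Access Control Entries on Users", "HelpDesk", "jdoe", "GenericAll"),      # kept
    Finding("Dangerous Access Control Entries on Users", "Interns", "jdoe", "ForceChangePassword"),   # kept
]

if __name__ == "__main__":
    for f in report(SAMPLE_FINDINGS, SAMPLE_EXCLUSIONS):
        print(f)
```

An exclusion of Exclusion("Inactive Users", ANY) suppresses both Inactive Users findings and nothing else, which is the effect the Any wildcard has in the product's input field; a wildcard in the relation field of an object-relation-object exclusion likewise hides every relation between the two objects, so review such entries before saving them.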
Apply To Others
The "Apply to Others" button allows you to add the selected exclusion item to, or delete it from, other vulnerability policies that have the same exclusion definition type.
Before the selected exclusion item can be applied to other vulnerability policies, the current vulnerability policy must not have unsaved changes.
As an example, the following figure shows how to add the selected exclusion item from the "Dangerous Access Control Entries on Users" vulnerability policy to the "Dangerous Access Control Entries on Privileged/Admin Objects" vulnerability policy:

As another example, the following figure shows how to delete the selected exclusion item from the "Dangerous Access Control Entries on Privileged/Admin Objects" vulnerability policy:

Vulnerability Policy Export/Import
The vulnerability export/import functionality exports and imports only the vulnerability settings, that is, which vulnerabilities are enabled or disabled and the exclusions defined for them.

Exporting Vulnerability Policies
Navigate to the Vulnerability Policies section:
Go to the Vulnerability tab within the Policies section.
Click on the Export Vulnerability Policies button located at the top-right corner of the screen.
The system prompts you to download the exported file, which is in JSON format (e.g., Default Policy-vulnerability-policies.json).
Importing the Vulnerability Policy File
Click on the Import Vulnerability Policies button located at the top-right corner of the screen.
In the Import Policy dialog box, click on the "upload your policy file" area and select the JSON file containing the vulnerability policies.
After uploading the file, click "Save" to complete the import process.
Tier 0 Assets
Tier 0 Assets settings allow users to designate specific objects as Admin and Privileged. These selected objects will not be marked as Stealth Admin. When Organizational Units and Groups are chosen as Tier 0 Assets, all objects within them will also be classified as Tier 0 Assets.
