
PDF metadata: Title: Tenable Appliance 4.6 User Guide; Author: Tenable Network Security; Created Date: 10/17/2017 2:35:04 PM

How-to Guide: Tenable Nessus for Microsoft Azure

Last Updated: April 03, 2018


Table of Contents

How-to Guide: Tenable Nessus for Microsoft Azure 1

Introduction 3

Auditing the Microsoft Azure Cloud Environment 4

Provisioning Nessus BYOL from the Microsoft Azure Marketplace 14

Nessus Agent Scans of Microsoft Azure Cloud Instances 22

About Tenable 23

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.


Introduction

Tenable Network Security is the first and only solution to offer security visibility, Azure cloud environment auditing, system hardening, and continuous monitoring so you can regain visibility, reduce attack surface, and detect malware across your Microsoft Azure deployments. This document describes how to deploy the following Tenable solutions to help ensure a secure and compliant Microsoft Azure cloud environment:

• Auditing the Microsoft Azure Cloud Environment

• Nessus BYOL (Bring Your Own License) Scanner

• Nessus Agent Scans of Microsoft Azure Cloud Instances

With more than one million users, Nessus is the world's most widely deployed vulnerability, configuration, and compliance assessment product. Nessus prevents attacks by identifying the vulnerabilities, configuration issues, and malware that hackers could use to penetrate your network. It is as important to run these assessments in Microsoft Azure as it is in any other IT environment.

Please email any comments and suggestions to [email protected].


Auditing the Microsoft Azure Cloud Environment

Tenable offers the ability to audit the Microsoft Azure Cloud environment to detect misconfigurations within the cloud environment and with account settings. Audits can be performed using Tenable.io, Nessus Manager, or a standalone Nessus scanner. No pre-authorization is needed from Microsoft to perform the audit, but a Microsoft Azure account is required.

In order to perform an audit of the Microsoft Azure cloud environment, Nessus will need a Microsoft Azure Client ID. To obtain a Client ID, navigate to Microsoft Azure (https://manage.windowsazure.com) and log in.

1. Once logged in to the Microsoft Azure portal, click Azure Active Directory (highlighted below) in the left-hand menu.

2. Click App registrations (highlighted below).


3. To add a new application, click New Application Registration (highlighted below).

4. Under the Create section (highlighted below), enter a descriptive Name for the application. Next, click the Application Type drop-down and select Native. Enter a Redirect URI and then click Create to finalize the settings.


5. A success message will display at the top of the page stating that the new Application has been created.

6. Double-click on the newly created application to display its details. Copy the Application ID (highlighted below). This information will be used to complete the audit configuration with Nessus.


7. Click Settings (highlighted below) under the Test Application section and then click Required permissions (highlighted below).

8. Under the Required Permissions section click + Add (highlighted below).


9. Click Select an API (highlighted below) from within the Add API access section. Once selected, the Select an API options will appear. Highlight Windows Azure Service Management API and click Select (highlighted below).

10. Check the box next to Access Azure Service Management as organization users (preview) (highlighted below) to enable the permissions. Once enabled, click Select.

11. Once the permissions have been enabled, click Done (highlighted below) to finalize the settings.

12. Log in to Nessus and click New Scan.


13. Select the Audit Cloud Infrastructure template.

14. Enter a descriptive name for the scan and then click Credentials.


15. Click the + next to Microsoft Azure to open the Credentials options.

16. Enter your Microsoft Azure Username and Password, Client ID (Application ID), and Subscription IDs into the appropriate boxes. Leave the Subscription IDs box blank if you want to audit all of your Azure subscriptions.


17. Click Compliance and expand the Microsoft Azure option. Tenable offers three pre-configured compliance checks and also provides the ability to upload a custom Azure audit file. Click the + next to each compliance check you want to add to the scan. If you choose to add a custom audit file, click Add File and select the file to upload. Once the compliance checks are added, click Save or click the drop-down arrow next to Save and select Launch to initiate the scan.

Note:

Microsoft Azure Best Practices – Infrastructure: This audit file implements a set of general best practices for Microsoft Azure infrastructure items including Principals, Virtual Networks, Certificates, and Virtual Machines.

Microsoft Azure Best Practices – Websites: This audit file implements a set of general best practices for Microsoft Azure Website items including Website Status, SSL Status, and recent Site modifications.

Microsoft Azure Best Practices – Databases: This audit file implements a set of general best practices for Microsoft Azure items including Database Configuration, Audit Events, and Recoverable Databases.

For additional information on configuring Nessus scans, please refer to the Nessus User Guide.


Provisioning Nessus BYOL from the Microsoft Azure Marketplace

The Nessus BYOL is an instance of Nessus installed within Microsoft Azure that allows scanning of the Azure cloud environments and instances. Nessus BYOL capabilities include web application scanning and detection of vulnerabilities, compliance violations, misconfigurations, and malware.

Customers interested in leveraging Nessus BYOL to secure their environments and instances must first purchase a Nessus license either directly from the Tenable Store or from an authorized reseller. The license will provide an Activation Code to apply when provisioning Nessus from your Microsoft Azure account.

1. To provision a Nessus BYOL instance, go to Microsoft Azure (https://manage.windowsazure.com) and log in.

2. Click the green + (highlighted below) to open the Azure Marketplace.

3. Enter Tenable in the search box (highlighted below) and the Tenable Nessus (BYOL) instance should appear below.


4. Click Tenable Nessus (BYOL) to open the instance details. Choose an option under Select a deployment model and click Create to begin deployment of the Nessus BYOL virtual machine.


5. Enter the configuration information on the Basics screen and click OK. Refer to Table 1 – Nessus BYOL Scanner Basics below for detailed information on each setting.


Table 1 – Nessus BYOL Scanner Basics (Option: Description)

Name: Descriptive name for the Nessus BYOL scanner

VM disk type: Select between SSD and HDD drives

User name: User account name used to access the Nessus BYOL scanner

Authentication type: Select SSH public key

SSH public key: Once generated, enter the SSH public key

Subscription: Select the subscription to which the virtual machine will be added

Resource group: Enter the name of a new Resource group or select an existing Resource group

Location: Select the geographical location for the virtual machine


6. Once the Basics information is entered, instance sizes and pricing are displayed. Scroll down to view all of the available options. Choose a desired virtual machine size by clicking on one of the displayed options and clicking Select (highlighted below).

7. On the Settings screen, enter the following information and click OK (highlighted below). Refer to Table 2 – Nessus BYOL Scanner Settings below for details.


Table 2 – Nessus BYOL Scanner Settings (Option: Description)

Storage accounts: Create or select a storage account type and select Standard or Premium disk type

Network: Create or select a virtual network where the Nessus BYOL will reside

Subnet: Assign Nessus BYOL to a subnet in the virtual network

Public IP Address: Option to create a public IP address so that the Nessus BYOL virtual machine is accessible outside the virtual network

Network security group: Enables firewall rules to control traffic to and from the Nessus BYOL virtual machine

Extensions: Adds new features, like configuration management or anti-virus protection, to your virtual machine

High availability: Provides redundancy by grouping two or more virtual machines in an availability set

Monitoring: Enable system diagnostics and create a diagnostics storage account to analyze the results

8. You are now presented with offer details. Review, then click Purchase to buy the Nessus BYOL virtual machine you have configured.


9. If you are deploying the instance into an Azure Virtual Network, you must ensure you can reach TCP port 8834 on an IP address associated with the instance. This will be needed to complete the configuration process, as well as for the use of the product.

10. Configure the instance and/or the Azure Virtual Network so that Nessus can communicate with Tenable servers; this is required for registration and plugin updates. If for some reason this is not possible, please refer to the Nessus User Guide regarding off-line updates.

11. Generally, you will connect to the public IP address (or external hostname) associated with an instance. If you are connecting to Nessus over a VPN to an Azure Virtual Network, it may be the private IP address. The IP addresses associated with the instance can be found under the virtual machine Settings.

12. After the instance has initialized, open a browser and connect to the instance to complete the configuration. For example: https://<IP address or hostname>:8834

13. The following welcome screen will be displayed:

To complete the configuration, please refer to the Nessus User Guide.
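Steps 9 through 12 have the operator open a browser to a newly provisioned scanner, usually over its public IP address, before the scanner's self-signed certificate has ever been seen. The Python script below is an added example, not Tenable's code: it checks that TCP 8834 (the port named in the guide) is reachable, records the SHA-256 fingerprint of the certificate the instance presents so it can be pinned and compared on later connections, and checks outbound reachability to Tenable update servers. The update hostnames and the sample address are assumptions, not values from the guide.

```python
"""Pre-flight checks for a freshly provisioned Nessus BYOL instance.

Added example, not part of the Tenable guide. Port 8834 comes from the guide;
the Tenable update hostnames and the sample target address are assumptions.
"""
import hashlib
import socket
import ssl
from typing import Dict, Optional

NESSUS_PORT = 8834  # web UI / API port named in the guide
# Assumption: hosts the scanner must reach for registration and plugin updates.
TENABLE_UPDATE_HOSTS = ("plugins.nessus.org", "cloud.tenable.com")


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER certificate,
    the form browsers and `openssl x509 -sha256 -fingerprint` display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_cert_der(host: str, port: int = NESSUS_PORT, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate the scanner presents, without trusting it.
    Chain verification is disabled deliberately: the default Nessus certificate
    is self-signed, so the value an operator pins is the fingerprint, not a CA."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def preflight(host: str, expected_fp: Optional[str] = None) -> Dict[str, object]:
    """Run the checks behind steps 9-12: UI port reachable, certificate matches
    the pinned fingerprint (if one is known), update servers reachable on 443."""
    result: Dict[str, object] = {"ui_reachable": tcp_reachable(host, NESSUS_PORT)}
    if result["ui_reachable"]:
        fp = sha256_fingerprint(fetch_cert_der(host))
        result["fingerprint"] = fp
        # First contact: no pin yet, so record the fingerprint and report it as seen.
        result["fingerprint_ok"] = expected_fp is None or fp == expected_fp.upper()
    result["update_servers"] = {h: tcp_reachable(h, 443) for h in TENABLE_UPDATE_HOSTS}
    return result


if __name__ == "__main__":
    import json
    import sys

    # Constructed sample address (TEST-NET-1); pass the real instance IP as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(json.dumps(preflight(target), indent=2))
```

Run it once after the instance initializes and again after any redeployment; a changed fingerprint on the same address is the signal to stop and investigate before entering the activation code.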

Note: Prior to scanning, you must request permission to conduct vulnerability and penetration testing on instances in the Microsoft Azure cloud environment. Please visit the following page to review the approval process and to submit a testing request: https://security-forms.azure.com/penetration-testing/terms.


Nessus Agent Scans of Microsoft Azure Cloud Instances

Tenable's Nessus Agents provide the ability to perform local scans on instances within the Microsoft Azure cloud environment. Nessus agent scans, which are configured, managed, and updated through Tenable.io or Nessus Manager, help identify vulnerabilities, compliance violations, misconfigurations, and malware.

Nessus Agents are downloaded from the Tenable Support Portal, installed on an instance running in the Microsoft Azure cloud environment, and then linked to Tenable.io or Nessus Manager.

Note: Agents can be installed on your target(s) manually, via Group Policy, SCCM, or other third-party software deployment applications.

Nessus Agents are linked to Tenable.io or Nessus Manager in the same manner as linking to a secondary scanner. Prior to installing Nessus Agents, you must acquire the Agent Key from within Tenable.io or Nessus Manager.

1. To acquire the Agent Key, log in to Tenable.io or Nessus Manager and go to Settings.

2. Select Agents under the Scanners section, and then select Linked.

3. A key will be generated that is used as a shared secret for the Nessus Agents to link to the scanner.

For more information on installing and configuring Nessus Agents refer to the Nessus User Guide.


About Tenable

Tenable transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization. Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. With more than one million users and more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable's customers range from Fortune Global 500 companies, to the U.S. Department of Defense, to mid-sized and small businesses in all sectors, including finance, government, healthcare, higher education, retail, and energy. Transform security with Tenable, the creators of Nessus and leaders in continuous monitoring, by visiting tenable.com.
