Set Up Windows Authentication

Create Windows records to allow our service to authenticate to your Windows hosts at scan time. Running authenticated scans gives you the most accurate results with fewer false positives. To create Windows records, go to Scans > Authentication and then go to New > Operating Systems > Windows.

Login Credentials

Use an account with administrator privileges (local administrator or Windows domain administrator) for the most accurate security assessment and recommended fixes for your system. This allows the scanning engine to collect information based on registry keys, administrative file shares (such as C$) and running services. With less than administrator privileges, the scan runs fewer checks and the results will not be as complete.


Domain Types

If you're using a domain account, enter the domain name and select the domain type.

NetBIOS, User-Selected IPs

When selected, we'll use NetBIOS to authenticate to IP addresses in the domain configuration. You enter IPs in the IPs section of the record. A single authentication record may be defined for an entire domain (tree) using this method.

NetBIOS, Service-Selected IPs

When selected, we'll use NetBIOS to authenticate to hosts in the domain using credentials stored on the domain. If trust relationships exist and the account's permissions are properly propagated, it's possible for us to authenticate to hosts which are not members of the same domain.

Active Directory

When selected, we'll use an Active Directory forest to authenticate to hosts in a certain domain within the framework. You'll need to enter a Fully Qualified Domain Name (FQDN). If "Follow trust relationships" is selected and trust relationships exist, we'll authenticate to hosts in other domains having a trust relationship with the domain you've defined in the record.


Trust Relationships

Are trust relationships supported?

Yes, our security service supports trust relationships in Windows domain logins. In other words, you can use credentials stored on one domain to authenticate to one or more hosts stored on another domain when trust relationships are present. This is done by the scan targets automatically, using pass-through authentication.

When to follow trust relationships

The "Follow trust relationships" setting (available with Active Directory domain type) is only intended for Small to Midsize businesses that have all of their domains in a single place (for example, a single office). This setting is NOT intended for Enterprise customers with hundreds of domains spread over many locations with firewalls between them.

When this setting is enabled, the scanner needs access to ALL domain controllers of ALL domains in the forest which have a trust relationship with the domain used in the authentication record. If firewalls block the connections to those domain controllers, or block connections to the DNS servers resolving those domains, this can lead to authentication failures.


Authentication Protocols

Our scanners will attempt authentication to your target hosts using the authentication protocols selected in your record, starting with the most secure protocol and working down to the least secure. For domain level authentication, all three protocols are supported. For local host authentication, NTLMv2 and NTLMv1 protocols are supported.



IPs

Select the Windows hosts (IPs) you want to authenticate to using the login credentials defined for this record. Each IP may be included in one Windows record.

For domain level authentication, you only select IPs when domain type "NetBIOS, User-Selected IPs" is selected on the Login Credentials tab. All IPs specified in this section must be part of the domain configuration.

If you select "NetBIOS, Service-Selected IPs" or "Active Directory" on the Login Credentials tab, then the IPs section is disabled as you do not enter IPs in records for these domain types.
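The IP rules above can be checked before records are created. The following is an added example, not part of the service or its API: the record dictionaries, their field names and the sample values are hypothetical, addresses are assumed to be IPv4, and the FQDN test is a simple "contains a dot" heuristic.

```python
import ipaddress
from itertools import combinations

# Domain type names as shown on the Login Credentials tab.
USER_IPS = "NetBIOS, User-Selected IPs"
SERVICE_IPS = "NetBIOS, Service-Selected IPs"
ACTIVE_DIRECTORY = "Active Directory"

def to_span(spec):
    """Parse '10.0.0.5', '10.0.0.10-10.0.0.20' or '10.0.1.0/28' into (first, last) integers."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
    elif "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        first, last = net[0], net[-1]
    else:
        first = last = ipaddress.IPv4Address(spec)
    if first > last:
        raise ValueError(f"range is reversed: {spec}")
    return int(first), int(last)

def validate(records):
    """Return a list of problems found in a planned set of Windows records."""
    problems, spans = [], []
    for rec in records:
        title, dtype = rec["title"], rec.get("domain_type")  # None = local account record
        if dtype in (SERVICE_IPS, ACTIVE_DIRECTORY):
            if rec.get("ips"):
                problems.append(f"{title}: no IPs are entered for domain type '{dtype}'")
            if dtype == ACTIVE_DIRECTORY and "." not in rec.get("domain", ""):
                problems.append(f"{title}: Active Directory records need an FQDN")
            continue
        spans += [(*to_span(spec), title) for spec in rec.get("ips", [])]
    # Each IP may be included in one Windows record: compare spans from different records.
    for (lo1, hi1, t1), (lo2, hi2, t2) in combinations(spans, 2):
        if t1 != t2 and lo1 <= hi2 and lo2 <= hi1:
            lo, hi = ipaddress.IPv4Address(max(lo1, lo2)), ipaddress.IPv4Address(min(hi1, hi2))
            problems.append(f"{lo}-{hi} is in both '{t1}' and '{t2}'")
    return problems

# Constructed sample plan (titles, domains and addresses are made up).
SAMPLE = [
    {"title": "HQ servers", "domain_type": USER_IPS, "domain": "CORP", "ips": ["10.0.0.10-10.0.0.20"]},
    {"title": "Lab local admin", "ips": ["10.0.0.16/30", "10.0.5.7"]},
    {"title": "Forest", "domain_type": ACTIVE_DIRECTORY, "domain": "corp", "ips": ["10.0.9.1"]},
]

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)))
```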


SMB Options

SMB signing required - This option is unchecked by default, meaning SMB signing is not required. This is the recommended setting. When unchecked, we can authenticate to any Windows version regardless of how SMB signing is configured on the target. You are not protected, however, against man-in-the-middle (MITM) attacks.

Minimum SMB version - Select a minimum SMB protocol version, such as version 1, 2.0.2, 2.1, etc., and we'll require that each Windows target has that version or later. If the target has an older version of the SMB protocol, authentication will fail and the host will not be scanned.


Agentless Tracking

Select the option "Enable agentless tracking" to track the hosts in this record by host ID. During the scanning process, the service assigns a unique host ID to each target host.


Multiple Windows records

Add as many records as you like. We'll try to match each target host to one record.

WMI Service Configuration

Some compliance checks require that you set the WMI service to run securely by increasing the authentication level to Packet Privacy.