Training Labs
All Material contained herein is the Intellectual Property of Qualys and cannot be reproduced in any way, or stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the express written consent of Qualys, Inc.

Please be advised that all labs and tests are to be conducted within the parameters outlined within the text. The use of other domains or IP addresses is prohibited.
Contents

Introduction
Prerequisites/System Requirements
LAB 1: Account Setup (15-20 min.)
  Personalize Your Account
  Context Sensitive Help/Online Manual
  Add IP Assets to Your Account
LAB 2: KnowledgeBase Search List (15 min.)
LAB 3: Mapping (30 min.)
  Mapping Targets
  Add Mapping Target
  View and Use Map Results
  Additional Exercises
LAB 4: Assets (30 min.)
  Asset Group
  Asset Tagging
  AssetView
  Additional Exercises
  AssetView Dashboard
LAB 5: Vulnerability Scan (30 min.)
  Trusted Scanning
  Additional Exercises
LAB 6: Reporting (30 min.)
  High Severity Report
  Selective Vulnerability Reporting
  Patch Report
  Additional Exercises
LAB 7: User Management (10 min.)
  Create User Account
LAB 8: Remediation (15 min.)
A Final Note Account Setup
Contacting Support
Introduction

The Vulnerability Management application will provide you and your organization with the tools and features needed to successfully manage and mitigate vulnerabilities. When you complete all of the exercises in this lab document you will be able to:

1. Map the Network
2. Manage Host Assets
3. Scan the Network
4. Report on Scans
5. Manage User Accounts
6. Remediate Risk

Please do not skip any of the required lab exercise steps, as they will be needed to complete other lab exercises later. Some labs contain a section called Additional Exercises that can be performed any time, at your own convenience.
Prerequisites/System Requirements

To perform the exercises in this lab, you will need:

1. Qualys Account
2. Web Browser
Login to Qualys

Your Qualys instructor will provide you with a URL to download your demo account credentials.

1. Open the demo account file (yourName.pdf) provided by your Qualys instructor.
2. Record the USERNAME from this document and save it in a safe place (e.g., text document or password manager).
   **The period at the end of the sentence is NOT a part of the USERNAME.
3. Click the ONE TIME link to view the password page. The one time link is designed to prevent others from viewing your password information; it will not work a second time.
4. Record the PASSWORD from this document and save it in a safe place (e.g., text document or password manager).
5. Use the link provided in the password document to log in and activate your Qualys demo account.
6. Select the check box to accept the Service User Agreement and click the I Agree button.

A pop-up window will list the features and benefits provided by the New Data Security Model:

The New Data Security Model (NDSM) combines high performance disk encryption with Virtual Private Database (VPD) technology to ensure that your data is only visible and accessible to authorized users (i.e., users within your account subscription) that have valid authentication credentials. The NDSM also provides advanced productivity and detection features:

7. Click the Enable Now button.

Although the Quick Start steps will not be used in this lab, you can always display these steps again by clicking on your Qualys User ID (to the right of the Help button) and selecting the Quick Start Guide option.
1. Click on your Qualys User ID (located just to the right of the Help button) and select User Profile.

General Information

2. Change the First Name field and Last Name field to reflect your own name.
3. Update the E-mail Address field with your current e-mail address (all notifications and password reset information will be sent to the address you provide).

Notification Options

All notification options will be sent to the e-mail address specified in the General Information section.

4. Use the navigation pane (left) to select Options, and leave all Scan and Map options turned on.
5. Click the My reports radio button to activate notification for reports that you create.
1. Navigate to A) the Users section, click B) the Setup tab, and click C) the Security dialog.
2. Scroll down and ensure that the New Data Security Model has been enabled. Select the acceptance checkbox, if you have NOT yet enabled the NDSM.
3. Increase your Session Timeout value to the maximum (240 min.). This adjustment will help you to maintain an ACTIVE session throughout the entire training class.
4. Click the Save button, followed by the Close button.
1. Click on the Help button in the upper right hand corner, and select the Online Help option.

The Search option will help you to find specific topics, and provide links to helpful Qualys videos. The Contents option will provide you with a start-to-finish explanation of Vulnerability Application tasks and features.
Host IP Address
Host DNS Name
Host NetBIOS Name

The objective is to choose the tracking method for each host that provides the greatest consistency over time (i.e., the tracking method that does not change).

1. Navigate to 1) the Assets section, and then click on 2) the Host Assets tab.
2. Click the New button, and select the option to track each host by its DNS name. Tracking by DNS name will maintain host history data even if the IP address changes.
3. Click the Host IPs section (left navigation pane) and type the following IP address range into the IPs: field: 64.41.200.233-64.41.200.236 (DO NOT USE COPY AND PASTE).
4. Click the Add button, to add all four IP addresses to your account.

Important Notice about your student account

Using your student account, you have permission to scan only the demo IP addresses identified in this lab document. You do not have permission to scan any other IP addresses and/or web applications using your student account.

5. Click the OK button to acknowledge your scanning permission.

Best Practice - Before you start scanning with Qualys, always be sure to get approval to scan IP addresses and/or web applications. It is your responsibility to obtain this approval.
6. Navigate to 1) the Assets section, 2) the Host Assets tab, click the New button and select 3) NetBIOS Tracked Hosts. Tracking by NetBIOS name will maintain host history data even if the IP address changes.
7. Click the Host IPs section and type the following IP address ranges into the IPs: field: 64.41.200.231, 64.41.200.232, 64.41.200.237, 64.41.200.238 (DO NOT USE COPY AND PASTE).
8. Click the Add button, to add all four IP addresses to your account.
9. Click the OK button to acknowledge your scanning permission.
Add a Search List to an Option Profile, to perform a very accurate and precise vulnerability scan.
Add a Search List to a Report Template to create a Patch Report for High Risk vulnerabilities.
Create a Remediation Policy that automatically ignores Low Risk vulnerabilities, or assign Windows OS vulnerabilities to the Windows team lead, and set a deadline for timely patching.

1. Use your mouse to navigate to 1) the Search Lists tab, click 2) the New button, and 3) select the Import from Library option.
2. Click the top-level check box to select all lists in the library.
3. Click the Import button.

The Global option allows you to control the visibility of the objects you create or import. If you make an object Global it will be visible to other users (Scanners, Readers, etc.) within your Qualys subscription.

4. Click the Don't Make Global button.
3. In the Title section, give it the name Low Severity Vulns (Sev. 1 and 2) no patch.
4. Select List Criteria in the navigation pane. Scroll down and select the No Patch Solution check box. Vulnerabilities that do not have a patch solution typically take more time to mitigate, and therefore cost more to resolve than vulnerabilities that already have a patch.
5. Scroll down and choose Levels 1 and 2 for Potential Severities. Remember: while these vulnerabilities have a low impact individually, collectively they can lead to a potential compromise.
6. Save the List. This list of Low Impact vulnerabilities will provide a good resource later, when you build a Remediation Policy that demonstrates the steps for ignoring a list of vulnerabilities.
1. Go to the KnowledgeBase tab.
2. Click on the
3. Change the number of rows you can view to the maximum value.
Mapping Targets

Unless you manage a limited number of hosts, it is considered a best practice to map your network or enterprise architecture in small segments. You can accomplish this task using any of the basic mapping targets:

Asset Group
Domain
Netblock

Understanding the proper use of mapping targets will lead to the creation of successful map reports.
Asset Group

Although Asset Groups will be defined in detail later, within the Asset Management lab, a couple of key points are required here in the discussion of mapping:

Asset Groups only contain hosts that have already been added to your Vulnerability Management subscription.
The Domains and IPs checkboxes are used only when an Asset Group has been selected as a target.

Domain

Another target option for mapping involves using a domain name.

A domain name must be added to the Domains tab, before it can be used as a target for mapping.
Basic DNS reconnaissance is used to collect information from a domain target. Additionally, TCP, UDP, and ICMP probes are used to validate the DNS reconnaissance findings.
Netblock

A netblock must also be added to the Domains tab, before it can be used as a mapping target.
The "none" Domain is a special domain, used to add netblocks to the Domains tab.
Various probes such as TCP, UDP, and ICMP are used to locate LIVE hosts within the targeted netblock.
1. Navigate to the 1) Assets section, 2) Domains tab, click on the 3) New button and select the Domain option.
2. Add the following netblock to the Domains field: none:[64.41.200.231-64.41.200.250] DO NOT USE COPY AND PASTE (there is no blank space in the "none" domain).

The "none" domain can be used to target any netblock within your organization. Notice that the netblock listed above contains two more IP addresses than the number of IPs already within your subscription.

It is a Best Practice recommendation to add all reserved IP address netblocks (RFC 1918) to the "none" domain.
Launch Map

In the next few exercise steps, you will use the "none" domain target to create a Map Report of the hosts within the Qualys Training Network.

1. Use your mouse to navigate to the 1) Scans section, 2) Maps tab, click on the 3) New button and select the Map option.
2. In the Title field type: Qualys Training Network.
3. Leave the Option Profile set to: Initial Options (default).
4. Under Target Domains click the Select link just to the right of the Domains/Netblocks field.
5. Check the "none" Domain and click the Add button.
6. Click the Launch button to begin mapping.

It is normal for your map task to display the Queued status, before changing to the Running status.
1. To view your finished map results, open the Quick Action menu and select the View Report option.
2. Scroll down to the Results to view the hosts that were discovered.

Each host is identified by its IP address and name (DNS or NetBIOS). If Basic Information Gathering is enabled the map will also provide Router and OS information.

The columns that appear on the right side of the report are used to identify authorized hosts (A), scannable hosts (S), live hosts (L), and netblock hosts (N). A host is considered scannable if it has already been added to your Vulnerability Management subscription. The netblock symbol is only relevant when a netblock is selected as the mapping target.
3. Click the arrow icon

Notice there may be some host(s) that are outside of the IP range you mapped. They are not members of the target netblock. They have typically been discovered via traceroute. Hosts inside the IP range you mapped were discovered in various ways (common TCP ports, UDP ports, and/or ICMP).

Actions Menu

The Actions drop-down menu is provided to perform various actions on any host that appears in the Map Results. The key to using a map report is: 1) use a checkbox to select a host, 2) choose an action from the Actions menu, and 3) click the Apply button.

The next set of exercises will walk you through the steps of adding new hosts to your Vulnerability Management subscription, adding several hosts to a new Asset Group, and launching an initial vulnerability scan.
1. Place a check next to all ten hosts that are now in your Vulnerability Management subscription (64.41.200.231-64.41.200.240).
2. Use the Actions menu to select the Launch Vulnerability Scan action, and click the Apply button.
3. In the scan Title field type: Initial Vulnerability Scan.
4. Leave the Option Profile field and IPs/Ranges field set to their default values, and click the Launch button.
5. When the Scan Status window appears, click the Close button.
6. Close the Map Results (File > Close).
Additional Exercises

You may perform all Additional Exercises at your own convenience. Other lab exercises in this document are not dependent on the outcome of these exercises.

Scheduled Maps

You can use differential reporting to compare two maps to identify new hosts introduced into the network, as well as retired hosts that have been removed. Reporting like this relies on having regular snapshots of the network from which to make a comparison. The next lab steps are designed to schedule a Map Report to run every day.
1. Navigate to the 1) Scans section, 2) Maps tab, click the 3) New button and select the Schedule Map option.
2. Configure the schedule with the following details:
   Title: Daily Map
   Option Profile: Initial Options (default)
   Target Domains: none:[64.41.200.231-64.41.200.240]
   Scheduling: Start the scheduled task at a future date and time (time zone is required)
   Occurs: Daily
3. Click Save.
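
The comparison that daily map snapshots make possible, as an added example (not Qualys code and not part of the original lab): it diffs two snapshots to list new and retired hosts, and flags new hosts that are live inside the mapped netblock but not yet scannable. The column layout, host names and addresses are constructed for illustration; a real map download may be laid out differently.

```python
import csv
import io
import ipaddress

# Constructed snapshots of two daily maps. The column layout is an assumption
# that mirrors the A/S/L/N flags shown in the map results; a real map download
# may be laid out differently.
MAP_DAY_1 = """ip,name,approved,scannable,live,netblock
192.0.2.10,web01.example.test,1,1,1,1
192.0.2.11,db01.example.test,1,1,1,1
192.0.2.12,print01.example.test,0,1,1,1
"""

MAP_DAY_2 = """ip,name,approved,scannable,live,netblock
192.0.2.10,web01.example.test,1,1,1,1
192.0.2.12,print01.example.test,0,1,1,1
192.0.2.13,,0,0,1,1
192.0.2.14,build01.example.test,0,1,1,1
198.51.100.1,gw.example.test,0,0,1,0
"""

FLAGS = ("approved", "scannable", "live", "netblock")


def load_map(text):
    """Parse one snapshot into {IPv4Address: row}; a malformed IP raises ValueError."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        ip = ipaddress.IPv4Address(row["ip"].strip())
        host = {"name": row["name"].strip()}
        for flag in FLAGS:
            host[flag] = row[flag].strip() == "1"
        hosts[ip] = host
    return hosts


def diff_maps(old, new):
    """List hosts that appeared or disappeared between two snapshots."""
    added = sorted(set(new) - set(old))
    retired = sorted(set(old) - set(new))
    # New and live inside the mapped netblock, but not in the subscription:
    # no vulnerability scan will cover these hosts until someone adds them.
    unscanned = [ip for ip in added
                 if new[ip]["live"] and new[ip]["netblock"] and not new[ip]["scannable"]]
    # New hosts outside the target netblock (for example, hops found via traceroute).
    outside = [ip for ip in added if not new[ip]["netblock"]]
    return {
        "added": [str(ip) for ip in added],
        "retired": [str(ip) for ip in retired],
        "new_live_not_scannable": [str(ip) for ip in unscanned],
        "new_outside_netblock": [str(ip) for ip in outside],
    }


if __name__ == "__main__":
    report = diff_maps(load_map(MAP_DAY_1), load_map(MAP_DAY_2))
    for section, ips in report.items():
        print(f"{section}: {', '.join(ips) or '-'}")
```
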
3. While viewing the map results, click the File menu and select the Download option.

Experiment with different file formats. A CSV file can be easily imported into a spreadsheet.

4. While viewing the same map results, click the View menu and then select the Graphic Mode option.
5. Use the filters on the left to locate the Windows assets in the map results (right). Experiment with different OS options.
6. Click the icon over any host to view its information in the preview pane.

You can also toggle the Summary and Results tabs at the top of the window to view a list of assets discovered in the map.
Geographical location
Service provided
Device type or operating system
Responsible operational team
Asset owner
IP address
Business impact

Although the methods listed above are commonly used, it is important to recognize that every company is unique, and your company may choose to organize and manage its host assets using methods or techniques that others do not even consider.

The proper use of Asset Groups and Asset Tags will allow you to effectively organize and manage host assets within the Vulnerability Management application. Both Asset Groups and Asset Tags can be combined to accomplish numerous objectives, such as:

This lab will begin with a discussion of Asset Groups, continue with a discussion on Asset Tagging features and characteristics, and end with the use of AssetView. With AssetView's search capabilities, you can query your most up-to-date host data instantaneously in the Qualys Platform. It enables you to build dynamic, customizable dashboards which give you easy and immediate visibility into your IT and security data.
Asset Group

Asset Groups are the original mechanism for managing assets within the Vulnerability Management application. Asset Groups provide containers for collecting host assets. Simply create an Asset Group, give it a name that reflects its host members, and add the appropriate host IP addresses.

Here are some important characteristics of an Asset Group:

Used to assign access privileges (IPs, scanners, and domains) to individual user accounts.
Contain a Business Impact attribute that is used to calculate Business Risk.
Can be used as a target for mapping, scanning, reporting, and remediation.
A single host IP address can be a member of multiple Asset Groups.
Nesting one Asset Group inside another is not supported.*
Created and updated manually.*

* The last two items in this list will be addressed through the use of Asset Tags. Asset Tags are updated automatically and dynamically with every vulnerability scan. Asset Tag nesting is the recommended approach for designing functional Asset Tag hierarchies (parent/child relationships).

2. Use the Quick Actions menu to Edit the San Jose Asset Group.
To assign a domain to an individual user, the domain must first be associated with an Asset Group, and then the Asset Group must be assigned to the target user.

3. From the navigation pane click the Domains option and use the Available domains drop-down menu to associate the "none" domain with the San Jose Asset Group.

With the domain association complete, any user that receives access to the San Jose Asset Group will also receive access to the "none" domain (for mapping purposes).

Business Impact

Some hosts are more important than others. While both printers and database servers represent legitimate attack vectors within your network, your time is typically best spent fixing a critical vulnerability on your DBMS (one that could be used to steal critical data) rather than a vulnerability that can take a networked printer off-line. With this in mind, Asset Groups contain a Business Impact setting. Set it up now, and it'll pay dividends later under Reporting where we'll use it to identify real Business Risk.

4. From the navigation pane, select the Business Info option.
5. Use the Business Impact drop-down menu to change the San Jose Asset Group to Medium.
6. Click the View Link (just right of Business Impact).
Business Risk is the product of the Average Security Risk (represented by the various severity levels associated with each vulnerability) and the Asset Group's Business Impact setting. Notice that the vulnerabilities discovered on host assets that belong to an Asset Group with a Critical or High Business Impact setting will carry a higher Business Risk score than hosts in the San Jose Asset Group (Business Impact = MEDIUM), while vulnerabilities discovered on host assets that belong to Asset Groups with a Minor or Low Business Impact setting will carry a lower Business Risk Score.

7. Click the Close button.
8. Click the Save button to save your changes to the San Jose Asset Group.
1. From the Asset Groups tab click the New button and select the Asset Group option.
2. In the Asset Group Title field type: Server.
3. From the navigation pane select the IPs option, and click the Select IPs/Ranges link.
4. Click the Expand Range icon to view all IPs in your subscription.
5. Check the following IP addresses (6):
   64.41.200.232
   64.41.200.233
   64.41.200.235
   64.41.200.236
   64.41.200.239
   64.41.200.240
7. From the navigation pane select the Business Info option, and change the Business Impact field of the Server Asset Group to Critical.
8. Click the Save button to save the Server Asset Group.

The next new Asset Group will contain desktop computers that have a low impact.

1. From the Asset Groups tab click the New button and select the Asset Group option.
2. In the Asset Group Title field type: Desktop.
3. From the navigation pane select the IPs option, and click the Select IPs/Ranges link.
4. Click the Expand Range icon to view all IPs in your subscription.
5. Check the following IP addresses (4):
   64.41.200.231
   64.41.200.234
   64.41.200.237
   64.41.200.238
7. From the navigation pane select the Business Info option, and change the Business Impact field of the Desktop Asset Group to Low.
8. Click the Save button to save the Desktop Asset Group.

Three Asset Groups have been created: San Jose, Desktop, and Server. All three asset groups will automatically be converted into Asset Tags by the Qualys service (see Asset Tag section).
Asset Tagging

With IT and systems environments that are constantly fluctuating (e.g., mobile devices, virtualization, cloud-based services, remote employees, etc.) it's imperative to have a sound method to track host assets. Knowing what assets exist improves the chances of securing them.

Asset Tags were designed to provide a flexible, scalable, and dynamic solution to manage assets, based on scan results obtained using the Vulnerability Management application. As the Vulnerability Management application processes data from each scan, it will also automatically and dynamically add tags to various assets, and update or remove tags that already exist.

Asset Tags are organized into hierarchical structures, also known as parent/child relationships. A single host asset can simultaneously have multiple tags. For example, a host can have a tag because it's located in Chicago, it belongs to the 10.1.2.0/24 net block, and has SSH running on it.
Asset Search

During a scan, the Qualys scanning engine gathers information from targeted hosts, including each host's operating system, open ports, and active services. The Asset Search feature provides you with the ability to search through scan results and find hosts based on this type of information. This same feature can also be used to create tags.

1. Navigate to the 1) Assets section, and then click on the 2) Asset Search tab.
2. In the Search for section, type All in the Asset Groups field.

The All Asset Group is built-in to the Qualys platform, and contains all host assets that have been added to your Vulnerability Management subscription.
3. In the attributes section, select the Running Services checkbox and then select the smtp option to find all hosts running the Simple Mail Transfer Protocol (mail servers).
4. Click the Create Tag button.
5. Type Mail Server, when prompted to Enter a name for your Asset Tag and click the OK button.

Watch for the following pop-up message:
AssetView

AssetView is a free asset inventory service, providing a continuously updated inventory of asset details. It scales to millions of assets, and allows you to query data about those assets quickly and easily. It's a centralized spot for viewing all of your asset details, creating asset tags, querying asset data, and managing customizable dynamic dashboards, all within the Qualys Cloud Platform.

While the Asset Search feature in Vulnerability Management provides a simple way to create Asset Tags from within the Vulnerability Management application, the real power and benefit of creating custom Asset Tags is found within AssetView.

As you complete the exercises that follow, please note that some lag time may occur between the point where an Asset Tag is initially created and the point where it is eventually applied to its respective asset(s). The same lag time may exist between the point where a host is added to the Vulnerability Management application, and the point where it appears in the AssetView application.
1. From the Vulnerability Management application, use the application drop-down menu to switch to the AssetView application.

The landing page will be on the Dashboard section of AssetView. You will utilize Dashboards later in the lab.

2. Navigate to the Assets section and the Assets tab.

This page (i.e., Assets tab) of the AssetView application provides many useful pieces of information:

The same Tag Tree information can be accessed from the Tags tab.

3. Navigate to the Tags tab.
To take full advantage of the power and benefit of Asset Tagging, custom Asset Tags will now be created within the AssetView application.

Static Tag: Operating System

Many tag hierarchies begin with some type of static parent that serves as a placeholder for its dynamic children tags. This principle will be demonstrated with a static parent called: Operating System.

1. From the Tags tab, click the New Tag button.
2. Name this tag: Operating System.
3. Select the color of your choice.
4. In the Description field type: Operating System Hierarchy Parent Tag.
5. Click the Continue button.
6. Leave the Rule Engine field set to No Dynamic Rule. This is typical for top level tags that form the parent tag of a new hierarchy.
7. Click the Continue button, followed by the Finish button.

The Operating System tag should now be viewable in the Tag Tree. The steps that follow will add two children to the Operating System hierarchy. Both children will be nested under the Operating System parent, and both will use dynamic rules.
5. Click on the Operating System tag to select it as the Parent tag.
6. Click the Continue button.
7. Select the Operating System Regular Expression Rule Engine.
8. In the Regular Expression field, type windows and then select the Ignore Case check box.
9. Try testing this rule against host assets in your account. Hosts running the Windows OS should receive a positive result (green ball w/ check). All others should receive a negative result (red X).
10. Select the Re-evaluate rule on save check box.
11. Click the Continue button, followed by the Finish button.
5. Click on the Operating System tag to select it as the Parent tag.
6. Click the Continue button.
7. Select the Operating System Regular Expression Rule Engine.
8. In the Regular Expression field, type linux and then select the Ignore Case check box.
9. Try testing this rule against host assets in your account. Hosts running a Linux-based OS should receive a positive result (green ball w/ check). All others should receive a negative result (red X).
10. Select the Re-evaluate rule on save check box.
11. Click the Continue button, followed by the Finish button.

Any of the dynamic tagging rule engines can be used to automatically assign tags to host assets. While the demo lab has a limited number of hosts, imagine the benefit of using Asset Tags to manage hundreds, thousands, and even millions of dynamically changing host assets!
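
What the two regular-expression rules do when tested against hosts, as an added example rather than Qualys code: it applies the windows and linux patterns with and without Ignore Case and lists the hosts that neither rule tags. The child tag names, host addresses and OS strings are constructed, and unanchored matching is an assumption about the rule engine.

```python
import re

# Constructed OS strings keyed by host IP; real scan results will differ.
HOSTS = {
    "192.0.2.21": "Windows Server 2012 R2 Standard",
    "192.0.2.22": "Linux 2.6",
    "192.0.2.23": "Red Hat Enterprise Linux 6",
    "192.0.2.24": "Cisco IOS 12.4",
    "192.0.2.25": "",  # operating system not identified
}

# Hypothetical child tags under the static "Operating System" parent:
# tag name -> (regular expression, ignore_case), as typed in the lab steps.
RULES = {
    "Windows": ("windows", True),
    "Linux": ("linux", True),
}


def evaluate(rules, hosts):
    """Return {ip: [matching tag names]}. Unanchored search is an assumption."""
    compiled = {
        tag: re.compile(pattern, re.IGNORECASE if ignore_case else 0)
        for tag, (pattern, ignore_case) in rules.items()
    }
    return {
        ip: sorted(tag for tag, rx in compiled.items() if rx.search(os_name))
        for ip, os_name in hosts.items()
    }


def untagged(tags):
    """Hosts that no child rule matched: the gap to review after saving the rules."""
    return sorted(ip for ip, names in tags.items() if not names)


if __name__ == "__main__":
    tags = evaluate(RULES, HOSTS)
    for ip, names in tags.items():
        print(ip, names or "no OS tag")
    print("untagged:", untagged(tags))
    # Same pattern without Ignore Case: "windows" no longer matches "Windows ...".
    strict = evaluate({"Windows": ("windows", False)}, HOSTS)
    print("case-sensitive Windows matches:", [ip for ip, n in strict.items() if n])
```
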
How would you take advantage of the Asset Name Contains rule: does your company use standard naming conventions that identify host location, host owner, or other host attributes?
How would you take advantage of the Software Installed rule: would it be useful to know when new applications or services are added to an existing host?
How would you take advantage of the Vuln (QID) Exists rule: could you use this tag rule to quickly identify hosts that have the Heartbleed or Shellshock vulnerabilities?

Once Asset Tags have been applied to host assets, Smart Search within the AssetView application can be used to navigate through an ocean of host data, to locate a specific type of host.

The steps covered in this lab provide many different examples for managing and tracking host assets within your Qualys subscription. You now have many different choices when choosing targets for vulnerability scanning, reporting, and remediation tasks.
Additional Exercises

Search

AssetView provides a very powerful method to query all of your asset data in one location. You can search through all of the asset data obtained via your scans and Cloud Agents using its search capability. AssetView enables you to export your query results, view them in a topological graph, or build widgets from your queries in your own Dashboard.

1. Navigate to the Assets section and the Assets tab, to utilize AssetView's search capabilities.
2. Begin typing operatingSystem into the Search field.
3. Click on operatingSystem in the dropdown options you are provided.
4. Type
Windows
(without
quotes),
and
press
the
Enter
key
on
your
keyboard.
Your
results
from
your
search
will
be
provided
immediately.
5. Under
the
Group
asset
by
dropdown
menu,
select
Operating
Systems.
48
This will give you a breakdown of all of your different Windows Operating Systems based on information collected from your Vulnerability Management Scans and Cloud Agents.
6. Click the View Network Graph icon to view a topology of your assets from these search results. You can click on assets from within the graphical representation and view their details.
7. Once done viewing the graphic, close the topology view.
9. Give it a Search Title of "Windows Assets" and check the boxes next to "Add this search to your favorites" and "Share this search with others". This gives you the ability to come back to your searches you use often, without having to retype the whole search. By sharing with others, other users will also be able to use your saved query.
10. Click on Saved Searches and view your recently saved search.
11. Replace your existing search with the following query:
This will find all of your Linux systems that also have vulnerabilities where there is a patch available.
12. Click on Linux 2.6 to view your specific assets.
13. Use the Save As link to save this as "Patchable Linux Assets" as well as "Add this search to your favorites".
14. Click Save.
The capabilities of the search feature in AssetView are nearly endless. Use the Help menu to find all of the different Asset Search fields you can use to filter your data.
AssetView Dashboard

AssetView enables you to build unlimited, dynamic dashboards to view your IT and security data in many ways. Dashboards in AssetView will save you time because they will contain customizable, up-to-date views of your data without having to manage API scripts and spreadsheets. You can build as many dashboards as you need.
1. From within AssetView, click on the Dashboard section.
2. Click the New Dashboard button.
8. Click the link to create a custom widget.
9. Give it a title "Sev 4 and 5 Vulns by OS".
10. Enter the following query:
vulnerabilities.vulnerability.risk:40 or 50
The purpose of this query is to find hosts with vulnerabilities that have severity 4 or 5.
11. Click the Pie option, and the Show Labels checkbox.
12. Under the Categories/Rows click on operatingSystem and limit to Top 5.
13. Click the Add to Dashboard button.
14. View your new widget in your Dashboard.
1. Click back to the Vulnerability Management Application.
2. Navigate to the Host Assets tab (within the Assets Section).
3. Click the Expand Range icon to view individual IP addresses in your subscription.
Alternatively, you can create a Map Report and look for the hosts with the S symbol.
Trusted Scanning

It is a Best Practice to perform vulnerability scans with administrator or root level privileges. Qualys refers to these as Trusted Scans. Qualys can authenticate to numerous technology platforms. In this exercise, we'll create a Windows authentication record, a UNIX authentication record, and an Option Profile that uses them.
5. In the Login section, leave the radio button for Basic authentication selected.
6. Enter "qscanner" (omit quotes) in the User Name field and "abc1234!" (omit quotes) in the Password and Confirm Password fields.
7. Click the IPs tab, and assign the IPs for your Windows-based host devices (64.41.200.231, 64.41.200.232, 64.41.200.237, 64.41.200.238).
8. Click the Save button to complete the creation of your new Authentication Record.
4. Click the Login Credentials tab on the left hand side, and ensure the Basic authentication radio button is selected.
5. In the Login section, leave the radio button for Basic authentication selected.
6. Enter "qscanner" (omit quotes) in the User Name field and "abc1234!" (omit quotes) in the Password and Confirm Password fields.
7. Select Sudo from the Root Delegation drop down menu.
8. Click the IPs tab, and assign the IPs for your Unix-based host devices (64.41.200.233 64.41.200.236, 64.41.200.239, and 64.41.200.240).
9. Click the Save button to complete the creation of your new Authentication Record.
Authentication isn't enabled by default, and must be selected within an Option Profile.
9. Navigate to 1) the Option Profiles tab, click 2) the New button and select 3) Option Profile.
10. Enter "Custom Authentication" in the Title field.
11. Click Scan in the left navigation panel.
12. Locate the Authentication section and enable the Windows and Unix/Cisco authentication methods.
13. Click the Save button.
Launch Scan
1. Navigate to the 1) Scans section, 2) Scans tab, click the 3) New button and select the Scan option.
2. Enter the Title: "Custom Auth Scan".
3. Select the Option Profile you just created (Custom Authentication).
4. Under Targets select the Assets radio button.
5. Use the Select link to add both Desktop and Server Asset Groups as scanning targets.
6. Click the Launch button to launch the scan.
7. Click the Close button to close the Scan Progress window, when it is displayed.
The Scans tab lists running scans and stored scans. You can use the Quick Actions menu to cancel or pause running scans. To delete a scan, simply place a check in the box next to the Title, and choose the Delete option from the Actions button.
Although the Status column may display the Finished status, your scan results will not be available for use until the green circle icon turns into a green ball icon.

Storage

By default, the Qualys service deletes individual scan results from the Scans tab and Maps tab every six months. You may extend this up to a year, or reduce it to one month (Scans > Setup > Storage). To disable the auto delete feature, clear (remove) the appropriate checkbox.
Vulnerability Ratings

Scanning analyzes the security of your network devices using an Inference-Based Scanning Engine, an adaptive process that intelligently runs only tests applicable to the host being scanned.
Vulnerabilities (red)
Potential vulnerabilities (yellow)
Information (blue)
Configuration data

Potential Vulnerabilities

Two common classes of potential vulnerabilities include Denial of Service (DoS) and buffer overflow attacks. Qualys won't try an active test if that active test might deny service or introduce instability, so we can't actively test these. That said, many potential vulnerabilities can be promoted to straight-up vulnerabilities using authentication. These are labeled (red/yellow) in the Vulnerability Knowledgebase. When a normal (untrusted) scan includes a (red/yellow) vulnerability, Qualys can find conditions that flag the risk (e.g. SMB is enabled). When a trusted scan is performed (Qualys authenticates to the device), the registry is analyzed and other tests are performed. And in the scan results, Qualys identifies the issue as a confirmed vulnerability or a potential vulnerability.
Severity levels
Level 5: Remote root/administrator
Level 4: Remote user
Level 3
Level 2
Level 1: Basic information
Additional Exercises

You may perform all Additional Exercises at your own convenience. Other lab exercises in this document are not dependent on the outcome of these exercises.
10. Scroll to the end of the Option Profile and click Save.
You may now use this Option Profile to perform a vulnerability scan. The resulting scan report will only reflect the vulnerabilities identified in the Custom Search List attached to this profile.
3. Choose Low from the Overall Performance drop menu.
4. Close the performance window by clicking OK.
5. Save the Option Profile.
Notice the vulnerability status next to the action icon. The first time a vulnerability is found with the latest scan, the word "New" will appear in the report. Once a vulnerability has been discovered, its status will change to "Active" with each successive vulnerability scan. If the vulnerability has been fixed, the word "Fixed" appears. Also notice our tags appear within the report.
In the next steps, we will perform the actions to ignore a specific vulnerability for a single host device.
5. Click the icon for host 64.41.200.231 (Host Name: demo01.s02.sjc01.qualys.com) to display its vulnerability details.
6. Locate the severity 5 vulnerability called Microsoft SMB Remote Code Execution Vulnerability (MS09-001) and expand it.
7. Mouse-over the vulnerability.
8. Enter an appropriate reason, such as "This host will be decommissioned next week and thus will not be patched" and click the OK button.
It is important to note that steps 4 through 6 above will ignore the Microsoft SMB Remote Code Execution Vulnerability specifically for host IP address 64.41.200.231. Other host devices that have this same vulnerability (64.41.200.232 and 64.41.200.238) will not be affected by these actions.
3. From the left navigation tab click on the Findings, and use the Desktop Asset Tag as the target for this report.
4. From the left navigation pane, click the Display tab. In the Detailed Results section, choose the option to sort by vulnerability, and select the check box to include the Vulnerability Details.
5. From the left navigation pane, click the Filter tab. In the Selective Vulnerability Reporting section, click the Custom radio button, and then click the Add List button.
6. Select the Critical Vulnerabilities with Vendor Patches v.1 Search List.
7. Click the Exclude QIDs check box, and then click the Add Lists button.
8. Select the Adobe Vulnerabilities v.1 Search List. We will make the assumption here that a different administrator will handle the Adobe-related vulnerabilities.
9. Use the Test button again to test your new exclusion option.
10. Close the report and Save the report template.
Patch Report

The Qualys Patch Report identifies patches that fix detected vulnerabilities. The detailed results in the report include a table of QIDs that will be fixed by applying a missing patch, and links for patches are displayed if available. The most relevant patches are recommended for installation. The recommended patch may be broader in scope and it may fix more vulnerabilities than the QID associated with the vulnerability detection.
2. Choose New > Patch Report.
3. Under report title type "Online Patch Report".
4. Click the Select link next to the Report Template selection box.
5. Click on the Template Library tab and then select Critical Patches Required v.1 for the report template. Click the Import button.
6. Click the Make Global button to share this template with others. This enables other users in Qualys to use this template to report against the assets that have been assigned to them.
7. Select Online Report for the Report Format.
8. In the Asset Groups section type "All" and click Run.
9. When the report opens, click on the Sev column in the left pane (and sort most severe to least severe).
10. In the left pane, use the Title column, to click on the top patch in the list. Notice that the same patch might affect multiple hosts.
11. Click on the Title of other patches to see what hosts are impacted.
12. From the right pane, try clicking on the number of vulnerabilities (Vulns column) to display the vulnerabilities impacted by a patch.
13. To distribute this report to your system administrators, click File > Download (select PDF or CSV format).
Scorecard Report

Scorecard reports are part of the robust reporting mechanism within the Qualys environment. These reports provide the state of security within the enterprise. They are designed to assist IT line managers, Auditors, or the Board of Directors. Using the Vulnerability Scorecard, users can evaluate Business Risk by asset group or tag and establish acceptable Business Risk levels for the organization. Also, the same scorecard can be used to identify vulnerabilities by type, status and age.
1. Navigate to 1) the Reports section and 2) Reports tab. Click the New button and select 3) Scorecard Report option.
2. From the New Scorecard Report window, highlight Vulnerability Scorecard Report, and click the Edit link just below the Scorecard report list.
3. Click Report Source in the left navigation pane.
4. Select the Asset Tags radio button and add both Windows and Linux hosts.
5. Select the Any operator to target hosts that have any of the Asset Tags listed.
All: target only hosts that have all of the tags listed (AND equivalent).
Any: target hosts that have any of the tags listed (OR equivalent).
6. Click Filter in the left navigation pane.
7. Remove the default check mark from the Confirmed (Severity 5,4,3) option.
8. Click the Add List button (Included Search Lists:) and add Critical Vulnerabilities with Vendor Patches v.1 (these are the vulnerabilities that will be targeted in this report).
9. Click Display in the navigation pane, and change the Business Risk Goal to 20. The Business Risk Goal reflects your aversion or appetite for risk (based on a percentage of hosts that are vulnerable with the targeted QIDs, those in the Critical Vulnerabilities with Vendor Patches v.1 search list).
10. Click Save As and title the report "Adjusted Business Risk".
11. Select the Scorecard you just created (Adjusted Business Risk) and run the report with HTML as a format.
The report will show the percentage of Critical Vulnerabilities with Vendor Patches for each targeted Asset Tag. Passing values will display in green, failing values will display in red. You can continue to adjust the risk goal as you create different types of scorecard reports that target various hosts and different types of vulnerabilities.
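The scorecard logic described above can be reproduced offline to sanity-check what a report should show. The following is an added example, not Qualys code: it models the All/Any tag operators and the per-tag percentage of hosts carrying a targeted QID, compared against a goal of 20. The host list, the QID numbers, and the rule that a percentage equal to the goal passes are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Host:
    ip: str
    tags: set   # Asset Tags assigned to the host
    qids: set   # QIDs currently detected on the host


def select_hosts(hosts, tags, operator="any"):
    """Any: host carries at least one listed tag (OR). All: host carries every listed tag (AND)."""
    wanted = set(tags)
    if operator == "any":
        return [h for h in hosts if h.tags & wanted]
    if operator == "all":
        return [h for h in hosts if wanted <= h.tags]
    raise ValueError("operator must be 'any' or 'all'")


def scorecard(hosts, tags, targeted_qids, goal_pct=20.0):
    """Per tag: share of tagged hosts with at least one targeted QID, judged against the goal."""
    targeted = set(targeted_qids)
    rows = {}
    for tag in tags:
        tagged = [h for h in hosts if tag in h.tags]
        vulnerable = [h for h in tagged if h.qids & targeted]
        pct = 100.0 * len(vulnerable) / len(tagged) if tagged else 0.0
        rows[tag] = {
            "hosts": len(tagged),
            "vulnerable": len(vulnerable),
            "percent": round(pct, 1),
            # Assumption: a value equal to the goal still passes.
            "status": "pass" if pct <= goal_pct else "fail",
        }
    return rows


# Constructed sample data: documentation-range IPs and made-up QID numbers.
HOSTS = [
    Host("192.0.2.10", {"Windows", "Desktop"}, {1001, 2001}),
    Host("192.0.2.11", {"Windows"}, {2001}),
    Host("192.0.2.12", {"Windows", "Server"}, set()),
    Host("192.0.2.13", {"Windows"}, {2002}),
    Host("192.0.2.14", {"Windows"}, set()),
    Host("192.0.2.20", {"Linux", "Server"}, {1002}),
    Host("192.0.2.21", {"Linux"}, {1001, 1002}),
]
TARGETED_QIDS = {1001, 1002}  # stands in for the QIDs of the included search list

if __name__ == "__main__":
    for tag, row in scorecard(HOSTS, ["Windows", "Linux"], TARGETED_QIDS).items():
        print(tag, row)
```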
Additional Exercises

You may perform all Additional Exercises at your own convenience. Other lab exercises in this document are not dependent on the outcome of these exercises.

Executive Report

The Executive Report is a high-level trend report. It identifies changes to the vulnerability exposure of your network over time. Presently, you do not have an adequate amount of scan history in your demo account to produce an effective trend report. For this reason, an illustrated description of the Executive Report will be provided. When you have generated more scan data (after several days), feel free to return to this section to create an Executive Report.
You can create an Executive Report by selecting the Executive Report Template.
Vulnerability Status
The Filter tab of the Executive Report Template contains Vulnerability Status. With all Vulnerability Status filters selected, we can produce the graphic seen above. Most of these are obvious, but there's one hidden gem: Re-Opened. A re-opened vulnerability is a vulnerability that you previously fixed but has returned. Re-opened vulnerabilities are typically the result of re-imaging a host from an un-patched image, or using compensating controls (e.g., a firewall rule that blocks access to a vulnerable service) in the absence of patches. Also, it could represent a service that was recently enabled on a host device (like a web server).
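The New, Active, Fixed and Re-Opened statuses described in this lab can be traced across a series of scans with a small state tracker. This is an added example, not Qualys code: it is a simplified model of the status transitions, and it assumes a finding is only marked Fixed when its host was actually covered by the scan. The IP addresses and QID number are constructed.

```python
def track_status(scans):
    """Return the status of every (ip, qid) finding after each scan.

    scans: ordered list of dicts with
      "scanned":  set of IPs the scan covered
      "detected": set of (ip, qid) pairs the scan found
    """
    status = {}
    history = []
    for scan in scans:
        detected = scan["detected"]
        for key in detected:
            prev = status.get(key)
            if prev is None:
                status[key] = "New"          # first time the finding is seen
            elif prev == "Fixed":
                status[key] = "Re-Opened"    # previously fixed, now back
            else:
                status[key] = "Active"       # seen again on a successive scan
        for key in list(status):
            ip = key[0]
            # Only a scan that covered the host can show the finding is gone.
            if ip in scan["scanned"] and key not in detected:
                status[key] = "Fixed"
        history.append(dict(status))
    return history


def ever_reopened(history):
    """Findings that were Re-Opened at any point, e.g. hosts re-imaged from an unpatched image."""
    return sorted({k for snap in history for k, s in snap.items() if s == "Re-Opened"})


# Constructed scan history for two hosts and one made-up QID.
A, B, QID = "192.0.2.31", "192.0.2.32", 1001
SCANS = [
    {"scanned": {A, B}, "detected": {(A, QID), (B, QID)}},  # both New
    {"scanned": {A, B}, "detected": {(A, QID)}},            # A Active, B Fixed
    {"scanned": {B},    "detected": {(B, QID)}},            # B Re-Opened, A not scanned
    {"scanned": {A, B}, "detected": {(B, QID)}},            # A Fixed, B Active
]

if __name__ == "__main__":
    for number, snapshot in enumerate(track_status(SCANS), start=1):
        print("scan", number, snapshot)
    print("re-opened:", ever_reopened(track_status(SCANS)))
```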
Scheduled Reporting

Like with mapping and scanning, users have the ability to schedule reports to run automatically at a scheduled time, on a recurring basis. Users can also set options to notify select distribution groups when a report is complete and ready for viewing.

There are several report types that can be scheduled. You can schedule template-based scan reports (set to Host Based Findings source selection), scorecard reports, patch reports, template-based compliance reports and remediation reports. To create a new report schedule, go to Reports > Schedules and select the type of report you're interested in from the New menu. In the steps that follow, a new template-based scan report will be scheduled.
1. Within the Reports section, navigate to the Schedules tab.
2. If prompted, click the I Accept button to enable scheduled reporting.
3. Click the New button and select Scan Report > Template Based.
4. From the Report Details section, give your report a title, such as "Demo Scheduled Report".
5. For Report Template, click the Select link and select the Executive Report template.
6. For Report Format keep the selection for Portable Document Format (PDF).
7. In the Report Source section, leave the Asset Groups set to All.
8. Click the checkbox for Scheduling and Report Notification.
9. Leave today as your start date, and midnight (00:00) as your starting time.
10. Select (GMT-0800) United States (California): Los Angeles, San Francisco, San Diego, Sacramento as your time zone.
11. Set this scheduled report to occur every week (Weekly) on Friday.
12. In the Schedule Status section, please choose the check box to Deactivate this report.
13. Click the Schedule button to finish.
User Roles

User privileges are assigned and identified using various User Roles. Your Qualys student account has the role of Manager. The Scanner role carries the primary responsibility of mapping and scanning network resources. The Reader role carries the least privileges. They can create custom reports from existing scan and map data, but cannot launch scans or maps.

[Table: Privileges Summary for the Manager, Scanner and Reader roles; of its rows only "Create Reports" and the value "Optionally" survive.]
Under the Users section, click the Users tab.
1. Choose New > User...
2. Fill in the blank fields in the General Information section with your info. Use a valid email address that you can get to from the computer you are seated at.
3. Under the User Roles tab, choose Reader as your User Role.
4. Click Asset Groups in the navigation pane, and add the San Jose Asset Group to this account. Presently, access permissions are provided to user accounts, using Asset Groups. This includes scanning, reporting and remediation access privileges.
5. Click the Options tab and view the Notification Options.
6. Save the user; close the window.
Activate this account by looking at the email sent by Qualys, clicking on the link, and viewing the credentials. The link can only be clicked once, so make sure you save the credentials.
5. Under the Vulnerability Section, to the right, click on
6. Select the checkbox next to title, Confirmed Severity 4 + 5 and press the Ok button.
7. Assign these vulnerabilities to the user account you created in LAB 7, and enforce a 7-day deadline for patching and mitigation.
8. Save the rule by clicking the Save button.
3. Under the Actions tab, select the "Create Tickets set to Closed/Ignored" radio button.
4. Save the rule, close the window, and return to the Remediation Policies List.
5. Now that you have created Remediation Policies, you will need to launch another vulnerability scan to allow Qualys to automatically create remediation tickets.
6. Go ahead and launch a scan.
Dashboard

Because we've mapped and scanned, some information will be populated in our Dashboard.
1. Navigate to the Dashboard section.
2. Customize some items on the Dashboard by clicking on the Configure link.
2. Select the home page that best suits your needs, and click the Save button.
You may also need to determine if the lower privileged groups will be able to Close and Ignore tickets or allow them to Delete tickets; both can be allowed here.
The Security function under the Setup tab in the Users section allows for the more critical security settings for users and the service:
You may want to restrict which IPs have the ability to connect to your QG UI. For this reason, you can restrict access. You can also set password security, even allowing users to set their own passwords.
Finally, let's take a look at the Report Share section.
8. Navigate to the Setup tab in the Reports section, and click on Report Share.
9. Choose to Enable Secure PDF Distribution.
10. Click Save.
11. Now navigate to Reports and choose a new Technical Report.
12. Click Add Secure Distribution and choose an email to send your report to.
13. Run the Report.
Now when you generate a PDF report you'll have the chance to enter a list of email addresses that you'd like the report distributed to securely. As long as you have Adobe on your computer and you know the report password, you'll be able to pull up the report...OUTSIDE of Qualys.

These are the default values for Business Risk. As you can see, a level 5 vulnerability on a host whose Asset Group is of Critical importance is weighted 100 times greater than that of a level 1 vulnerability on a host whose asset group is of Low importance.
Contacting Support

Overview

Try as we may, inevitably you will need to contact support and we support you 24x7. With the Qualys interface, you will have all the necessary information at your fingertips. From the Qualys User Interface, click on Help and then Contact Support. You'll see our support center where you can find answers to your questions, learn from Qualys and other security professionals at our Community, submit support tickets. Scroll down to see our phone list with support contact numbers for your region.

So then, the question becomes: what information do you need to send to Qualys? Well, that can depend on the type of problems you are seeing.
False Positive

If you believe that you have identified a false positive, please provide us with additional information so that we can resolve the issue as quickly as possible. Please provide the following in this message:
Reasons you believe you have a false positive. Include steps you've taken to patch the system.
Was the issue reported during an authenticated scan? If yes, was the authentication successful? There are several appendices in your scan results that provide information related to authentication.
When was the vulnerability first detected? Have there been changes to the host since then?
For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan on the host. Do you grant permission for us to scan the host?
After receiving a ticket number from Support, send a follow-up email referencing the ticket number and attach the following items:
A packet capture of traffic to/from the affected service/port for its typical communications. (only if requested by DEV)
Additional information, such as a registry dump or a screenshot of the system showing that it is patched and not vulnerable.
False Negative

On very rare occasions we may produce a False Negative. If you believe this to be the case, please provide the following in your message:
Reasons you believe you have a false negative. Include steps taken to troubleshoot the issue.
When was the vulnerability last detected? Have there been changes to the host since then?
For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan on the host. Do you grant permission for us to scan the host?
After receiving a ticket number from Support, send a follow-up email referencing the ticket number and attach the following items:
A scan report of the scan that did not identify the vulnerability.
A description of the symptoms. When did the issue first appear? If the issue is reproducible, please provide steps to reproduce the issue.
Detailed information for each affected system, including: operating system version and patch level, IP address, the system's primary function and the location of the system on the network (i.e. behind a firewall, in DMZ or behind a load balancer).
Detailed information for each affected service, including: software name, exact version and build or patch level, the port number that the affected service is running on and whether the port is static or dynamic.
For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan on the host. Do you grant permission for us to scan the host?
After receiving a ticket number from Support, send a follow-up email referencing the ticket number and attach the following items:
A scan report of the scan that caused the service to stop responding.
A packet capture of traffic to/from the affected service/port for its typical communications.
# On a Windows system, you can run the free tcpview.exe and save the output. This program is available at: http://www.sysinternals.com/ntw2k/source/tcpview.shtml
# On a Linux system, you can run netstat -ntulp and save the output.
An image of the box is useful to help us reproduce the issue. For Windows machines, images may be created using MS Virtual PC (free). For *nix, VMWare may be used. If the host has custom software on it, then please also provide us with a copy of the software.

The IP configuration for the LAN interface (static or DHCP). For static configurations, include the IP address, netmask, gw, dns1, dns2, wins and domain.
If WAN is enabled, provide the IP configuration for the WAN interface. For static configurations, include the IP address, netmask, gw, dns1, dns2, wins and domain.
If proxy is enabled, identify the proxy software and list the proxy configuration. Indicate whether a username and password is used but do not send us the password.
How long is the timeout from when you hit Enter on "Really enable.." to when the "Network Error" message appears?
When you use a laptop with the same network configuration on the same network port, are you able to connect to the Qualys service at https://qualysguard.qualys.com?
Host Crash

Qualys scans are generally non-intrusive. If a scan has caused a host to crash then we will make resolving this issue a top priority. We are eager to work with you and any third-party vendors to quickly isolate and resolve the problem. Please provide the following in this message:
A description of the symptoms. When did the issue first appear? If the issue is reproducible, please provide steps to reproduce the issue.
Detailed information for each affected system, including: operating system version and patch level, IP address, the system's primary function and the location of the system on the network (i.e. behind a firewall, in DMZ or behind a load balancer).
For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan on the host. Do you grant permission for us to scan the host?
After receiving a ticket number from Support, send a follow-up email referencing the ticket number and attach the following items:
A packet capture of traffic to/from the affected service/port for its typical communications.
On a Windows system, you can run the free tcpview.exe and save the output.
On a Linux system, you can run netstat -ntulp and save the output.
An image of the box is useful to help us reproduce the issue. For Windows machines, images may be created using MS Virtual PC (free). For *nix, VMWare may be used. If the host has custom software on it, then please also provide us with a copy of the software.