Document Version: 2.2

Date: 2020-01-31

Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.


Purpose

This document provides users with a comprehensive overview of the Manage Users feature for OUTSCAN and HIAB. It has been written under the assumption that the reader has access to the OUTSCAN/HIAB account and the Portal Interface.

Introduction 

This document is a step-by-step configuration guide for setting up the OUTSCAN/HIAB solution according to best practice. It considers the size of the organization and explains why certain options are chosen over others, so that the recommended paths are justified.

Users

The users are defined within the Main Menu > Settings > Manage Users in the lower left corner of the screen. When selected, a window is displayed showing an overview of the tree structure of the already defined users. Should none be defined then the leftmost field would only state Top level.

When setting up multiple users it is always good to investigate how to group them, or perhaps to have them organize themselves. Users can be created with sub users (and sub sub users), where access rights are inherited from the parent user. This means that if a user can add targets, then that user may grant the same access to sub users (unless he/she is not allowed to administrate users).

Depending on the size of the organization there are different best practices, but the following apply to all of them:

  • Assign an individual account to every user – This is in order to get accountability. Users who understand that they have a personal account for which they are responsible will think before sharing it.
  • Set up a password policy within the solution that matches the one in your company.
  • Since this solution contains the discovered risks for your organization, if you have multiple password policies within your organization, choose the password policy accordingly.
  • Before adding the users, see if there is any additional information that you wish to have access to when managing the users, for example the business role, such as Sys admin, DBA, Manager or similar. The reason for this is that there is a role-based access system built into the tool, and not having a clear view of the role of each user may cause trouble later when the number of users grows.
  • Within the system you can also define another user to be a Super user. This allows you to share the responsibilities for the tool should any of you go on holiday or similar. Verify that this is present and working prior to going abroad, and communicate to the rest of the users of the tool whom they can turn to with questions.

Size of Organization

SMALL

Should the number of people operating the tool be 1-5, and all are working in a close group, then it may be justified that all the people with access to the tool are Super users. Of course, giving more access than required is not best practice, but setting too granular restrictions on users within a small group may cause issues within the group itself. However, should a manager need access, then that person can be created with access to the dashboard only and given read-only access to the tool, in order to prevent any unwanted changes.

MEDIUM

When there are personal responsibilities for targets (for example system owners), it is wise to define groups within the target management section, which you then assign as granted targets to the individual users. Depending on the size of the network this can be based either on the user itself or on a specific role. For example, in the picture below Jane Doe is a user and a DBA, so whenever a new database is added to the target group, or she becomes the owner of a new system, her access rights to that target are automatically extended once the target group is updated.

LARGE

In a complex organization it may be required to assign targets to specific teams instead, such as the Network Operational Center (NOC), the Security Operational Center (SOC), the Microsoft team or the Linux team. These teams can then be divided into smaller groups if required. Appoint a single person responsible for each team by the normal delegation of responsibilities within the user setup.

Cheat sheet – User

Best practice: Password policy defined
Goal: The password policy should reflect the company password policy for tools of the same kind.
In place? Yes / No / N/A

Best practice: Add additional information on users
Goal: Include the information before populating the users, for easier maintenance of a larger set of users.
In place? Yes / No / N/A

Best practice: Add an additional user with full rights
Goal: In larger organizations, have a stand-in for managing the tool in case an emergency occurs where the main point of contact can't be reached.
In place? Yes / No / N/A

Best practice: Define target assignment groups
Goal: These groups ease the management of multiple users within a group, without having to individually update each user when a new target is added to the vulnerability management program.
In place? Yes / No / N/A

Best practice: Enforce two-factor authentication
Goal: When 2FA is enabled, the user also needs to provide something they have (a one-time token), not just something they know (the password), which increases security.
In place? Yes / No / N/A

Best practice: Force password change on initial login
Goal: Enforce that users change their password once they log in for the first time. This forces users to define their own password, which must comply with the security policy defined in the tool, so that they do not keep a password you chose for them or an automatically generated one.
In place? Yes / No / N/A


Getting Started

There are two ways of launching your applications.

  • From OUTSCAN
  • From a HIAB

OUTSCAN

To launch the OUTSCAN application, navigate to https://outscan.outpost24.com.

Note

Use HTTPS protocol.

Login OUTSCAN


Log in using your credentials.

HIAB

To connect to a HIAB, use the assigned network address.

Note

Use HTTPS protocol.

Login HIAB

Log in using your credentials.

Go to Main Menu > Settings > Manage Users to access the Manage Users feature. This area allows for viewing and editing of all the users that you administer in the system.

Manage User Accounts 

The Manage User Accounts tab consists of the Groups tree and Users tree to the left, and a user grid to the right.

Groups 

The Groups section shows a hierarchical structure of the defined user groups. It enables you to categorize users into different groups.

Clicking any group displays the users which are included in that specific group.

See the Groups section for more information on how to manage groups.


MgnUser01


Filter: The Groups tree can be filtered by entering a partial or full name in the filter area at the bottom of the Groups tree section. This shows only the groups that match the filter string, and the parent accounts that are needed to show the hierarchy. Press the X icon to clear the filter and show all groups again.

Users 

In the Users section, the Top Level represents your account, and underneath it a hierarchical structure of all the users that you can administrate is displayed. The usernames are shown in this tree. To select any user, click on the username. This changes the user account grid to show only that user. Click the username again to deselect that user.

MgnUser02


Filter: The Users tree can be filtered by entering a partial or full name in the search bar located at the bottom of the Users section. This shows only the users that match the filter string, and the parent accounts that are needed to show the hierarchy. Click on the X button to clear the filter and show all users again.

MgnUser03

User Accounts Grid

The User Accounts grid shows detailed information about the users. It is possible to add or remove columns in this grid.

To add or remove columns:

  1. Click on the arrow ▼ beside any column name to view the drop-down menu.
  2. Choose Columns, and select the columns that you wish to add.  

MgnUser04

Below you find a list of the different columns available. 


Option

Description

Logons

Displays how many times the user has logged into the system.

2-Factor Authentication

What sort of 2-factor authentication the user is using.

Active

Whether the account is active or not.

Country

The user's country.

Created

The date and time when the account was created.

Email

The email address of the user.

Email Sent

The last time an information email or password recovery email was sent to the user.

Last logged on

When the user last logged into the system. If this entry is blank the user has still not logged into the system.

Name

The full name of the user.

Parent Account

The parent account of the user account. Top Level means that your account is the parent.

User Roles

The type of user roles assigned to the user.

Username

The username that the user logs into the system with.


Right clicking on a user brings up a context menu where specific actions on that user or view can be performed.


Option

Description

New

Opens the Create new user window.

Delete

Deletes the selected user.

Edit

Change details on the selected user.

Copy

Copies the selected user's base settings and opens a new user window where the general information needs to be filled in
(First name, Last name, Email, Mobile number, Country, Username and Password).

Export

Export all user accounts as a CSV or HTML file.

MgnUser05

  

Clicking on the expand icon, or double-clicking on a user, displays additional information about the user account.

MgnUser06
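The Export action above writes all user accounts to a CSV file, and the grid columns listed above (2-Factor Authentication, Logons, Last logged on, User Roles, Parent Account) are exactly the fields needed to check an account list against the cheat sheet in the Users section. The following script is an added example, not Outpost24 code: it reads such an export and reports the gaps. It assumes the CSV header uses the grid column names as shown in this document; the rows in SAMPLE_EXPORT are constructed sample data, and the "shared" name check is a heuristic of the example, not a product feature.

```python
"""Audit an exported user list against the cheat-sheet best practices.

Added example, not Outpost24 code. It assumes the CSV export uses the
column names shown in the User Accounts grid; the rows below are
constructed sample data, not a real export.
"""
import csv
import io
from typing import List, NamedTuple

# Constructed sample export (header names from the grid columns; values invented).
SAMPLE_EXPORT = """\
Username,Name,Active,2-Factor Authentication,Logons,Last logged on,User Roles,Parent Account
jdoe,Jane Doe,Yes,Google Authenticator,42,2020-01-20 09:12,DBA,Top Level
noc-shared,NOC Shared Account,Yes,None,310,2020-01-30 17:45,NOC,Top Level
mjones,Mark Jones,Yes,None,0,,,jdoe
old-admin,Former Admin,No,Mobile Security Code,5,2018-02-11 08:00,Administrator,Top Level
"""


class Finding(NamedTuple):
    username: str
    issue: str


def audit_users(csv_text: str) -> List[Finding]:
    """Return one Finding per cheat-sheet gap for each active account."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["Username"].strip()
        if row["Active"].strip().lower() != "yes":
            continue  # a deactivated account cannot log in, so there is nothing to enforce
        # "Enforce two-factor authentication": the column shows the 2FA method in use, or None.
        if row["2-Factor Authentication"].strip() in ("", "None"):
            findings.append(Finding(user, "2FA not enabled"))
        # A user without any granted role cannot perform any action (Create a User, step 6).
        if not row["User Roles"].strip():
            findings.append(Finding(user, "no user role granted"))
        # A blank "Last logged on" means the user has never logged in.
        if not row["Last logged on"].strip() or row["Logons"].strip() == "0":
            findings.append(Finding(user, "never logged in; review whether the account is still needed"))
        # Heuristic (assumption of this example): 'shared' in the name suggests a non-individual account.
        if "shared" in user.lower() or "shared" in row["Name"].lower():
            findings.append(Finding(user, "looks like a shared account; assign individual accounts"))
    return findings


def sub_users(csv_text: str, parent: str) -> List[str]:
    """List the usernames whose Parent Account is the given account."""
    return [row["Username"].strip()
            for row in csv.DictReader(io.StringIO(csv_text))
            if row["Parent Account"].strip() == parent]


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_EXPORT):
        print(f"{finding.username}: {finding.issue}")
    print("sub users of jdoe:", sub_users(SAMPLE_EXPORT, "jdoe"))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the sub_users helper makes it easy to check that a stand-in Super user exists directly under Top Level, and that sub users created by a delegated administrator are the ones you expect.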

Manage Users

Prerequisites

User Roles need to be created before the user, so that they are available for selection.
See User Roles for more information on how to create roles.

Create a User

To create a user:

  1. Click Main Menu > Settings > Manage User.
  2. In the Manage User Accounts window, select the User Accounts tab.
    The buttons at the top center of the screen are used to create, delete, or import users from LDAP/AD.

    CreateUser01

    Note

    The Import from LDAP/AD function is only available on HIAB. See LDAP/AD user guide for more information on setting up and mapping users in LDAP.

  3. Click + New to create a user.
  4. In the Maintaining User Account window, fill in the Account Details and Login Details.

    CreateUser02

    Note

    In the grid on the lower half of the Maintaining User Account window, the account access and rights can be further set up in the different tabs. Note that the tabs differ depending on your license.

    Account Details

    Option

    Description

    Parent Account

    Sets the parent account; can be used to create hierarchical structures.

    First name

    The first name of the user.

    Last name

    The last name of the user.

    Email

    The email address of the user.

    Mobile number

    The mobile number of the user.

    Country

    The country of the user.

    State

    The state of the user (only active if Country is United States).

    Email PGP public key

    Select PGP public key or click the + sign to upload a PGP key.

    • None
    • Unencrypted
    • [uploaded keys]

    Login Details

    Option

    Description

    Authentication
    (HIAB Only)

    Choose if the user credentials should be verified against the local database or the defined LDAP or Active Directory server.

    Username

    Enter a username.

    Password

    Enter a password, or generate a password using the password button. Passwords are generated according to the password policy located in the Security Policy tab under Main Menu > Settings > Account.

    See section Password Policy in Account Settings document for information on how to set password policies.

    Password again

    Confirm the password by re-typing it in this field.

    Require password change on next logon

    If enabled, forces the user to change his/her password the next time they log in to the system.

    2-Factor Authentication

    If enabled, you may set up the mode of authentication from here. Mobile Security Code or Google Authenticator can be used for authentication. The method available can be limited, depending on the options configured for two-factor authentication in the security policy.

    When Google authentication is selected, you will be asked to enter the credential ID which is used to set up the account.

  5. In the Account Settings tab you can deactivate an account and set the user's notifications.

    Option

    Description

    Active

    Activate or deactivate the account.

    Super User

    A user with Super User enabled has the same rights as the main account (which is unrestricted).

    Receive System Notifications

    When Super User is active, the user can receive system notifications, or have them deactivated.

    Allow Enroll HIAB

    Allow the user to enroll HIABs.

    Send Informative Email

    If Send Informative Email is activated, the system sends an email to the sub user when their account has been changed.

    Escalate tickets to

    The Escalate tickets to drop-down menu allows you to define who should receive any tickets assigned to this specific user that have not been resolved before their due date.
  6. Assign the user one or more Granted User Roles; otherwise the user will not be allowed to perform any actions in the system.
    For more information on how to create user roles, see User Roles.

    CreateUser03

  7. In the Granted Targets tab, you can define which targets and scanners (if enabled) the user should have access to.

    CreateUser04

    • Not all Targets Granted limits the target groups and targets a user can see and administrate. The target list feature should be used sparingly, since it creates an overhead in administrative tasks in the long run. The only time you should use this feature is when you would like to grant access to a whole IP range without having to define all targets within the system.
    • Granted Scanners limits which scanners the user has access to within the system. If All Scanners is selected then the user will also automatically have access to scanners which are added afterwards.
  8. Once the user has been set up, click Save.
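The reason the Size of Organization section recommends target groups, and the Granted Targets step above warns against per-user target lists, is how access is resolved when the inventory changes. The model below is an added example, not Outpost24 code: the class and function names are assumptions, and the hosts and group names are constructed sample data. It shows the effect described for Jane Doe the DBA: a new database added to her target group is visible to her at once, while a user granted the same hosts through an individual target list has to be updated by hand.

```python
"""Model of how Granted Targets resolve: target groups versus a per-user
target list. Added example, not Outpost24 code; names are assumptions."""
from typing import Dict, Iterable, Set

TargetGroups = Dict[str, Set[str]]  # group name -> set of target addresses


class GrantedTargets:
    """What a user may see: either all targets, or the union of the granted
    target groups plus any targets listed directly on the user record."""

    def __init__(self, all_targets: bool = False,
                 groups: Iterable[str] = (), target_list: Iterable[str] = ()):
        self.all_targets = all_targets
        self.groups = list(groups)           # resolved against the groups at access time
        self.target_list = set(target_list)  # frozen on the user record until edited


def effective_targets(grant: GrantedTargets, inventory: Set[str],
                      target_groups: TargetGroups) -> Set[str]:
    """Resolve the targets a user can currently see and administrate."""
    if grant.all_targets:
        return set(inventory)
    visible = set(grant.target_list)
    for name in grant.groups:
        visible |= target_groups.get(name, set())
    return visible & inventory  # a listed target that no longer exists grants nothing


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: a new database is added after the grants were made."""
    inventory = {"db01", "db02", "web01"}
    target_groups: TargetGroups = {"Databases": {"db01", "db02"}, "Web": {"web01"}}
    jane = GrantedTargets(groups=["Databases"])          # DBA granted via the target group
    bob = GrantedTargets(target_list=["db01", "db02"])   # same hosts, listed per user
    manager = GrantedTargets(all_targets=True)           # unrestricted, like a Super user

    # A new database is added to the system and to its target group.
    inventory.add("db03")
    target_groups["Databases"].add("db03")

    return {
        "jane": effective_targets(jane, inventory, target_groups),
        "bob": effective_targets(bob, inventory, target_groups),
        "manager": effective_targets(manager, inventory, target_groups),
    }


if __name__ == "__main__":
    for user, targets in demo().items():
        print(f"{user}: {sorted(targets)}")
```

With many users the difference compounds: every new target under a group-based scheme is one edit to the group, while a list-based scheme needs one edit per user that should see it, which is the overhead the Granted Targets step refers to.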

Groups

The Groups function enables you to bundle users together into simple groups, which are presented in the group grid.


Note

Roles cannot be applied to groups; roles can only be applied at the user level.

Create Groups

To create a new group, click the + New option, or right-click the All folder in the Groups tree and choose New.


To create a new subgroup, select a main group and click the + New option, or right click the group name and select New in the menu.

Manage Groups

Populate Groups

Once a group is created, it can be populated with users.

To populate a group:

  1. Select the users by pressing Ctrl + Left click on each user in the User Account grid and drag them to the designated group.


Note

A user can only be part of one group.

Moving Users Between Groups

Users can be moved freely between groups.

To move users to another group:

  1. Click the group where the user currently resides to list the group content in the User Account grid.
  2. Select the users by pressing Ctrl + Left click on each user you want to move. Then drag the user/users into the new group.

Note

Users connected to a top-level user are not moved together with that top-level user. Each user needs to be moved individually or as part of a selection.

Delete Groups

To delete a group, select the group in the Groups section and click the Delete option, or right-click the group and select Delete in the menu.


Note

Deleting a group does not delete the users within the group. They return to the All folder.

User Roles 

Create Roles

To create a user role:

  1. Click Main Menu > Settings > Manage User.
  2. In the Manage User Accounts window, select the User Roles tab and click + New.
  3. In the Maintaining User Role window, enter a Role Name.

    MgnUserRole01

  4. Select the various boxes to match the role being created.
  5. Click Save.

Maintaining User Role 

Option

Description

Role name

Every user role needs to have a given name to identify the role.

Read Only

The user will not be permitted to make any changes or create new items when this option is enabled.

LDAP/AD Group (HIAB only)

The LDAP/AD Group field is available if LDAP/AD is enabled on the HIAB. This user role is mapped to the defined group in LDAP/AD when the user logs in.

Target Management

MgnUserRole02

Option

Description

Administrate Targets/Target Groups

Allows the user to administrate targets and groups in the Manage Targets view.

Scan Scheduling

MgnUserRole03

Option

Description

Administrate Scheduling

Determines if the user can define and set up new scan schedules.

Force Target Group in Scheduling

Restricts the user to the already defined groups in the scheduling section. No manual targets can be entered in the targets tab.

Administrate Scanning Policies

Determines if the user can create, modify and remove scanning policies within the system.

Stop scans

If the user can administrate scan scheduling he/she will also be allowed to stop scans if this setting is enabled.

Reporting Tools

MgnUserRole04

The Reporting Tools field gives a user permission to view the reporting tools. If not enabled, the reporting tools are not shown to the user.

Option

Description

Mark False Positives

Allow the user to mark a finding as a false positive.

Risk Management

Allow the user to mark vulnerabilities as accepted risks and/or change the risk level for a finding.

Verify scan

Allow the user to perform verification scans. No scans will be deducted from the license when using this feature.

Receive Scan Results SMS Notifications

Enable the user to receive scan results as SMS.

Remove Scan Result

Allow the user to remove reports.

Receive Scan Results by Email

Enable the user to receive reports by email.

Access Dashboard

Allow the user to see the Dashboard.

 

Compliance Scanning

Note

Compliance Scanning is only visible if it is included in your license.

MgnUserRole05

The Compliance Scan field gives a user permission to view the Compliance Scanning module.
If not enabled, it will not be shown to the user.

Option

Description

Create/Edit Policies

Allow the user to Create/Edit policies.

Mark Exceptions

Allow the user to mark exceptions.

Answer Question

Allow the user to answer questions.

Approve Question

Allow the user to approve questions.

Web Application Scanning

Note

Web Application Scanning is only visible if it is included in your license.

MgnUserRole06

Option

Description

Administrate Scoping

Allow the user to administrate Scoping.

Access Reporting

Allow the user to access reporting.

Remove Scan Results

Allow the user to remove scan results. Access Reporting needs to be selected for this role.

Appsec Scale

Note

This section is only visible if you have an Appsec license.

Option

Description

Appsec Scale

Grants access to the Appsec module for the sub user.

SWAT

Note

This section is only visible if you have a SWAT license.

MgnUserRole08

Option

Description

Add Comment

Allows the user role to comment findings.

Request Verification

Allows the user role to submit verification requests.

Discussion

Allows the user role to discuss findings with the Outpost24 support.

Risk Management

Allows the user role to change risk levels and mark findings as accepted risks.

Scoping

Note

Outscan only

MgnUserRole09

Option

Description

Submit scoping request

Allows the user role to submit Appsec scoping requests.

PCI Management

Note

PCI Management is only visible if PCI Compliance scan is included in your license.

MgnUserRole10

Option

Description

Administrate Scoping

Allow the user to create, modify, or remove any scopes in this module.

Administrate Scheduling

Allow the user to start and stop PCI scans.

Access Reporting

Allow the user to view PCI reports.

Dispute Findings

If the user has Access Reporting, this option allows the user to dispute findings from the report.

Managed Reports

Note

This section is only visible if you have a Managed Reports license.

MgnUserRole11

Option

Description

Comment Reports

Allow users to add comments to reports.

Vulnerability Management

MgnUserRole12

Option

Description

Comment Vulnerability Database

Allow the user to create and edit comments in the vulnerability database.

User Management

MgnUserRole13

Option

Description

Administrate Accounts

Allow the user to administrate accounts.

Administrate User Roles

Allow the user to administrate user roles.

Ticket Management

MgnUserRole14

Option

Description

Manage Tickets

Allow the user to administrate tickets.

Grant All Tickets

Gives access to all internal tickets (if Manage Tickets is selected).

Audit Log Management

MgnUserRole15

Option

Description

Read Audit Logs

The user is able to read the auditing log.

License

MgnUserRole16

Option

Description

View License

Allow the user to view the License tab in Main Menu > Settings > Account.


HIAB Management (HIAB only)

Note

HIAB Management is only visible if it is included in your license.

MgnUserRole17

Option

Description

Administrate HIAB Server

Allow the user to restart the HIAB and set up HIAB settings such as backup and networking.

Attributes 

The Attributes tab is only available if attributes are set to active. See the Attributes section in the Account Settings document for information on how to set attributes.

Note

The tabs in the lower half of the window vary depending on your license.