Document Version: 2.2
© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.
This document provides users with a comprehensive overview of the Manage Users feature for OUTSCAN and HIAB. It assumes that the reader has access to the OUTSCAN/HIAB account and Portal Interface.
This document is a step-by-step guide for configuring the OUTSCAN/HIAB solution according to best practice. It considers the size of the organization and explains why certain options are chosen over others, in order to justify the paths that were chosen.
The users are defined within the Main Menu > Settings > Manage Users in the lower left corner of the screen. When selected, a window is displayed showing an overview of the tree structure of the already defined users. Should none be defined then the leftmost field would only state Top level.
When setting up multiple users, it is always good to investigate how to group them, or perhaps have them organize themselves. Users can be created with sub users (and sub sub users), where access rights are inherited from the parent users. This means that if a user can add targets, then that user may be able to grant that access to sub users (unless he/she is not allowed to administrate users).
Depending on the size of the organization there are different best practices, but the following apply to all of them:
- Assign an individual account to all users – This is in order to get accountability. Users who understand that they have a personal account for which they are responsible will think before sharing such an account.
- Set up a password policy within the solution that matches the one in your company.
- Since this solution contains the discovered risks for your organization, if you have multiple password policies within your organization, choose the password policy accordingly.
- Before adding the users, see if there is any additional information that you wish to have access to when managing the users, for example a business role such as Sys admin, DBA, Manager or likewise. The reason for this is that there is a role-based access system built into the tool, and not having a clear view of the role of the users may cause trouble afterwards when the number of users grows.
- Within the system you can also define another user to be a Super user. This allows you to share the responsibilities of the tool should any of you go on a holiday or likewise. Verify that this is present and working prior to going abroad, and communicate to the rest of the users utilizing this tool whom they can turn to with questions.
Size of Organization
If 1-5 people will be operating the tool and all are working in a close group, then it may be justified that all the people having access to the tool are Super users. Of course, giving more access than required is not best practice, but setting too granular restrictions upon users within a small group may cause issues within the group itself. However, should a manager have access, then that person can be created to only have access to the dashboard and given only read access to the tool in order to prevent any unwanted changes.
When you have personal responsibilities for targets (like system owners), it is wise to define groups within the target management section, which you then assign as granted targets to the individual users. Depending on the size of the network, this can either be based on the user itself or a specific role. For example, in the picture below, Jane Doe is a user and a DBA; whenever a new database is added to the target group, or if she becomes the owner of a new system, her access rights to that target will automatically be increased once the target group is updated.
In a complex organization it may be required to assign targets to specific teams instead, such as the Network Operational Center (NOC), Security Operational Center (SOC), Microsoft, or Linux team. These teams can then be individually divided into smaller groups if required. Appoint a single person responsible for the team by normal delegation of responsibilities within the user setup.
Cheat sheet – User
| Best practice | Goal | In place? |
|---|---|---|
| Password policy defined | The password policy should reflect the company password policy for tools matching the same | |
| Add additional information on users | Include information prior to population for easier maintenance of a larger set of users | |
| Add additional user with full rights | In larger organizations, have a stand-in for managing the tool in case an emergency occurs where the main point of contact can't be reached. | |
| Define target assignment groups | These groups ease the management of multiple users within the group without having to individually update each user when a new target is added to the vulnerability management program. | |
| Enforce two-factor authentication | When 2FA is enabled, the user also needs to provide information from something they have (one-time token) instead of just something they know (the password), thus increasing the security. | |
| Force password change on initial login | Enforce that users change their password to a new one once they log in for the first time. This allows you to force the users to define their own password, which complies with the security policy defined by the tool, and minimizes the impact of your preference or of the automatic randomization of generated credentials. | |
There are two ways of launching your applications.
- From OUTSCAN
- From a HIAB
To launch the OUTSCAN application, navigate to https://outscan.outpost24.com.
Note: Use HTTPS protocol.
Log in using your credentials.
To connect to a HIAB, use the assigned network address.
Note: Use HTTPS protocol.
Log in using your credentials.
Go to Main Menu > Settings > Manage Users to access the Manage Users feature. This area allows for viewing and editing of all the users that you administer in the system.
Manage User Accounts
The Manage User Accounts tab consists of the Groups tree and Users tree to the left, and a user grid to the right.
The Groups section shows a hierarchical structure of the defined user groups. The Groups section enables you to categorize users in different groups.
Clicking any group displays the users which are included in that specific group.
See the Groups section for more information on how to manage groups.
Filter: The Groups tree can be filtered by entering a partial or full name in the filter area at the bottom of the Groups tree section. This shows only the groups that match the filtering string, and the parent accounts that are needed to show the hierarchy. Press the X-icon to clear the filter and show all groups again.
In the Users section, the Top Level represents your account, and underneath it a hierarchical structure of all the users that you can administrate is displayed. The usernames are shown in this tree. To select any user, click on the username. This changes the user account grid to show only that user. Re-click to deselect that user.
Filter: The Users tree can be filtered by entering a partial or full name in the search bar, located at the bottom of the Users section. This shows only the users that match the filtering string, and the parent accounts that are needed to show the hierarchy. Click on the X button to clear the filter and show all users again.
User Accounts Grid
The User Accounts grid shows detailed information about the users. It is possible to add or remove columns in this grid.
To add or remove columns:
- Click on the arrow ▼ beside any column name to view the drop-down menu.
- Choose Columns, and select the columns that you wish to add.
Below you find a list of the different columns available.
Displays how many times the user has logged into the system.
What sort of 2-factor authentication the user is using.
Whether the account is active or not.
The users’ country.
The date and time when the account was created.
The email address of the user.
The last time an information email or password recovery email was sent to the user.
Last logged on
When the user last logged into the system. If this entry is blank the user has still not logged into the system.
The full name of the user.
The parent account of the user account. Top Level means that your account is the parent.
The type of user roles assigned to the user.
The username that the user logs into the system with.
Right clicking on a user brings up a context menu where specific actions on that user or view can be performed.
Opens the Create new user window.
Deletes the selected user.
Change details on the selected user.
Copies the selected user's base settings, and opens a new user where the general information needs to be filled in.
Export all user accounts as a CSV or HTML file.
Clicking on the expand icon or double clicking on a user displays additional information about the user account.
User Roles need to be created before the user in order to be available for selection.
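The CSV export can be used to check the accounts against the cheat sheet above. The following Python script is an added example, not part of the Outpost24 documentation or product; the column headers and value spellings it expects are assumptions and must be adjusted to match your actual export. It flags active accounts without two-factor authentication, accounts that have never logged in (blank Last logged on), and accounts with no granted user role.

```python
import csv
import io

# Assumed column headers and value spellings; adjust to your own export.
COL_USER = "Username"
COL_ACTIVE = "Active"
COL_2FA = "Two Factor Authentication"
COL_LAST_LOGIN = "Last logged on"
COL_ROLES = "User Roles"
REQUIRED = {COL_USER, COL_ACTIVE, COL_2FA, COL_LAST_LOGIN, COL_ROLES}

ACTIVE_VALUES = {"yes", "true", "1", "active"}
NO_2FA_VALUES = {"", "none", "no", "disabled", "off"}

# Constructed sample export for illustration, not real data.
SAMPLE_EXPORT = """Username,Name,Active,Two Factor Authentication,Last logged on,User Roles
jdoe,Jane Doe,Yes,Google Authenticator,2021-03-02 08:14,DBA
asmith,Adam Smith,Yes,None,2021-02-27 16:40,Sys admin
tmp-noc,NOC Temp,Yes,Mobile Security Code,,
old-mgr,Former Manager,No,None,2020-11-05 09:00,Manager
"""


def audit_users(csv_text):
    """Return {username: [finding, ...]} for active accounts with findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks expected columns: {sorted(missing)}")

    findings = {}
    for row in reader:
        def cell(col):
            return (row.get(col) or "").strip()

        if cell(COL_ACTIVE).lower() not in ACTIVE_VALUES:
            continue  # deactivated accounts are out of scope for this check

        issues = []
        if cell(COL_2FA).lower() in NO_2FA_VALUES:
            issues.append("no two-factor authentication")
        if not cell(COL_LAST_LOGIN):
            issues.append("never logged in")
        if not cell(COL_ROLES):
            issues.append("no user role granted")
        if issues:
            findings[cell(COL_USER)] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_users(SAMPLE_EXPORT).items():
        print(f"{user}: {', '.join(issues)}")
```
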
See User Roles for more information on how to create roles.
Create a User
To create a user:
- Click Main Menu > Settings > Manage User.
In the Manage User Accounts window select User Accounts tab.
The buttons at the top center of the screen are used to create, delete, or import users from LDAP/AD.
- Click + New to create a user.
In the Maintaining User Account window, fill in the Account Details and Login Details.
In the grid on the lower half of the Maintaining User Account window, the account access and rights can be further set up in the different tabs. Note that the tabs differ depending on your license.
Sets the parent account, could be used to create hierarchy structures.
The first name of the user.
The last name of the user.
The email address of the user.
The mobile number of the user.
The country of the user.
The state of the user (Active if Country is United States).
Email PGP public key
Select PGP public key or click the + sign to upload a PGP key.
- [uploaded keys]
Choose if the user credentials should be verified against the local database or the defined LDAP or Active Directory server.
Enter a username.
Enter a password, or generate a password using the password button. Passwords are generated according to the password policy located in the Security Policy tab under Main Menu > Settings > Account.
See section Password Policy in Account Settings document for information on how to set password policies.
Password again
Confirm the password by re-typing in this field.
Require password change on next logon
If enabled, forces the user to change his/her password the next time they log in to the system.
If enabled, you may set up the mode of authentication from here. Mobile Security Code or Google Authenticator can be used for authentication. The method used for authentication can be limited, depending on the options configured for two-factor authentication in the security policy.
When Google authentication is selected, you will be asked to enter the credential ID which is used to set up the account.
In the Account Settings tab you can deactivate an account and set the user's notifications.
| Option | Description |
|---|---|
| Active | Activate or deactivate account. |
| Super User | A user with Super User enabled will have the same rights as the main account (which is unrestricted). |
| Receive System Notifications | When Super User is active, the user can receive system notifications, or have it deactivated. |
| Allow Enroll HIAB | Allow the user to enroll HIABs. |
| Send Informative Email | If Send Informative Email is activated, then the system will send an email to the sub user when their account has been changed. |
| Escalate tickets to | The Escalate tickets to drop-down menu allows you to define who should receive any tickets assigned to this specific user which have not been resolved prior to their due date. |
Assign the user one or more Granted User Roles; otherwise the user will not be allowed to perform any actions in the system.
For more information on how to create user roles, see User Roles.
In the Granted Targets tab, you can define which targets and scanners (if enabled) the user should have access to.
- Not all Targets Granted limits the target groups and targets a user can see and administrate. The target list feature should be used sparingly since it creates an overhead when it comes to administrative tasks in the long run. The only time you should use this feature is when you would like to grant access to a whole IP range without having to define all targets within the system.
- Granted Scanners limits which scanners the user has access to within the system. If All Scanners is selected then the user will also automatically have access to scanners which are added afterwards.
- Once the user has been set up, click Save.
The Groups function enables you to bundle users together into simple groups to be presented in the group grid.
Roles cannot be applied to groups; roles can only be applied on a user level.
To create a new group, click the + New option, or right click the All folder in the Groups tree and choose New.
To create a new subgroup, select a main group and click the + New option, or right click the group name and select New in the menu.
Once a group is created, it can be populated with users.
To populate a group:
- Select the users by pressing Ctrl + Left click on each user in the User Account grid and drag them to the designated group.
A user can only be part of one group.
Moving Users Between Groups
Users can be moved freely between groups.
To move users to another group:
- Click the group where the user resides to list the group content in the User Account grid.
- Select the users by pressing Ctrl + Left click on each user you want to move. Then drag the user/users into the new group.
Users connected to a top level user will not be moved together with the top level user. Each user needs to be moved individually or as a selected group.
To delete a group, select the group in the Groups section and click the – Delete option, or right click the group and select Delete in the menu.
Deleting a group does not delete the users within the group. They go back to the All folder.
To create a user role:
- Click Main Menu > Settings > Manage User.
- In the Manage User Accounts window select User Roles tab and click + New.
- In the Maintaining User Role window, enter a Role Name.
- Select the various boxes to match the role being created.
- Click Save.
Maintaining User Role
Every user role needs to have a given name to identify the role.
The user will not be permitted to make any changes or create anything new when this option is enabled.
|LDAP/AD Group (HIAB only)||The LDAP/AD Group field is available if LDAP/AD is enabled on the HIAB. This user role is mapped to the defined role in LDAP/AD when the user logs in.|
Administrate Targets/Target Groups
Allows the user to administrate targets and groups in the Manage Targets view.
Determines if the user can define and set up new scan schedules.
Force Target Group in Scheduling
Forces the user to use only the already defined groups in the scheduling section. No manual targets can be entered in the targets tab.
Administrate Scanning Policies
Determines if the user can create, modify and remove scanning policies within the system.
If the user can administrate scan scheduling he/she will also be allowed to stop scans if this setting is enabled.
The Reporting Tools field gives a user permission to view the reporting tools. If not enabled, the reporting tools are not shown to the user.
Mark False Positives
Allow the user to mark a finding as a false positive.
Allow the user to mark vulnerabilities as accepted risks and/or change the risk level for a finding.
Allow the user to perform verification scans. No scans will be deducted from the license when using this feature.
|Receive Scan Results SMS Notifications||Enable the user to receive scan results as SMS.|
Remove Scan Result
Allow the user to remove reports.
Receive Scan Results by Email
Enable the user to receive reports by email.
Allow the user to see the Dashboard.
Compliance Scanning is only visible if it is included in your license.
The Compliance Scan field gives a user permission to view the Compliance scanning module.
If not enabled, it will not be shown to the user.
Allow the user to Create/Edit policies.
Allow the user to mark exceptions.
Allow the user to answer questions.
Allow the user to approve questions.
Web Application Scanning
Web Application Scanning is only visible if it is included in your license.
|Administrate Scoping||Allow user to administrate Scoping.|
|Access Reporting||Allow user to access reporting.|
|Remove Scan Results||Allow user to remove Scan results. Access Reporting needs to be selected for this role.|
This section is only visible if you have an Appsec license.
Grants access to the Appsec module for the sub user.
This section is only visible if you have a SWAT license.
Allows the user role to comment on findings.
Allows the user role to submit verification requests.
Allows the user role to discuss findings with Outpost24 support.
Allows the user role to change risk levels and mark findings as accepted risks.
|Submit scoping request||Allows the user role to submit Appsec scoping requests.|
PCI Management is only visible if PCI Compliance scan is included in your license.
Allow the user to create, modify, or remove any scopes in this module.
Allow the user to start and stop PCI scans.
Allow the user to view PCI reports.
If the user has Access Reporting, this option allows the user to dispute findings from the report.
This section is only visible if you have a Managed Reports license.
Allow users to add comments to reports.
Comment Vulnerability Database
Allow the user to create and edit comments in the vulnerability database.
Allow the user to administrate accounts.
Administrate User Roles
Allow the user to administrate user roles.
Allow the user to administrate tickets.
Grant All Tickets
Give access to all internal tickets (if Manage Tickets is selected).
Audit Log Management
Read Audit Logs
The user is able to read the auditing log.
Allow the user to view the License tab in Main Menu > Settings > Account.
HIAB Management (HIAB only)
HIAB Management is only visible if it is included in your license.
Administrate HIAB Server
Allow the user to restart the HIAB and set up HIAB settings like backup and networking.
The Attributes tab is available only if attributes are set to active. See the Attributes section in the Account Settings document for information on how to set attributes.
The tabs in the lower half of the window vary depending on your license.