Last updated: March 2026
Nessus Scan Configuration Best Practices (2026)
A well-configured Nessus scan finds real vulnerabilities without crashing production systems or flooding your network. The key settings are: use credential scanning for the most accurate results, set a targeted port range rather than scanning all 65,535 ports every time, enable safe checks, and run discovery scans before vulnerability scans. This guide covers every important configuration option with recommended values.
Legal notice: Only scan systems you own or have explicit written authorization to test. Unauthorized scanning is illegal in most jurisdictions.
Scan Types Overview
Nessus offers several scan template types. Choose the right one for your goal:
| Scan Type | Use Case | Depth | Speed |
|---|---|---|---|
| Host Discovery | Find live hosts on a subnet | Low | Fast |
| Basic Network Scan | General-purpose vulnerability scan | Medium | Medium |
| Advanced Scan | Full control over all settings | High | Slow |
| Web Application Tests | HTTP/HTTPS web app vulnerabilities | Web-focused | Medium |
| Credentialed Patch Audit | Find missing patches (requires SSH/Windows creds) | Very high | Slow |
| Policy Compliance | CIS/DISA STIG compliance checking | Compliance | Slow |
| Malware Scan | Detect malware indicators | Medium | Medium |
Recommended starting point: Use Basic Network Scan for most assessments. Upgrade to Advanced Scan when you need to tune specific plugin families or scan policies.
Step 1: Discovery Settings
Before running a full vulnerability scan, configure how Nessus discovers hosts.
Scan the Right Targets
In the Settings → Basic → Targets field:
# Single host
192.168.1.100
# IP range
192.168.1.1-254
# CIDR notation
192.168.1.0/24
# Mixed (comma-separated)
192.168.1.0/24, 10.0.0.1-50, 172.16.0.100
Host Discovery Method
In Discovery → Host Discovery:
- Ping methods: Enable ICMP, TCP (a SYN to a port the targets are known to answer on, such as 443), and UDP pings for the most reliable host detection
- Hosts behind firewalls that block ICMP look dead when ICMP is the only probe: add a TCP ping on a port you know is open, or leave "Consider unresponsive hosts as dead" unchecked so those hosts are still port-scanned (at the cost of time spent on genuinely empty addresses)
- For internal networks: all ping methods enabled
Step 2: Port Scan Configuration
Port Range Selection
In Discovery → Port Scanning → Port scan range:
| Option | Ports Scanned | Best For |
|---|---|---|
| default | ~4,790 common ports | Quick assessments |
| 1-65535 | All TCP ports | Thorough assessments |
| Custom (e.g., 22,80,443,8080-8090) | Specific services | Targeted scans |
Best practice: Use default for regular scans. Use 1-65535 for security assessments where complete coverage is required. Full port scans take 3-10x longer.
Scan Speed
In Discovery → Port Scanning → Scan speed:
- Slow: Reduces load on targets; use for fragile or legacy systems
- Normal: Default; suitable for most environments
- Aggressive: Faster but may cause issues on sensitive systems or trigger IDS alerts
Best practice: Use Normal or Slow for production systems. Use Aggressive only in dedicated lab environments. The concrete knobs behind these levels are the Performance Options under Settings → Advanced (max simultaneous hosts per scan, max simultaneous checks per host, network timeout); lower them rather than guessing when a target class is known to be fragile. Discovery → Host Discovery → Fragile Devices separately controls whether network printers and similar devices are scanned at all; a printer that turns scan traffic into print jobs is the classic casualty of a scan run too hard.
Step 3: Credential Scanning
Credentialed scans are the single biggest improvement you can make to scan accuracy. Without credentials, Nessus can only see what an external attacker sees. With credentials, it logs into each host and checks installed software versions, patch status, configuration files, and local security settings.
Credentialed scans find:
- Missing OS and application patches
- Local user account policies
- Weak file permissions
- Misconfigured services visible only from inside
SSH Credentials (Linux / macOS)
In Credentials → SSH:
- Authentication method: Password or Public Key (prefer a key pair generated for the scanner; restrict it in the target's authorized_keys with a from="<scanner IP>" option so the key is useless from anywhere else)
- Username: A user with sudo access (for elevated checks)
- If using password: enter the password in the Password field
- If using SSH key: paste the private key content
Sudo escalation (recommended):
Elevate privileges with: sudo
Escalation account: root
Escalation password: (the user's sudo password, if sudo prompts for one)
sudo command: /usr/bin/sudo
With "Elevate privileges with" set to sudo, Nessus prefixes its privileged commands with sudo. Choose su+sudo only when the account must first switch to another user before it may use sudo. Expect the account to need broad sudo rights: patch audits read package databases and configuration files that are readable only by root.
Windows Credentials (SMB / WMI)
In Credentials → Windows:
- Username: Domain or local admin account
- Password: Account password
- Domain: Leave blank for local accounts; enter domain name for domain accounts
Requirements on target Windows systems (run in an elevated command prompt):
:: Remote Registry must be startable; Nessus only needs it running during the scan
sc config RemoteRegistry start= demand
net start RemoteRegistry
:: Admin shares (ADMIN$, C$) must be reachable through the Windows Firewall
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
:: Local (non-domain) admin accounts only: UAC otherwise strips the remote token of admin rights
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
The Windows credential settings also offer "Start the Remote Registry service during the scan" and "Enable administrative shares during the scan", which let the service stay stopped and the shares stay disabled between scans.
Best practice: Create a dedicated scanning account with local administrator rights rather than using the domain admin account. Its password lives inside the scanner, so also restrict where it may log on: deny interactive and RDP logon, and allow network logon only from the scanner's address where your environment supports it.
Step 4: Plugin Configuration (Safe Checks)
Enable Safe Checks
In Assessment → General → Safe Checks: Enable (recommended for production)
Safe checks prevent Nessus from running plugins that could crash services, fill logs, or cause denial-of-service conditions. Always enable safe checks when scanning production systems.
Disable safe checks only in isolated lab environments where service disruption is acceptable and you need maximum coverage.
Plugin Families
In Plugins, you can enable or disable entire plugin families:
| Family | Recommendation |
|---|---|
| General | Always enabled |
| Port Scanners | Always enabled |
| Service Detection | Always enabled |
| Default Unix Accounts | Enable — finds default passwords |
| Default Windows Accounts | Enable |
| Web Servers | Enable if scanning web servers |
| Denial of Service | Disable for production scans |
| Backdoors | Enable — finds malware indicators |
| Brute Force | Enable with caution — may trigger lockouts |
Step 5: Scan Policy Templates
Save Policies for Reuse
Rather than configuring each scan from scratch, save your settings as a Policy:
- Go to Policies → New Policy
- Choose a template and configure all settings
- Save the policy
- When creating new scans, select User Defined and pick your saved policy
This ensures consistency across scans and saves time for recurring assessments.
Recommended Policy Profiles
"Quick Internal Scan" policy:
- Ports: default
- Credentials: SSH + Windows
- Safe checks: Enabled
- Scan speed: Normal
- Use case: Regular weekly internal network scans
"Full Assessment" policy:
- Ports: 1-65535
- Credentials: SSH + Windows + SNMP
- Safe checks: Enabled
- Scan speed: Slow
- Use case: Quarterly comprehensive assessments
"Web Application Audit" policy:
- Template: Web Application Tests
- Enable: CGI scanning, web form testing
- Credentials: HTTP credentials if available
- Use case: Web server and application assessments
Step 6: Scheduling Scans
Set Up Recurring Scans
In Scan Settings → Schedule:
- Toggle the schedule On
- Set Frequency: Daily, Weekly, Monthly, or Custom
- Set Start Time — schedule during low-traffic hours (e.g., 02:00 AM)
- Set Timezone — critical for accurate scheduling across locations
Best practices:
- Schedule vulnerability scans during maintenance windows or off-peak hours
- Run host discovery scans more frequently (daily) and full vulnerability scans less frequently (weekly or monthly)
- Stagger scans across subnets rather than scanning all at once to avoid network congestion
Step 7: Reducing False Positives
False positives waste analyst time. Several configurations reduce them:
Configure Hostname Resolution
In Settings → Report, enable "Designate hosts by their DNS name", and make sure the scanner itself can resolve your internal zones. Hosts on DHCP change addresses between scans; results keyed by IP alone then show the same system as two hosts, or attach one host's old findings to whatever now holds its address.
Use Credentialed Scans
Credential scanning dramatically reduces false positives. Nessus can confirm whether a patch is installed rather than guessing based on banner information. Banner-based detection (without credentials) frequently reports vulnerabilities that are already patched.
Plugin Tuning
For recurring false positives on specific plugins:
- Open the scan results and select the finding
- Use Modify → Recast Severity (lower it) or Accept Risk (hide it); ticking the option to apply the rule to future scans turns it into a Plugin Rule
To suppress a plugin across all scans from the start:
- Go to Resources → Plugin Rules
- Add a rule for the plugin ID, optionally limited to specific hosts, with an expiration date
Record the justification for every rule: a suppressed plugin hides true positives on the same hosts just as effectively, and an expiration date forces the decision to be revisited.
Network Segment Exclusions
Add known safe management IPs or monitoring systems to the exclude list to prevent noisy results:
# In Targets field, use exclusion syntax:
192.168.1.0/24 !192.168.1.254
This scans the whole /24 but excludes 192.168.1.254 (e.g., a network switch management IP). If your Nessus version rejects the "!" prefix, express the exclusion as explicit ranges instead (192.168.1.1-253, plus 192.168.1.255 if you want the broadcast address probed). Either way, keep the authorized scope in a file under version control and check every target list against it before launch: the scanner will scan whatever it is given.
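The target syntax from Step 1 and the exclusion syntax above are easy to get wrong by one octet, and a wrong octet is an unauthorized scan. The following is an added example written for this guide, not part of Nessus: it expands a Targets-field string the way the scanner reads it (single IPs, dotted ranges, CIDR, comma or space separated, "!" exclusions; IPv4 only, which is an assumption), checks the result against an authorized-scope list, and can rewrite a host set as explicit ranges for a scanner that does not accept "!".

```python
import ipaddress
from typing import Iterable, List, Set

# Added example for this guide, not part of Nessus. It assumes the target
# syntaxes shown in Step 1 plus the "!" exclusion prefix, and handles IPv4 only.

IP = ipaddress.IPv4Address


def _expand_term(term: str) -> Set[IP]:
    """Expand one term: '10.0.0.5', '10.0.0.1-50', '10.0.0.250-10.0.1.5' or '10.0.0.0/24'."""
    term = term.strip()
    if "/" in term:
        # Mirror the scanner: a CIDR block includes its network and broadcast addresses.
        return set(ipaddress.IPv4Network(term, strict=False))
    if "-" in term:
        start, end = term.split("-", 1)
        first = ipaddress.IPv4Address(start)
        # "192.168.1.1-254" abbreviates the last octet; "a.b.c.d-w.x.y.z" is a full range.
        last = ipaddress.IPv4Address(end if "." in end else start.rsplit(".", 1)[0] + "." + end)
        if last < first:
            raise ValueError(f"range end before start: {term}")
        return {ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)}
    return {ipaddress.IPv4Address(term)}


def expand_targets(spec: str) -> Set[IP]:
    """Expand a Targets-field string into the set of addresses it will scan."""
    include: Set[IP] = set()
    exclude: Set[IP] = set()
    for raw in spec.replace(",", " ").split():
        if raw.startswith("!"):
            exclude |= _expand_term(raw[1:])
        else:
            include |= _expand_term(raw)
    return include - exclude


def out_of_scope(spec: str, authorized: Iterable[str]) -> List[str]:
    """Addresses the spec would scan that fall outside the authorized CIDR blocks."""
    nets = [ipaddress.IPv4Network(a, strict=False) for a in authorized]
    stray = [ip for ip in expand_targets(spec) if not any(ip in n for n in nets)]
    return [str(ip) for ip in sorted(stray)]


def to_target_ranges(ips: Iterable[IP]) -> List[str]:
    """Rewrite a host set as contiguous 'a-b' ranges (for a scanner without '!' support)."""
    ordered = sorted(set(ips))
    out: List[str] = []
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and int(ordered[j + 1]) == int(ordered[j]) + 1:
            j += 1
        out.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return out


if __name__ == "__main__":
    spec = "192.168.1.0/24 !192.168.1.254"
    hosts = expand_targets(spec)
    print(len(hosts), "hosts ->", ", ".join(to_target_ranges(hosts)))
    # 10.0.0.0/8 is not in the authorized list, so every 10.x address is flagged.
    print("out of scope:", out_of_scope("192.168.1.0/24, 10.0.0.1-50", ["192.168.0.0/16"])[:3])
```

Run `out_of_scope` against your engagement's authorized ranges as a pre-launch gate (a non-empty result should abort the scan), and use `to_target_ranges` to produce a Targets string that needs no exclusion syntax.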
Step 8: Exporting Reports
Export Formats
After a scan completes, click Export in the scan results:
| Format | Use Case |
|---|---|
| PDF | Executive summaries, client deliverables |
| CSV | Import into spreadsheets, SIEM tools, ticketing systems |
| HTML | Web-based standalone report |
| Nessus (.nessus) | Import into another Nessus instance |
PDF Report Configuration
When exporting PDF:
- Select Detailed Vulnerabilities By Host for technical reports
- Select Executive Summary for management-level reports
- Filter by severity (e.g., export only Critical and High)
- Include remediation summary for actionable reports
# Export via Nessus API (for automation): request the export, poll until it is ready, then download.
# Prefer API keys (an X-ApiKeys header) over a session token for unattended jobs; drop -k once the scanner's certificate is trusted.
curl -k -s -X POST -H "X-Cookie: token=YOUR_TOKEN" -H "Content-Type: application/json" \
  -d '{"format":"pdf","chapters":"vuln_hosts_summary"}' \
  "https://localhost:8834/scans/SCAN_ID/export"        # returns {"file": FILE_ID, ...}; PDF and HTML need "chapters"
curl -k -s -H "X-Cookie: token=YOUR_TOKEN" \
  "https://localhost:8834/scans/SCAN_ID/export/FILE_ID/status"   # repeat until {"status":"ready"}
curl -k -s -H "X-Cookie: token=YOUR_TOKEN" \
  "https://localhost:8834/scans/SCAN_ID/export/FILE_ID/download" -o nessus_report.pdf
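The three-request exchange above is where scripted exports usually break: the file is requested with one call, becomes ready some seconds later, and is fetched with a third. The following is an added example written for this guide, not Tenable's SDK. It assumes the endpoints shown above (POST /scans/{id}/export, GET .../export/{file}/status, GET .../export/{file}/download) and authentication with API keys generated in the user's Nessus settings; the `make_fake_http` stand-in is constructed here so the flow can be exercised offline.

```python
import json
import ssl
import time
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Added example for this guide, not Tenable's SDK. Assumes the Nessus REST
# endpoints POST /scans/{id}/export, GET /scans/{id}/export/{file}/status and
# GET /scans/{id}/export/{file}/download, authenticated with API keys.

# A transport: (method, url, headers, body) -> (status_code, response_bytes)
Http = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_http(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport. Verifies TLS against the system trust store; install the
    scanner's certificate there instead of disabling verification."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=60) as resp:
        return resp.status, resp.read()


def export_scan(base_url: str, access_key: str, secret_key: str, scan_id: int, fmt: str = "csv",
                chapters: str = "vuln_hosts_summary", http: Http = urllib_http,
                poll_seconds: float = 2.0, max_polls: int = 150) -> bytes:
    """Request an export, poll until the scanner reports it ready, download it."""
    headers = {
        "X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body: Dict[str, str] = {"format": fmt}
    if fmt in ("pdf", "html"):      # report-style formats require a chapter selection
        body["chapters"] = chapters
    base = base_url.rstrip("/")
    status, raw = http("POST", f"{base}/scans/{scan_id}/export", headers, json.dumps(body).encode())
    if status != 200:
        raise RuntimeError(f"export request failed: HTTP {status} {raw[:200]!r}")
    file_id = json.loads(raw)["file"]
    for _ in range(max_polls):
        status, raw = http("GET", f"{base}/scans/{scan_id}/export/{file_id}/status", headers, None)
        if status == 200 and json.loads(raw).get("status") == "ready":
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"export {file_id} of scan {scan_id} never became ready")
    status, raw = http("GET", f"{base}/scans/{scan_id}/export/{file_id}/download", headers, None)
    if status != 200:
        raise RuntimeError(f"download failed: HTTP {status}")
    return raw


def make_fake_http(loading_polls: int, payload: bytes = b"Plugin ID,CVE,Risk,Host\r\n", file_id: int = 7):
    """Constructed stand-in for a scanner (offline use only): answers 'loading' to the
    first `loading_polls` status requests, then 'ready'. Records every call it sees."""
    calls: List[Tuple[str, str, Optional[bytes]]] = []
    remaining = {"loading": loading_polls}

    def fake(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
        calls.append((method, url, body))
        if "X-ApiKeys" not in headers:
            return 401, b'{"error":"Invalid Credentials"}'
        if method == "POST" and url.endswith("/export"):
            return 200, json.dumps({"file": file_id, "token": "t"}).encode()
        if url.endswith(f"/export/{file_id}/status"):
            if remaining["loading"] > 0:
                remaining["loading"] -= 1
                return 200, b'{"status":"loading"}'
            return 200, b'{"status":"ready"}'
        if url.endswith(f"/export/{file_id}/download"):
            return 200, payload
        return 404, b"{}"

    return fake, calls


if __name__ == "__main__":
    http, calls = make_fake_http(loading_polls=2)
    data = export_scan("https://localhost:8834", "AK", "SK", 42, fmt="csv", http=http, poll_seconds=0)
    print(len(calls), "requests;", len(data), "bytes downloaded")
```

Against a real scanner, call `export_scan` with the default transport and your keys; the `max_polls` bound keeps a stuck export from hanging a scheduled job forever.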
CSV Export for Automation
CSV exports contain one vulnerability per row and are ideal for:
- Importing into ticketing systems (Jira, ServiceNow)
- Trend analysis across multiple scans
- SIEM integration (Splunk, QRadar)
FAQ
Q: How long does a Nessus scan typically take?
A: Scan duration depends on target count, port range, and plugins enabled. A Basic Network Scan of a /24 network (254 hosts) with default ports typically takes 20-60 minutes. A full port scan (1-65535) of the same network can take several hours. Credentialed scans add 20-40% to scan time but produce much more accurate results.
Q: Will Nessus scans crash production systems? A: With "Safe Checks" enabled, Nessus avoids destructive plugins. However, aggressive scanning can still impact network performance. Always schedule scans during maintenance windows for critical systems and test your scan policy in a lab before production use.
Q: What should I do if I forget my Nessus admin password?
A: Use the nessuscli command-line tool to reset it: sudo /opt/nessus/sbin/nessuscli chpasswd admin. See the full Nessus Password Reset Guide for step-by-step instructions.