Account Permissions for Discovery

Unix

Local Accounts

The scanning account needs to be able to connect over SSH and read the contents of /etc/passwd. If discovery needs to take over an account (reset its password so the account can be managed), the scanning account will also need the ability to run sudo passwd <username>.
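The following is an added example, not code from this documentation or the product: it parses /etc/passwd the way a discovery scan would, separates interactive accounts from system accounts, and validates a username before it is placed in the privileged sudo passwd command. SAMPLE_PASSWD is a constructed file; the minimum UID of 1000 and the set of no-login shells are assumptions taken from common distribution defaults.

```python
"""Enumerate Unix local accounts from /etc/passwd as a discovery scan does.

Added example (not part of this documentation or the product): a parser for
the passwd format plus a guard around the privileged takeover command the
text mentions. SAMPLE_PASSWD is constructed; on a real host the scanning
account reads /etc/passwd over its SSH session.
"""
import re
from dataclasses import dataclass

# Shells that mark an account as non-interactive (system/service accounts). Assumed list.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Portable username syntax (what useradd accepts by default).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$")

# Constructed sample: mixes interactive users, service accounts, a malformed
# line and a NIS compatibility entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
svc-discovery:x:1001:1001:Discovery scanner:/home/svc-discovery:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
bob:x:1002:1002::/home/bob:/bin/false
broken:x:notanumber:0::/:/bin/sh
+@netgroup::::::
"""


@dataclass
class LocalAccount:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Return one LocalAccount per well-formed entry. Comments, NIS compat
    ('+'/'-') entries and lines with the wrong field count or a non-numeric
    UID/GID are skipped rather than aborting the whole scan."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _password, uid, gid, gecos, home, shell = fields
        try:
            accounts.append(LocalAccount(name, int(uid), int(gid), gecos, home, shell))
        except ValueError:
            continue
    return accounts


def interactive_accounts(accounts, min_uid=1000):
    """Accounts a person can actually log in with: root, plus non-system UIDs
    that have a real login shell. min_uid follows the common UID_MIN of 1000."""
    return [a for a in accounts
            if (a.uid == 0 or a.uid >= min_uid) and a.shell not in NOLOGIN_SHELLS]


def takeover_command(accounts, username):
    """Build the argv for the takeover step (sudo passwd <username>). The name
    must be syntactically valid and exist in the parsed passwd data, so a value
    that did not come from the endpoint cannot smuggle extra arguments or shell
    metacharacters into a command the scanning account runs as root."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"invalid username: {username!r}")
    if username not in {a.name for a in accounts}:
        raise ValueError(f"no such local account: {username!r}")
    return ["sudo", "passwd", username]


if __name__ == "__main__":
    found = parse_passwd(SAMPLE_PASSWD)
    print([a.name for a in interactive_accounts(found)])
    print(takeover_command(found, "alice"))
```

Because the takeover step runs as root, confine the scanning account in sudoers to that one command rather than granting it unrestricted sudo; a rule of the form `svc-discovery ALL=(root) NOPASSWD: /usr/bin/passwd` (account name and binary path assumed for illustration) is enough for the password reset.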

SSH Public Keys

The scanning account needs the ability to log in and execute sudo without a password prompt.

Please see Discovering SSH Public Keys for more information.

ESXi

The scanning account needs "Shell Access" and the "Query VRM Policy" permission.

Local Windows Accounts

The scanning account needs the "Access This Computer From the Network" user right on the endpoint, and on the systems listed in step 5 it also needs remote access to the SAM:

  1. Open the local group policy editor (gpedit.msc).

  2. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  3. Double-click the Access this computer from the network policy. The properties for the policy appear.

  4. Ensure the scanning account is one of the listed users. If not, click the Add User or Group button to add it.

    Modifying this policy may overwrite or remove access to the device for remote processes. The policy is not usually configured by default, so any permissions currently inherited from a domain policy could be overwritten.
  5. Look at the following list of operating systems and updates to determine if any of them match your system:

    • Windows 10, version 1607 and later
    • Windows 10, version 1511 with KB 4103198 installed
    • Windows 10, version 1507 with KB 4012606 installed
    • Windows 8.1 with KB 4102219 installed
    • Windows 7 with KB 4012218 installed
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2 with KB 4012219 installed
    • Windows Server 2012 with KB 4012220 installed
    • Windows Server 2008 R2 with KB 4012218 installed
    For more information on this security issue, see Network access: Restrict clients allowed to make remote calls to SAM.
  6. If you found a match, also do the following:

    1. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

    2. Double-click the Network access: Restrict clients allowed to make remote calls to SAM policy. The policy properties appear.

    3. Click the Edit Security button to select an account for the Security descriptor text box. The Security Setting for Remote Access to SAM dialog box appears.

    4. Ensure the scanning account is present (if not, add it).

    5. Click the account in the Group or user names list. The permissions for that account appear.

    6. Ensure the Allow check box next to the Remote Access permission is selected.

    7. Click the OK button.

The discovery account must be a member of the local Administrators group to be able to retrieve any local accounts.

Windows Services, Scheduled Tasks, App Pools, and COM+ Applications

There are special considerations for discovering service accounts running COM+ applications; see COM+ Dependency Scanner.

To scan for service accounts, the account entered must be a domain account that is in the local Administrators group on the target machines. Whether or not COM+ applications are involved, follow the instructions below to ensure your account has the privileges needed to run a successful scan:

  1. Open the group policy editor for your domain policy.

  2. Go to Computer Configuration > Preferences > Control Panel Settings.

  3. Right-click Local Users and Groups and select New > Local Group.

  4. Leave the Action dropdown list set to Update.

  5. Click to select Administrators (Built-in) in the Group Members dropdown list.

  6. Click the Add… button.

  7. Search for the account you will use for discovery scanning.

  8. Click the OK button to save your changes. The next time the group policy updates across your environment, the discovery account will be part of the local administrators group.

  9. Because the account is now a local administrator on every target, limit the damage a compromise of it could do by configuring the group policy to restrict its logon rights to network logon only:

    1. Open the group policy editor

    2. For your domain policy, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

    3. Add your discovery account to the Deny log on locally policy.

    4. Add your discovery account to the Deny log on through Remote Desktop Services policy.

    5. (Optional) Ensure the account is not a member of the Remote Desktop Users group.
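The following is an added example, not code from this documentation or the product. It is an offline pre-flight check for the requirements of both Windows procedures above: the Access this computer from the network right and Network access: Restrict clients allowed to make remote calls to SAM from the Local Windows Accounts procedure, and local Administrators membership plus the two deny logon rights from the service account procedure. It reads a secedit-style policy export and the RestrictRemoteSAM security descriptor; the SAMPLE_* inputs are constructed, and on a real endpoint you would obtain them with `secedit /export /cfg policy.inf` (a UTF-16 file) and from the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSAM registry value. The scanning account's SID and token group SIDs are assumed values.

```python
"""Offline pre-flight check for a discovery scanning account on a Windows endpoint.

Added example (not part of this documentation or the product). Inputs are a
secedit export ([Privilege Rights] section) and the RestrictRemoteSAM SDDL
string; SAMPLE_* values below are constructed.
"""
import re

# Well-known SDDL aliases that appear in these descriptors.
SID_ALIASES = {
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "WD": "S-1-1-0",       # Everyone
    "AU": "S-1-5-11",      # Authenticated Users
    "SY": "S-1-5-18",      # LocalSystem
}
LOCAL_ADMINS = "S-1-5-32-544"
READ_CONTROL = 0x20000  # "Remote Access" in the SAM dialog is READ_CONTROL (RC in SDDL)
DEFAULT_RESTRICT_SAM = "O:BAG:BAD:(A;;RC;;;BA)"  # default on builds that enforce the restriction

# Constructed sample export: the scanning account (assumed SID, RID 1105) holds the
# two deny rights from the service-account procedure; network logon comes via Everyone.
SCAN_SID = "S-1-5-21-1000000000-2000000000-3000000000-1105"
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *{SCAN_SID}
SeDenyRemoteInteractiveLogonRight = *{SCAN_SID}
[Version]
signature="$CHICAGO$"
Revision=1
"""
# RestrictRemoteSAM as the procedure leaves it: Administrators plus the scanning account.
SAMPLE_SDDL = f"O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;{SCAN_SID})"


def parse_privilege_rights(inf_text):
    """Map each right in [Privilege Rights] to the set of SIDs/names holding it.
    secedit prefixes SIDs with '*'; unresolved names appear as DOMAIN\\name."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def ace_grants_read_control(rights_field):
    """True if an ACE rights field includes READ_CONTROL (two-letter codes or hex mask)."""
    if rights_field.lower().startswith("0x"):
        return bool(int(rights_field, 16) & READ_CONTROL)
    return "RC" in {rights_field[i:i + 2] for i in range(0, len(rights_field), 2)}


def parse_dacl(sddl):
    """Return (ace_type, rights, sid) tuples from the D: part of an SDDL string."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        return []
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", match.group(1)):
        parts = ace.split(";")
        if len(parts) != 6:
            continue  # malformed ACE: ignore it rather than misjudge it
        ace_type, _flags, rights, _obj, _inherit_obj, sid = parts
        aces.append((ace_type, rights, SID_ALIASES.get(sid, sid)))
    return aces


def sam_remote_access_allowed(sddl, principals):
    """Evaluate the DACL against the account's token SIDs (user plus groups).
    A deny ACE for any of them wins, as in a Windows access check. A missing
    value means the documented default applies: Administrators only."""
    aces = parse_dacl(sddl or DEFAULT_RESTRICT_SAM)
    if any(t == "D" and s in principals and ace_grants_read_control(r) for t, r, s in aces):
        return False
    return any(t == "A" and s in principals and ace_grants_read_control(r) for t, r, s in aces)


def check_discovery_account(inf_text, restrict_sam_sddl, account_sid, group_sids):
    """Return {requirement: met}. group_sids are the SIDs in the account's token on
    the endpoint (as shown by `whoami /groups`); local Administrators membership
    granted through the group policy preference shows up there as S-1-5-32-544."""
    rights = parse_privilege_rights(inf_text)
    principals = {account_sid} | set(group_sids)

    def holds(right):
        return bool(rights.get(right, set()) & principals)

    return {
        "network_logon": holds("SeNetworkLogonRight"),
        "sam_remote_access": sam_remote_access_allowed(restrict_sam_sddl, principals),
        "local_admin": LOCAL_ADMINS in principals,
        "deny_interactive_logon": holds("SeDenyInteractiveLogonRight"),
        "deny_rdp_logon": holds("SeDenyRemoteInteractiveLogonRight"),
    }


def missing_requirements(findings):
    """Names of the checks that did not pass, for a quick report."""
    return sorted(name for name, ok in findings.items() if not ok)


if __name__ == "__main__":
    token = {"S-1-1-0", "S-1-5-11", LOCAL_ADMINS}  # Everyone, Authenticated Users, Administrators
    print(missing_requirements(check_discovery_account(SAMPLE_INF, SAMPLE_SDDL, SCAN_SID, token)))
```

On builds older than those listed in step 5 of the Local Windows Accounts procedure the RestrictRemoteSAM value has no effect, so treat the sam_remote_access result as informational there; on the listed builds a missing value means the default of Administrators only, which is why the script falls back to that descriptor.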