Account Permissions for Discovery
Unix
Local Accounts
The scanning account needs to be able to connect over SSH and read the contents of /etc/passwd. If discovery needs to take over an account, the scanning account will also need the ability to run sudo passwd <username>.
SSH Public Keys
The scanning account needs the ability to log in and execute sudo without a password prompt.
ESXi
The scanning account needs "Shell Access" and the "Query VRM Policy" permission.
Local Windows Accounts
The scanning account needs the "Access This Computer From the Network" permission (and possibly one more) on the endpoint:
- Open the local group policy editor (gpedit.msc).
- Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Double-click the Access this computer from the network policy. The properties for the policy appear.
- Ensure the scanning account is one of the listed users. If not, click the Add User or Group button to add it.
  Modifying this policy may overwrite or remove access to the device for remote processes. This policy is not usually configured by default, so any existing inherited permissions could be overwritten.
- Look at the following list of operating systems and updates to determine if any of them match your system:
  - Windows 10, version 1607 and later
  - Windows 10, version 1511 with KB 4103198 installed
  - Windows 10, version 1507 with KB 4012606 installed
  - Windows 8.1 with KB 4102219 installed
  - Windows 7 with KB 4012218 installed
  - Windows Server 2019
  - Windows Server 2016
  - Windows Server 2012 R2 with KB 4012219 installed
  - Windows Server 2012 with KB 4012220 installed
  - Windows Server 2008 R2 with KB 4012218 installed
  For more information on this security issue, see Network access: Restrict clients allowed to make remote calls to SAM.
- If you found a match, do the following too:
  - Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  - Double-click the Network access: Restrict clients allowed to make remote calls to SAM policy. The policy properties appear.
  - Click the Edit Security button to select an account for the Security descriptor text box. The Security Setting for Remote Access to SAM dialog box appears.
  - Ensure the scanning account is present (if not, add it).
  - Click the account in the Group or user names list. The permissions for that account appear.
  - Ensure the Allow check box next to the Remote Access permission is selected.
  - Click the OK button.
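As an added example (not part of the original documentation), the following PowerShell script audits the Network access: Restrict clients allowed to make remote calls to SAM setting on a host and reports whether a given discovery account is directly granted Remote Access. It assumes the setting is stored as the RestrictRemoteSam SDDL string under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, that the dialog's Remote Access permission corresponds to the READ_CONTROL (RC) right, and that the account name shown is a placeholder.

```powershell
# Added audit script (not from the original page). Assumptions: the policy is
# stored as SDDL in the RestrictRemoteSam value under the Lsa key, and the
# "Remote Access" permission in the dialog is the READ_CONTROL (RC, 0x20000)
# right. Run from an elevated PowerShell session on the endpoint being checked.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account   # placeholder, e.g. 'CONTOSO\svc-discovery'
)

$lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$readControl = 0x20000

# Resolve the account name to its SID so it can be compared with ACE trustees.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$sddl = (Get-ItemProperty -Path $lsaKey -Name 'RestrictRemoteSam' `
    -ErrorAction SilentlyContinue).RestrictRemoteSam
if (-not $sddl) {
    Write-Output "RestrictRemoteSam is not set on this host; the OS default applies."
    exit 0
}

# Parse the SDDL and look for an Allow ACE for this SID that includes RC.
# Note: this checks direct grants only; it does not expand group membership,
# so an account covered only through a group (e.g. the default BA entry for
# local Administrators) will be reported as not directly granted.
$sd      = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$granted = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $ace.SecurityIdentifier -eq $sid -and
        ($ace.AccessMask -band $readControl) -eq $readControl) {
        $granted = $true
    }
}

if ($granted) {
    Write-Output "$Account ($sid) is directly granted Remote Access to SAM. SDDL: $sddl"
} else {
    Write-Output "$Account ($sid) is NOT directly granted Remote Access to SAM. SDDL: $sddl"
}
```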
Windows Services, Scheduled Tasks, App Pools, and COM+ Applications
To scan for service accounts, the account entered must be a domain account that is in the Administrators group on the target machines. Follow the instructions below in either case to ensure your account has the appropriate privileges to run a successful scan:
- Open the group policy editor for your domain policy.
- Go to Computer Configuration > Preferences > Control Panel Settings.
- Right-click Local Users and Groups and select New > Local Group.
- Leave the Action dropdown list set to Update.
- Click to select Administrators (Built-in) in the Group Members dropdown list.
- Click the Add… button.
- Search for the account you will use for discovery scanning.
- Click the OK button to save your changes. The next time the group policy updates across your environment, the discovery account will be part of the local Administrators group.
- For strong security, configure the group policy to limit the logon privileges of that account:
  - Open the group policy editor.
  - For your domain policy, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  - Add your discovery account to the Deny log on locally policy.
  - Add your discovery account to the Deny log on through Remote Desktop Services policy.
  - (Optional) Ensure the account is not part of the Remote Desktop Users group.