Discovery on Non-Domain Joined or Unix Targets

Overview

When running Discovery on non-domain joined targets or Unix targets, there are two methods of finding local administrator credentials to authenticate to the target:

  • Specify a secret with an expected default password - recommended for performing an initial scan if you have a known password or key for a privileged account.
  • Specify a Secret Search Filter - recommended when you cannot use a default password because each machine’s account password is unique.
    A Secret Search Filter dynamically searches for a secret with a name or folder location that corresponds to the target scanned. If a matching secret is found, Secret Server will authenticate to the target using the administrator credentials in the secret.

The two methods can be used together.

To use a secret search filter, the administrator account names must exist as secrets in Secret Server and they must follow a regular naming pattern.
The discovery secret search filter is available in Secret Server 10.0.000006 and newer.

Setting Credentials on a Discovery Scanner

  1. From the left menu bar, hover over Discovery and select Sources. The page opens on the Sources tab by default.

  2. Select one of the enabled discovery sources, then click the Scanners tab on that source's page.

  3. Select one of the available scanners. A details panel pops up on the right side of the screen, where you will see the Edit Scanner option.

  4. Select Edit Scanner to see the settings for that scanner. Under Credentials, choose among the following options:

    • Click Add Secret to specify a default credential.
    • Click Add Secret Search Filter to specify an existing secret search filter.

Secret Server will try the secrets and secret search filters in sequence until it finds a match.

Creating a Secret Search Filter

If you decided to create a secret search filter, perform the following:

  1. In the search bar, type Discovery secret search filters. The Scanner definition page appears.

  2. Select Create Secret Search Filter. The filter options appear.
  3. Specify all the mandatory* settings along with any others you need, as described below:

    • Secret Name Pattern: Specifies the pattern that Secret Server will search for. The search is dynamic based on the target. For example, if scanning a machine named appserver01, Secret Server will also search for a secret named appserver01\system.
    • State: Enabled or not.
    • Folder: Specifies the folder to search within.
    • Secret Template: Specifies the template that returned secrets should be based on.
    • Include Subfolders: Specifies that the search should include the specified folder as well as subfolders.
    • Expect Single: Specifies that only one result should be returned. If more than one is returned, Secret Server will log an error to the discovery log.
    • Allow Partial Match: Specifies that secret names will be returned if they partially match the pattern. By default the secret name must be an exact match to the secret name pattern.
  4. Click Save when all your settings have been specified, then go back to your discovery source, i.e. back to the Edit Scanner page.

  5. Click Add Secret Search Filter and select the filter you just created.

Now, when scanning a machine, Secret Server first tries the default credential and then tries the secret returned by the search filter.
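To make the filter options above concrete, here is an added Python model, constructed for this page and not Secret Server's own code, of how a search filter resolves a scanned host to the ordered list of secrets the scanner would try. The `{host}` placeholder token, the folder and template layout, case-insensitive name matching, and skipping the filter result when Expect Single is violated are assumptions of the model.

```python
from dataclasses import dataclass

# Constructed model of a discovery secret search filter. The matching rules
# follow the option descriptions on this page (Folder, Include Subfolders,
# Secret Template, Expect Single, Allow Partial Match); they are not the
# product's code. "{host}" is an assumed token for the scanned machine name.

@dataclass
class Secret:
    name: str        # e.g. "appserver01\\system"
    folder: str      # e.g. "Unix/Prod"
    template: str    # e.g. "Unix Account (SSH)"

@dataclass
class SearchFilter:
    pattern: str                 # e.g. "{host}\\system"
    folder: str
    template: str
    include_subfolders: bool = False
    expect_single: bool = True
    allow_partial_match: bool = False

def in_scope(secret, flt):
    """Folder and template restrictions applied before name matching."""
    if secret.template != flt.template:
        return False
    if secret.folder == flt.folder:
        return True
    return flt.include_subfolders and secret.folder.startswith(flt.folder + "/")

def find_matches(secrets, flt, host):
    """Secrets whose name matches the pattern for this host.
    Case-insensitive comparison is an assumption of this model."""
    wanted = flt.pattern.replace("{host}", host).lower()
    hits = []
    for s in secrets:
        if not in_scope(s, flt):
            continue
        name = s.name.lower()
        if name == wanted or (flt.allow_partial_match and wanted in name):
            hits.append(s)
    return hits

def credential_candidates(default_secret, secrets, flt, host, log):
    """Ordered secrets the scanner would try: the default first, then the
    filter result, as this page describes. With Expect Single set and more
    than one match, an error is logged; dropping the ambiguous result is an
    assumption of this model."""
    candidates = [default_secret] if default_secret else []
    hits = find_matches(secrets, flt, host)
    if flt.expect_single and len(hits) > 1:
        log.append(f"{host}: {len(hits)} secrets matched {flt.pattern!r}; Expect Single is set")
        hits = []
    return candidates + hits
```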