Discovery Overview
Discovery is the process where Secret Server scans an environment to find accounts and associated resources called dependencies. Once accounts are found, they can be used to create new secrets in Secret Server. Users with the "administer discovery" role permission can either manually import accounts or can create an automated process to do so. Using discovery does not stop users from manually creating their own secrets.
Some typical accounts that discovery can find include Windows local admin, Windows domain, and Unix non-daemon. Some typical dependencies discovery can scan for include scheduled tasks running as a domain user, application pools running as a domain user, and services running as a domain user.
In a Hurry?
We suggest reading (in order):
- Discovery Glossary
- Introduction to Discovery Sources, Scanners, and Templates
- Running and Interpreting Active Directory Discovery
Discovery Benefits
Importation of Network Credentials
By using discovery, your Secret Server offsets the burden of keeping track of computers and accounts on your network. This can be especially beneficial when getting started for discovering and importing accounts in bulk, as well as having Secret Server find accounts and create secrets whenever a new machine or account is provisioned.
Protection Against Backdoor Accounts
When Secret Server is configured to discover new accounts, it provides added protection by regularly running discovery on your network to identify those accounts. Secret Server adds the new accounts to its records and resets their passwords to values that meet your security policy. Consequently, if someone sets up backdoor admin accounts on the network, they cannot use those accounts for long before the accounts are imported into Secret Server and their passwords are changed with Remote Password Changing (RPC).
Discovery Types
Active Directory Discovery
Secret Server AD discovery scans for AD machines, AD user accounts, local Windows accounts, and dependencies on an AD domain. First, SS discovers machines from your domain. Next, SS scans each machine for local Windows accounts and dependencies that depend on domain accounts. By default, SS scans for local accounts, domain accounts, scheduled tasks, Windows services, and IIS application pools. You can discover additional accounts and dependencies by creating PowerShell scanners. PowerShell scanners are an advanced topic described in the Extensible Discovery section.
ESX/ESXi Discovery
Secret Server provides a wizard to help configure ESX/ESXi discovery. You name the discovery Source, define the host ranges of the desired IP addresses, and choose a secret to use as credentials when scanning.
AWS Discovery
Secret Server can scan Amazon Web Services (AWS) for accounts that can access the cloud resource. Two types of secrets can be discovered and managed through Secret Server:
- AWS Access Key: Keys used for programmatic integration with AWS.
- AWS Console Account: User login accounts for AWS.
Google Cloud Platform Discovery
Secret Server can manage Google Cloud Platform (GCP) service accounts and VM instances. This feature allows users to run discovery to pull and manage VM Instances, as well as import and manage GCP service accounts.
Unix Discovery
Secret Server provides a wizard to help configure Unix discovery. You name the discovery Source, define the host ranges of the desired IP addresses, and choose a secret to use as credentials when scanning. The default command sets that ship with Secret Server discover machines and accounts in most Unix environments.
By default, the "Find Non-Daemon Users (Basic Unix)" command set is used first. If a built-in account is discovered, you must modify the discovery source to use the "Find All Users (Basic Unix)" command set. You can create new command sets by clicking the Configure tab on the Discovery Sources page.
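To make the difference between the two command sets concrete, here is an added example that is not one of Secret Server's command sets: it parses passwd-style content and applies a "non-daemon users" filter next to an "all users" listing. The daemon criteria it uses (UID below 1000, or a non-interactive login shell) and the sample passwd lines are assumptions constructed for illustration, not Secret Server's actual rules; note that a built-in account such as root falls outside the non-daemon set, which is why managing such accounts needs the broader command set.

```powershell
# Added example, not a Secret Server command set: compare what a "non-daemon
# users" filter and an "all users" listing return from passwd-style content.
# Daemon criteria (UID < 1000 or a non-interactive shell) are assumptions.
Set-StrictMode -Version Latest

# Constructed sample passwd content (not captured from a real host).
$samplePasswd = @'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
deploy:x:1001:1001:Deploy:/home/deploy:/bin/sh
svc-batch:x:1002:1002:Batch job:/var/lib/batch:/usr/sbin/nologin
'@

function ConvertFrom-Passwd {
    # Turn each "name:x:uid:gid:gecos:home:shell" line into an object.
    param([string]$Content)
    foreach ($line in ($Content -split "`n")) {
        $line = $line.Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }
        $f = $line -split ':'
        if ($f.Count -lt 7) { continue }
        [pscustomobject]@{ User = $f[0]; Uid = [int]$f[2]; Home = $f[5]; Shell = $f[6] }
    }
}

function Test-DaemonUser {
    # Assumed heuristic: system accounts have a low UID or cannot log in interactively.
    param($Entry)
    $noLogin = @('/usr/sbin/nologin', '/sbin/nologin', '/bin/false')
    return ($Entry.Uid -lt 1000) -or ($noLogin -contains $Entry.Shell)
}

function Find-NonDaemonUsers {
    param([string]$Content)
    ConvertFrom-Passwd $Content | Where-Object { -not (Test-DaemonUser $_) }
}

function Find-AllUsers {
    param([string]$Content)
    ConvertFrom-Passwd $Content
}

# Use the real file when running under pwsh on a Linux host, else the sample.
$content = if (Test-Path '/etc/passwd') { Get-Content '/etc/passwd' -Raw } else { $samplePasswd }
'Non-daemon users:'; (Find-NonDaemonUsers $content).User
'All users:';        (Find-AllUsers $content).User
```

With the sample content, the non-daemon listing contains only alice and deploy; root, daemon, sshd and the nologin service account appear only in the all-users listing.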
Extensible Discovery
You can customize discovery by changing parts of it to use PowerShell. The information a discovery scanner outputs is defined by its scanner template. For standard templates, the input and output information types are fixed. Extensible discovery allows you to customize or replace the unmanaged account, IP address and OU, account, and dependency discovery steps above. Extensible discovery does still have limitations on what information is passed between discovery scanners. For more information, see Extensible Discovery.
Discovery Performance
Please see our Discovery Best Practices to learn about optimizing discovery performance.
Example Discovery Process
A typical automated discovery process for Active Directory domains, running on an interval, looks like this:
- Discovery matching runs. The discovery matcher creates a link between existing active secrets and any existing secrets in Secret Server based on their machine names, accounts and dependencies. The matcher is automatic. When matches are found, the corresponding existing discovery results appear as "managed" in the discovery network view with a link to the existing secret or dependency.
- Discovery rules run and attempt to match any unmanaged discovery results to the rule's parameters. If a rule matches the results, discovery automatically imports the results using the settings in the discovery rule. Once finished, discovery begins.
- The Find Host Ranges scanner (using the Windows Discovery base scanner) runs with an Active Directory Domain input template. The scanner determines which OUs are to be scanned and populates its Organizational Unit output template with a list of those OUs. The output template will be used by the following Find Machine scanner and also by the Find Local Accounts scanner, which does not require machine information.
- The Find Machine scanner (using the Windows Discovery base scanner) examines OUs from its Organizational Unit input template via LDAP and creates a list of machines with which it populates its Windows Computer output template. This is the list of computers to run a dependency scan on. The Find Dependencies scanner uses this instance of the output template as its input template.
- The Find Local Accounts scanner (using the File Load Discovery base scanner) examines OUs from its Organizational Unit input template via LDAP and creates a list of all AD admin accounts with which it populates its Active Directory Account output template. This is the list of discovered admin accounts.
- The Find Dependencies scanner (using the Windows Discovery base scanner) examines a list of machines from its Windows computer input template using various technologies. For example, application pools use Microsoft Web Administration (WMA) or, failing that, Windows Management Instrumentation (WMI). Services use WMI, and scheduled tasks use Windows' task scheduler interfaces. The Find Dependencies scanner can return any number of output templates as desired. These include: Com+ Application, Computer Dependency (Basic), PS Dependency, Remote File, SQL Dependency (Basic), SSH Dependency (Basic), SSH Key Rotation Dependency, Windows Application Pool, Windows Scheduled Task, and Windows Service.
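The following is an added example, not Secret Server's own scanner code, that reproduces the last step of the process above on the local machine: it enumerates Windows services via CIM/WMI, scheduled tasks via the Task Scheduler cmdlets, and IIS application pools via the WebAdministration module, keeps only those running as a domain account, and then performs a simplified version of the matching step by marking each dependency "managed" or "unmanaged" against a list of existing secrets. The `$existingSecrets` list and the account names in it are constructed placeholders; a real run would take that list from Secret Server. Run it in an elevated PowerShell session on a domain-joined Windows host.

```powershell
# Added example (not Secret Server code): inventory the three default dependency
# types on this machine and flag which domain-account usages have no matching secret.
Set-StrictMode -Version Latest

# Identities that are not domain accounts: built-in service identities and the local machine.
$builtIn = @('LocalSystem', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LocalService',
             'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NetworkService',
             'NT AUTHORITY\NETWORK SERVICE', 'SYSTEM', '')

function Test-DomainAccount {
    param([string]$Account)
    if ([string]::IsNullOrWhiteSpace($Account)) { return $false }
    if ($builtIn -contains $Account) { return $false }
    # Local accounts appear as .\user or COMPUTER\user; domain accounts as DOMAIN\user or user@domain.
    if ($Account -like '.\*') { return $false }
    if ($Account -like "$env:COMPUTERNAME\*") { return $false }
    return ($Account -match '\\') -or ($Account -match '@')
}

function New-Dependency {
    param([string]$Type, [string]$Name, [string]$Account)
    [pscustomobject]@{ Machine = $env:COMPUTERNAME; Type = $Type; Name = $Name; Account = $Account }
}

function Get-ServiceDependency {
    # Services: the run-as account is the StartName property of Win32_Service.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-DomainAccount $_.StartName } |
        ForEach-Object { New-Dependency 'Windows Service' $_.Name $_.StartName }
}

function Get-ScheduledTaskDependency {
    # Scheduled tasks: the run-as account is the task principal's UserId.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { Test-DomainAccount $_.Principal.UserId } |
        ForEach-Object { New-Dependency 'Windows Scheduled Task' $_.TaskName $_.Principal.UserId }
}

function Get-AppPoolDependency {
    # Application pools: only pools with identityType SpecificUser carry a custom account.
    if (-not (Get-Module -ListAvailable -Name WebAdministration)) { return }
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.identityType -eq 'SpecificUser' -and
                       (Test-DomainAccount $_.processModel.userName) } |
        ForEach-Object { New-Dependency 'Windows Application Pool' $_.Name $_.processModel.userName }
}

# Constructed placeholder for secrets already in the vault; replace with a real query.
$existingSecrets = @(
    [pscustomobject]@{ Account = 'CORP\svc-backup' }
)

function Get-DependencyReport {
    # Simplified matcher: a dependency is "managed" when a secret exists for its account.
    $found = @(Get-ServiceDependency) + @(Get-ScheduledTaskDependency) + @(Get-AppPoolDependency)
    foreach ($d in $found) {
        $match = $existingSecrets | Where-Object { $_.Account -eq $d.Account }
        $status = if ($match) { 'managed' } else { 'unmanaged' }
        $d | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

Get-DependencyReport | Sort-Object Status, Type, Name | Format-Table -AutoSize
```

Anything reported as "unmanaged" is a domain credential in use on the host that discovery rules would either import under a rule's settings or leave for manual review; in practice the match should also consider the machine name and dependency name, as the text notes, rather than the account alone.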
The discovered dependencies for local accounts are displayed at Admin > Discovery > Discovery Network View > Local Accounts. Returned accounts for AD users are displayed at Admin > Discovery > Discovery Network View > Domain > Cloud Accounts.
Manual Discovery
You can also run discovery manually by going to Admin > Discovery and clicking the Run Now button and selecting Discovery Scan. We recommend waiting for any automatic discovery to idle before starting a manual discovery run. A discovery scan runs the first four of the automated steps above. When you click the "Run Now" button on the Scan Computers tab, the last two are run. These steps are the most time intensive steps because many machines may be scanned.