Supported target machines

This topic lists the target machines that can be scanned using Accounts feed discovery.

Windows accounts and dependencies

Discovery processes can detect the following Windows accounts and dependencies.

Accounts:

  • Local accounts
  • Domain accounts

Dependencies:

  • Windows Services accounts
  • Scheduled Tasks accounts
  • IIS Application Pools accounts
  • IIS Directory Security (Anonymous Access) accounts
  • COM+ Applications accounts
 

When scanning a specified domain, discovery automatically retrieves information about discovered accounts that is stored in trusted domains, without requiring additional permissions. From trusted domains, discovery retrieves only information about Windows Services dependencies and Scheduled Tasks dependencies.

Active Directory versions

  • Microsoft Active Directory 2012, 2016, 2019, 2022
 

Discovery does not support scanning Active Directory domain controllers.

Credentials required for scanning

Scanning location: Active Directory
Required credentials: Read permissions in the OU to scan and all sub-OUs

Scanning location: Target machines
Required credentials: Domain Administrator, or equivalent Domain User:

  • User with read permissions on the Active Directory

  • User with local administrative rights for Windows on the target machine

  • User with permissions to log on remotely to the target machine

The domain user must belong to the Administrators group or to a group nested within the Administrators group.

Windows server versions

  • Windows 2012
  • Windows 2016
  • Windows 2019
  • Windows 2022

Windows client versions

  • Windows 8
  • Windows 10

Target servers for discovering dependencies

  • Windows 2012/2012R2
  • Windows 2016
  • Windows 2019
  • Windows 2022
 

To discover IIS Application Pool accounts, IIS Directory Security (Anonymous Access) accounts and COM+ Applications accounts, IIS 7.5 or 8.5 must be installed.

Protocols

The following protocols are supported when accessing the Active Directory:

  • LDAPS (default)
  • LDAP

To support LDAPS in discoveries, this protocol must be configured in the Active Directory.

Network protocols

  • Windows File and Printer Sharing
  • Windows (WMI)

To enable the Windows (WMI) Protocol in your environment:

  • Make sure the Windows Management Instrumentation service startup type is set to Automatic.

For more information about the ports that CyberArk uses to access remote machines, see Standard Ports used for Accounts Discovery.

Unix accounts

Accounts detected by the discovery process

  • Local accounts

  • SSH Keys and their trusts

Credentials required for scanning local accounts

You must have at least one of the following privileges:

Privilege: root or user with uid=0
Enables users to retrieve: All account details

Privilege: sudoers for the "cat /etc/passwd" command
Enables users to retrieve: The minimum details required to create a pending account (user name and address)

Privilege: sudoers for the following commands:

  • cat "/etc/shadow"

  • cat "/etc/passwd"

  • cat "/etc/security/passwd" (AIX)

  • cat "/etc/security/lastlog" (AIX)

  • cat /etc/group

  • cat "/etc/sudoers"

  • lastlog | grep -v '*'

  • hostname -s

  • ls -d /etc/[A-Za-z]*[_-][rv]e[lr]* | grep -v 'lsb\|os\|system'

  • test -f "{0}"; echo $?

Enables users to retrieve: All account details

Credentials required for scanning SSH Keys

 

In order to scan Unix machines for SSH keys, your CyberArk license must include SSHKM. For more information, contact your CyberArk representative.

You must have at least one of the following privileges:

Privilege: user with uid=0
Enables users to retrieve: All account details

Privilege: sudoers for the "cat /etc/passwd" command
Enables users to retrieve: The minimum details required to create a pending account (user name and address)

Privilege: sudoers for the following commands:

  • Linux: uname, ls, test, cat, lastlog, getent, grep, wc, find, xargs, ssh-keygen, echo, rm, date, hostname, ifconfig

  • AIX: uname, ls, test, cat, lsdev, grep, wc, ssh-keygen, echo, rm, istat, hostname, ifconfig

  • Solaris: uname, echo, test, cat, getent, grep, psrinfo, wc, find, xargs, ssh-keygen, ls, rm, truss, hostname, ifconfig

Enables users to retrieve: All account details
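
An added example (not part of the CyberArk documentation): a POSIX shell check that compares sudo -l output for the scanning user against the Linux command list for SSH key scanning and reports the commands no rule grants, so the sudoers entry can be kept to exactly what the scan needs. The sample output, the user scanuser and the host host01 are constructed; the parser assumes unwrapped output with one rule per line and no escaped commas in command arguments.

```sh
#!/bin/sh
# Added example: audit `sudo -l` output against the Linux command list above.
# Linux commands from the "Credentials required for scanning SSH Keys" table.
LINUX_SSHKM_CMDS="uname ls test cat lastlog getent grep wc find xargs ssh-keygen echo rm date hostname ifconfig"

# Constructed sample of `sudo -l` output; user "scanuser" and host "host01"
# are hypothetical.
SAMPLE_SUDO_L='User scanuser may run the following commands on host01:
    (root) NOPASSWD: /usr/bin/uname, /bin/ls, /usr/bin/test, /bin/cat, /usr/bin/lastlog, /usr/bin/getent
    (root) NOPASSWD: /bin/grep, /usr/bin/wc, /usr/bin/find, /usr/bin/xargs, /usr/bin/ssh-keygen
    (root) NOPASSWD: /bin/echo, /bin/date, /bin/hostname, !/bin/rm'

# granted_cmds: read `sudo -l` output on stdin and print the basename of each
# granted command, one per line (ALL is passed through unchanged).
granted_cmds() {
    awk '
        /^[ \t]*\(/ {                                # rule lines start with a run-as spec
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "")        # drop "(root)"
            sub(/^([A-Z_]+:[ \t]*)+/, "")            # drop tags such as NOPASSWD:
            n = split($0, items, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(items[i], words, /[ \t]+/)     # first word is the command path
                if (words[1] ~ /^!/) continue        # "!cmd" is a denial, not a grant
                m = split(words[1], parts, "/")
                if (parts[m] != "") print parts[m]
            }
        }' | sort -u
}

# missing_cmds "<required list>": read `sudo -l` output on stdin and print the
# required commands that no rule grants. Empty output means full coverage.
missing_cmds() {
    granted=$(granted_cmds)
    # A rule granting ALL covers every command.
    if printf '%s\n' "$granted" | grep -qxF ALL; then return 0; fi
    missing=""
    for cmd in $1; do
        printf '%s\n' "$granted" | grep -qxF -- "$cmd" || missing="$missing $cmd"
    done
    echo "${missing# }"
}

# On a target host: sudo -n -l | missing_cmds "$LINUX_SSHKM_CMDS"
printf '%s\n' "$SAMPLE_SUDO_L" | missing_cmds "$LINUX_SSHKM_CMDS"
```

For the constructed sample the check reports rm and ifconfig; the AIX or Solaris list from the table can be passed as the argument in the same way.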

Unix platforms

  • RHEL 7-8.2

  • Solaris Intel and Solaris SPARC 9, 10, 11

  • IBM AIX 5.3, 6.1, 7.1

  • VMware ESXi 5.0, 5.1

  • SUSE Linux 11, 12

  • Fedora 18, 19, 20

  • CentOS 7

  • Oracle Enterprise Linux 5, 6, 7

Supported sudo replacement solutions

  • CA Privileged Identity Manager/ControlMinder - This solution contains the sesudo command.

  • Centrify Access Manager/DirectAudit - This solution contains the dzdo command.