Discover accounts of Windows and Unix machines

This topic presents the workflow for discovering Windows and Unix domain machine accounts with the CPM Scanner.

Before you begin

  1. Learn about Supported target machines.

  2. Learn about Permissions required for running an Account Discovery scan.

  3. Configure the scanner, set the Unix/Linux configuration, and start and stop the scanner. See Configure the CPM Scanner.

Step 1: Run a discovery scan

To run a scan, you must have the required permissions. See Permissions required for running an Account Discovery scan.

Scan Windows machines

  1. In the Privilege Cloud Portal, click Accounts > Pending & Discovery, and then click Discovery Management.
  2. On the Discovery Management page, click New Windows Discovery.
  3. On the New Windows Accounts Discovery page, enter the following information:

    1. Domain. Specify the domain you want to scan, in FQDN format. Up to 170 characters.
    2. Select the account to run the scan (typically, this is a domain administrator account). Select one of the following options:

      Select from Vault: use an account that is already defined in the Vault.

      1. Click Click to select an account from the Vault.

      2. Select the account from the list, and then click Select account.

      Ensure that the CPM selected for the scan has access to the Safe to which the account belongs.

      Specify Account: specify an account manually.

      Enter the user and password.

      The user must have read permissions in the OU and all sub-OUs to scan.

    3. In OU to Scan, enter the distinguished name of the OU you want to scan (the Browse button is not available for Privilege Cloud). You can enter only one OU.

      For example: dc=example,dc=com

      The Privilege Cloud Portal connects to the Active Directory using the user credentials you specified.

      If Connect to the Active Directory is selected, the Privilege Cloud Portal connects to the Active Directory using a secure connection.

    4. Set the scan to be either one time or recurring.
    5. Click Done.

      The scan is activated.

  4. The initial state of the scan is Pending. Click the Refresh button to update the state.

    One-time scans are performed as soon as the scanner finishes its current discoveries.

    Recurring discoveries are added to the list of pending discoveries and are performed on the date and time you set.

    The length of time a scan takes depends on the number of resources you defined.

Scan Unix machines

  1. Before creating a discovery process for Unix accounts and SSH keys, create the CSV file that contains a list of all the Unix/Linux machine addresses that will be scanned. These addresses can be listed as IP addresses, machine host names or machine FQDN (full DNS names).
    Example of a CSV file:

    192.0.2.0
    192.0.2.1
    192.0.2.2
    192.0.2.3

    For a full list of supported Unix/Linux machines, see Supported target machines.

  2. In the Privilege Cloud Portal, click Accounts > Pending & Discovery, and then click Discovery Management.
  3. On the Discovery Management page, click New Unix Discovery.
  4. On the New Unix Accounts Discovery page, enter the following information:
    1. In Which file contains the list of machines, click Browse, then select the CSV file that lists the Unix accounts.

    2. In Which user will scan the machines, enter the user name of the user running the scan.

    3. In What is the user’s default password, enter the user's password.

    4. In Which CPM scanner to use, select the CPM that will scan for Unix accounts. The CPM will scan only machines that it can physically access.

    5. To scan for SSH keys and their trusts, select Scan SSH Keys.

    6. In What recurring pattern to set for this Discovery, select whether you want this scan to be recurring or one time, and set the date and time.

    7. Click Done.

      One-time scans are performed as soon as the scanner finishes its current discoveries.

      Recurring discoveries are added to the list of pending discoveries and are performed on the date and time you set.

      The length of time a scan takes depends on the number of resources you defined.
  • You can stop discovery scans before they complete.
  • You can delete discovery scans once they are finished.
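The Unix discovery reads its targets from the machine-list CSV created in step 1. The following added example (not CyberArk's code) checks such a file before you upload it: every non-blank line must be an IP address, host name or FQDN, and duplicate targets are flagged. The sample file is constructed for the example.

```python
"""Sanity-check a machine-list CSV before uploading it for a Unix discovery.
Added example, not CyberArk code; assumes the format described above:
one IP address, host name or FQDN per line, nothing else."""
import ipaddress
import re

# RFC 1123 label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify(entry: str) -> str:
    """Return 'ip', 'hostname', 'fqdn' or 'invalid' for one CSV line."""
    try:
        ipaddress.ip_address(entry)          # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    name = entry.rstrip(".")                 # tolerate a trailing root dot
    if not name or len(name) > 253:
        return "invalid"
    labels = name.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return "invalid"                     # catches user@host, host:port, URLs
    return "fqdn" if len(labels) > 1 else "hostname"

def validate_machine_list(text: str) -> dict:
    """Parse CSV text; return accepted targets, rejected lines and duplicates."""
    accepted, rejected, duplicates, seen = [], [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:                        # assumption: blank lines are skipped
            continue
        if classify(entry) == "invalid":
            rejected.append((lineno, raw))
        elif entry.lower() in seen:          # same target twice wastes scan time
            duplicates.append((lineno, entry))
        else:
            seen.add(entry.lower())
            accepted.append(entry)
    return {"accepted": accepted, "rejected": rejected, "duplicates": duplicates}

SAMPLE_CSV = """192.0.2.0
192.0.2.1
db01
web-01.example.com
192.0.2.1
root@192.0.2.2
192.0.2.2:22
2001:db8::10
"""  # constructed sample: RFC 5737/3849 documentation addresses, example.com names
```

Run validate_machine_list on the file contents and fix the rejected lines before creating the discovery; the scanner itself gives no per-line feedback on a malformed list.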

Step 2: Analyze pending accounts

After you run a scan, analyze the pending accounts and SSH keys list for onboarding.

To analyze pending accounts:

  1. In the Privilege Cloud Portal, click Accounts > Pending & Discovery, and then click Pending Accounts.

    The grid displays pending accounts discovered by scans and external scanners using the AddPendingAccounts Web Service.

  2. Use the filters in the left pane to filter the accounts in the grid, and use the column headers to sort the accounts for an easier review process.
  3. Click the account in the grid to display the Account Preview pane, which shows information in addition to that displayed in the grid.
  4. After you decide which account you want to onboard, proceed to Step 3: Onboard accounts.

Step 3: Onboard accounts

You can onboard accounts and SSH keys that are displayed in the Pending Accounts page so that you can manage them automatically.

If an account contains dependencies, the dependencies are automatically onboarded with the account. A newly discovered dependency could be non-legitimate or malicious. Therefore, it is recommended to review and approve each newly discovered dependency rather than letting the system onboard it automatically.

When a discovery finds new dependencies associated with a domain account that was previously onboarded or already exists in the system, by default the dependencies are onboarded automatically and the account is disabled for automatic CPM management.

When you are onboarding multiple accounts that share the same SSH key, the private SSH key will only be associated with one account. After onboarding, associate these accounts with the same group so that they can all use the same SSH key.

To onboard accounts:

  1. In the Privilege Cloud Portal, click Accounts > Pending & Discovery.
  2. On the Pending Accounts page, select the accounts, and then click Onboard Accounts.

    If you select multiple accounts, make sure that they are all associated with the same platform.

  3. In Store in Safe, select a Safe or create a new one. To create a Safe, see Add a new Safe.
    For a Safe to display in the list you must:

    • Be a member of the Safe
    • Have the Add accounts permission

    Internal Safes are not displayed.

  4. From the Assign Platform drop-down list, select the platform.

  5. In the Password section, select one of the following:

    Automatically reconcile password

    The passwords are reconciled automatically after they have been onboarded.

    This option is only enabled for platforms that are configured for account reconciliation.

    Set a default password

    Specify the password that will be set in the selected accounts, and then confirm it.

    This sets the passwords stored for the accounts in Privilege Cloud; it does not reset the actual passwords on the target systems. For more information about synchronizing passwords, see Reconcile passwords.

  6. Click Onboard, and when the process completes, click Done.