Encryption and security of discovery credentials
06-23-2015 02:53 AM
I am having a really hard time coming to grips with the security surrounding our discovery credentials. In turn, our Chief Security Officer is throwing up roadblocks in regard to credentials that have access to the servers.
Does anyone have more information regarding this topic, in particular these questions?
I understand that the credentials are stored in the ServiceNow cloud platform with 3DES encryption, which is very strong and, at present, several magnitudes too large to be broken computationally. But as stated in the Wiki, they are decrypted at the ServiceNow end with an instance encryption key. Where is this key stored? If there was a breach at the ServiceNow end, what is in place to prevent an infiltrator using the encryption key and the stored credential to decrypt it themselves and then compromise our security with an account that has local admin access to all our machines, servers, networking equipment, etc.?
Is there a middle-ground opportunity whereby we can enable read-only access to our servers through a locked-down account? I have attempted to follow the wiki partially in this area, but it has left us with inconsistent access to the test servers and with certain elements of discovery not working.
06-24-2015 08:13 AM
Hi, Matthew.
As far as I know, the encryption key is built into the ServiceNow program (and not stored in the instance databases, scripts, etc.) and is not visible through the user interface at any time. So there is no way to get access to this key from an instance, even with the admin role.
In case you still want to greatly increase your credentials' security level, you may think about the External Credential Storage plugin.
06-29-2015 01:11 AM
After further thinking, though, and looking at the probes etc.: by having an account on the ServiceNow platform at all that is capable of performing actions on the servers, you are potentially open to an attack vector.
If I add user ServerLocalAdmin to my ServiceNow platform.
If I then add that user as a local admin via GPO to all my servers.
If I then grant access to the MID server section of ServiceNow to anyone. So all ServiceNow admins by default and anyone working with the MID server for discovery in any way.
All those users now have full PowerShell access to all the servers. In the same way that there is a probe to perform a netstat function, could I not also write my own probe to run the command to format a disk? Then set that probe as part of a discovery and run it against all IPs in the business, and now I have caused major system disruption, and all I had to do was compromise one of several users' passwords. Or access one of their logged-in sessions for ServiceNow, which they can log into from anywhere in the world?
That level of possibility to be compromised at present is far too high for our security team, coupled with the fact that staff who will be administering and updating discovery schedules and probes are not in the same security level as our systems team. Is this a case of agentless discovery not being suitable for us if we cannot make these compromises?
06-30-2015 10:45 PM
Of course, the user with the admin role can do a lot of things with the devices the mid-server can access. The best way to prevent a "run the command to format a disk" situation is to set "read-only" rules for the mid-server user (for each of the computers) to allow the mid-server to discover just the necessary information.
07-01-2015 05:25 AM
Hi epam, thanks for taking the time to reply to me, though I remain a little confused.
ServiceNow documentation states that the MID server user or one of its associated credentials should be either a local or domain admin.
Are you saying the MID server user in ServiceNow should be set as read-only? Or are you saying that the user that the MID server is running as in our environment should be added to our servers as a local admin but with some form of read-only mode? If the first one, then I still don't think this addresses our security concerns. If the second one, then I'm struggling to find any info from Microsoft about this feature.
Again, thank you for your time. I understand you do not get paid to help others out on forums, so I appreciate the help.