Does SN discovery use NTLM2? Can SN discovery authenticate using kerberos?

mbeaver
Tera Contributor

‎07-07-2020 03:11 PM

Our enterprise security team wants us to use kerberos if possible to achieve higher defence against hackers and ransomware. I am having trouble finding appropriate documentation on this subject.

Labels:
  • 1,167 Views
2 REPLIES 2

Ashutosh Munot1
Kilo Patron
Kilo Patron

‎07-08-2020 07:19 AM

Hi,

I am not sure of this.


@doug.schulze 

Thanks,
Ashutosh

0 Helpfuls

Ryan128
Kilo Explorer

‎03-17-2021 06:13 PM

I would like to know this too.  My recommendation to my service team is going to be to "return the product".

My service team is asking to deploy this in the recommended (insecure) configuration which will result in NTLM hashes on each asset.  Service-Now needs to provide the capability to configure an agent that is deployed by GPO for periodic scanning.  As far as I am aware the best case implementation I can do is have CyberArk rotate system passwords at the end of the discovery scans?

The "powershell" that is remotely being executed as part of the CMDB discovery could just get a small wrapper on it and deploy via GPO to assets.

Rapid7/Nexpose has done this to avoid situations where you are leaving privileged hashes on a system.  If an attacker gets local admin on one asset that is scanned with the discovery creds they have access to every asset.  

0 Helpfuls