10-17-2017 09:38 AM
Hi,
Windows team in our organization is hesitant to provide the local admin privileges to the service account that we are going to use for the discovery of Windows servers.
Basic Windows server attributes, software installed, processes running, and network adapters are part of the discovery requirement.
Without local admin privileges for the service account, what attributes and application dependency mapping info are we going to miss in the discovery?
Regards,
Chandra
10-17-2017 11:40 AM
Without local admin privileges for the service account, what attributes and application dependency mapping info are we going to miss in the discovery.
Quite a number. Show them the discovery patterns and probes used to interrogate a Windows platform so that they understand there are a few privileged commands there.
Windows team in our organization is hesitant to provide the local admin privileges to the service account that we are going to use for the discovery of Windows servers.
If they're managing this kit... aren't they the ones performing the discovery?
This is always a contentious issue, and it stems from the fact that those trying to capture these CIs that are brought under configuration control differ from those actually managing the CIs - causing a clash.
Simply put: if they don't want to enable discovery on their kit, then make them responsible for manually keeping the CMDB up to date with kit in their area of responsibility. If they want to create a service account that enables discovery read-only access to Windows attributes, they can easily enable auditing and check what's being run, then verify it's safe.
10-17-2017 11:41 AM
thank you.
10-17-2017 01:54 PM
You need local admin privilege to run netstat commands.
Just to clarify: privilege escalation isn't needed to run this command, but one of the probes runs "netstat -b" - it seems this particular option is privileged.
(I didn't fully understand how it was written in the docs until trying it out)
03-24-2021 03:03 AM
Hi Chandra, did you ever reach a conclusion to this?

03-25-2021 08:54 AM
Hey, Fredrik -
I'm going to assume that as you're asking you've got a similar challenge. Since this question was posted, JEA for Windows Discovery has been introduced (though I can't remember when exactly it came in, I don't think it was a solution three years ago).
It allows you to use credentials that are useless until validated against a profile on the target, which is far more secure than giving admin access. In practice, even using the ServiceNow "starter profile" gives you a solid Discovery against a target, and your Infrastructure team can extend its privileges as they see the need for more data.
https://docs.servicenow.com/bundle/quebec-it-operations-management/page/product/discovery/concept/microsoft-jea-discovery.html
As a callout before you begin, it does use WinRM rather than WMI, so you will need to make sure 5985/6 is open rather than 135 on your targets, and there are some extra MID Server parameters that go in there, but it's all nicely documented by ServiceNow.
Cheers,
Sam
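The constrained-endpoint approach described in the reply above, as an added example that is not part of the original thread and is not ServiceNow's starter profile: a generic JEA endpoint that lets a non-admin discovery account run a short list of read-only commands (including `netstat`, which the endpoint's virtual account runs elevated) and writes a transcript of every session. The module path, account name, endpoint name and command list are assumptions to be adapted by the Windows team.

```powershell
# Run elevated on the target server. All names and paths are hypothetical.
$module   = 'C:\Program Files\WindowsPowerShell\Modules\DiscoveryJEA'
$roleDir  = Join-Path $module 'RoleCapabilities'
$logDir   = 'C:\ProgramData\DiscoveryJEA\Transcripts'
$account  = 'CONTOSO\svc-discovery'   # non-admin domain account used for discovery
$endpoint = 'DiscoveryReadOnly'

# Role capability files must live in a RoleCapabilities folder of a valid module.
New-Item -ItemType Directory -Path $roleDir, $logDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'DiscoveryJEA.psd1')

# Only the commands listed here are visible inside the session.
$role = @{
    Path           = Join-Path $roleDir 'DiscoveryReader.psrc'
    VisibleCmdlets = @(
        'Get-Process', 'Get-Service', 'Get-NetAdapter', 'Get-NetIPAddress',
        # Get-CimInstance is limited to -ClassName with two allowed classes.
        @{ Name       = 'Get-CimInstance'
           Parameters = @{ Name        = 'ClassName'
                           ValidateSet = 'Win32_OperatingSystem', 'Win32_ComputerSystem' } }
    )
    VisibleExternalCommands = 'C:\Windows\System32\NETSTAT.EXE'
}
New-PSRoleCapabilityFile @role

# Session configuration: the caller's own credentials gain nothing; commands run
# as a temporary virtual account, and each session is transcribed for review.
$session = @{
    Path                = Join-Path $env:TEMP "$endpoint.pssc"
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = $logDir
    RoleDefinitions     = @{ $account = @{ RoleCapabilities = 'DiscoveryReader' } }
}
New-PSSessionConfigurationFile @session
Test-PSSessionConfigurationFile -Path $session.Path

# Registering the endpoint restarts the WinRM service.
Register-PSSessionConfiguration -Name $endpoint -Path $session.Path -Force

# Review exactly which commands the discovery account can reach.
Get-PSSessionCapability -ConfigurationName $endpoint -Username $account |
    Select-Object Name, CommandType
```

The transcripts under `$logDir` give the Windows team the record of what discovery actually ran, and widening the role is a reviewed edit to the `.psrc` file rather than a group-membership change.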