System discovery pre-requisites
System discovery pre-requisites cover the following areas:
- Active Directory discovery requirements
- Port scanning discovery requirements
- Additional Windows discovery
The first phase of the Active Directory discovery method looks for systems that are joined to Active Directory. Typically these are Windows systems but there may be Unix systems as well (requirements for Unix systems are detailed below). The target systems do not need to be online for this first phase of discovery and no special requirements are needed.
Active Directory discovery requirements for Unix
UNIX systems are joined to Active Directory with the Centrify Authentication Service, which requires a Centrify Infrastructure Services Agent installed on each Unix system. That agent joins the system to Active Directory, and discovery then finds joined Unix systems by performing LDAP queries against Active Directory.
The first phase of the Port Scanning discovery method is done by checking for open TCP ports on a target system. The systems must be online and the systems may or may not be joined to Active Directory. Once open ports are found, attempts are made to connect to the system. By default, one of the specified discovery accounts must be able to authenticate to the target system.
For Windows systems, read-only remote registry access is required along with the following:
- The firewall must allow the connection.
- The Remote Registry service must be running.
- Group Policies (see the Windows-specific requirements below).
- The discovery account must be a local administrator.
  Note: One way to achieve this for systems that are joined to Active Directory is to use a discovery account that is a member of Domain Admins.
- The Centrify Connector you use for discovery through port scanning must be on version 18.6 or newer. By default, all connectors are used for discovery. Contact Centrify Support to specify the use of specific connectors for discovery.
- Port scanning requires IPv4 addresses.
For Unix and other systems that have SSH enabled, there are no special requirements. By default, systems that have no known connection credentials are ignored. However, if the "Import systems detected without known credentials" and "Ignore if system name not found in DNS" options are selected, a successful DNS reverse lookup on the system's IP address is required to add the discovered system.
For either the Active Directory or Port Scanning methods of discovery, the second phase of discovery may optionally be configured to find additional information about Windows systems:
- Discovery of local accounts.
- Discovery of Windows services, scheduled tasks, and IIS Application Pools along with their associated accounts.
Discovery of local Windows accounts
To discover local accounts on a remote machine, the discovery engine needs to make remote calls to the Security Account Manager (SAM) database of the target system. On Windows desktop systems such as Windows 10, the discovery account may not have such permissions by default and you may need to update the Local Security Policy to enable this access. The specific policy setting is located under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Restrict clients allowed to make remote calls to SAM.
Centrify recommends that you either add the discovery account to this list by clicking the "Edit Security..." button or add the "Authenticated Users" group to this list.
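The policy above is backed by the RestrictRemoteSAM value under the LSA registry key, which holds an SDDL security descriptor. The following PowerShell script is an added example, not Centrify's code, that grants a discovery account the same access the Local Security Policy editor would, by appending a READ_CONTROL ACE for the account's SID to that descriptor. The account name and the script's default descriptor are assumptions for illustration; run it elevated on the target workstation.

```powershell
# Added example (not from the Centrify docs): allow a discovery account to make
# remote calls to SAM by editing the registry value behind the policy
# "Network access: Restrict clients allowed to make remote calls to SAM".
# The account name is a placeholder.
param(
    [string]$DiscoveryAccount = 'CORP\svc-discovery'   # placeholder account
)

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'RestrictRemoteSAM'

# Resolve the account to a SID so the ACE survives renames and works in SDDL.
$account = New-Object System.Security.Principal.NTAccount($DiscoveryAccount)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Read the current descriptor; if the value is absent, assume the Windows 10
# default, which allows only the local Administrators group (BA).
$current = (Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if (-not $current) { $current = 'O:BAG:BAD:(A;;RC;;;BA)' }

# "RC" (READ_CONTROL) is the right the SAM RPC server checks for remote callers.
$ace = "(A;;RC;;;$sid)"
if ($current -like "*$ace*") {
    Write-Host "$DiscoveryAccount is already allowed: $current"
} else {
    $updated = $current + $ace
    Set-ItemProperty -Path $lsaKey -Name $valueName -Value $updated -Type String
    Write-Host "Updated $valueName to: $updated"
}

# Verify by parsing the stored descriptor back; a malformed SDDL throws here.
$stored = (Get-ItemProperty -Path $lsaKey -Name $valueName).$valueName
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($stored)
$sd.DiscretionaryAcl | ForEach-Object { '{0} {1}' -f $_.AceType, $_.SecurityIdentifier }
```

If a domain Group Policy already sets this policy, the domain value overwrites the local edit at the next refresh, so in that case make the change in the GPO instead. To grant Authenticated Users rather than a single account, as the text also suggests, use the well-known SID string S-1-5-11 in place of the resolved SID.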
The following requirements are specific to Windows:
- As part of the detailed discovery, Privileged Access Service reads the following registry locations: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- To remotely read these registry locations from the target machine, confirm the following:
  - The "Remote Registry" service must be enabled on the target system.
  - Certain firewall ports must be opened for the remote registry read to work properly. You can typically add a Windows firewall exception for the "Remote Service Management" group to achieve this.
  - The first four registry keys referenced above must be added to the list of "remotely accessible registry paths" using either the local or domain group policy that applies to the target machine.
- In general, you need local administrative privileges to read the registry of a system remotely. However, you can work around that by enabling certain Group Policy settings that allow remote access to the registry paths listed in the remote-read requirement above.
- Since it may not be possible to manually enable the "Remote Registry" service or add a firewall exception on each system, you can bulk-apply these settings through group policy.
- The discovery account must have local administrative rights on each of the systems being probed for Privileged Access Service to perform a detailed discovery (discover services, scheduled tasks, and IIS application pools).
- Additionally, the firewall rules named "Remote Service Management" and "Remote Scheduled Tasks Management" must be enabled. If you do not have these rules enabled, you cannot perform a detailed discovery on the target system.
- In addition to the pre-requisites for running a detailed discovery, discovering IIS application pools requires specific port configurations. See Port requirements for IIS application pools.
A detailed discovery allows you to get more detailed information, such as the accounts associated with IIS application pools, services, and scheduled tasks.
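Before running a detailed discovery it is useful to confirm, from the connector host and with the discovery account's credentials, that each target actually satisfies the remote-registry requirements above. The following PowerShell script is an added example, not part of Centrify's product; it checks TCP 445 reachability, whether the Remote Registry service answers, and whether the LanmanServer\Parameters path named on this page can be opened. The target names are placeholders.

```powershell
# Added example (not Centrify code): pre-flight check of the remote-registry
# prerequisites for Windows targets. Run as the discovery account from the
# connector host. Target names below are placeholders.
param(
    [string[]]$Targets = @('win10-ws01.corp.example', 'srv-file01.corp.example'),
    # Registry path the detailed discovery reads (from the requirements above).
    [string]$RegistryPath = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
)

foreach ($target in $Targets) {
    $result = [ordered]@{
        Target         = $target
        Port445        = $false   # SMB reachable through the firewall
        RemoteRegistry = $false   # Remote Registry service accepted the connection
        PathReadable   = $false   # the specific path is readable by this account
        Error          = ''
    }

    # 1. Remote registry runs over the \pipe\winreg named pipe on SMB, so TCP 445
    #    must be open from the connector to the target.
    $result.Port445 = Test-NetConnection -ComputerName $target -Port 445 `
                          -InformationLevel Quiet -WarningAction SilentlyContinue

    if ($result.Port445) {
        try {
            # 2. Fails with "network path not found" or "access denied" when the
            #    Remote Registry service is stopped or the firewall blocks the pipe.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $target)
            $result.RemoteRegistry = $true

            # 3. Opening the path exercises the winreg "remotely accessible registry
            #    paths" policy for a non-admin account; it returns $null or throws
            #    when access is denied.
            $key = $hklm.OpenSubKey($RegistryPath)
            if ($key) {
                $result.PathReadable = $true
                $key.Close()
            }
            $hklm.Close()
        } catch {
            $result.Error = $_.Exception.Message
        }
    }

    [pscustomobject]$result
}
```

A row with Port445 true but RemoteRegistry false points at the service or the "Remote Service Management" firewall group; RemoteRegistry true with PathReadable false points at the registry path ACL or the "remotely accessible registry paths" policy.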
Discovery of Windows services, scheduled tasks, and IIS application pools
To discover Windows services, scheduled tasks, and IIS application pools, perform the following steps.
- Open the Windows Firewall control panel.
- Select Inbound Rules, then click New Rule.
- Select Custom as the rule type, then click Next.
- Select This program path, then type or browse to specify the path to the DllHost.exe process. For example, you might specify a path similar to %systemroot%\system32\dllhost.exe. Then click Next.
- Set the protocol and port information as follows, then click Next:
  - Select TCP as the protocol type.
  - Select RPC Dynamic Ports for the local port.
  - Select All Ports for the remote port.
- Modify the scope to specific IP addresses if needed, then click Next. You can leave the scope unmodified (unrestricted). For heightened security, and if your connectors are configured with static IP addresses, list the IP addresses of all of your connectors.
- Select Allow the connection, then click Next.
- Select Domain, then click Next.
- Type a name for the new inbound firewall rule, then click Finish.
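The wizard steps above can be scripted for bulk deployment. The following PowerShell script is an added example, not from the Centrify documentation: it enables the Remote Registry service and the two built-in firewall rule groups the requirements name, then creates the same custom inbound rule the wizard produces (dllhost.exe, TCP, RPC dynamic local ports, any remote port, Domain profile), scoped to the connector addresses. The connector addresses and rule name are assumptions; run it elevated on each target or wrap it in a startup script pushed by group policy.

```powershell
# Added example (not Centrify code): PowerShell equivalent of the firewall
# wizard steps plus the service and rule groups required for detailed discovery.
# Connector addresses are placeholders; pass 'Any' to leave the scope open.
param(
    [string[]]$ConnectorAddresses = @('10.0.5.21', '10.0.5.22')   # placeholders
)

# 1. Remote Registry service must be running for the registry reads.
Set-Service -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry

# 2. Enable the built-in inbound rule groups named in the requirements for the
#    Domain profile (rules whose profile is "Any" also apply there).
foreach ($group in 'Remote Service Management', 'Remote Scheduled Tasks Management') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
        Where-Object { "$($_.Profile)" -match 'Domain|Any' } |
        Enable-NetFirewallRule
}

# 3. Custom rule matching the wizard: program dllhost.exe, TCP, local port
#    "RPC" (dynamic RPC range), any remote port, Domain profile, Allow,
#    remote address restricted to the connectors.
$ruleName = 'PAS Discovery - DllHost RPC (inbound)'   # name chosen for this example
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound `
        -Program "$env:SystemRoot\System32\dllhost.exe" `
        -Protocol TCP `
        -LocalPort RPC `
        -RemotePort Any `
        -RemoteAddress $ConnectorAddresses `
        -Profile Domain `
        -Action Allow | Out-Null
}

# 4. Show the resulting port and address filters for review.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort, RemotePort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Scoping -RemoteAddress to the connectors is the scripted form of the optional scope step; it keeps the dllhost.exe RPC endpoint reachable only from the hosts that perform discovery.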
Discovery of UNIX Local Accounts
For either the Active Directory or Port Scanning methods of discovery, the second phase of discovery may optionally be configured to find local accounts on the system. The discovery account must be able to log in to the target system but does not need to be a privileged account.