Discovering systems

You can automatically populate Privileged Access Service with computers, network devices, and accounts by creating discovery profiles and running discovery jobs. Discovery profiles describe the type of information you want to discover— Windows and UNIX computers, servers, and workstations only or network devices as well. You can define a profile to use the following discovery methods:

  • Active Directory method - Scans only Active Directory joined systems (Windows and UNIX workstations and servers).
  • Port scanning method - Scans network devices (for example routers) and UNIX/LINUX/Windows system that are not joined to Active Directory, in addition to the Active Directory joined systems.
  • EC2 discovery method - Scans AWS EC2 instances and optionally enrolls the system with the Centrify Client.

By default, discovery jobs ignore previously discovered systems that have been deleted to avoid rediscovering the same objects. The deleted systems are listed in Discovery > Excluded Systems in the Systems area. You can remove systems from this list if you want them to be rediscovered.

The History page allows you to view activity for previous and current discovery jobs. You can use the History page to learn more about the items added to the Privileged Access Service.

Note:   Passwords for discovered accounts on domain-joined Windows systems do not need to be manually updated if system and domain policies are configured for local account password reconciliation. See Configuring Windows local account reconciliation, for configuration details.

Port scanning discovery

Port scanning includes two levels of discovery:

  1. Basic discovery -- Privileged Access Service first probes a few well-known ports to determine the basic system type – generic SSH or windows.
  2. Detailed discovery -- Then we use the specified discovery account to run a detailed discovery. This discovery gets more system information, such as the accounts associated with application pools, services, and scheduled tasks. The detailed discovery requires that you specify an account with local administrative rights when you create the profile. See Adding accounts for port scan discovery.

The procedures for a port scan discovery include:

  1. System discovery pre-requisites
  2. Adding accounts for port scan discovery
  3. Creating a port scan discovery profile
  4. Specifying systems discovery actions
  5. Running a systems discovery job
  6. Assigning systems profile management permissions

Active Directory discovery

The discovery profile account you specify must have sufficient permissions to perform computer, domain, service, and account discovery. At a minimum, the discovery profile account must have:

  • Read permissions on the domains to be discovered
  • Local administrator permissions on computers to be discovered – If it does not have local administrator permissions, then you can discover only basic system information (such as the system type).

The procedures for an Active Directory discovery include:

  1. System discovery pre-requisites
  2. Creating an Active Directory discovery profile
  3. Specifying systems discovery actions
  4. Running a systems discovery job

EC2 discovery

EC2 discovery imports AWS EC2 instances into Privileged Access Service as systems. Optionally, you may enroll the system to the discovered system using the Centrify Client, and auto-configure the Use My Account feature and Linux sudo privileges.

The procedures for an EC2 discovery include the ability to: