Depending on your security policies and routines, you may schedule certain scans to run on a daily or periodic basis. It is good practice to run discovery scans more often, perhaps every week or even several times a week, depending on the importance or risk level of the assets involved.

As a best practice, you may also want to discover privileged accounts manually and check whether any account has been left out of password management. Generally, it is a good idea to scan during off-hours, when more bandwidth is free and work disruption is less likely.

The account discovery engine uses the concept of management accounts to discover accounts on integrated assets. It helps reconcile whether the vault contains all privileged accounts, which is useful in environments with a large number of assets and privileged accounts. Furthermore, filtering out dead assets and discovering new accounts through the discovery job reduces manual effort and the risk from unknown accounts.

If you schedule a scan to run on a repeating basis, note that a future scheduled scan job will not start until the preceding scheduled scan job is completed. If the preceding job is not completed by the time the next job is scheduled to start, an error message appears in the scan log.

This chapter consists of the following:

Supported platforms for account discovery

  • Windows Operating System (Server/Desktop)

  • Linux/Unix Operating Systems

  • Oracle Database

  • MySQL Database

  • Microsoft SQL Database

Prerequisites for discovering privileged accounts

The system uses management accounts to discover other privileged accounts. Management accounts with the required privileges can be part of the vault or can be configured separately in the system. Refer to the section on Configuring credentials for more details. You can configure and provide as many management accounts as are available in your platform environments.

Privilege requirement for executing Account Discovery Jobs

Operating system: Windows Active Directory
  • Minimum privilege required for onboarding: 'Read only' administrator account
  • Minimum privilege required for onboarding and resetting password: 'Delegated Password Reset' privileges and a 'Read only' administrator account

Operating system: Windows Local
  • Minimum privilege required for onboarding: 'Administrator' privilege
  • Minimum privilege required for onboarding and resetting password: 'Administrator' privilege

Operating system: RedHat, Solaris, AIX, HP-UX, ESX/ESXi, Ubuntu, SUSE, Fedora, SCO UnixWare, VAX/OpenVMS, Debian, Oracle Enterprise, Tandem, CentOS, FreeBSD, Linux Mint, Apple/macOS X, BSD, SCO OpenServer, Tru64 Unix, VMware ESX/ESXi
  • Minimum privilege required for onboarding: 'root' or 'root equivalent' privilege
  • Minimum privilege required for onboarding and resetting password: 'root' or 'root equivalent' privilege

Database: Microsoft SQL Server
  • Minimum privilege required for onboarding: 'sys admin' privilege
  • Minimum privilege required for onboarding and resetting password: 'sys admin' privilege

Database: Oracle
  • Minimum privilege required for onboarding: 'sys admin' privilege
  • Minimum privilege required for onboarding and resetting password: 'Alter user' privilege

Database: MySQL
  • Minimum privilege required for onboarding: 'sys admin' privilege
  • Minimum privilege required for onboarding and resetting password: 'sys admin' privilege

Use the platform list above to map these requirements to your own systems; the following sections build on it to configure credentials and schedule the jobs.

Steps for adding a discovery job

Attributes

Description

Job details


Job Title

Enter a unique title for your scan job.

Asset type

Select the desired asset type from the drop-down menu.

Asset category

Select the asset category from the drop-down menu.

Schedule type

Select whether to run this job once or on a recurring schedule.

If you select a recurring job, you can choose the days on which the job runs.

For example, to scan your network every second day at 5 pm:

Recur every: 2 days
Task Start: 01 Jan 2018
Schedule Start Time: 4:30 pm to 5:15 pm
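As an added illustration, not Sectona's own code, the following Python model combines the recurrence example above with the earlier rule that a scheduled run does not start while the preceding run is still in progress and an error is written to the scan log instead. All names are hypothetical, and the 4:30 pm to 5:15 pm window is reduced to its 4:30 pm start time.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta
from typing import List, Optional


@dataclass
class DiscoveryJob:
    """Hypothetical model of a recurring account discovery job."""
    title: str
    recur_every_days: int      # "Recur every: 2 days"
    task_start: date           # "Task Start: 01 Jan 2018"
    start_time: time           # start of the "Schedule Start Time" window
    active: bool = True        # the Active checkbox
    running_until: Optional[datetime] = None   # end of the in-flight run, if any
    scan_log: List[str] = field(default_factory=list)


def scheduled_runs(job: DiscoveryJob, until: date) -> List[datetime]:
    """Planned start times: every N days from task_start, at start_time."""
    runs, day = [], job.task_start
    while day <= until:
        runs.append(datetime.combine(day, job.start_time))
        day += timedelta(days=job.recur_every_days)
    return runs


def try_start(job: DiscoveryJob, now: datetime, duration: timedelta) -> bool:
    """Start the run planned for `now` unless the job is inactive or the
    previous run is still in progress; returns True when the run starts."""
    stamp = f"{now:%Y-%m-%d %H:%M}"
    if not job.active:
        job.scan_log.append(f"{stamp} skipped: job is inactive")
        return False
    if job.running_until is not None and job.running_until > now:
        job.scan_log.append(
            f"{stamp} ERROR: preceding run still in progress until "
            f"{job.running_until:%Y-%m-%d %H:%M}; this run will not start")
        return False
    job.running_until = now + duration
    job.scan_log.append(f"{stamp} started (expected to finish {job.running_until:%H:%M})")
    return True


def simulate(job: DiscoveryJob, until: date, run_duration: timedelta) -> int:
    """Drive every planned run in order; returns how many actually started."""
    return sum(try_start(job, when, run_duration) for when in scheduled_runs(job, until))
```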

Group Name

Select the groups on the Active Directory to be scanned.

Task Start

Select the date on which the task begins.

Schedule Time

Either choose "Any" or specify a start time and an end time for the task.

Action


Onboard accounts

If you do not wish to onboard the accounts discovered in a scan, set the Onboard Accounts option to 'No'. Refer to the section on Handling assets & accounts Manually for more details.

If you wish to onboard discovered accounts automatically into the Sectona PAM system, set the Onboard Accounts option to 'Yes'. Note that the passwords of the accounts are reset when discovery onboards them into the PAM. Refer to the section on Auto Onboarding discovered accounts for more details.

Exclude Account(s)

To exclude accounts from the account discovery, enter the names of the accounts separated by commas.

Tags (optional)

You can associate an account with your desired single or multiple tags like Infosec, Banking Core Server, ATM Switches, etc.

Refer to section Applying conditions with tags for more information about adding context with tags.

Account Category

Select an account category such as "Interactive account" or "Service account".

Enforce Password Change (optional)

To exclude the account from the scheduled password rotation job, disable this option by unchecking the Active checkbox.

Owner (optional)

If you have listed owner information for all assets, please include it here.

Tick the Active checkbox and click on the Save button to add the account discovery job in the system.

Click on the Save + Run Now button to start the account discovery immediately.

The Schedule based discovery of account service must be started in the system for scheduled discovery jobs to run and discover accounts.

Viewing job status and history information

To monitor discovery job status at any time, take the following steps:

  • Go to Manage and click on Account Discovery.

  • Click on the button of the discovery job and then click on View Discovery History.

  • Click on any job in the Start On column to view its detailed history status along with the actions performed.

Disabling a scheduled job

To disable a job at any time, take the following steps:

  • Go to Manage and click on Account Discovery.

  • Click on the job title of the discovery you wish to disable.

  • Uncheck the Active checkbox to prevent the job from running at its next scheduled time.