Credentials Requirements for Discovery
For the Tripl-i Scanner Agent to perform deep, authenticated scans of your infrastructure, it requires appropriate credentials for your target systems. This guide outlines the necessary credentials and best practices for managing them securely.
Credential Management and Security
Credential management is a critical aspect of the discovery process. The Tripl-i Scanner Agent is designed with security as a priority.
- Local Storage: Credentials are configured within the Credentials tab of the Tripl-i Scanner Agent application.
- Strong Encryption: All credentials are encrypted using the Windows Data Protection API (DPAPI). This means they are encrypted at rest and tied to the specific user account or machine running the agent.
- No Central Storage: Credentials are never sent to or stored on the central Tripl-i platform, ensuring they remain within your network boundary.
Requirements by Target System
Below are the specific credential requirements for each type of system you wish to scan.
Windows Systems (via WMI)
To collect a full inventory of Windows servers and workstations, the agent requires an account with administrative privileges on the target machines.
- Required Privileges: Local Administrator
- Recommended Account: For ease of management across a domain, using a Domain Administrator account or a dedicated service account that is a member of the local administrators group on all target machines is recommended.
- Username Format:
- For domain accounts:
DOMAIN\usernameorusername@domain.com - For local accounts:
.\username(when scanning a non-domain machine)
- For domain accounts:
Linux/Unix Systems (via SSH)
To scan systems running Linux or other Unix-like operating systems, the agent requires an SSH-enabled user account.
- Required Privileges: An account that can authenticate via SSH.
- Recommended Privileges: For a complete inventory (including hardware details, software packages, and system configuration), an account with
rootorsudoprivileges is highly recommended. - Authentication Methods: Both password-based and SSH key-based authentication are supported. For key-based authentication, ensure the private key is accessible to the scanner agent.
Network Devices (via SNMP)
For discovering and inventorying network hardware like switches, routers, and firewalls.
- SNMPv1/v2c: A valid Community String with read access.
- SNMPv3: A user account with appropriate security level (e.g.,
authPriv) for authenticated and encrypted communication. - Recommendation: Use SNMPv3 wherever possible, as it is significantly more secure than older versions.
VMware vCenter
For discovering your virtualized environment, including ESXi hosts, clusters, and virtual machines.
- Required Privileges: A user account for the vCenter server.
- Recommended Account: A dedicated service account with Global read-only permissions is sufficient for discovery and is a security best practice. An administrator account is not required.
SQL Server Databases
SQL Server database discovery uses the same credentials as Windows WMI scanning. No separate SQL credentials are required.
- Authentication Method: Windows Authentication - The scanner uses the WMI scanning account to authenticate to SQL Server.
- Required Configuration: The WMI scanning account must have a SQL Server login created from the Windows account.
SQL Server Permission Levels
The amount of data collected depends on the permissions granted:
| Permission Level | What's Discovered |
|---|---|
| Basic (public only) | Instance name, version, edition |
| Standard | + Memory config, connections, services, encryption |
| Full | + All databases, backup status, linked servers |
Recommended SQL Server Permissions
For comprehensive database discovery, grant the following permissions to your scanning account:
| Permission | Purpose |
|---|---|
VIEW SERVER STATE | Server-level metrics, connections, encryption status |
VIEW ANY DATABASE | List all databases on the instance |
VIEW ANY DEFINITION | Linked server discovery |
db_datareader on msdb | Backup history and dates |
Setting Up SQL Server Permissions
Run the following SQL commands on each SQL Server instance to configure the scanning account:
-- Connect to master database
USE master;
GO
-- Create login from Windows account (if not exists)
CREATE LOGIN [DOMAIN\ScanAccount] FROM WINDOWS;
GO
-- Grant server-level permissions
GRANT VIEW SERVER STATE TO [DOMAIN\ScanAccount];
GRANT VIEW ANY DATABASE TO [DOMAIN\ScanAccount];
GRANT VIEW ANY DEFINITION TO [DOMAIN\ScanAccount];
GO
-- Grant msdb read access for backup history
USE msdb;
GO
CREATE USER [DOMAIN\ScanAccount] FOR LOGIN [DOMAIN\ScanAccount];
ALTER ROLE db_datareader ADD MEMBER [DOMAIN\ScanAccount];
GO
Replace DOMAIN\ScanAccount with your actual scanning service account.
For detailed information, see the SQL Server Database Discovery Reference.
Security Best Practices
Follow these best practices when configuring credentials for discovery.
- Use the Principle of Least Privilege: Always provide the minimum level of access required. For example, use a read-only account for vCenter discovery.
- Create Dedicated Service Accounts: Instead of using named user accounts (e.g., a personal administrator account), create dedicated service accounts for scanning. This improves auditability and security.
- Limit Credential Scope: Within the scanner agent's credential configuration, associate credentials with specific IP ranges. This prevents the agent from attempting to use a credential on an unintended network segment.
- Implement Credential Rotation: Adhere to your organization's security policy for rotating passwords, community strings, and SSH keys. Remember to update them in the scanner agent when they change.
- Monitor Authentication Logs: Regularly review scan logs for authentication failures. A high number of failures could indicate an incorrect password, an expired key, or a network access issue.