
Credentials Requirements for Discovery

For the NopeSight Scanner Agent to perform deep, authenticated scans of your infrastructure, it requires appropriate credentials for your target systems. This guide outlines the necessary credentials and best practices for managing them securely.

Credential Management and Security

Credential management is a critical aspect of the discovery process. The NopeSight Scanner Agent is designed with security as a priority.

  • Local Storage: Credentials are configured within the Credentials tab of the NopeSight Scanner Agent application.
  • Strong Encryption: All credentials are encrypted using the Windows Data Protection API (DPAPI). This means they are encrypted at rest and tied to the specific user account or machine running the agent.
  • No Central Storage: Credentials are never sent to or stored on the central NopeSight platform, ensuring they remain within your network boundary.

Requirements by Target System

Below are the specific credential requirements for each type of system you wish to scan.

Windows Systems (via WMI)

To collect a full inventory of Windows servers and workstations, the agent requires an account with administrative privileges on the target machines.

  • Required Privileges: Local Administrator
  • Recommended Account: For ease of management across a domain, use a Domain Administrator account or a dedicated service account that is a member of the local Administrators group on every target machine.
  • Username Format:
    • For domain accounts: DOMAIN\username or username@domain.com
    • For local accounts: .\username (when scanning a non-domain machine)
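The three username forms above can be validated before a credential is saved, so a malformed entry fails at configuration time rather than as a string of WMI authentication failures during a scan. The following parser is an added example written for this guide; it is not code from the NopeSight Scanner Agent, and the `WindowsAccount` type, the `parse_windows_username` function and the `local_form_warning` helper are names chosen here:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WindowsAccount:
    """A WMI credential's username, split into its parts (hypothetical type)."""
    domain: Optional[str]   # None for a local account on the target machine
    user: str
    is_local: bool          # True for the ".\\username" form


def _check_simple_name(part: str, what: str) -> None:
    """Reject empty parts and a second separator, e.g. 'CORP\\a\\b' or 'a@b@c'."""
    if not part or "\\" in part or "@" in part:
        raise ValueError(f"invalid {what} in username")


def parse_windows_username(raw: str) -> WindowsAccount:
    """Accept the three documented forms: DOMAIN\\user, user@domain and .\\user."""
    value = raw.strip()
    if not value:
        raise ValueError("username is empty")

    if value.startswith(".\\"):
        # ".\\user" means a local account on whatever machine is being scanned
        user = value[2:]
        _check_simple_name(user, "user")
        return WindowsAccount(domain=None, user=user, is_local=True)

    if "\\" in value:
        # Down-level logon name: NetBIOS domain, backslash, user
        domain, _, user = value.partition("\\")
        _check_simple_name(domain, "domain")
        _check_simple_name(user, "user")
        return WindowsAccount(domain=domain, user=user, is_local=False)

    if "@" in value:
        # User principal name: user, "@", DNS domain
        user, _, domain = value.rpartition("@")
        _check_simple_name(user, "user")
        _check_simple_name(domain, "domain")
        return WindowsAccount(domain=domain, user=user, is_local=False)

    # A bare name is ambiguous (local or domain?) and is rejected outright
    raise ValueError(
        "username must be DOMAIN\\username, username@domain.com or .\\username"
    )


def local_form_warning(account: WindowsAccount,
                       target_is_domain_joined: bool) -> Optional[str]:
    """The .\\ form is meant for non-domain machines; flag it on a domain member."""
    if account.is_local and target_is_domain_joined:
        return "local account form used against a domain-joined target"
    return None


if __name__ == "__main__":
    for sample in ("CORP\\svc-scan", "svc-scan@corp.example.com", ".\\scanadmin"):
        print(sample, "->", parse_windows_username(sample))
```

A bare username without a domain or the `.\` prefix is rejected rather than guessed at, since the agent would otherwise have no way to tell a local account from a domain one.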

Linux/Unix Systems (via SSH)

To scan systems running Linux or other Unix-like operating systems, the agent requires an SSH-enabled user account.

  • Required Privileges: An account that can authenticate via SSH.
  • Recommended Privileges: For a complete inventory (including hardware details, software packages, and system configuration), an account with root or sudo privileges is highly recommended.
  • Authentication Methods: Both password-based and SSH key-based authentication are supported. For key-based authentication, ensure the private key is accessible to the scanner agent.

Network Devices (via SNMP)

The agent uses SNMP to discover and inventory network hardware such as switches, routers, and firewalls.

  • SNMPv1/v2c: A valid Community String with read access.
  • SNMPv3: A user account with appropriate security level (e.g., authPriv) for authenticated and encrypted communication.
  • Recommendation: Use SNMPv3 wherever possible, as it is significantly more secure than older versions.
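The recommendation above can be turned into a check that runs over each SNMP credential before it is used: v1/v2c entries are flagged because the community string travels in cleartext, default community strings are called out, and SNMPv3 entries below authPriv (or using the older MD5/DES algorithms) are reported. This is an added example written for this guide, not the scanner agent's own validation; the `SnmpCredential` type, the `review_snmp_credential` function and the sample `WEAK`/`FIXED` entries are constructed here:

```python
from dataclasses import dataclass
from typing import List, Optional

# Policy tables constructed for this example, not the agent's configuration
DEFAULT_COMMUNITIES = {"public", "private"}
V3_LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


@dataclass
class SnmpCredential:
    version: str                         # "1", "2c" or "3"
    community: Optional[str] = None      # v1/v2c community string
    username: Optional[str] = None       # v3 user
    level: Optional[str] = None          # v3 security level
    auth_protocol: Optional[str] = None  # v3 authentication, e.g. "SHA" or "MD5"
    priv_protocol: Optional[str] = None  # v3 privacy, e.g. "AES" or "DES"


def review_snmp_credential(cred: SnmpCredential) -> List[str]:
    """Return the policy findings for one credential; an empty list means it passes."""
    findings: List[str] = []

    if cred.version in ("1", "2c"):
        findings.append(
            f"SNMPv{cred.version} sends the community string in cleartext; prefer SNMPv3"
        )
        if not cred.community:
            findings.append("missing community string")
        elif cred.community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community string '{cred.community}' in use")
        return findings

    if cred.version != "3":
        return [f"unknown SNMP version '{cred.version}'"]

    if not cred.username:
        findings.append("SNMPv3 credential has no username")

    rank = V3_LEVELS.get(cred.level or "")
    if rank is None:
        findings.append(f"unknown SNMPv3 security level '{cred.level}'")
    elif rank < V3_LEVELS["authPriv"]:
        findings.append(f"security level {cred.level} does not encrypt; use authPriv")

    # Weaker algorithm choices within the authenticated / encrypted levels
    if rank and (cred.auth_protocol or "").upper() == "MD5":
        findings.append("MD5 authentication is weaker than the SHA-based options")
    if rank == V3_LEVELS["authPriv"] and (cred.priv_protocol or "").upper() == "DES":
        findings.append("DES privacy is weaker than AES")
    return findings


def is_acceptable(cred: SnmpCredential) -> bool:
    """True when the credential produces no findings."""
    return not review_snmp_credential(cred)


# Constructed samples: the weak setting next to the corrected one
WEAK = SnmpCredential(version="2c", community="public")
FIXED = SnmpCredential(version="3", username="scan-ro", level="authPriv",
                       auth_protocol="SHA", priv_protocol="AES")

if __name__ == "__main__":
    for label, cred in (("weak", WEAK), ("fixed", FIXED)):
        print(label, review_snmp_credential(cred) or "OK")
```

Running the check against `WEAK` yields two findings (cleartext protocol and a default community string), while `FIXED` passes; an authNoPriv entry is reported even when its username and algorithms are fine, because the scan traffic would still be readable on the wire.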

VMware vCenter

The agent connects to vCenter to discover your virtualized environment, including ESXi hosts, clusters, and virtual machines.

  • Required Privileges: A user account that can authenticate to the vCenter server.
  • Recommended Account: A dedicated service account with Global read-only permissions is sufficient for discovery and is a security best practice. An administrator account is not required.

Security Best Practices

Follow these best practices when configuring credentials for discovery.

  • Use the Principle of Least Privilege: Always provide the minimum level of access required. For example, use a read-only account for vCenter discovery.
  • Create Dedicated Service Accounts: Instead of using named user accounts (e.g., a personal administrator account), create dedicated service accounts for scanning. This improves auditability and security.
  • Limit Credential Scope: Within the scanner agent's credential configuration, associate credentials with specific IP ranges. This prevents the agent from attempting to use a credential on an unintended network segment.
  • Implement Credential Rotation: Adhere to your organization's security policy for rotating passwords, community strings, and SSH keys. Remember to update them in the scanner agent when they change.
  • Monitor Authentication Logs: Regularly review scan logs for authentication failures. A high number of failures could indicate an incorrect password, an expired key, or a network access issue.
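Two of the practices above, limiting credential scope and monitoring authentication failures, are easy to automate. The example below is added for this guide and is not the scanner agent's own code: it binds each credential to one or more IP ranges and refuses to return a credential for a target outside them (the most specific range wins), then tallies authentication failures per credential from scan log lines. The `ScopedCredential` type, the function names, and the log line format in `SAMPLE_LOG` are all constructed for this example; the agent's real log format is not documented on this page.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ScopedCredential:
    """A credential the agent may use only inside its listed networks (hypothetical type)."""
    name: str
    kind: str                      # "wmi", "ssh", "snmp" or "vcenter"
    networks: Tuple[Network, ...]


def scoped(name: str, kind: str, *cidrs: str) -> ScopedCredential:
    return ScopedCredential(name, kind,
                            tuple(ipaddress.ip_network(c, strict=False) for c in cidrs))


def select_credential(target: str, kind: str,
                      creds: Iterable[ScopedCredential]) -> Optional[ScopedCredential]:
    """Pick the credential whose scope covers the target; the longest prefix wins.

    Returns None instead of falling back to a credential from another segment,
    which is the point of scoping: a DMZ host never sees the internal password."""
    ip = ipaddress.ip_address(target)
    best: Optional[Tuple[int, ScopedCredential]] = None
    for cred in creds:
        if cred.kind != kind:
            continue
        for net in cred.networks:
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, cred)
    return best[1] if best else None


# Constructed log format: one line per scan attempt, key=value fields
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) scan target=(?P<target>\S+) proto=(?P<proto>\w+) "
    r"credential=(?P<cred>\S+) result=(?P<result>\w+)$"
)


def parse_scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than failing the whole report
            records.append(m.groupdict())
    return records


def auth_failure_report(lines: Iterable[str], threshold: int = 3) -> Dict[str, Dict[str, object]]:
    """Per credential: attempts, authentication failures, and whether to alert.

    A burst of auth_failed results on one credential points at a wrong password,
    an expired key, or a rotated secret that was never updated in the agent."""
    attempts: Counter = Counter()
    failures: Counter = Counter()
    for rec in parse_scan_log(lines):
        attempts[rec["cred"]] += 1
        if rec["result"] == "auth_failed":
            failures[rec["cred"]] += 1
    return {
        cred: {"attempts": n, "auth_failures": failures[cred],
               "alert": failures[cred] >= threshold}
        for cred, n in attempts.items()
    }


# Constructed sample data
CREDENTIALS = (
    scoped("corp-wmi", "wmi", "10.10.0.0/16"),
    scoped("dmz-ssh", "ssh", "10.20.5.0/24"),
    scoped("corp-ssh", "ssh", "10.0.0.0/8"),
)
SAMPLE_LOG = """\
2024-05-02T03:10:01Z INFO scan target=10.10.1.5 proto=wmi credential=corp-wmi result=ok
2024-05-02T03:10:04Z WARN scan target=10.10.1.6 proto=wmi credential=corp-wmi result=auth_failed
2024-05-02T03:10:07Z WARN scan target=10.10.1.7 proto=wmi credential=corp-wmi result=auth_failed
2024-05-02T03:10:09Z WARN scan target=10.10.1.8 proto=wmi credential=corp-wmi result=auth_failed
2024-05-02T03:11:02Z INFO scan target=10.20.5.9 proto=ssh credential=dmz-ssh result=ok
2024-05-02T03:11:05Z WARN scan target=10.20.5.10 proto=ssh credential=dmz-ssh result=timeout
this line is not a scan record and is ignored
""".splitlines()

if __name__ == "__main__":
    print(select_credential("10.20.5.9", "ssh", CREDENTIALS))
    print(select_credential("192.168.1.1", "ssh", CREDENTIALS))
    print(auth_failure_report(SAMPLE_LOG))
```

In the sample, the DMZ SSH credential is chosen for 10.20.5.9 because its /24 is more specific than the site-wide /8, a host outside every range gets no credential at all, and the three consecutive `auth_failed` results on `corp-wmi` cross the threshold and raise an alert while the timeout on `dmz-ssh` does not, since a network problem is not an authentication problem.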