Privileged Account Discovery for Windows

Similar documents
Privileged Account Discovery for UNIX

Click Studios. Passwordstate. Password Discovery, Reset and Validation. Requirements

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

Discovery Guide. Secret Server. Table of Contents

To install the SMTP service:

Windows Firewall Configuration with Group Policy for SyAM System Client Installation

How To - Implement Single Sign On Authentication with Active Directory

User Guide. Version 3.2. Copyright Snow Software AB. All rights reserved.

Mobile device management

support HP MFP Scan Setup Wizard 1.1

Version Devolutions inc.

Active Directory integration with CloudByte ElastiStor

Setting Up Scan to SMB on TaskALFA series MFP s.

Novell ZENworks Asset Management 7.5

Windows Firewall must be enabled on each host to allow Remote Administration. This option is not enabled by default

IIS, FTP Server and Windows

Malwarebytes Enterprise Edition Best Practices Guide Version March 2014

SMART Vantage. Installation guide

INSTALLATION GUIDE. Snow License Manager Version 7.0 Release date Document date

Integrating LANGuardian with Active Directory

MailStore Outlook Add-in Deployment

AdminToys Suite. Installation & Setup Guide

Remote Desktop Services Overview. Prerequisites. Additional References

Toolbox 3.3 Client-Server Configuration. Quick configuration guide. User manual. For the latest news. and the most up-todate.

Microsoft XP Professional Remote Desktop Connection

Step-By-Step Guide to Deploying Lync Server 2010 Enterprise Edition

Windows 2008 Server DIRECTIVAS DE GRUPO. Administración SSII

Windows Firewall Exceptions Configuring Windows Firewall Exceptions for Docusnap

Troubleshooting Guide

Kepware Technologies Remote OPC DA Quick Start Guide (DCOM)

FastPass Password Manager Version 3.5.1

PC Power Down. MSI Deployment Guide

OnDemand. Getting Started Guide

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2

Advanced Event Viewer Manual

How to Configure Microsoft System Operation Manager to Monitor Active Directory, Group Policy and Exchange Changes Using NetWrix Active Directory

Snow Active Directory Discovery

Using DC Agent for Transparent User Identification

Knowledge Base Article: Article 218 Revision 2 How to connect BAI to a Remote SQL Server Database?

Installation and Configuration of Aadhaar Enrolment Client

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

Windows XP Service Pack 2 Windows Firewall Group Policy Setup for Executive Software Products

How To Install The Snow Active Directory Discovery Service On Windows (Windows) (Windows 7) (Powerbook) (For Windows) (Amd64) (Apple) (Macintosh) (Netbook) And (Windows

Core Protection for Virtual Machines 1

2 Working with a Desktop GeoDatabase

IISADMPWD. Replacement Tool v1.2. Installation and Configuration Guide. Instructions to Install and Configure IISADMPWD. Web Active Directory, LLC

Monitoring Oracle Enterprise Performance Management System Release Deployments from Oracle Enterprise Manager 12c

Configure and enable remote access for windows operating system

Propalms TSE Quickstart Guide

Scan to SMB(PC) Set up Guide

Step-by-step installation guide for monitoring untrusted servers using Operations Manager ( Part 3 of 3)

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

NETWRIX CHANGE NOTIFIER

NetIQ Advanced Authentication Framework - MacOS Client

WhatsUp Gold v16.3 Installation and Configuration Guide

Configuring an Etherspeak SIP Trunk in Microsoft Lync 2013

Web-Access Security Solution

STATISTICA VERSION 12 STATISTICA ENTERPRISE SMALL BUSINESS INSTALLATION INSTRUCTIONS

Basic Exchange Setup Guide

Installing and Configuring Active Directory Agent

How to Connect to Berkeley College Virtual Lab Using Windows

Using Microsoft Windows Authentication for Microsoft SQL Server Connections in Data Archive

Version 3.8. Installation Guide

TSScan - Usage Guide. Usage Guide. TerminalWorks TSScan 2.5 Usage Guide. support@terminalworks.com

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

Configuring Windows Server Clusters

How To Set Up Chime For A Coworker On Windows (Windows) With A Windows 7 (Windows 7) On A Windows 8.1 (Windows 8) With An Ipad (Windows).Net (Windows Xp

Paranet Solutions Network Discovery Client. Paranet Professional Services

Installation and Configuration Guide

SCCM Client Checklist for Windows 7

Sophos Anti-Virus for NetApp Storage Systems user guide. Product version: 3.0

1 Disabling Access to USB Mass Storage Devices

Setting up Sharp MX-Color Imagers for Inbound Fax Routing to or Network Folder

NETWRIX ACCOUNT LOCKOUT EXAMINER

Installation Guide: Delta Module Manager Launcher

Contents Introduction... 3 Introduction to Active Directory Services... 4 Installing and Configuring Active Directory Services...

Quick Scan Features Setup Guide

Deploying Microsoft RemoteFX on a Single Remote Desktop Virtualization Host Server Step-by-Step Guide

System Area Management Software Tool Tip: Agent Deployment utilizing. the silent installation with Active Directory

How to monitor AD security with MOM

Administration guide. Océ LF Systems. Connectivity information for Scan-to-File

Configuration Task 3: (Optional) As part of configuration, you can deploy rules. For more information, see "Deploy Inbox Rules" below.

Secret Server Installation Windows Server 2012

ContentWatch Auto Deployment Tool

Team Foundation Server 2012 Installation Guide

Burst Technology bt-loganalyzer SE

SysAid Remote Discovery Tool

Sample Configuration: Cisco UCS, LDAP and Active Directory

Network/Floating License Installation Instructions

Audit Policy Subcategories

Professional Mailbox Software Setup Guide

How to Configure Terminal Services for Pro-Watch in Remote Administration Mode (Windows 2000)

Z-Term V4 Administration Guide

ONLINE BACKUP MANAGER MS EXCHANGE MAIL LEVEL BACKUP

4cast Client Specification and Installation

Dell Spotlight on Active Directory Deployment Guide

RDS Online Backup Suite v5.1 Brick-Level Exchange Backup

Creating client-server setup with multiple clients

TROUBLESHOOTING INFORMATION

Transcription:

Prerequisites The Windows Free Discovery Tool supports the following operating systems and frameworks: Windows 7, 8, 8.1, and 10.NET Framework 4.5.1 or higher Domain Credentials In order to scan for service accounts, the account entered must be a domain account that is in the Administrators group on the target machines. Using a domain admin account to run the tool will often be sufficient for scanning your network. The instructions below can be used in either case to ensure your account has the appropriate privileges to run a successful scan. 1. Open the Group Policy editor for your domain policy. 2. Go to Computer Configuration > Preferences > Control Panel Settings. 3. Right-click Local Users and groups and select New > Local Group. 4. Leave the Action value set as Update. 5. For Group name:, use the drop-down menu to select Administrators (Built-in). Page 1

6. Click Add and search for the account you will use for Discovery scanning. 7. Click OK to save your changes. The next time the group policy updates across your environment, the Discovery Account will be part of the Local Administrators group. Now, it s also important to configure Group Policy to limit the logon privileges of that account, for best security: 8. In the Group Policy editor for your domain policy, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Page 2

9. Add your Discovery account to the Deny log on locally and Deny log on through Remote Desktop Services policies at right. Ports 10. Optional: make sure that the account is not part of the Remote Desktop Users group. The Discovery scan makes use of several ports to connect to the target Windows machines and scan for local and service account usage. Traffic Type Ports Used RPC Dynamic Port Range* 1025-5000, 49152-65535 Microsoft DS 445 epmap 135 *The RPC Dynamic Port ranges are a range of ports utilized by Microsoft's Remote Procedure Callback (RPC) functionality. This port range varies by operating system. For Windows Server 2008 or greater, this port range is 49,152 to 65,535. This entire port range must be open for RPC technology to work. It also varies separately for Exchange servers, see this article. For information about changing the RPC port range, please see the following Microsoft Knowledge Base item 1 and Microsoft Knowledge Base item 2. To see your ipv4 dynamic range on a given machine, type netsh int ipv4 show dynamicport tcp on the command line. Page 3

Walkthrough After downloading the Discovery Tool, unzip it and run ThycoticPrivilegedAccountsDiscoveryForWindows.exe. Domain Credentials In the first step, you will need to enter credentials and the fully-qualified domain name (FQDN) of the domain you d like to scan. Use the credentials you configured in the Prerequisites section. These will be used for scanning but are not saved by the privileged account scanner tool. After you click Next, if the domain cannot be reached or the credentials are incorrect, you will receive the error Cannot connect to domain with supplied credentials. Domain Credentials Scan Settings Scan Settings For running the scan, you can choose to discover accounts in either the full domain or a specific OU. Scanning a specific OU will limit the number of computers the tool will investigate. You also have the option to scan for local Windows accounts, AD service accounts, or both. Local Windows Accounts will scan and report on local Windows accounts. AD Service Accounts will find domain service account usage in Windows application pools, scheduled tasks, and services. Choosing just one option will be a faster scan, however, choosing both will give you the most complete picture of your privileged account health. Page 4

Discovering Accounts Before starting the scan, review the number of computers the discovery tool retrieved from Active Directory based on what OU or domain you chose to scan. Once you have confirmed that the settings look correct, click Start Scan. While the scan runs, you will see the number of computers scanned progress. You can stop the scan at any point and generate the reports based off of the accounts discovered so far. Note The time to complete the scan will vary based on network latency, number of machines, and how many machines actually exist. Testing in a large environment resulted in a scan of approximately 1,000 Windows machines in slightly under an hour. Results Once the scan is completed, you can generate the executive summary report and the detailed CSV reports. Just enter a company name and click Generate Reports. Page 5

The reports will be created in a folder you choose and include the following files: File (Local Accounts)ThycoticWindowsAccountAnalysis.csv (Service Accounts)ThycoticWindowsAccountAnalysis.csv ThycoticWindowsAccountAnalysis.html ThycoticWindowsAccountAnalysis.pdf Description Detailed inventory of local accounts discovered Detailed inventory of service accounts discovered Summary report of findings Summary report of findings FAQs Q: Why doesn t the inventory report show results for all machines in my domain? A: If there were any issues scanning to a machine, such as network connectivity, insufficient permissions, or closed ports the machine will not show up in the results. You can investigate the scan log located in the Privileged Discovery tool folder in the log subfolder, which will contain errors for machines that couldn t be scanned. Q: How long will it take to scan my domain? A: The time to discover accounts will vary depending on network latency and number of machines that respond. A test environment of approximately 1,000 Windows machines took 50 minutes. We recommend testing out your scan first on a smaller OU to get a sense of time and results before scanning a larger OU or your full domain. Q: The PDF report has inconsistent margins or page breaks. A: Depending on some display drivers, or screen resolutions, you may see a margin in the PDF report. Either run the scan from a different machine or use the HTML version. The HTML file is the exact same information as the PDF. Q: Why would I scan for just local or service accounts? A: Scanning for just local accounts or service accounts will be faster. If your primary concern is local account issues or finding service accounts, you can just choose one type and generate the corresponding reports. Page 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information