Online Help

Segment audit credentials

This article describes how to set up credentials for accessing computers and devices within the segment. Credentials can be configured for the following platforms: Windows, Linux and macOS, Hypervisor, SNMP, AWS, Azure.

IMPORTANT: All credentials you enter here are encrypted and never leave your local network. AlloyScan never stores passwords or secrets in the cloud.

Windows credentials

These credentials are used for auditing Windows computers. The audit account you define must be a member of the local Administrators group on each Windows client computer, either directly or through membership in a Windows domain group.

Consider using a domain administrator's account. Note that Windows computers must belong to the same domain as the computer running the audit service.

TIP: Avoid using real user accounts. Instead, we recommend that you create a special domain user solely for the purpose of auditing your domain (the "audit account").

ClosedLearn about controls and options

  • Title : The name (title) for the credential record. It will appear in the list of available Windows audit credentials.

  • Login : The login name for the audit account. To specify a domain account, we recommend using this format:
    DomainName\LoginName

  • Password: The password for the specified audit account.

Linux and macOS credentials

These credentials are used to audit Linux and macOS computers . Credentials must allow logging on to these computers.

Consider using an account with root rights, i.e., the root account or the account that can run the dmidecode command with administrative rights. Otherwise, AlloyScan will not be able to collect SMBIOS hardware information on Linux computers. Collecting the list of services (daemons) on macOS computers also requires root rights. If you need this information, you should also use the root account or configure the launchctl command to run with elevated (root) privileges under a non-root account.

For connecting to Linux and macOS computers via SSH, AlloyScan uses Plink-a command-line network connection tool which is a part of the PuTTY product, distributed under the free MIT license. Plink is included in the AlloyScan installation package; the executable file name is plink.exe. For more information on PuTTY and Plink, see the following website: https://www.chiark.greenend.org.uk/~sgtatham/putty/.

ClosedLearn about controls and options

  • Title : The name (title) for the credential record. It will appear in the list of available Linux and macOS credentials.

  • Port: By default, AlloyScan accesses client Linux and macOS computers over the standard TCP port 22. If you want to specify a non-standard TCP port that the SSH server running on client computers listens on, enter its number.

  • Login : The login name.

  • Password: The account password.

  • Private Key: This field is read-only. It displays information about the uploaded private key file.

  • Browse: Click this button to choose your private key file.

  • Clear: Clears the Private Key field.

  • Use sudo: Select this option if the account requires sudo to run commands with administrative privileges.

  • Sudo password: Enter the password required by sudo, if applicable.

Hypervisor credentials

These credentials are used to audit ESXi/vSphere and Citrix hypervisors. Credentials must allow logging on to these hypervisors. Consider using an account with administrative privilege and SSH access to the host system.

ClosedLearn more about controls and options

  • Title : The name (title) for the credential record. It will appear in the list of available Hypervisor credentials.

  • Port: By default, AlloyScan accesses client hypervisors over the standard TCP port 22. If you want to specify a non-standard TCP port that the SSH server running on client computers listens on, enter its number.

  • Login : The login name.

  • Password: The account password.

  • Private Key: This field is read-only. It displays information about the uploaded private key file.

  • Browse: Click this button to choose your private key file.

  • Clear: Clears the Private Key field.

  • Use sudo: Select this option if the account requires sudo to run commands with administrative privileges.

  • Sudo password: Enter the password required by sudo, if applicable.

SNMP credentials

These credentials are used to collect inventory data about networked printers, scanners, hubs, routers, and other devices. AlloyScan detects and identifies those network devices via SNMP.

ClosedLearn more about controls and options

  • Title : The name (title) for the credential record. It will appear in the list of available SNMP credentials.

  • Under Version v1/v2c, specify the following information for community-based SNMPv1 or SNMPv2c:

    • Community: The SNMP community.

      NOTE: Most SNMP v1 and v2c devices are shipped with the community string set to "public". It is standard practice for system administrators to change the community strings so that unauthorized users cannot access information about the internal network.

  • Under Version v3, specify the following information for user-based SNMPv3:

    • User Name: The SNMP user name.

    • Security Level: The SNMP security level:

      • No Authentication, No Privacy: Uses a user name for authentication and transmits credentials in clear text.

      • Authentication, No Privacy: Provides packet authentication and message integrity, but no encryption. Select the authentication algorithm (MD5 or SHA) in the Protocol list and type in the pass phrase.

      • Authentication, Privacy: Provides the maximal security by combining authentication, message integrity, and encryption. Under Authentication, select the authentication algorithm (MD5 or SHA) and type in the pass phrase. Under Privacy, select the encryption algorithm (DES or AES) and type in the pass phrase.

AWS credentials

AWS credentials allow the specified audit service to access and audit the specified AWS resources using a dedicated IAM user or role. For the minimal permissions required for the IAM user or role, see AWS minimal permissions.

ClosedLearn about controls and options

  • Title: The name (title) for the credential record. It will appear in the list of available AWS credentials.

  • Access key ID: The access key ID for the IAM user or role.

  • Secret access key: The secret access key for the IAM user or role.

Azure credentials

Azure credentials allow the specified audit service to access and audit the specified Microsoft Azure resources using a dedicated service principal. For the minimal permissions required, see Azure minimal permissions.

ClosedLearn about controls and options

  • Title: The name (title) for the credential record. It will appear in the list of available Azure credentials.

  • Tenant ID: The unique identifier of your organization’s Azure AD tenant (Microsoft Entra ID).

  • Client ID: The application (client) ID of the service principal.

  • Client secret: The client secret associated with the service principal.