Segment audit credentials
This article describes how to set up credentials for accessing computers and devices within the segment.
Credentials can be configured for the following platforms: Windows, Linux and macOS, Hypervisor, or SNMP.
Windows
Windows credentials are used for auditing Windows computers. The audit account you define must be a member of the local Administrators group on each Windows client computer, either directly or through membership in a Windows domain group.
We recommend using a domain administrator's account. Note that creating such an audit account requires domain administrator permissions. Alternatively, you can specify a local account, provided that this account exists on every computer you intend to audit.
NOTE: When providing Windows audit credentials, avoid referring to real user accounts. Instead, we recommend that you create a special domain user solely for the purpose of auditing your domain (the "audit account").
Read about the Windows Audit Credentials window:
- Name: The name for the credential record. The name you provide will appear in the list of available audit credentials, which you can choose in the Select Audit Credentials window.
- User Name: The account name associated with the credentials.
- Password: The password for the specified account.
- Domain: For domain accounts, enter the domain name. If you intend to use a local account, keep the default <Local Computer> value. Note that any local account you specify must exist on every computer you wish to audit.
- Test Login: Click this button to verify that the account can log in to the specified domain.
  NOTE: To promote responsible credential management and best practices in security, this feature is applicable only when the computer where Alloy Discovery is installed resides within the same domain as the one being tested or in a trusted domain. This ensures that sensitive domain credentials are not accidentally exposed or tested in environments where they shouldn't be.
Linux and Mac
Linux and Mac credentials are used to audit Linux and macOS computers. Credentials must allow logging on to these computers.
We recommend that you provide credentials for an account with root rights, i.e., the root account or an account that can run the dmidecode command with administrative rights. Otherwise, Alloy Discovery will not be able to collect SMBIOS hardware information on Linux computers. Collecting the list of services (daemons) on macOS computers also requires root rights. If you need this information, you should also use the root account or configure the launchctl command to run with elevated (root) privileges under a non-root account.
For connecting to Linux and Mac computers via SSH, Alloy Discovery uses Plink, a command-line network connection tool that is part of the PuTTY product, distributed under the free MIT license. Plink is included in the Alloy Discovery installation package; the executable file name is plink.exe. For more information on PuTTY and Plink, see the following website: https://www.chiark.greenend.org.uk/~sgtatham/putty/.
Read about the Linux and Mac Audit Credentials window:
- Name: The name for the credential record. The name appears in the grid of available audit credentials that you choose in the Select Audit Credentials window.
- Protocol: This field is read-only. Connection to the Linux and Mac computers is always established through the Secure Shell protocol (SSH).
- Port: By default, Alloy Discovery accesses client Linux and Mac computers over the standard TCP port 22. If the SSH server running on client computers listens on a non-standard TCP port, enter its number.
- Username: The account name.
- Password: The account password.
- Private Key: This field is read-only. It displays information about the private key file uploaded to the database.
- Browse: Click this button to choose your private key file.
- Clear: Clears the Private Key field.
- Use custom command line parameters: Select this check box if you want to manually specify Plink command line parameters.
- Parameters: This field becomes available when you select the check box above. It contains the parameters of the Plink command line. The default command line parameters may look like this:
  -P "$PORT" -l "$USER_NAME" -pw "$PASSWORD" "$HOST"
  In this example, "$PORT", "$USER_NAME", "$PASSWORD", and "$HOST" are placeholders for command line parameter values, corresponding to the dialog box fields. For more information on placeholders, see below.
  The default parameters may include port (-P), user name (-l), password (-pw) or private key (-i). You can edit the command line as needed. For a complete list of Plink parameters, please refer to http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html#plink.
  You can configure a custom command line in two ways:
  - You can specify parameter values directly in the command line (e.g. -P "22"). In this case, you are not required to fill out the dialog box fields. However, some parameters, such as private key and host, cannot be specified in this way.
  - You can use placeholders instead of specific values (e.g. -P "$PORT"). The actual values for placeholders are taken from the corresponding dialog box fields, which you must fill out. Note that the values for the private key and host must always be passed as placeholders. The value for the $HOST placeholder is determined automatically for each audited computer, hence there is no corresponding dialog box field.
  NOTE: Currently, Alloy Discovery does not support SSH authentication via the Pageant authentication agent. As a possible solution, you can specify your private key file directly in the audit credentials.
- Insert Placeholder: Inserts a placeholder into the Parameters field.
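The placeholder rules for the Parameters field can be checked before a custom command line is saved. The following is an added example, not Alloy Discovery code: it tokenizes a Parameters string, reports violations of the rules stated above, and expands the placeholders. Token-wise substitution, the function names and the sample field values are assumptions, and flagging a literal -pw value is a stricter review choice than the product requires.

```python
import shlex

# Placeholders named in the text, mapped to their dialog box fields.
# $HOST has no field: it is filled in for each audited computer.
FIELD_PLACEHOLDERS = {"$PORT": "Port", "$USER_NAME": "Username", "$PASSWORD": "Password"}
HOST_PLACEHOLDER = "$HOST"

# Constructed sample input, not real credentials.
DEFAULT_PARAMS = '-P "$PORT" -l "$USER_NAME" -pw "$PASSWORD" "$HOST"'
SAMPLE_FIELDS = {"Port": "22", "Username": "svc-audit", "Password": "example-only"}


def check_parameters(params, fields):
    """Return the problems found in a custom Plink parameter string."""
    problems = []
    tokens = shlex.split(params)
    if HOST_PLACEHOLDER not in tokens:
        problems.append("host must be passed as the $HOST placeholder")
    for flag, value in zip(tokens, tokens[1:]):
        if flag == "-i" and not value.startswith("$"):
            problems.append("private key after -i must be a placeholder")
        # Assumption: local review policy, stricter than the product requires.
        if flag == "-pw" and not value.startswith("$"):
            problems.append("literal password after -pw; use $PASSWORD")
    for token in tokens:
        field = FIELD_PLACEHOLDERS.get(token)
        if field and not fields.get(field):
            problems.append(f"{token} is used but the {field} field is empty")
    return problems


def expand(params, fields, host):
    """Substitute placeholder tokens; returns the argument list for plink.exe."""
    values = {p: fields.get(f, "") for p, f in FIELD_PLACEHOLDERS.items()}
    values[HOST_PLACEHOLDER] = host
    return [values.get(token, token) for token in shlex.split(params)]


if __name__ == "__main__":
    print(check_parameters(DEFAULT_PARAMS, SAMPLE_FIELDS))
    print(check_parameters('-P "2222" -l "svc-audit" -i "audit.ppk" 192.0.2.10', {}))
    print(expand(DEFAULT_PARAMS, SAMPLE_FIELDS, "192.0.2.10"))
```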
ESXi/vSphere/Citrix
ESXi/vSphere/Citrix credentials are used to audit ESXi/vSphere and Citrix hypervisors. Credentials must allow logging on to these computers. We recommend that you use an account with administrative privileges. For Citrix hypervisors, audit credentials must allow logging on to the computers using the SSH protocol.
Read about the ESXi/vSphere/Citrix Audit Credentials window:
- Name: The name for the credential record. The name appears in the grid of available audit credentials that you choose in the Select Audit Credentials window.
- Protocol: This field is read-only. Connection to the Linux and Mac computers is always established through the Secure Shell protocol (SSH).
  NOTE: Alloy Discovery establishes connection to Linux and Mac computers using the Secure Shell protocol (SSH) over a TCP port. Therefore, it is required that the SSH server is running on each client computer and listening on a dedicated TCP port.
SNMP
SNMP credentials are used to collect inventory data about networked printers, scanners, hubs, routers, and other devices. Alloy Discovery detects and identifies those network devices via SNMP.
Read about the SNMP Audit Credentials window:
- Name: The name for the credential record. The name appears in the grid of available audit credentials that you choose in the Select Audit Credentials window.
- Under Version v1/v2c, specify the following information for community-based SNMPv1 or SNMPv2c:
  - Community: The SNMP community.
    NOTE: Most SNMP v1 and v2c devices are shipped with the community string set to "public". It is standard practice for system administrators to change the community strings so that unauthorized users cannot access information about the internal network.
- Under Version v3, specify the following information for user-based SNMPv3:
  - User Name: The SNMP user name.
  - Security Level: The SNMP security level:
    - No Authentication, No Privacy: Uses a user name for authentication and transmits credentials in clear text.
    - Authentication, No Privacy: Provides packet authentication and message integrity, but no encryption. Select the authentication algorithm (MD5 or SHA) in the Protocol list and type in the pass phrase.
    - Authentication, Privacy: Provides maximum security by combining authentication, message integrity, and encryption. Under Authentication, select the authentication algorithm (MD5 or SHA) and type in the pass phrase. Under Privacy, select the encryption algorithm (DES or AES) and type in the pass phrase.
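The trade-offs between the SNMP settings above can be reviewed mechanically across a set of credential records. This is an added example, not part of Alloy Discovery: the record layout (plain dicts with version, level, *_proto and *_pass keys), the function name and the sample records are assumptions, and the 8-character minimum comes from RFC 3414.

```python
# Security levels from the dialog description: (authentication, privacy) required.
LEVELS = {"noAuthNoPriv": (False, False), "authNoPriv": (True, False), "authPriv": (True, True)}
MIN_PASSPHRASE = 8  # RFC 3414 requires USM passwords of at least 8 characters

# Constructed sample records (hypothetical layout, not the product's storage format).
SAMPLE_RECORDS = [
    {"version": "v2c", "community": "public"},
    {"version": "v3", "level": "authPriv", "auth_proto": "SHA", "auth_pass": "correct-horse-1",
     "priv_proto": "AES", "priv_pass": "battery-staple-2"},
    {"version": "v3", "level": "authNoPriv", "auth_proto": "MD5", "auth_pass": "short"},
    {"version": "v3", "level": "noAuthNoPriv"},
]


def review_snmp(record):
    """Return the findings for one SNMP credential record."""
    findings = []
    if record["version"] in ("v1", "v2c"):
        findings.append("community string is sent unencrypted on the wire")
        if record.get("community", "").lower() == "public":
            findings.append("factory-default community string")
        return findings
    needs_auth, needs_priv = LEVELS[record["level"]]
    if not needs_auth:
        findings.append("no packet authentication")
    if not needs_priv:
        findings.append("no encryption")
    # For each part the level requires, check the pass phrase and the algorithm.
    for kind, needed, weak in (("auth", needs_auth, "MD5"), ("priv", needs_priv, "DES")):
        if not needed:
            continue
        if len(record.get(kind + "_pass", "")) < MIN_PASSPHRASE:
            findings.append(f"{kind} pass phrase missing or shorter than {MIN_PASSPHRASE}")
        if record.get(kind + "_proto") == weak:
            findings.append(f"{kind} protocol {weak} is the weaker of the two options")
    return findings


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["version"], rec.get("level", ""), review_snmp(rec))
```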