
Hello Everyone, 

I can understand the logic behind the automatic password rotation of the local functional account, even if we have a new server onboarded using the same initial functional account credentials, but it is untested. I am trying to test it and will update once done.

Regarding the local scan account, I actually have no idea how we can manage it. (Using "enable scanner" on a managed account I know, but what if we have onboarded 100 servers and now we need to scan 100 more, and the scan account is still using the old credentials on the remaining 100 servers? Also, what if I need to perform scanning on the previously scanned assets?)

There are lots of questions in my mind regarding the management of local scan accounts.

Please feel free, everyone, to share your recommendations.

When using a local functional account, every host then gets a unique password. In Password Safe, under the functional account configuration, that is where the first password would get set. After the system is onboarded, that individual managed system has a unique functional account password. From there on, you must go to the managed system to update that specific functional account password, should you ever need to.

For the local scan account, I’ve found the best way is to pick a server and a scan account name. That account name must be the same on all the other hosts. Once the “master” host has the account onboarded, enable that account for scanning. When you onboard every other server, sync the password of the scan account to the “master” host. This way, you can have one credential for scanning all the assets with only one scan job. If you don’t sync the passwords, then there is a unique scan account for each host, requiring a unique scan job for every host.


Hi Mike,

Thank you for your input!

Yes, we can utilize the password sync option. However, what happens if we have new local servers that also need to be onboarded after password rotation is enabled? In such cases, we wouldn’t be able to rely on the master password.

Can we consider the following approach?

  1. Create a local scan account via Discovery > Credentials to onboard new Linux local servers.
  2. Set up a smart rule to manage the passwords of all Linux scan accounts once the servers are onboarded and managed.

I believe this approach would handle password rotation effectively.

For any new Linux server onboarded using the Discovery scan account credentials, the following tasks would need to be performed manually:

  • Enable the managed scan account as the scan credentials for that managed system.
  • Sync the scan account password with the master scan account.

Please let me know your suggestions on this. Additionally, it would be helpful if we could have an option in the managed account smart rule to automatically enable as scan credentials and sync credentials.

Looking forward to your thoughts!
