SECRET SERVER FEATURE: Discovery
Find Unknown and Unmanaged Privileged Accounts
Overview of Discovery
The first step to a comprehensive PAM strategy is ensuring you have complete visibility of all privileged accounts across your organization.
When you don’t know every privileged account and where those privileged accounts exist, you are leaving backdoor accounts in place that allow users to bypass proper controls. External threats may create privileged accounts for later access that can go undetected for months.
Automatic Discovery makes it easy to find all privileged accounts so you can set policies to manage them appropriately. Secret Server can automatically find privileged accounts and map existing secrets. Continuous Discovery alerts you when unexpected accounts are found. Rule-based imports can import the unmanaged accounts you find into Secret Server.
For more information on configuring Discovery, read through our Delinea Documentation.
Discover Local and Active Directory Privileged Accounts
Secret Server can scan your network for local administrator and Active Directory accounts and pull the information into Secret Server’s secure repository. For example, Secret Server can scan your network, find every laptop, and then take control of each local admin account by changing its password (applying your organization’s password policy) and controlling all future access to those credentials through the Secret Server repository.
What unknown and unmanaged privileged accounts exist in your environment? Take a look at Delinea’s Free Privileged Account Discovery Tool for Windows
Advanced Discovery
Discovery Rules
Rules play a critical role in automating the identification, import, and management of privileged accounts, passwords, API keys, and other credentials in your environment. Discovery rules reduce the burden on your team and help enforce policy and manage secrets.
Scriptable Discovery
Discovery can also be extended using PowerShell to find privileged accounts in your IT environment when Secret Server doesn’t have an out-of-the-box connector. Discovery scanners can run custom PowerShell scripts alongside the built-in scanners for Active Directory, Unix, and VMware ESXi. You can use one or more built-in or custom scanners at each step of the discovery process: host range discovery, machine discovery, local account discovery, and dependency discovery. As a result, you can decide which dependencies are scanned for each Active Directory domain rather than setting this globally on the Discovery Configuration page.
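As an added illustration of what a custom local-account scanner step might collect, here is a PowerShell script that inventories the accounts holding administrative rights on the Windows host it runs on. This is example code written for this page, not Secret Server’s own scanner code; Secret Server’s input/output contract for custom scanners is not reproduced here, and the 90-day stale-password threshold is a constructed policy value.

```powershell
# Added example (not Secret Server's scanner code): inventory the accounts that
# hold administrative rights on this Windows host so they can be reviewed and
# brought under management. Requires the Microsoft.PowerShell.LocalAccounts
# module (Windows PowerShell 5.1 and later).

$hostName = $env:COMPUTERNAME

# Members of the built-in Administrators group, including domain users/groups.
$adminMembers = Get-LocalGroupMember -Group 'Administrators'

# All local user accounts, so enabled accounts with stale passwords can be flagged.
$localUsers = Get-LocalUser

# Constructed policy value for illustration: passwords older than 90 days are "stale".
$staleThreshold = (Get-Date).AddDays(-90)

$results = foreach ($member in $adminMembers) {
    # Match local users by SID; domain principals will have no local user record.
    $user = $localUsers | Where-Object { $_.SID -eq $member.SID }
    [pscustomobject]@{
        Host            = $hostName
        Account         = $member.Name
        ObjectClass     = $member.ObjectClass       # User or Group
        PrincipalSource = $member.PrincipalSource   # Local, ActiveDirectory, ...
        Enabled         = if ($user) { $user.Enabled } else { $null }
        PasswordLastSet = if ($user) { $user.PasswordLastSet } else { $null }
        StalePassword   = if ($user -and $user.PasswordLastSet) {
                              $user.PasswordLastSet -lt $staleThreshold
                          } else { $false }
    }
}

$results | Format-Table -AutoSize

# Hand the inventory off as JSON for whatever process imports it into the vault.
$results | ConvertTo-Json -Depth 3 |
    Set-Content -Path "$env:TEMP\local-admin-inventory-$hostName.json"
```

Run it in an elevated session on the host being inventoried; the `StalePassword` and `Enabled` columns are the ones a reviewer would use to prioritise which accounts to vault and rotate first.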
Service Account Dependency and Management
Many services are dependent on or related to other applications. It is critical to map those dependencies because changing one service account can impact another. Proper management of service accounts is often a neglected activity since updating or changing credentials is risky. Changes can affect running services within a chain of dependencies, causing unforeseen disruptions. It’s difficult, if not impossible, for many to map and keep track of business services that rely on these accounts, causing potential outages.
As part of Secret Server’s Discovery and service account management capabilities, you’ll be able to see which services, tasks, and app pools are tied to service accounts. That way, you won’t inadvertently break any critical connections or business processes when you rotate service account passwords.
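The dependency check described above, as an added example that is not Delinea’s code: before rotating a service account’s password, list the Windows services, scheduled tasks, and IIS application pools on a host that run under that account. The account name `CORP\svc_example` is a constructed placeholder, and the IIS step assumes the WebAdministration module is installed.

```powershell
# Added example (not Delinea's code): map what depends on a service account on this
# host before its password is rotated. $ServiceAccount is a constructed placeholder.
param(
    [string]$ServiceAccount = 'CORP\svc_example'
)

# Reduce DOMAIN\user, user@domain and bare user forms to a comparable user name.
function Get-BareUserName {
    param([string]$Account)
    if ([string]::IsNullOrWhiteSpace($Account)) { return '' }
    if ($Account -match '^[^\\]+\\(?<user>.+)$') { return $Matches['user'].ToLowerInvariant() }
    if ($Account -match '^(?<user>[^@]+)@')      { return $Matches['user'].ToLowerInvariant() }
    return $Account.Trim().ToLowerInvariant()
}

$target = Get-BareUserName $ServiceAccount
$dependencies = New-Object System.Collections.Generic.List[object]

# 1. Windows services: StartName holds the logon account.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if ((Get-BareUserName $_.StartName) -eq $target) {
        $dependencies.Add([pscustomobject]@{
            Type = 'Service'; Name = $_.Name; State = $_.State; Account = $_.StartName
        })
    }
}

# 2. Scheduled tasks: the principal's UserId is the run-as account.
Get-ScheduledTask | ForEach-Object {
    if ((Get-BareUserName $_.Principal.UserId) -eq $target) {
        $dependencies.Add([pscustomobject]@{
            Type = 'ScheduledTask'; Name = $_.TaskName; State = $_.State; Account = $_.Principal.UserId
        })
    }
}

# 3. IIS application pools, only when the WebAdministration module is available.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        if ($pm.identityType -eq 'SpecificUser' -and (Get-BareUserName $pm.userName) -eq $target) {
            $dependencies.Add([pscustomobject]@{
                Type = 'AppPool'; Name = $_.Name; State = $_.state; Account = $pm.userName
            })
        }
    }
}

if ($dependencies.Count -eq 0) {
    "No dependencies found for $ServiceAccount on $env:COMPUTERNAME"
} else {
    $dependencies | Format-Table -AutoSize
}
```

The point of running this across every host the account is known to touch is the one the section makes: each service, task, or app pool listed here must receive the new credential when the password changes, or it will fail the next time it starts.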
Service Account Discovery
Discovery reduces manual errors in managing service accounts, sets up an audit trail, and simplifies the management process.
With Discovery, you can:
- Find all the service accounts on your network
- Determine where each service account is being used (including new usages since the last scan)
- Import all service accounts into the Secret Server repository for management and auditing
Use Secret Server’s Discovery to identify your service accounts and implement continuous discovery to curb service account sprawl. This gives you full, ongoing visibility of your service account landscape, which is crucial to combating cybersecurity threats.
Cloud Discovery
Amazon Web Services Discovery
Privileged accounts for AWS resources are created quickly and may be abandoned just as quickly. With such a fluid process, it’s difficult for security teams to stay on top of how many privileged accounts have access to AWS, make sure they’re set up properly, and remove them when they’re no longer needed. To match the fluid nature of these accounts, continuous AWS account discovery is an essential cloud security control that PAM teams have at their disposal.
Google Cloud Discovery
Security and IT administrators can easily identify active resources in Google Cloud. Secret Server connects to Google Cloud infrastructure to detect running Windows and Linux instances and identify accounts being used on those resources. Once you know which accounts are used, you can secure Google Cloud Platform IAM service accounts with Secret Server controls such as secret creation and key rotation.
Cloud Identity Discovery
Cloud Identity Discovery finds and secures even more privileged credentials in complex, multi-cloud environments. It continuously scans all major cloud service providers, such as Google, Amazon, and Microsoft, to discover new accounts, changes in existing administrative privileges, and shadow administrators. It then alerts you to issues and vaults the credentials in Delinea Secret Server. For more information, visit the Cloud Identity Discovery feature page.
Inventory
The identification and vaulting of all privileged assets through Discovery provides a management layer that lets users view and launch into computers across your environment. It offers a choice of primary view, computer view or secrets view, so it can align with multiple workflows.
The Inventory feature increases the efficiency of managing machines and enhances the ability to launch, manage, and navigate across your environment. The asset view is restricted and controlled; only users who have view computer permissions will have access to view the computer grids and their details.