Introduction

Traditionally, we have supported two types of Windows proxies:

  • Credential - Windows credentials are stored in the appliance and passed to the Cred Proxy during scanning as required
  • Active Directory - The proxy's service runs under an AD account, and is able to scan targets that trust that domain/account without any credentials being stored in the appliance

 

Windows scanning has been problematic for some because of security concerns: in order to have really useful data, you have to assign Administrator permissions to the proxy, and this is considered too risky. Some customer mitigations have included:

  • Running a Credential proxy with the credentials managed by a credential manager (currently CyberArk; other integrations are in progress)
  • Running Windows scanning infrequently, in a tightly controlled time window, with the account otherwise disabled.

 

An alternative which we have not hitherto documented is to use group Managed Service Accounts (gMSAs, introduced in Windows Server 2008R2). I would be interested to hear your thoughts on how you manage the security implications of Windows scanning; do you think gMSA use would help manage this problem?

 

It is expected that full support for gMSA will be added in the next major release for proxies/outposts as part of DRUD1-27034.

 

Thanks to Roland Appleby for much of the material in this post.

 

Instructions

These were tested with Discovery 11.3.0.5 and Windows Server 2019. PowerShell commands should be run under Administrator or equivalent.

 

Obtain KDS root key for your domain

On the Domain Controller, run the following PS command:
Get-KdsRootKey

 

If this shows that you have a KDS root key, skip the next step.

 

Run the following PS command to create the root key:
Add-KdsRootKey -EffectiveImmediately

 

You will then need to wait 10 hours before continuing.

 

Create a domain security group for the proxy host

On the Domain Controller, run the following PS command:
New-ADGroup "BMC Discovery Proxy" -GroupCategory Security -GroupScope Global -Path "DC=npgs,DC=bmc,DC=com"

 

(Modify the -Path as required for your domain; here the security group name has been chosen as "BMC Discovery Proxy".)

 

Add your proxy host to this security group with this PS command:
Add-AdGroupMember -Identity "BMC Discovery Proxy" -Members PROXYSERVER$

 

where PROXYSERVER is the computer name of the proxy host (the trailing $ identifies the computer account).

 

Create the gMSA

On a Domain Controller, run the following PS command:
New-ADServiceAccount -Name "bmc-disco-proxy" -DnsHostName "bmc-disco-proxy.bmc.com" -PrincipalsAllowedToRetrieveManagedPassword "BMC Discovery Proxy"


(Note that "BMC Discovery Proxy" here must match the name of the security group created above.)

 

Install the gMSA on the proxy host

Reboot the proxy host to ensure that it is up to date with respect to the group membership.

 

Run this PS command on the proxy host:
Install-AdServiceAccount "bmc-disco-proxy"

 

where "bmc-disco-proxy" is the gMSA created above (the name itself is arbitrary, but it must match the one given to New-ADServiceAccount). You should see the new gMSA:

 

Add the gMSA to the local administrators group on the proxy host

Run this PS command on the proxy host:
Add-LocalGroupMember -Group "Administrators" -Member "npgs\bmc-disco-proxy$"

 

 

where "npgs" is the name of the AD domain. Alternatively, use the Windows UI tools.

 

Configure the Discovery Proxy to run as the gMSA account

These steps assume that you already have an Active Directory proxy installed. Stop the proxy service (if running) and change how the service logs on:

 

 

The account name should be of the form "npgs\bmc-disco-proxy$", where "npgs" is the AD domain. The password fields should be left blank. I have found that once set, this tab is greyed-out and that I couldn't change the account without deleting and re-creating the proxy service.

 

Grant the gMSA account permissions to discover hosts in the domain

The gMSA account needs the appropriate permissions to allow the Discovery Proxy access to the hosts in the domain that it is scanning. This can be done either by adding the gMSA account to an appropriate Domain Administrators group, or by adding the gMSA account to the local Administrators group on each machine individually.

 

It should now be possible to scan Windows hosts in the domain once a Discovery appliance has been configured to use the proxy.
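As an added example (not part of the original post or the Discovery product), the following PowerShell check can be run on the proxy host once the steps above are complete to confirm that each one actually took effect: group membership, the gMSA's password-retrieval principals, the host's ability to fetch the managed password, local Administrators membership, and which service logs on as the gMSA. It assumes the names used in this post ("bmc-disco-proxy", "BMC Discovery Proxy", domain "npgs") and the RSAT ActiveDirectory module, which Install-ADServiceAccount already requires.

```powershell
# Added example, not from the original post or the Discovery product: run on the proxy
# host after the steps above to confirm each one took effect. Assumes the RSAT
# ActiveDirectory module (already required by Install-ADServiceAccount) and the names
# used in this post; override the parameters for your environment.
function Test-GmsaProxySetup {
    param(
        [string]$GmsaName  = 'bmc-disco-proxy',      # name chosen in New-ADServiceAccount
        [string]$GroupName = 'BMC Discovery Proxy',  # group created with New-ADGroup
        [string]$Domain    = 'npgs'                  # NetBIOS name of the AD domain
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $results = @()
    $row = { param($Check, $Pass, $Detail = '')
        [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail } }

    # 1. This computer must be in the group that may retrieve the managed password.
    $me      = "$env:COMPUTERNAME`$"
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
               Select-Object -ExpandProperty SamAccountName
    $results += & $row "$me is a member of '$GroupName'" ($members -contains $me)

    # 2. The gMSA must name that group in PrincipalsAllowedToRetrieveManagedPassword.
    $gmsa  = Get-ADServiceAccount -Identity $GmsaName `
                 -Properties PrincipalsAllowedToRetrieveManagedPassword
    $group = Get-ADGroup -Identity $GroupName
    $results += & $row "'$GroupName' may retrieve the password of $GmsaName" `
        (@($gmsa.PrincipalsAllowedToRetrieveManagedPassword) -contains $group.DistinguishedName)

    # 3. This host must be able to fetch the password (what Install-ADServiceAccount set up).
    $results += & $row "Test-ADServiceAccount $GmsaName" (Test-ADServiceAccount -Identity $GmsaName)

    # 4. The gMSA must be in the local Administrators group on this host.
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $results += & $row "$Domain\$GmsaName`$ in local Administrators" ($admins -contains "$Domain\$GmsaName`$")

    # 5. At least one service (the proxy) should log on as the gMSA; list which ones do.
    $svcs = Get-CimInstance Win32_Service | Where-Object { $_.StartName -like "*\$GmsaName`$" }
    $results += & $row 'A service logs on as the gMSA' ($null -ne $svcs) (($svcs.Name) -join ', ')

    return $results
}

Test-GmsaProxySetup | Format-Table -AutoSize
```

Any row with Pass = False points at the step above that needs revisiting; check 5 lists the service names so that the proxy service can be confirmed against its "Log On" tab.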