CloudSphere Virtual Appliances collect inventory and performance data from the endpoints using appropriate Windows and Linux (or Unix) credentials (or certificates). Security approval for some of the permissions or privileged accesses may take weeks. Hence, we recommend that you determine the level of access required, as described in this guide, ahead of time. This helps ensure that the candidate endpoints are discovered successfully.
Credential Privilege for Windows endpoints:
- We recommend that you use a Local Admin or Domain Admin account.
- If your Windows Administrator cannot provide a Local Admin or Domain Admin account, they can choose to provide a Service Account. CloudSphere does not require administrative credentials to collect inventory and performance metrics. Your administrator can provide a Service Account with the least privileges; however, they will need to enable the following:
  - Access to the protocols and services for your Windows inventory (RPC, SMBv2 or SMBv3, WMI).
  - Read access to the WMI tables and Registry entries for scanning the target Windows device(s). To learn more, check out Service Account Privileges to access on Windows endpoint.
- Test your Service Account to ensure that it has sufficient privileges to scan and collect information from the target Windows device. Reference for validating WMI: Validate CloudSphere Credential has the right permissions to access WMI.
Credential Privilege for Unix endpoints:
As with Windows collection, collecting discovery data from Linux/Unix assets requires sudo elevated privileges. The CloudSphere virtual appliance connects over SSH and runs commands against the target discovery assets to pull back the relevant data points.
- The service account MUST have elevated privileges or sudo.
- The service account requires a shell and a home directory.
- We support both passwords and SSH keys.
If a Linux Administrator wants to grant the service account the least privilege, they will need the list of minimum commands that the appliance uses to gather the data. It is essential that the Unix administration team allows the service account to run these required commands; without them, the scan will fail. Reference: Sudo/elevated privilege access for Unix flavors.
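A pre-flight check a Unix administrator can run before the first scan, as an added example (not CloudSphere's own code): it verifies that the service account's passwd entry has a home directory and a login shell, and that a `sudo -l` listing grants every required command. The account name and command paths passed to it are assumptions; take the real command list from the sudo reference mentioned above.

```shell
#!/bin/sh
# Pre-flight checks for a Unix discovery service account (added example).
# Account name and required command paths are supplied by the caller.

# Succeeds when a passwd(5) entry has a home directory field and a login shell.
passwd_entry_ok() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    [ -n "$home" ] || { echo "no home directory set"; return 1; }
    case "$shell" in
        */nologin|*/false) echo "shell does not allow login: $shell"; return 1 ;;
    esac
    return 0
}

# Prints every required command that a `sudo -l` listing does not grant and
# fails if any is missing. Matching is exact, so a rule restricted to specific
# arguments is reported as missing rather than assumed to be sufficient.
missing_sudo_commands() {
    listing=$1; shift
    # Keep only rule lines "(runas) [TAG:] cmd, cmd", then split into commands.
    granted=$(printf '%s\n' "$listing" \
        | sed -n 's/^ *([^)]*) *//p' \
        | sed 's/[A-Z_][A-Z_]*: *//g' \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//')
    missing=0
    for cmd in "$@"; do
        if ! printf '%s\n' "$granted" | grep -qxF -e ALL -e "$cmd"; then
            echo "$cmd"; missing=1
        fi
    done
    return "$missing"
}

# Live check, run as root on the target: preflight_account <account> <cmd>...
preflight_account() {
    acct=$1; shift
    entry=$(getent passwd "$acct") || { echo "account not found: $acct"; return 1; }
    passwd_entry_ok "$entry" || return 1
    [ -d "$(printf '%s\n' "$entry" | cut -d: -f6)" ] || { echo "home missing on disk"; return 1; }
    missing_sudo_commands "$(sudo -n -l -U "$acct" 2>/dev/null)" "$@"
}

# Run the live check only when the script is given an account name.
if [ "$#" -gt 0 ]; then preflight_account "$@"; fi
```

Any command it prints is one the sudoers policy still needs to allow for the account before the scan is attempted.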
Now it is time to move to Step 5: Endpoint Considerations (Windows & Linux Requirements).