
Vancouver Platform security

Last updated: January 22, 2024

PDF generated on January 22, 2024


©2024 ServiceNow. All rights reserved. Terms of Use Privacy Statement
ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in
the United States and/or other countries. Other company and product names may be trademarks of the respective companies with which
they are associated.

Some examples and graphics depicted herein are provided for
illustration only. No real association or connection to ServiceNow
products or services is intended or should be inferred.
This PDF was created from content on docs.servicenow.com. The web
site is updated frequently. For the most current ServiceNow product
documentation, go to docs.servicenow.com.

Company Headquarters
2225 Lawson Lane
Santa Clara, CA 95054
United States
(408)501-8550


Windows credentials
Windows credentials provide access to Windows computers. This
credential type is available for Discovery and Orchestration.

Credential requirements
Discovery and Orchestration have the following requirements for
Windows credentials:

• Install a MID Server on a Windows host as a service.

• Add Windows credentials to one of these locations:

  • An entry in the Credentials [windows_credentials] table

  • A MID Server service account to run as a specific Windows user or
    domain account.

Granting proper permissions


To provide sufficient permissions, Windows credentials must be one of the
following:

• A domain user with local administrator access on the target Windows
  hosts.

• A local account that has administrator privileges and User Access
  Control (UAC) disabled on the same target host.

• A user who meets the requirements of Windows probes and permissions
  (Discovery only).

• A user who meets the requirements of the Orchestration activity to be
  run (Orchestration only).

Note: No logon privileges are needed. Account does NOT need to
be interactive.

Security around granting privileged access can be enhanced by using
JEA profiles to run Discovery. For more information, see Microsoft Just
Enough Administration (JEA) for Discovery.


Workgroup computers
To run PowerShell commands to discover a Workgroup computer,
configure the MID Server credentials for either of these users:

• Built-in administrator account on the Workgroup computer.

• Domain user on the Workgroup computer.

Multi-domain configuration

To enable Windows credentials to function across multiple domains,
make sure to use the correct name formats and MID Server
configuration.

Discovery and Orchestration support Windows domain credentials
in both User Principal Name and Down-Level Logon Name
user name formats. For example, Domain\UserName or
UserName@example.domain.com. You can provide Windows workgroup
credentials in the following format: WORKGROUP\UserName.

Note: You can also provide a local account by using the .\ user
name.

These additional actions are required to enable credentials to function
across multiple Windows domains.

Condition | Additional actions required

MID Server host on the same domain as the Windows target. | None

MID Server host on a different domain than the Windows target. | Ensure that PowerShell 3.0 (or higher up to 5.1) is installed on the MID Server host.

MID Server host on a different domain than the Microsoft SQL Server target. | See MSSQL server discovery.

Windows credentials type


These fields are available in the Credentials form for Windows:


Field | Description

Name | Enter a unique and descriptive name for this credential.

Active | Enable or disable these credentials for use.

User name | Enter the user name to create in the Credentials table. Avoid leading or trailing spaces in user names. A warning appears if the platform detects leading or trailing spaces in the user name. For CIM discovery, the user must have the admin role.

Password | Enter the password.

Credential ID | Enter the unique key configured for external credentials in the JAR file uploaded to the MID Server for an external credential system. The Credential ID field has a limit of 40 characters. This field is only visible when the External credential store check box is selected.

Credential alias | Allow workflow creators to assign individual credentials to any activity in an Orchestration workflow or assign different credentials to each occurrence of the same activity type in an Orchestration workflow. To use the credential for discovering CIs not belonging to this CI type using Service Mapping and Discovery patterns, enter the table name for the CI type to which the CI belongs, for example cmdb_ci_apache_web_server. For more information, see Change credentials to non-default.

External credential store | Select this check box to use an external credential storage system. When you select this option the User name and Password fields are replaced with the Credential ID field. External credential storage is only available when the External Credential Storage plugin is activated. Note: Currently, the only supported external storage system is CyberArk.

Applies to | Select whether to apply these credentials to All MID servers in your network, or to one or more Specific MID servers. Specify the MID Servers that should use these credentials in the MID servers field.

MID servers | Select one or more MID Servers from the list of available MID Servers. The credentials configured in this record are available to the MID Servers in this list. This field is available only when you select Specific MID servers from the Applies to field. Note: Selecting Specific MID servers doesn't affect MID Server selection. It's used only to decide which MID Servers should have visibility to the credential. Specific MID servers isn't supported in Orchestration activities.

Order | Order (sequence) in which Discovery tries this credential as it attempts to log on to devices. The smaller the number, the higher in the list this credential appears. Establish credential order when using large numbers of credentials or when security locks out users after three failed login attempts. If all the credentials have the same order number (or none), the instance tries the credentials in a random order.

Windows MID Server Service Account | When active, the defined credential represents the MID Server service account.
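
An added example (not ServiceNow code): a Python check over a constructed export of credential records that applies the user name formats, the leading/trailing space warning, the 40-character Credential ID limit and the Order field described above. The record keys (name, user_name, credential_id, order) and all sample values are assumptions made for illustration.

```python
import re
from collections import Counter

CREDENTIAL_ID_MAX = 40  # limit the page states for the Credential ID field

# Constructed sample records; the key names are assumed, not a ServiceNow export schema.
SAMPLE = [
    {"name": "dc-scan", "user_name": "CORP\\svc_disco", "order": 100},
    {"name": "upn-scan", "user_name": "svc_disco@example.domain.com", "order": 100},
    {"name": "wg-scan", "user_name": "WORKGROUP\\Administrator ", "order": 200},
    {"name": "local", "user_name": ".\\svc_local", "order": None},
    {"name": "vault", "credential_id": "x" * 41, "order": 300},
]

def classify_user_name(user_name):
    """Map a user name to one of the formats the page lists, else 'unrecognized'."""
    u = user_name.strip()
    if u.startswith(".\\") and len(u) > 2:
        return "local"                      # .\UserName
    if re.fullmatch(r"[^\\@\s]+@[^\\@\s]+\.[^\\@\s]+", u):
        return "upn"                        # UserName@example.domain.com
    m = re.fullmatch(r"([^\\@\s]+)\\([^\\@]+)", u)
    if m:                                   # Domain\UserName or WORKGROUP\UserName
        return "workgroup" if m.group(1).upper() == "WORKGROUP" else "down-level"
    return "unrecognized"

def audit(records):
    """Return sorted (credential name, finding) pairs for records to review."""
    findings = []
    orders = Counter(r.get("order") for r in records)
    for r in records:
        user = r.get("user_name")
        if user is not None:
            if user != user.strip():
                findings.append((r["name"], "leading or trailing space in user name"))
            if classify_user_name(user) == "unrecognized":
                findings.append((r["name"], "user name format not recognized"))
        cid = r.get("credential_id")
        if cid is not None and len(cid) > CREDENTIAL_ID_MAX:
            findings.append((r["name"], "credential ID longer than 40 characters"))
        # Ties and blanks leave the try sequence undetermined by Order, which
        # matters where accounts lock out after a few failed logons.
        if r.get("order") is None:
            findings.append((r["name"], "no order set"))
        elif orders[r["order"]] > 1:
            findings.append((r["name"], f"order {r['order']} shared with another credential"))
    return sorted(findings)
```

Running audit(SAMPLE) flags the two credentials that share order 100, the one with no order, the over-length Credential ID and the trailing space.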

Configure Windows credentials for the MID Server

Configure the MID Server to use either the credentials of its own Windows
service or credentials from the Credentials [discovery_credentials] table.


Before you begin

Role required: admin

Procedure

1. Configure the MID Server to use credentials from the MID Server
   service account.

   a. Set the Configure Windows MID Server service credentials to a
      user who meets the permission requirements.

   b. Verify the user name meets the name format requirements.

   c. Fill in the fields on the form, as appropriate.

   d. Verify the credentials meet domain requirements.

2. Configure the MID Server to use credentials from the Credentials
   [discovery_credentials] table.

   a. Add individual Windows credentials to the Credentials
      [windows_credentials] table.

      • Verify each credential meets the permission requirements.

      • Verify each username meets the name format requirements.

      • Verify each credential meets the Windows domain
        requirements.

   b. (Optional) Configure the MID Server to use PowerShell by setting
      the mid.use_powershell parameter to true.
      See Configuring MID Servers.

   c. Select the Windows MID Server Service Account check box to
      create a credential that represents the Windows MID Server
      service account to run as a specific Windows user or domain
      account.
