How to utilize PAM's Windows Remote Target Connector to discover local Services and Scheduled Tasks
Article ID: 106123
Updated On:
Products
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)
Issue/Introduction
The new Windows Remote Target Connector (supported since PAM 3.1) can be used as an alternative to the Windows Proxy. The Windows Remote Target Connector functions much like the Windows Proxy, but does not require installation (agent-less) on each target server.
I have created Target Account with Windows Remote Connector as the application type, the account belongs to local Administrators group and password can be verified, but Services or Scheduled Tasks tabs are empty. How should I configure so that I can discover local Services and Scheduled Tasks on target Windows server, so I can manage the account's password used by them?
I have created Target Account with Windows Remote Connector as the application type, the account belongs to local Administrators group and password can be verified, but Services or Scheduled Tasks tabs are empty. How should I configure so that I can discover local Services and Scheduled Tasks on target Windows server, so I can manage the account's password used by them?
Environment
PAM 3.1 or later
Windows 2008, 2012, 2016 servers
Windows 2008, 2012, 2016 servers
Resolution
To be able to discover local Services or Scheduled Tasks you have to use the first Windows Remote Account to do account discovery. Once you discovered new local accounts, manage them and local Services or Scheduled Tasks belong to the accounts will be appeared on the accounts' Services and Scheduled Tasks tab.
Follow the following steps.
1. On the target Windows Server, change logon account of the Service or create Scheduled Task for the account you want to manage.
For example, I have seng user account and I change SNMP Trap service logon account to this account.
This account has also a scheduled task, named MySengTask.
2. Create Windows Remote Target Application and select both Discover Services and Discover Tasks boxed in Account Discovery tab.
In Windows Remote tab, you can either select Local Account or Domain Account. If you select Domain Account you need to fill in additional parameter related to the Domain.
3. Create the first Windows Remote Account (which has enough privilege to discover local Services and Scheduled Tasks). Check the Discovery Allowed box in Password tab and make sure Password can be verified.
4. Go to Credentials > Discovery and create Scan Profile and select the target Windows server.
5. Run the Scan Profile and once completed, select Discovered Account tab
6. Select the account who owns the local Service and Scheduled Task and click Manage button. Select Update both the Password Authority Server and the target system and key in the correct password and click OK button. When "Do you want to manage this account?" prompt appear, click Yes.
7. Now open the newly created Target Account and you will see you discovered local Service in Services tab and Scheduled Task in Scheduled Tasks tab.
Follow the following steps.
1. On the target Windows Server, change logon account of the Service or create Scheduled Task for the account you want to manage.
For example, I have seng user account and I change SNMP Trap service logon account to this account.
<Please see attached file for image>
This account has also a scheduled task, named MySengTask.
<Please see attached file for image>
2. Create Windows Remote Target Application and select both Discover Services and Discover Tasks boxed in Account Discovery tab.
<Please see attached file for image>
<Please see attached file for image>
In Windows Remote tab, you can either select Local Account or Domain Account. If you select Domain Account you need to fill in additional parameter related to the Domain.
<Please see attached file for image>
3. Create the first Windows Remote Account (which has enough privilege to discover local Services and Scheduled Tasks). Check the Discovery Allowed box in Password tab and make sure Password can be verified.
<Please see attached file for image>
<Please see attached file for image>
4. Go to Credentials > Discovery and create Scan Profile and select the target Windows server.
<Please see attached file for image>
5. Run the Scan Profile and once completed, select Discovered Account tab
<Please see attached file for image>
6. Select the account who owns the local Service and Scheduled Task and click Manage button. Select Update both the Password Authority Server and the target system and key in the correct password and click OK button. When "Do you want to manage this account?" prompt appear, click Yes.
<Please see attached file for image>
7. Now open the newly created Target Account and you will see you discovered local Service in Services tab and Scheduled Task in Scheduled Tasks tab.
<Please see attached file for image>
<Please see attached file for image>
Additional Information
Please refer Online Documentation about Windows Remote Target Connector for more details.
Attachments
Feedback
Yes
No
Powered by
