Within any organization we understand that one set of credentials is unlikely to have access to all domains and devices. Movere gives you the option to specify which credentials should be used and in which domains.
Using the ‘Manage Credentials’ option, you can add each set of credentials that the Movere Console should use to gain access to the device(s) you are attempting to scan or the SQL database(s) you are attempting to query. To add credentials, click the ‘Add’ button, then enter the relevant account details:
NOTE: You must specify the type of account entered, i.e. Windows or SQL. If you have a vCenter Server Appliance (VCSA) in your environment, the credentials entered on the vCenter Appliances tab will also appear on this tab. Movere requires only read-only access to query SQL Server data. SQL Server administrator (sa) credentials can be entered, but they are typically used only by customers who need to query SQL Servers residing in domains other than the one the Movere Console is being run from. If Windows credentials are being entered, you must include the domain the user account belongs to, e.g.:
Correct: domain\username | Incorrect: username
The password for each account must be entered twice, and the two entries must match. The account is not validated at this step. The password can be updated later (for example, after the user changes it), but the username cannot be edited in place: correcting a mistyped username means re-entering the account, password included, even though the account is never validated. This matters because many organizations enter several sets of credentials into the Movere Console; if a username is entered incorrectly, the person who entered it will have to open the Movere Console again to correct the error, so check each entry before saving.
NOTE: No credentials are stored in plain text or uploaded to the cloud.
What Prevents Movere from Successfully Querying SQL Based Data?
Starting with SQL Server 2012, Microsoft removed the NT AUTHORITY\SYSTEM account from the ‘sysadmin’ server role. Movere uses this account by default to gather SQL Server based data such as System Center Configuration Manager or SharePoint inventory. If you are retrieving data from SQL Server 2012 or later, either the system account must be granted ‘db_datareader’ (read-only) access to the database(s) you want to query, or Movere must use one of the accounts added on the ‘Manage Credentials’ tab that already has, or can be granted, at least read-only access.
IMPORTANT: If you choose to use a specific user or service account to extract SQL based data, then in addition to having at least read-only access, that account MUST be added to the ‘Manage Credentials’ list, even if it is the same account used to run the Movere Service. Apart from the NT AUTHORITY\SYSTEM account, the Movere Service will only attempt to query SQL using credentials from the managed credentials list. Movere will use an account to access SQL only if it has been added to the ‘Manage Credentials’ list and mapped to the domain in which the device being scanned resides. The only exception is a manual local scan, where Movere uses the credentials of the person running the scan; to use alternative credentials there, start Movere with the ‘Run as different user’ option.
The screenshot below demonstrates how to grant the account ‘UL\movere_svc’ db_datareader (read only) access:
NOTE: The account has been given read-only access to each of the databases we are seeking to query with Movere, as well as the ‘master’ and ‘msdb’ databases, which hold server-specific items such as the list of databases on the server, CPUs visible to SQL, log shipping, mirroring, availability groups, etc.
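Because the screenshot is not reproduced here, the following T-SQL is an added example of the same grant; it is not part of the original page or of the Movere product. The account name UL\movere_svc is taken from the page. The application database names CM_P01 and SharePoint_Config are placeholders for whichever databases you intend to query, and the script assumes SQL Server 2012 or later (ALTER ROLE ... ADD MEMBER). It grants db_datareader only, skips databases that do not exist on the instance, is safe to re-run, and finishes by confirming the account is not a sysadmin and holds no role beyond db_datareader.

```sql
-- Added example (not from the Movere documentation): grant a Windows account
-- db_datareader (read-only) in master, msdb and the application databases that
-- Movere will query. UL\movere_svc comes from the page; CM_P01 and
-- SharePoint_Config are placeholder database names (assumption). Requires
-- SQL Server 2012 or later for ALTER ROLE ... ADD MEMBER.
USE [master];

DECLARE @account sysname = N'UL\movere_svc';

-- 1. Server-level login. Windows authentication, so SQL stores no password.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @account)
    EXEC (N'CREATE LOGIN ' + QUOTENAME(@account) + N' FROM WINDOWS;');

-- 2. Databases to grant. master and msdb hold the server-level metadata Movere
--    reads (database list, CPUs visible to SQL, log shipping, mirroring,
--    availability groups); the rest are the application databases to inventory.
DECLARE @targets TABLE (name sysname);
INSERT INTO @targets (name)
VALUES (N'master'), (N'msdb'), (N'CM_P01'), (N'SharePoint_Config');

-- Collects the account's role memberships per database for the final check.
CREATE TABLE #membership (db sysname, role_name sysname);

-- 3. In each target database that exists on this instance: create the user if
--    missing, add it to db_datareader if not already a member, and record its
--    roles. Names pass through QUOTENAME so a bracket in an account or database
--    name cannot break out of the generated statement.
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT t.name
    FROM @targets AS t
    WHERE EXISTS (SELECT 1 FROM sys.databases AS d WHERE d.name = t.name);
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @acct)
    CREATE USER ' + QUOTENAME(@account) + N' FOR LOGIN ' + QUOTENAME(@account) + N';
IF ISNULL(IS_ROLEMEMBER(N''db_datareader'', @acct), 0) = 0
    ALTER ROLE db_datareader ADD MEMBER ' + QUOTENAME(@account) + N';
INSERT INTO #membership (db, role_name)
SELECT DB_NAME(), r.name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @acct;';
    EXEC sys.sp_executesql @sql, N'@acct sysname', @acct = @account;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- 4. Verify least privilege: the login must not be a sysadmin (expect 0), and
--    every target database should list exactly one role, db_datareader.
SELECT IS_SRVROLEMEMBER('sysadmin', @account) AS is_sysadmin;
SELECT db, role_name FROM #membership ORDER BY db;

DROP TABLE #membership;
```

Run it as a sysadmin in SQL Server Management Studio against each instance Movere will query. To grant the default system account instead of a service account, set @account to N'NT AUTHORITY\SYSTEM'; nothing else changes. If the membership result shows any role other than db_datareader, or is_sysadmin returns 1, the account has more access than Movere needs and should be trimmed.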
Now that the credentials to be used have been entered into the Movere Console, you will need to map them to the domain(s) they apply to. The domains available to map will reflect the choices made on the ‘Domains’ tab. If applicable, one account can be set as the default across all targeted domains. There is no need to map SQL credentials to domains. They will be used only when connecting to SQL Server instances, irrespective of the domain they reside in.
IMPORTANT: You cannot run a scan without entering at least one set of credentials on the ‘Manage Credentials’ tab.
All user to domain mappings are written to the ‘.config’ files of the Movere Service, Movere Console and Bot(s) in an encrypted format. Movere does not store credentials in plain text and no credentials are uploaded to the cloud.
How are user credentials added to the Movere Console encrypted, then decrypted on the targeted endpoint(s)?
The credentials entered in the Movere Console are encrypted using a symmetric-key algorithm known to both the Movere Console and the Bots. The exact algorithm and the variables used to derive the key are highly confidential. This process has been reviewed independently by third parties and is not considered a risk, as the Bots dissolve on the targeted endpoint once they have completed their scan.
How does Movere know which credentials to use when targeting by IP address?
Before scanning, Movere attempts to resolve the IP address back to a fully qualified device name. Success depends on the customer’s network (reverse DNS) configuration; when resolution succeeds, Movere uses the credentials assigned to that device’s domain in the Movere Console. If the IP address does not resolve, the credentials of the user running the scan are used instead. Movere will not cycle through the credentials list in the hope of gaining access, as this could lock out those accounts.
NOTE: Movere does not support the use of multiple Linux credentials at this time. Only one Linux credential, i.e. a service or root account or an SSH private key, can be entered into the Console and used for Linux scans.