Discovery Basics
Setting up KeeperPAM for Discovery
Overview
In this guide, you will learn how to discover resources within your target infrastructure using Discovery.
Prerequisites
Prior to using Discovery, make sure to have the following:
An active license of KeeperPAM
Activate Enforcement Policies on the Admin Console to enable discovery
Deploy a Keeper Gateway using the latest version
Discovery Enforcement Policies
On the Admin Console, the following Enforcement Policies affect the user's ability to run Discovery jobs.
Can run discovery
Allow users to run discovery jobs
Discovery can also be enabled on the Keeper Commander CLI using the enterprise-role command:
Installing the Keeper Gateway
The Keeper Gateway is a service that is installed on the customer's network to enabled zero-trust access to target infrastructure. This service is installed on a Docker, Linux or Windows environment in each of the networks under management.
Populating PAM User records
Before running a Discovery job, it is recommended to create PAM User records for any administrative credentials you expect to use. Save these credentials as PAM User record types within the Shared Folder that is associated with your Application and Keeper Gateway.
PAM Configuration
To get started with Discovery, you need a PAM Configuration set up for your target infrastructure. The PAM Configuration directs the discovery process where to locate resources.
Network Discovery
Local network discovery utilize a CIDR for scanning. In order for discovery to locate a resource, it must be listening on the required port. Below is the PAM Configuration data required for a successful discovery.
Network ID
Unique ID for the network
This is for the user's reference
Ex: My Network
Port Mapping
If non-standard ports are being used, this ensures that discovery will find the resources.
Example: ssh=2222 rdp=3390
AWS Discovery
AWS discovery makes use of whatever AWS Role Policies have been granted to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.
In order for the Keeper Gateway to discover an AWS resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your security groups as necessary to allow this.
Below is the PAM Configuration data required for a successful discovery.
AWS ID
Identifier selected by user
This is just used for reference.
Access Key ID
Access Key only when required
If instance role is applied to the Gateway, this is not required.
Secret Access Key
Secret Key only when required
If instance role is applied to the Gateway, this is not required.
Region Names
A list of AWS region names separated by newlines. Discovery will only find resources that match.
Example: us-west-1 us-east-2
Port Mapping
If non-standard ports are being used, this ensures that discovery will find the resources.
Example: ssh=2222 rdp=3390
Azure Discovery
Azure discovery makes use of whatever permissions have been granted to the role assigned to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.
In order for the Keeper Gateway to discover an Azure resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your Network Security Groups as necessary to allow this.
Below is the PAM Configuration data required for a successful discovery.
Azure ID
A unique id for your instance of Azure
Required, This is for the user's reference
Ex: Azure-1
Client ID
The application/client id (UUID) of the Azure application
Required
Client Secret
The client credentials secret for the Azure application
Required
Subscription ID
The UUID of the subscription (i.e. Pay-As-You-GO).
Required
Tenant ID
The UUID of the Azure Active Directory
Required
Resource Groups
A list of resource groups to be checked. If left blank, all resource groups will be checked. Newlines should separate each resource group.
Discovery Workflow
The basic workflow for running Discovery jobs is the following:
Set up a Keeper Gateway with associated Shared Folders
Populate the shared folders with any administrative credentials as PAM User record types
Run a discovery job on the target infrastructure
Process the results to discover PAM Machine, PAM Databases and PAM Directory resources
Run additional discovery jobs to locate user accounts within each found resource, utilizing credentials provided to the job.
Services and Scheduled Tasks
When discovery is performed on a Windows machine, Keeper will automatically determine if a PAM User should be directly associated with any running services or scheduled tasks. When rotation is performed on any user accounts, Keeper will then update the Windows service account "log on as" credentials for any Windows services running as the PAM User, and restart the service. Keeper will also update the credential of any scheduled task running as that user on the target machine.
To learn more and set up this capability, see the Service Management page.
Activating PAM Features
After a Discovery process has been completed, you can edit the vault records to activate advanced features such as Rotation, Connections, and Tunnels.
Next Steps:
Last updated
Was this helpful?