BeyondInsight - Scan Account Permissions

Uploaded by

rahul9690bisht
8/27/24, 9:45 PM BeyondInsight / Password Safe - BeyondTrust Discovery Agent scan account permissions

KB0017149 - Latest Version

BeyondTrust Discovery Agent scan account permissions

When performing an authenticated network-based assessment with BeyondTrust Discovery Agent (BDA), local admin or root
privileges must be used. For the BDA to accurately assess the information on a remote system, BDA needs to have
unrestricted access to all areas of the remote system or device.

These areas include but are not limited to:

- Remote registry access (Windows)
- Remote WMI access (Windows)
- Access to the file structures for all operating systems
- Enumeration of Services, Processes, Ports, Protocols, Shares, Installed Applications, Certificates, Users, User Groups, User and Group Permissions, and more (all operating systems and platforms)

BEYONDTRUST DOES NOT OFFER A SET OF LEAST PRIVILEGE SETTINGS FOR A SCANNING ACCOUNT, SINCE
SCANNING IS SO DYNAMIC. PROVIDING A LIST OF HARD-CODED PRIVILEGES COULD GREATLY IMPACT THE
SCANNER'S ABILITY TO PERFORM CHECKS WHICH COULD REQUIRE PERMISSIONS NOT INCLUDED IN A LEAST
PRIVILEGE ACCOUNT. TO ENSURE ALL CURRENT AND FUTURE CHECKS ARE PERFORMED, AN UNRESTRICTED
LOCAL ADMIN OR SIMILAR ACCOUNT IS REQUIRED.

https://beyondtrustcorp.service-now.com/csm?id=kb_article&sys_id=77e0461747078ed0b77b3ddbd36d438e&table=kb_knowledge

Windows
Please refer to Configuring Windows Hosts for Discovery Scanning.

Linux, Unix, and SSH devices

On Unix and Linux systems, the scan account requires sudo privileges to perform tasks such as user enumeration and listing installed software.

The sudo rule should be similar to the following:

scan_account ALL=(ALL:ALL) ALL

The sudo rule above means that the scan_account user has unlimited privileges and can run any command on the system.

The Discovery Agent uses interactive SSH commands to enumerate data from Linux targets, so pty sessions are required. The no-pty option will prevent the scan from functioning.
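
Both Linux prerequisites described above, the unrestricted sudo rule and the absence of a pty restriction on the scan account's SSH key, can be checked on a target before a scan. The script below is an added example, not part of the KB article or BeyondTrust code; the function names and file paths are assumptions, and it additionally treats the OpenSSH `restrict` key option as denying a pty unless `pty` re-enables it.

```shell
#!/bin/sh
# Added example (not BeyondTrust code): pre-scan readiness check for a Linux target.
# Assumptions: the caller supplies the file paths; function names are hypothetical.

# has_unrestricted_sudo ACCOUNT SUDOERS_FILE
# Succeeds when an uncommented rule grants ACCOUNT "ALL=(ALL:ALL) ALL" or "ALL=(ALL) ALL".
has_unrestricted_sudo() {
    grep -Eq "^[[:space:]]*${1}[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]*ALL[[:space:]]*\$" "$2"
}

# pty_blocked_by_key AUTHORIZED_KEYS_FILE
# Succeeds when a key line sets no-pty, or sets restrict without re-enabling pty.
pty_blocked_by_key() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            line = tolower($0)                  # option keywords are case-insensitive
            gsub(/"[^"]*"/, "", line)           # drop quoted values such as command strings
            split(line, f, " ")
            if (f[1] ~ /^(ssh-|ecdsa-|sk-)/) next   # key type comes first: no options set
            o = "," f[1] ","
            if (index(o, ",no-pty,")) bad = 1
            if (index(o, ",restrict,") && !index(o, ",pty,")) bad = 1
        }
        END { exit !bad }
    ' "$1"
}

# scan_ready ACCOUNT SUDOERS_FILE AUTHORIZED_KEYS_FILE
# Prints one finding per failed prerequisite; succeeds only when none fail.
scan_ready() {
    rc=0
    has_unrestricted_sudo "$1" "$2" || { echo "FAIL: no unrestricted sudo rule for $1"; rc=1; }
    if pty_blocked_by_key "$3"; then echo "FAIL: authorized_keys denies a pty"; rc=1; fi
    return "$rc"
}

# Constructed sample input (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' '# scanner account' 'scan_account ALL=(ALL:ALL) ALL' > "$demo/sudoers"
printf '%s\n' 'no-pty,command="/usr/bin/uptime" ssh-ed25519 AAAA_CONSTRUCTED_KEY scanner' > "$demo/keys"
scan_ready scan_account "$demo/sudoers" "$demo/keys" || echo "target is not ready for an authenticated scan"
```

On a real host the inputs would be the effective sudoers files and the scan account's `~/.ssh/authorized_keys`; `visudo -c` remains the authoritative syntax check for sudoers.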

For SSH devices, it is recommended to consult the vendor's documentation regarding admin or privileged accounts if sudo or
root accounts are not available options on the device.

Databases
The scan account will need permissions within the database to enumerate users, enumerate databases, and enumerate logins.

Oracle: dba_users; dba_role_privs; dba_roles

MSSQL: sys.database_principals; sys.databases; dbo.syslogins

MySQL: mysql.user

Enumerate Users: sys.database_principals

Enumerate Databases: name; database_id; create_date; user_access_desc; state_desc from sys.databases


Enumerate Logins: dbo.syslogins
