EcoStruxure IT forum
Schneider Electric support forum about installation and configuration for DCIM including EcoStruxure IT Expert, IT Advisor, Data Center Expert, and NetBotz
Posted: 2021-07-28 04:21 AM
Hi team,
We have a customer with IT Optimize deployed with IT Advisor, and his security department has detected an issue in IT Optimize.
IT Optimize is trying to connect to a discovered server with the Windows IT Optimize local user that we used to install IT Optimize on the server. Even when you have discovered the server with a specific user for this server depending on the protocol, IT Optimize is trying to connect with the local user on the server instead of the user that we used for the discovery.
The customer has deleted the discovered server and also the discovery search, and IT Optimize is still trying to connect to this server.
The local user is itouser and the IP of the IT Optimize is 172.20.17.133 in this picture:
Posted: 2021-07-30 09:55 AM
Adding some details for your security team as well.
When the WMI protocol is used with ITO, the connection is made from the WMI interface on the ITO server to the target server (the discovered server). The connection to the local WMI interface on the ITO server is made with the user specified during the ITO installation; this is the reason that user account must be a Windows user with local admin rights and has to be allowed to run as a service. Once connected to the local ITO server, the user makes the remote connection via the WMI interface to the discovered server using the discovery credentials specified. So the credentials used for logon to a discovered server should be the credentials specified in the discovery; the user initiating the connection from the ITO server may show up as the user used to run the ITO services.
This might explain why your security team is seeing that user.
But, if the discovered server is deleted from ITO, we expect the polling of the discovered server to stop.
Regards
Greg Sterling
Posted: 2021-07-28 04:26 AM
Hello Javier
If I may ask, what method did the customer use to delete the asset?
I assume they unassociated the server from the device in DCO or ITA, but then did they delete the asset from the unassociated items? If they did, the server should no longer appear in the inventory list on the ITO server (if you browse to https://<ito-server-ip>:8090/ and view the inventory page).
Regards
Greg Sterling
Posted: 2021-07-28 04:39 AM
Hi Greg,
The server xxxxx101 does not appear in the list of discovered servers:
Posted: 2021-07-28 02:24 PM
I will try to test this on Thursday to see if I can replicate the behavior.
Which version of ITO are you using?
Regards
Greg Sterling
Posted: 2021-07-29 08:14 AM
Hi Greg,
The IT Optimize version is: ITO Server Version 7.5.6.0.999
and IT Advisor 9.0.4
Regards
Posted: 2021-07-30 09:45 AM
Hello Javier
I attempted to duplicate the condition you are reporting and so far have been unable to. When I delete discovered servers from ITO, they so far have stopped polling the previously discovered server.
The cache/list of servers ITO polls is refreshed when ITO is restarted. If you reboot your ITO server, do the logins to the target server stop?
Regards
Greg Sterling
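For the security team's side of the check discussed in the replies above, an added example (not part of the thread and not Schneider Electric code): it tallies Windows Security logon events (4624 success, 4625 failure) exported from the discovered server, per account, for connections coming from the ITO address, before and after a cutoff such as an ITO restart. The sample events, the accounts `svc_discovery` and `admin01`, and the cutoff time are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ITO_IP = "172.20.17.133"  # IT Optimize server address given in the first post

def _ev(eid, ts, user, ip):
    # Builds one constructed Security event in the Windows event XML schema.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">3</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample export from the discovered server. "svc_discovery" and
# "admin01" are made-up accounts; only itouser and the ITO IP come from the thread.
SAMPLE = "<Events>" + "".join([
    _ev(4624, "2021-07-27T08:00:00.000Z", "svc_discovery", ITO_IP),
    _ev(4625, "2021-07-27T08:00:05.000Z", "itouser", ITO_IP),
    _ev(4625, "2021-07-28T09:00:00.000Z", "itouser", ITO_IP),
    _ev(4624, "2021-07-28T09:30:00.000Z", "admin01", "10.0.0.5"),
    _ev(4625, "2021-07-28T10:00:00.000Z", "itouser", ITO_IP),
]) + "</Events>"

def logons_from(xml_text, source_ip):
    """Yield (time, event_id, account) for 4624/4625 events whose source is source_ip."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        data = {d.get("Name"): d.text for d in ev.iterfind("e:EventData/e:Data", NS)}
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid in (4624, 4625) and data.get("IpAddress") == source_ip:
            ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
            # SystemTime is UTC; drop fractional seconds and the trailing Z.
            when = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")
            yield when, eid, data.get("TargetUserName")

def summarize(xml_text, source_ip, cutoff):
    """Count (account, outcome) pairs before and after cutoff (UTC, naive)."""
    before, after = Counter(), Counter()
    for when, eid, user in logons_from(xml_text, source_ip):
        outcome = "success" if eid == 4624 else "failure"
        (after if when >= cutoff else before)[(user, outcome)] += 1
    return before, after

if __name__ == "__main__":
    # Hypothetical cutoff: when the server was deleted from ITO or ITO was restarted.
    before, after = summarize(SAMPLE, ITO_IP, datetime(2021, 7, 28))
    print("before:", dict(before))
    print("after: ", dict(after))
```

An empty "after" tally for the ITO address means the polling has stopped; entries that remain show which account name the attempts carry.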
Posted: 2021-08-19 03:46 AM
Hi Greg,
The customer confirms that the problem was solved 3 weeks ago. Thanks for your support.
Regards