EcoStruxure IT forum
A support forum for Data Center Operation, Data Center Expert, and EcoStruxure IT product users to share knowledge on installation, configuration, and general product use.
Posted: 2021-07-28 04:21 AM
Hi team,
We have a customer with IT Optimize deployed with IT Advisor, and his security department has detected an issue in IT Optimize.
IT Optimize is trying to connect to a discovered server with the Windows IT Optimize local user that we used to install IT Optimize on the server. Even when you have discovered the server with a specific user for this server depending on the protocol, IT Optimize is trying to connect with the local user on the server instead of the user that we used for the discovery.
The customer has deleted the discovered server and also the discovery search, and IT Optimize is still trying to connect to this server.
The local user is itouser and the IP of the IT Optimize is 172.20.17.133 in this picture:
Posted: 2021-07-28 04:26 AM
Hello Javier
If I may ask, what method did the customer use to delete the asset?
I assume they unassociated the server from the device in DCO or ITA, but then did they delete the asset from the unassociated items? If they did, the server should no longer appear in the inventory list on the ITO server (if you browse to https://<ito-server-ip>:8090/ and view the inventory page).
Regards
Greg Sterling
Posted: 2021-07-28 04:39 AM
Hi Greg,
The server xxxxx101 does not appear in the list of discovered servers:
Posted: 2021-07-28 02:24 PM
I will try to test this on Thursday to see if I can replicate the behavior.
Which version of ITO are you using?
Regards
Greg Sterling
Posted: 2021-07-29 08:14 AM
Hi Greg,
The IT Optimize version is: ITO Server Version 7.5.6.0.999
and IT Advisor 9.0.4
Regards
Posted: 2021-07-30 09:45 AM
Hello Javier
I attempted to duplicate the condition you are reporting and so far have been unable to. When I delete discovered servers from ITO they so far have stopped polling the previously discovered server.
The cache/list of servers ITO polls is refreshed when ITO is restarted. If you reboot your ITO server, do the logins to the target server stop?
Regards
Greg Sterling
Posted: 2021-07-30 09:55 AM
Adding some details for your security team as well.
When the WMI protocol is used with ITO, the connection is made from the WMI interface on the ITO server to the target server (the discovered server). The connection to the local WMI interface on the ITO server is made with the user specified during the ITO installation; this is the reason that user account must be a Windows user with local admin rights and has to be allowed to run as a service. Once connected to the local ITO server, the user makes the remote connection via the WMI interface to the discovered server using the discovery credentials specified. So the credentials used for logon to a discovered server should be the credentials specified in the discovery; the user initiating the connection from the ITO server may show up as the user used to run the ITO services.
This might explain why your security team is seeing that user.
But, if the discovered server is deleted from ITO, we expect the polling of the discovered server to stop.
Regards
Greg Sterling
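A check the security team could run on the discovered server to see which accounts actually authenticate from the ITO server and when the last attempt occurred (an added example, not part of the original thread and not Schneider Electric tooling). The IP address is the one quoted in the thread; the one-day look-back window is an assumption, and the script assumes logon auditing is enabled and an elevated session.

```powershell
# Added example: run on the discovered (target) server in an elevated session.
$ItoServerIp = '172.20.17.133'          # ITO server address quoted in the thread
$Since       = (Get-Date).AddDays(-1)   # assumed look-back window

# Security log: 4624 = successful logon, 4625 = failed logon
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }

$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData fields are named in the event XML; index them by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only logons whose source address is the ITO server.
        if ($data['IpAddress'] -eq $ItoServerIp) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Result    = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $data['LogonType']   # 3 = network logon
                AuthPkg   = $data['AuthenticationPackageName']
            }
        }
    }

# Summarise per account and result: attempt count, first and last occurrence.
$logons | Group-Object Account, Result | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Time)
    [pscustomobject]@{
        Account = $sorted[0].Account
        Result  = $sorted[0].Result
        Count   = $_.Count
        First   = $sorted[0].Time
        Last    = $sorted[-1].Time
    }
} | Sort-Object Last -Descending | Format-Table -AutoSize
```

Comparing the `Last` timestamp with the time the server was deleted from ITO, or the time ITO was restarted, shows whether polling has actually stopped.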
Posted: 2021-08-19 03:46 AM
Hi Greg,
The customer confirms that the problem was solved 3 weeks ago. Thanks for your support.
Regards