Best Practice: Windows Environment (106 Views)
Occasional Advisor
mcataldo
Posts: 10
Registered: ‎12-18-2013
Message 1 of 2 (106 Views)
Accepted Solution

Best Practice: Windows Environment

I'm evaluating SiteScope to monitor a Windows environment (web/data/DC, etc.). My monitoring server is a domain machine. Should the SiteScope service run as a special domain account? Or should I configure a "Credential Preference" against a unique account and have server access use the credential preference? Is one option more/less secure than the other? Knowing password rotation rules in Windows Server 2008/2012, what option is easiest to manage while remaining as secure as possible? If the SiteScope service starts as a domain account, will it natively have visibility into all of the machines in the domain?

Any help would be greatly appreciated.

HP Expert
Gunnar_L
Posts: 298
Registered: ‎05-22-2012
Message 2 of 2 (103 Views)

Re: Best Practice: Windows Environment

Hi,

Here is an explanation of why I prefer to use remote connections instead of using a service account:

  • We have observed that Windows doesn’t handle connections properly over a period of time when credentials are not passed, mainly when a cached connection is dead and the re-connect doesn’t work as expected. On the other hand, SiteScope asking Windows to re-connect using specific credentials works pretty well.

  • Second, Windows doesn’t handle the permission inheritance over a period of time, whereas SiteScope using Remotes passes the specific credentials and hence it can definitely connect to the remote.

    • Without Remotes, the connection gets the credentials/permissions of the process creating the connection, which is nothing but SiteScope.exe, and SiteScope.exe inherits its permissions from the SiteScope service: 3 levels of permission inheritance. Hence, we have observed connection errors, especially when connections get dropped and need to reconnect, and these errors sometimes refer to permissions when Remotes are not being used. With Remotes, credentials are always passed and hence there is no inheritance, and if a connection gets dropped, SiteScope will ask Windows to re-connect using the specific permission.

  • Though it has been observed with several customers with smaller installations that service credentials work perfectly without any issue, customers with a large number of remote servers being monitored run into issues.

Best Regards,

Gunnar López
HP Support