SPP supports Windows systems. For more information, see How to: Configure Windows Assets in Safeguard.
NOTE: Microsoft has started hardening DCOM servers which may change your configuration decisions. For more information, see https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26414 and https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c.
To prepare Windows systems for SPP

- Create a service account on the asset and assign it a password:
  - Directory Configuration: If the Windows system is joined to a domain that will be managed in SPP, you can use a directory account, such as a Microsoft Active Directory account, to manage the asset. Enable the Password Never Expires option; once you add the asset to SPP, you can have the service account password auto-managed to keep it secure.

  -OR-

  - Local Configuration: If the Windows system is not joined to a domain, use a local service account that has been granted sufficient permissions.
- Grant the service account sufficient permissions to change account passwords. For more information, see Minimum required permissions for Windows assets.
- Configure the system's firewall to allow the following predefined incoming rules:
  - Windows Management Instrumentation (DCOM-In)
  - Windows Management Instrumentation (WMI-In)
  - NetLogon Service (NP-In)

  These rules allow incoming traffic on TCP port 135 (DCOM/RPC endpoint mapper, used by WMI) and TCP port 445 (SMB, used by the NetLogon named pipe).
- Ensure the following ports are accessible:
  - Port 389 (LDAP) is used for Active Directory Asset Discovery and Directory Account Discovery.
  - Port 445 (SMB) is used to perform password checks and changes.
  - In some cases, RPC ephemeral ports must be accessible for SPP to perform Service Discovery on the Windows platform (for example, Windows Server 2019 requires them, but Windows Server 2012 does not). For more information, see Service overview and network port requirements for Windows.
- Change the local security policy: Before SPP can reset local account passwords on Windows systems using a service account that is a non-built-in administrator, you must change the local security policy to disable the User Account Control (UAC) Admin Approval Mode (Run all administrators in Admin Approval Mode) option. For more information, see Change password or SSH key fails.
For additional information on ports, see Safeguard ports.
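The following audit script is an added example, not part of the Safeguard documentation or product: run in an elevated PowerShell session on the asset, it reports whether each prerequisite above (service account, the three inbound firewall rules, the UAC Admin Approval Mode policy, and the listening ports) is in place. The account name `svc_spp` is an assumed placeholder.

```powershell
# Added example (not from the Safeguard documentation): audit a Windows asset's
# readiness for SPP management. Run elevated on the asset itself.
$ServiceAccount = 'svc_spp'   # assumption: the local service account created for SPP
$results = @()

# 1. Local service account exists and its password is set to never expire
$user = Get-LocalUser -Name $ServiceAccount -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = "Local account '$ServiceAccount' exists"; Passed = [bool]$user }
$results += [pscustomobject]@{ Check = "Account '$ServiceAccount' has PasswordNeverExpires"
                               Passed = [bool]($user -and $user.PasswordNeverExpires) }

# 2. The three predefined inbound firewall rules named in the procedure are enabled
$ruleNames = @(
    'Windows Management Instrumentation (DCOM-In)',
    'Windows Management Instrumentation (WMI-In)',
    'NetLogon Service (NP-In)'
)
foreach ($name in $ruleNames) {
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    # One display name can cover several profile-specific rules; require all of them enabled
    $disabled = $rules | Where-Object { $_.Enabled -ne 'True' }
    $results += [pscustomobject]@{ Check = "Firewall rule '$name' enabled"
                                   Passed = [bool]($rules -and -not $disabled) }
}

# 3. "Run all administrators in Admin Approval Mode" is the EnableLUA policy value.
#    The procedure requires it disabled (0) before SPP can reset local passwords with
#    a non-built-in administrator account; changing it takes effect after a reboot.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
$results += [pscustomobject]@{ Check = 'UAC Admin Approval Mode (EnableLUA) disabled'
                               Passed = ($enableLua -eq 0) }

# 4. Ports the asset itself must serve (135 RPC endpoint mapper, 445 SMB) are listening.
#    Port 389 (LDAP) is served by the domain controller, so it is not checked here.
foreach ($port in 135, 445) {
    $listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "TCP $port listening"; Passed = [bool]$listening }
}

$results | Format-Table -AutoSize
```

A failed firewall or port check on the asset should be confirmed from the SPP appliance side as well, since an intermediate network firewall can block the same ports.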