Microsoft Just Enough Administration (JEA) for Discovery

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 4 minutes to read

    • Microsoft JEA improves security by allowing non-administrator users limited access to run the specific commands, scripts, and executables necessary for Discovery. This enables the MID Server to collect information about a Windows machine without requiring full administrator privileges on the target.

    Microsoft JEA enables role-based administration through PowerShell Remoting, which uses Windows Remote Management (WinRM) to manage communication and authentication. This framework provides a secure and reliable method for managing computers that use the HTTP protocol. PowerShell Remoting uses two total ports (5985, 5986) for HTTP and HTTPS which is easier to secure than the multiple ports used in WMI dynamic port mapping. For more information about Microsoft JEA, see Just Enough Administration.

    Overview of the connection between the ServiceNow Instance, the MID Server, and the JEA Endpoint and Windows Server being discovered.

    Requirements for Discovery with JEA

    • A ServiceNow instance running on the Rome release or later.
    • The MID Server and target server must be part of a Windows domain.
    • The JEA credentials with non-administrator rights must be domain level credentials.
    • PowerShell 5.0 or Windows Management Framework 5.1 must be installed on the target Windows machines.
    • PowerShell Remoting must be enabled on the target Windows machines.
    Note:
    For security enhancement, starting from Rome there is a new profile called JEA v2. Microsoft does not recommend specifying any other language mode than NoLanguage in the JEA profile. JEA v2 explicitly sets the session type to RestrictedRemoteServer and the language mode to NoLanguage to prevent users running arbitrary scripts at the endpoint and bypassing security restrictions. ServiceNow no longer supports the existing sample profile in KB0782125. Follow the instructions in KB0965705 to set up and deploy JEA v2 profiles.

    JEA Profiles

    Discovery with JEA requires profiles composed of a PowerShell Sessions Configuration and one or more PowerShell Role Capabilities files. You can create multiple PowerShell Role Capability files and multiple user groups to assign the roles to different groups as necessary. A sample profile is provided in KB0965705 as a reference implementation and to serve as a starting point. The configuration file in the KB supports all out-of-the-box horizontal Windows patterns at the time it was created. ServiceNow is not responsible for the JEA profile deployment and setup on remote machines.

    Microsoft has detailed documentation at the following links:

    Basic Discovery with the sample JEA Profile

    The sample JEA profile provided in KB0965705 was configured to discover many basic CIs and attributes. The profile can be modified and should only serve as a baseline for Discovery with JEA.

    Basic Discovery finds the following key attributes of Windows servers (cmdb_ci_win_server) or Windows desktops (cmdb_ci_computer):
    • Hostname
    • DNS Name
    • Serial Number
    • Operating System
    • OS Version
    • OS Service Pack
    • Disk Space
    • RAM
    • CPU Core Count
    • CPU Count
    • CPU Manufacturer
    • CPU Type

    It includes the following CIs:

    • Network Adaptors (cmdb_ci_network_adapter)
    • File System (cmdb_ci_file_system)
    • Storage Devices (cmdb_ci_disk)
    • Software Installed (cmdb_software_instance)
    • Running Processes (cmdb_running_process)
    • Memory Modules (cmdb_ci_memory_module)
    • Serial Numbers (cmdb_serial_numbers)
    • TCP/IP Connections (cmdb_tcp)
    • CI IPs (cmdb_ci_ip_address)
    • DNS Names for CIs (cmdb_ci_dns_name)
    • Windows Clusters (cmdb_ci_win_cluster, cmdb_ci_win_cluster_node, cmdb_ci_win_cluster_resource)
    • Tracked Configuration Files (cmdb_ci_config_file_tracked)

    The following application CIs can also be discovered:

    • MSSQL DB on Windows (cmdb_ci_db_mssql_instance)
    • MySQL DB on Windows (cmdb_ci_db_mysql_instance)
    • Oracle DB on Windows (cmdb_ci_db_ora_instance)
    • WebSphere on Windows (cmdb_ci_app_server_websphere)

    The following probes and patterns are used for Discovery with the sample profile:

    • Windows - Classify (probe)
    • Windows OS - Servers (pattern)
    • Windows OS - Desktops (pattern)
    • Windows - Installed Software (probe)
    • Windows - ADM (multiprobe)
    • My SQL server On Windows (pattern)
    • MSSql DB On Windows (pattern)
    • Oracle DB on Windows (pattern)
    • Windows - WebSphere - Cell (probe)
    • Windows - WebSphere - Web Applications (probe)
    • Windows - WebSphere - Web Services (probe)

    Prepare the instance for Discovery with JEA

    To configure the ServiceNow® instance for Discovery with Microsoft Just Enough Administration (JEA), define the Windows credential with the domain name and set the MID Server configuration parameters appropriately.

    Before you begin

    Role required: discovery_admin or admin

    Procedure

    1. Navigate to All > Discovery > Credentials and click New.
    2. Select Windows Credentials from the list of available credential types.
    3. Create the credentials for the non-administrator, using this format for the User name: domain\user name.
    4. Submit the record.
    5. Navigate to All > MID Server > Servers.
    6. Select a MID Server to configure from the list of MID Servers.
    7. Select the Configuration Parameters related list.
    8. Set the following MID Server config parameters as indicated:
      1. mid.windows.management_protocol: This parameter is required for Discovery with JEA.
        Its default value is WMI, but it must be set to WinRM on MID Servers using Discovery with JEA.
      2. mid.powershell.jea.endpoint: This parameter is required for Discovery with JEA.
        This parameter specifies a JEA endpoint name which the MID Server connects to on remote hosts. The endpoint name is created when registering a configuration file, and should not be confused with the name of the configuration file itself. The setting affects the entire MID Server, including any WinRM remote sessions created by Discovery on the MID Server which go to that endpoint.

        For example, the PowerShell command Register-PSConfiguration -name JEA_DISCO_V2 -path <session_configuration_file> sets the endpoint name to JEA_DISCO_V2. In that case, mid.powershell.jea.endpoint must be updated to JEA_DISCO_V2.

    9. Optional: Use the following MID Server property and System property to troubleshoot issues:
      1. mid.probe.collect_debug_info: This is an optional MID Server property to collect debug information.
        When this property is set to true, the MID Server collects credential debug info and puts it in the payload of ECC input message. It doesn't affect how JEA works.
      2. glide.discovery.log_debug_info: This is an optional system property to collect debug information.
        When this property is set to true, the discovery sensor extracts the debug info from ECC input message and writes it to the discovery log table, so the debug information is visible when inspecting discovery status.