Security considerations for Snow Inventory in relation to Snow Atlas

2021-09-22

Introduction

This document mainly describes functionality in the latest versions of products that are installed in customer environments (referred to as on-premise products). Some functionality described in this document may work differently or not at all in previous versions. This document specifies the functionalities that connect on-premise products with Snow Atlas.

Snow Inventory collects data from computers in an IT environment and feeds it to the SAM on Atlas solution.

The Snow Inventory Agent is the technology running on the client computers to collect the inventory data. It saves the collected data to compressed and encrypted snowpack files, which are then reported by establishing a connection to a configured endpoint, implemented by a Snow Extender or a Snow Inventory Service Gateway installation.

Certificates

Endpoint certificates

Endpoint certificates enable secure HTTPS communication between the endpoint and the agents. The certificate chain must be trusted by the computers on which the agents are run. Best practice is to have the endpoint certificate signed by a trusted third-party Certificate Authority (CA).

Client-side certificates

The endpoints can be configured to only accept connections from agents with authorized certificates. The list of thumbprints for authorized certificates is configured on the endpoint. This is the recommended configuration.

The endpoints can also be configured to accept connections from clients with any or no client certificate. This configuration is exposed to the risk of unauthorized clients reporting data, and is therefore not recommended.

The client-side certificate needs to be deployed together with the agent that is going to use it.

Transport Layer Security (TLS)

Endpoint

The endpoints support TLS versions 1.0, 1.1, 1.2, and 1.3.

Agent

Snow Inventory Agent supports TLS versions 1.0, 1.1, 1.2, and 1.3.

For customers with a strict TLS 1.2 environment, TLS 1.2 needs to be set as the default secure protocol in WinHTTP on Windows. For details, see the following Microsoft support article: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows
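The following PowerShell script is an added example, not part of the Snow documentation or product. It inspects and, if requested, sets the WinHTTP DefaultSecureProtocols registry value that the linked Microsoft article describes (bit values as documented there), so that WinHTTP clients such as the Snow Inventory Agent negotiate TLS 1.2 only. It assumes an elevated session on a 64-bit Windows host and that any WinHTTP update required by the article for the OS version is already installed.

```powershell
# Added example (not Snow's code): decode and set the WinHTTP DefaultSecureProtocols
# bitmask documented in Microsoft KB3140245. Bit values come from that article.
$TlsFlags = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

# Both keys are listed in the article; the Wow6432Node key covers 32-bit processes on 64-bit Windows.
$WinHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function Get-EnabledProtocols {
    # Translate a DefaultSecureProtocols bitmask into the protocol names it enables.
    param([int]$Mask)
    $TlsFlags.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Show-WinHttpProtocols {
    # Report the current setting for each key; an absent value means the OS default applies.
    foreach ($key in $WinHttpKeys) {
        $value = (Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
        if ($null -eq $value) {
            Write-Output "$key : DefaultSecureProtocols not set (OS default applies)"
        } else {
            $names = (Get-EnabledProtocols -Mask $value) -join ', '
            Write-Output ("{0} : 0x{1:X} ({2})" -f $key, $value, $names)
        }
    }
}

function Set-WinHttpTls12Only {
    # Strict TLS 1.2 environment: write only the TLS 1.2 bit (0x800) to both keys.
    foreach ($key in $WinHttpKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name DefaultSecureProtocols -Value $TlsFlags['TLS 1.2'] -Type DWord
    }
}

Show-WinHttpProtocols
# Uncomment to apply the strict setting, then re-run Show-WinHttpProtocols to verify:
# Set-WinHttpTls12Only
```

Run Show-WinHttpProtocols before and after the change so the resulting bitmask is recorded alongside the agent deployment.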

Encryption

AES-128 is used for encryption of snowpack files.

Oracle Scanner

Snow Inventory Oracle Scanner does not require root privileges. Elevated permissions (superuser) can be achieved by using sudo.

For more information, see Snow Inventory Agents for Oracle.

Anonymization of data

Snow Inventory Agent can be configured to anonymize and send inventoried computer data. The following data can be replaced by a SHA-1 hash value:

  • User names of logged-on users.

  • User names in software metering (i.e. users who have used applications on the computer).

  • The IP addresses assigned to the network interfaces of the computer.

To anonymize these types of data, add the following system settings to the agent configuration file:

privacy.hide_user=true

privacy.hide_ip=true

For more information, see User Guide: Configuration for Snow Inventory Agents.

PowerShell scripts

The Snow Inventory Agent for Windows has support for running Windows PowerShell scripts as part of the inventory scanning process:

  • PowerShell 5.1 – Both signed and unsigned scripts

  • PowerShell 5.0 – Signed scripts only

  • PowerShell 4.x – Both signed and unsigned scripts

  • PowerShell 3.x – Both signed and unsigned scripts

The built-in functionality uses the output of the Windows PowerShell scripts to create software or custom registry keys within the inventory result that is sent from the agent to the Inventory Master Server. This will enable scanning of additional information from software products, but can also be used for custom tasks such as identifying which users are local administrators on each machine.

For more information, see PowerShell script integrity mode.