Skip to main content

Security considerations in Snow Inventory

2021-09-22

Introduction

This document describes functionality in the latest versions of products. Some functionality described in this document may work differently or not at all in previous versions.

Snow Inventory discovers computers in an IT environment. The results are displayed in Snow Inventory Admin Console. Computers that are not yet inventoried can easily be identified by using the built-in discovery views in the console. All network equipment and mobile devices can be discovered and displayed as discovered devices in the console.

Snow Inventory provides customers with the ability to keep their Snow Inventory Agents up to date with the latest product releases. Updates for agent versions and new configuration settings for different supported operating systems can be centrally managed using Snow Inventory Admin Console.

The Snow Inventory Agent is the technology running on the client computers to collect the inventory data. It saves the collected data to compressed and encrypted snowpack files, which are then reported by establishing a connection to a configured endpoint, implemented by a Snow Extender or a Snow Inventory Service Gateway installation.

See also Security Considerations in Snow License Manager 9 and Snow Inventory 6.

Certificates

Server-side certificates

Server-side certificates enable trusted HTTP communication between the server and the agents. The certificate chain must be trusted by the computers on which the agents are run. Best practice is to have the server-side certificate signed by a trusted third-party Certificate Authority (CA).

Client-side certificates

Client-side certificates enable the server to allow list agents that are trusted. The client-side certificate is a shared secret that needs to be distributed along with each of the Snow Inventory Agents.

Custom encryption keys

The Snow Inventory Agent encrypts the inventory result, called snowpack file, by using a default crypto key. However, a customer can choose to use one, or several of their own keys. For that purpose, Snow can provide a tool for customers that want to use their own keys for encryption and decryption of the snowpack files.

Transport Layer Security (TLS)

Snow Inventory Server uses the allowed ciphers and TLS of the underlying servers. For more information on how to define which ciphers and TLS versions to use, see https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls.

Server

Snow Inventory Server supports TLS versions 1.0, 1.1, 1.2, and 1.3.

Agent

Snow Inventory Agent supports TLS versions 1.0, 1.1, 1.2, and 1.3.

For customers with a strict TLS 1.2 environment, TLS 1.2 needs to be set as the default secure protocol in WinHTTP on Windows. For details, see the following Microsoft support article:

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows

Encryption

AES-128 is used for encryption of snowpack files.

Oracle Scanner

Snow Inventory Oracle Scanner does not require root privileges. Elevated permissions (superuser) can be achieved by using sudo.

For more information, see Snow Inventory Oracle Scanner.

Anonymization of data

Snow Inventory Agent can be configured to anonymize and send inventoried computer data. The following data can be replaced by a SHA-1 hash value:

  • Usernames of logged-on users.

  • Usernames in software metering (i.e. users who have used applications on the computer).

  • the IP addresses assigned to the network interfaces of the computer.

To anonymize these types of data, add the following system settings to the agent configuration file:

privacy.hide_user=true

privacy.hide_ip=true

For more information, see Agent configuration file.

PowerShell scripts

The Snow Inventory Agent for Windows has support for running Windows PowerShell scripts as part of the inventory scanning process:

  • PowerShell 5.1 – Both signed and unsigned scripts

  • PowerShell 5.0 – Signed scripts only

  • PowerShell 4.x – Both signed and unsigned scripts

  • PowerShell 3.x – Both signed and unsigned scripts

The built-in functionality uses the output of the Windows PowerShell scripts to create software or custom registry keys within the inventory result that is sent from the agent to the Inventory Master Server. This will enable scanning of additional information from software products, but can also be used for custom tasks such as identifying which users are local administrators on each machine.

For more information, see Running PowerShell scripts as part of the scanning process.

In this section: