Permissions & Authentication
A more detailed discussion of how Liongard gains the permissions that it needs in order to do various types of inspections.
Liongard Agents run many different types of Inspectors against many different types of systems. As such, Agents and Inspectors authenticate to different systems in different ways depending on what management interfaces the system has available.
Cloud-Based API / Management Interface
When Liongard authenticates to a service with a public, web-facing API, the authentication credentials are typically entered into the Liongard web interface, where they are securely stored and used per-inspection job.
These Inspectors typically run through one of your Managed Cloud Agents since no privileged network access is required.
For Example...
- Webroot: Public-facing API authenticated using credentials entered into the Liongard web interface
- Microsoft 365: Microsoft Graph API (REST based)
- Amazon Web Services: Public-facing API authenticated using credentials entered into the Liongard web interface
Windows / Active Directory Authentication
When Liongard performs an inspection against a service via Windows or Active Directory's native authentication mechanisms, permissions come from the user that the Liongard Agent service is executing as.
When installed without being set up to "Run As" a particular Active Directory user, the Liongard Agent service installs as "Local System", meaning that it has permissions only against the local server on which the Agent is installed.
When installed to "Run As" an Active Directory user with appropriate permissions, the Agent can run inspections against other elements joined to the AD domain according to that user's permissions. See our Agent Service Permissions documentation for additional information.
For Example...
- Active Directory: PowerShell implicitly authenticated by the Liongard Agent service's user
- SQL Server in "Windows Authentication" mode: PowerShell implicitly authenticated by the Liongard Agent service's user
- Windows server in "remote inspection" mode: PowerShell implicitly authenticated by the Liongard Agent service's user
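Because the Agent's reach is exactly that of its service account, it is worth checking which account the service actually runs as and whether that account holds more privilege than inspections need. The PowerShell below is an added example, not Liongard code or part of the original page; the service name is a placeholder, and the list of high-privilege groups is an assumption to adjust to local policy.

```powershell
# Added example, not Liongard code. The default service name is a placeholder:
# the page does not give the Agent's Windows service name.
param([string]$ServiceName = '<liongard-agent-service-name>')

# Groups this example treats as excessive for an inspection account (assumption).
$HighPrivilegeGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-ServiceLogonClass {
    param([string]$StartName)
    # Classify the "Log On As" value that Win32_Service reports in StartName.
    $localPrefix = '^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\'
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') { return 'LocalSystem' }
    if ($StartName -match '^NT (AUTHORITY|SERVICE)\\')             { return 'BuiltInService' }
    if ($StartName -match $localPrefix)                            { return 'LocalAccount' }
    if ($StartName -match '^[^\\]+\\[^\\]+$|^[^@]+@[^@]+$')        { return 'DomainAccount' }
    return 'Unknown'
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on $env:COMPUTERNAME." }

$class = Get-ServiceLogonClass -StartName $svc.StartName
Write-Output ("{0} runs as '{1}' ({2})" -f $svc.Name, $svc.StartName, $class)

switch ($class) {
    'LocalSystem' {
        Write-Output 'Local System: inspections are limited to this server.'
    }
    'DomainAccount' {
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $ctx  = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
                    [System.DirectoryServices.AccountManagement.ContextType]::Domain)
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $svc.StartName)
        if (-not $user) { Write-Warning 'Account not resolved as a user object; review it manually.'; break }
        # GetAuthorizationGroups() includes nested (transitive) memberships.
        $risky = $user.GetAuthorizationGroups() |
                 Where-Object { $HighPrivilegeGroups -contains $_.SamAccountName }
        if ($risky) { Write-Warning ('Member of: ' + (($risky.SamAccountName | Sort-Object -Unique) -join ', ')) }
        else        { Write-Output 'No membership in the listed high-privilege groups.' }
    }
    default { Write-Warning "Logon type '$class': confirm this is the intended Run As account." }
}
```

Run it on the server hosting the Agent from a domain-joined session; a warning about group membership means the Run As account can reach more than the inspections described above require.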
On-Device API / Management Interface
When Liongard authenticates to a service with an API hosted on a local device like a firewall, or to another local management interface like SSH, the authentication credentials are typically entered into the Liongard web interface, where they are securely stored and used per-inspection job.
These Inspectors typically run through an On-Premises Agent since local management interfaces are usually not accessible from the public internet.
For Example...
- Cisco ASA: Connects via SSH and authenticates based on credentials or certificates input to the Liongard web interface
- Sophos XG: Connects to an API hosted on the local device based on credentials input to the Liongard web interface
Public Source Data
When Liongard is pulling data from public sources such as DNS, WHOIS servers, and public web services, no authentication is required.
These Inspectors typically run through one of your Managed Cloud Agents since no privileged network access is required.
For Example...
- Internet Domain: Pulls data from public DNS and WHOIS servers without any authentication.
- SSL / TLS: Pulls certificates and associated information from public-facing web servers without any authentication.