Backup of NAS, file shares, file servers and object storage.
mikebeal
Lurker
Posts: 2
Liked: never
Joined: Oct 08, 2020 10:31 pm
Full Name: Mike Beal

Feature Request - credential management

Post by mikebeal »

How many of us have used Spiceworks? Consider how you go into the credential manager and add all the various credentials. Then the scanner will try the different credentials until either one works, or they all fail. Great system! Any previous Unitrends users will recognize the same system. Even a switch management utility from many years ago had that same process. I've seen it so often I assumed it was common practice by now, but compare that with Veeam's "per-server" system for managing non-default credentials. Ooh! Veeam, serious black eye there.

I'm trying to back up hundreds of VMs, various OSs, with various credentials. I can configure one default that will work on maybe 40% of the servers. That leaves an incredible amount of manual work to get backups working the way I want. It would be WONDERFUL if you could improve this situation.
Gostev
Chief Product Officer
Posts: 31513
Liked: 6692 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature Request - credential management

Post by Gostev »

Did you ever consider standardizing a service account across all your machines? I mean, only having it standardized across 40% seems unusual, and makes such an infrastructure hard to manage. You're actually the first customer to come with this request in 12 years, out of over 600'000 active installations... so this alone tells something.

Also, this approach of trying every saved credential against every machine to see which one "sticks" has a number of security implications. Any enterprise security team will definitely have a huge problem with this, as it means storms of invalid logons to audit, account lockouts, malicious appliance concerns (any machine that will appear will get a logon attempt with every saved credential), etc.

Maybe there are ways to improve our credentials management for environments such as yours, but the above approach seems very wrong indeed.

Re: Feature Request - credential management

Post by mikebeal »

Valid points, though I disagree.

If it were a good security practice to have a single account that could compromise the entire network, tools like LAPS wouldn't exist. You also wouldn't have so many other systems that already implement this approach very successfully. I think it's LESS secure, not MORE secure, to use a single account everywhere.

As for the account lockouts, the way this is implemented is you configure the credentials in the order you want them tried. So you order them most common to least common. The first time through, you will get a lot of alerts and errors. Once valid credentials are detected, those credentials are remembered for that system. So you won't get the alerts and errors on every run--only the first run. If you edit the backup--say you add a server--you may see access issues on the new server only that first time, and only if it's not using the most common (first listed) account.

If nothing else, this is so much easier to set up. Why not add this convenience for your customers? I just don't see any downside to it. If you want to use one account everywhere, you only add one account. If you have that one-off system that doesn't match everything else, this is an easier way to get it working correctly. Honestly, I am stunned that I'm the first one to request this. However, from your statistics, I don't expect this to change. I would just submit that if you haven't tried this method, you should. It's much better.
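
For anyone auditing the invalid-logon storms and first-run failures discussed in this thread, here is an added example (not posted by either participant and not Veeam code) that flags a source cycling through several distinct accounts against one target within a short window. The record layout, host names and account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Assumed layout of each
# failed-logon record: timestamp,source_host,target_host,account
SAMPLE_FAILURES = """\
2020-10-09T01:00:02,backup01,vm-app-07,svc_backup
2020-10-09T01:00:03,backup01,vm-app-07,svc_sql
2020-10-09T01:00:04,backup01,vm-app-07,local_admin
2020-10-09T01:00:05,backup01,vm-app-07,svc_legacy
2020-10-09T01:00:09,backup01,vm-db-02,svc_backup
2020-10-09T03:15:40,ws-114,vm-db-02,jsmith
2020-10-09T03:16:10,ws-114,vm-db-02,jsmith
"""


def parse_failures(text):
    """Return (timestamp, source, target, account) tuples in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, source, target, account = (f.strip() for f in line.split(","))
            events.append((datetime.fromisoformat(ts), source, target, account))
    return sorted(events)


def find_credential_cycling(events, min_accounts=3, window=timedelta(minutes=5)):
    """Flag source/target pairs where one source fails logon with at least
    min_accounts distinct accounts inside a sliding time window."""
    by_pair = defaultdict(list)
    for ts, source, target, account in events:
        by_pair[(source, target)].append((ts, account))
    findings = []
    for (source, target), attempts in sorted(by_pair.items()):
        best, start = set(), 0
        for end in range(len(attempts)):
            # Shrink the window until it spans no more than `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {acct for _, acct in attempts[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            findings.append({"source": source, "target": target,
                             "accounts": sorted(best)})
    return findings


if __name__ == "__main__":
    for hit in find_credential_cycling(parse_failures(SAMPLE_FAILURES)):
        print(hit)
```

A user retyping one password (the `ws-114` rows) is not flagged, because the rule counts distinct accounts rather than raw failures.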