The most important protocols WMI (Windows Management Instrumentation) and Remote Registry are not known to be the most efficient protocols. However they are for most agent-less discovery products the sole source of information. When running within a 100MBit or 1Gbit ethernet local area network, accessing WMI or registry information is not an issue. However, when it comes to the remote sites that are connected through low bandwidth connections, this can cause problems. We made some tests with remote computers where a simple registry access could take up to 30 seconds. Imagine, you need to enumerate and read through hundreds of registry items in order to read the software items installed on a computer! Then a discovery for one computer can easily last 45 minutes or more! Of course, this is not acceptable.
There are agent based discovery products that circumvent this problem by installing so called “agents” on the target computers. This approach has advantages, but also some drawbacks. While agents have full access to a computer’s resources (since they are running locally) and therefore can discover every piece of information that the computer provides, they can be time consuming and difficult to deploy. Upgrading agents can also cause some hassle. Some devices (such as routers, switches and printers) do not even allow the installation of proprietary agents.
JDisc Discovery is a hybrid discovery product. While it is agent-less by default, it provides a powerful option called remote login for Windows computers. When the user enables this option, then JDisc deploys a discovery agent to the target computer while the target computer is scanned. When the scan finishes, then the agent automatically destroys itself and all temporary files. The agent has some unique capabilities:
- It gets deployed automatically without any manual interaction
- It can copy files from and to the target computer in a secure and encrypted manner
- It can execute any command and capture its output
- The agent destroys itself when the scan has been completed
It is pretty easy to enable remote login for Windows. Simply open the discovery settings dialog and switch to the “Protocols” tab. Enable remote login for Windows by changing the “Windows” combo box in the upper area to “Windows Remote Login”.
But what does happen exactly when you enable this option? When a Windows computer gets discovered, then
- JDisc tries to get administrative access to the computer via the SMB protocol
- If that succeeds, then JDisc deploys and starts the agent on the target computer
- Now, JDisc can make use of the agent to execute native commands on the computer or to copy collection binaries from the discovery station to the target computer.
- Finally, when the scan is finished, the agent destroys itself and removes all temporary files.
There are several advantages when using the remote login agent:
- WMI uses several different TCP/IP ports to community with the target computer. When there are firewalls blocking the traffic, then the remote WMI connection usually fails with a “The RPC server is unavailable” error. For agent-less discovery tools, that do not offer a similar technology as JDisc does, that means: End of discovery, no Data! However JDisc needs for its remote login capability only one open port (Port 445) and it tunnels remote registry and WMI access through the agent.
- Remote registry access is only possible, when the remote registry service is up and running. Through JDisc’s remote login technology, you can even read registry entries when the remote registry service is not running.
- Local firewalls (that are especially enabled on Windows 7 by default) can block WMI traffic and thus agent-less discovery tools are blind. JDisc can tunnel WMI request through port 445 via its remote login agent.
- WMI and especially remote registry access can get very slow when it is not in the same LAN. Especially requests over wide area networks can get very slow. JDisc’s remote login speeds this up by performing the requests locally on the target computer and then transmitting the result in an efficient and compact way to the discovery server. We exeperienced a speed improved of eight up to ten times!
JDisc offers different settings for WMI and registry tunneling:
- Select “Use when native access fails” (this is the default), if you would like to use the remote login tunneling only when the native protocols fail (e.g. due to firewall issues).
- Select “Use always” to let JDisc Discovery use the remote login tunnel for WMI or registry access regardless of the native protocol status.
- Select “Disabled” if you would not like to use the tunnels for WMI or remote registry.
Consulsion: JDisc Discovery’s remote login capability is a key differentiator to traditional agent-less discovery products. Access WMI information although the WMI ports get blocked by a firewall and dramatically increase the speed of computers that are connected through a wide are network!