DeepSurface requires access to an administrator account on all general-purpose operating systems (*BSD, Linux, MacOS, Windows) in scope for scanning. In the case of credentialed scans, this means DeepSurface must be configured with credentials for a local or domain user who is a member of the host's Administrators group on Windows; for UNIX derivatives (*BSD/Linux/MacOS), the root user or a user who has root access via sudo is required. In the case of agent deployments, the DeepSurface agent is installed to run with a privileged account and no specific access rights configuration is required.
DeepSurface gathers information from a wide – and ever-growing – variety of digital artifacts, some of which require elevated privileges to access. The following are examples of valuable information that is collected and that requires elevated privileges to access:
RiskAnalyzer goes to great lengths to uniquely identify hosts using locally obtained identifiers, helping avoid confusion in scan results if multiple vulnerability scanners have scanned a single system or a system has multiple IP addresses, duplicate IP addresses, multiple MAC addresses, etc. In some cases the identifiers collected include hardware/BIOS identifiers that are only available to privileged users.
Scans include analysis of SSH public/private key pairs in order to determine which users have access to log in to accounts on other hosts. Typically these files are only readable by the specific user accounts they’re configured for, or an administrative user.
Scans include analysis of RDP usage patterns, helping identify which users likely have access to remote Windows systems. This information is cached in registry keys and profile directories that are only accessible to their owners or administrators.
RiskAnalyzer enumerates cached password hashes (such as MSCACHE hashes) that, in some situations, could be stolen if a host is compromised and subsequently used to target domain accounts. This information is available only to administrators.
User behavior information, as it relates to client-side software utilization, is collected to provide a dramatically improved understanding of how vulnerabilities in browser, email client, document viewing/editing, and similar software could be exploited in practice. This information is typically stored in user profile directories that can only be accessed by their owners or an administrator.
On UNIX derivatives that are joined to Windows domains, access to the configuration files that define the behavior of this integration is sometimes restricted to administrators.
DeepSurface RiskAnalyzer collects detailed metadata about each running process on every operating system. On UNIX derivatives, this information is often limited for non-root users.
Detailed listening port information is collected by RiskAnalyzer to associate running processes with the TCP and UDP services they expose, as well as with the service accounts those processes run under. This information is sometimes restricted for non-root users on UNIX derivatives.
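To make the last two points concrete, here is an added example (not DeepSurface code) of how a Linux collector ties listening TCP sockets to their owning processes, and where that attribution silently fails for an unprivileged account: every listening socket is visible in /proc/net/tcp, but mapping its inode to a PID requires reading /proc/<pid>/fd, which is only readable for the caller's own processes unless the caller is root. The /proc/net/tcp sample embedded below is constructed; live_report() walks the real /proc on a Linux host.

```python
"""Added example, not DeepSurface code. Listening sockets come from /proc/net/tcp
(constructed sample below); tying a socket inode to a PID needs /proc/<pid>/fd,
which is readable only for your own processes unless root/CAP_SYS_PTRACE."""
import os
import re

# Constructed /proc/net/tcp sample: st 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:B2A4 0100007F:1538 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 0 0 10 -1
"""

def parse_listeners(text):
    """Return [(port, uid, inode)] for every socket in LISTEN state."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 10 and f[3] == "0A":
            out.append((int(f[1].split(":")[1], 16), int(f[7]), int(f[9])))
    return out

def socket_inodes(pid):
    """Socket inodes held by pid; None when /proc/<pid>/fd is not readable."""
    fd_dir = f"/proc/{pid}/fd"
    try:
        links = [os.readlink(os.path.join(fd_dir, n)) for n in os.listdir(fd_dir)]
    except PermissionError:
        return None              # another user's process, and we are unprivileged
    except OSError:
        return set()             # process exited (or an fd vanished) mid-scan
    return {int(m.group(1)) for m in map(re.compile(r"socket:\[(\d+)\]").match, links) if m}

def attribute(listeners, fd_map):
    """fd_map: {pid: inode set or None}. Returns ({inode: pid}, unreadable pid count)."""
    owner = {ino: pid for pid, inodes in fd_map.items() if inodes for ino in inodes}
    unreadable = sum(1 for inodes in fd_map.values() if inodes is None)
    return {ino: owner[ino] for _, _, ino in listeners if ino in owner}, unreadable

def live_report():
    """Linux only: walk the real /proc and show how much attribution succeeds."""
    with open("/proc/net/tcp") as fh:
        listeners = parse_listeners(fh.read())
    fd_map = {int(p): socket_inodes(int(p)) for p in os.listdir("/proc") if p.isdigit()}
    resolved, unreadable = attribute(listeners, fd_map)
    print(f"{len(listeners)} listening, {len(resolved)} attributed to a PID, "
          f"{unreadable} processes with unreadable fd tables")
    return resolved, unreadable
```

Run live_report() once as an ordinary user and once as root on the same host: the listening count is identical, but the attributed count only reaches it in the privileged run, which is the gap a scanning account without root leaves in the data.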
RiskAnalyzer scans database systems (such as Microsoft SQL Server, MySQL, or PostgreSQL) to gather access rights information and to better understand which applications would be put at risk if certain users are compromised. While it is possible to configure a security scanning service account with rights to retrieve this information from each database host, this typically creates a management burden that doesn't scale within security teams.
In addition to all of the specific data elements collected above, note that, in contrast to UNIX derivatives, Windows operating systems by default do not allow scripted remote command execution of any kind without administrative access.
For all of these reasons, the DeepSurface development team made the decision to require deployments to have administrative privileges, as the alternative would result in a product with dramatically reduced value and/or significantly increased management costs.