How are device credentials stored and managed in NPM, and what security considerations apply?

• A. Credentials are stored in plaintext in log files.
• B. Credentials are stored securely in the Orion DB; use encryption, least privilege, and restrict credential access; prefer SNMPv3 and Windows WMI credentials with care.
• C. Credentials are never stored.
• D. Credentials can be shared openly among admins.

Answer: (B)

Credentials are kept centrally in the Orion database within a protected credential store and are stored in encrypted form to protect them at rest. This design prevents credentials from being scattered in logs or on devices, and access is governed by the platform’s security model, enforcing least privilege so only authorized users or services can view or use them. When NPM polls devices, it uses these stored credentials rather than exposing them.

Security considerations emphasize encryption at rest, strict access controls, and auditing who can view or modify credentials, along with regular rotation. For network devices, prefer SNMPv3 because it provides authentication and encryption, unlike older SNMP versions. For Windows devices, WMI credentials can be used but should be limited in scope, rotated, and kept under tight access controls. Avoid sharing credentials openly among admins or storing them in plaintext or logs.