This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PSSessionConfiguration, JEA, and gMSA

Go to solution
Bowser
Engaged Sweeper II

‎06-01-2023 12:33 AM - last edited on ‎06-14-2023 07:40 PM by Community Manager

I recently learned about the power of PowerShell SessionConfigurations and Just Enough Administration (JEA). There are two things that could benefit Lansweeper scanning.

1. Scan and report on Get-PSSessionConfiguration. I'm deploying more and more SessionConfigurations to servers so users can connect using PowerShell Remoting but are only allowed to run specific commands; without adding them to Remote Desktop Users, Remote Management Users, or Administrators group. It would be useful knowing which computers have which SessionConfigurations. (IT Asset Inventory)

2. Scanning Windows devices without being Administrator. LAPS scanning is a great new feature! However, LAPS still uses a local Admin account, and our security policy blocks local accounts from connecting remotely. Bring out JEA! The Windows device would need a SessionConfiguration that allows an Active Directory non-admin account to connect to it. After connection that non-admin account runs as a virtual account using SYSTEM and the SessionConfiguration restricts what commands it can run. For example, the LansweeperScanning SessionConfiguration could allow all cmdlet's that match with Get-* (e.g., Get-Cim*, Get-Wmi*, Get-Process, etc.). This would require Lansweeper scanning service to use PowerShell remoting to scan computers. LsPush/LsAgent could also be used to optionally install the required SessionConfiguration. This would reduce risk because it's a non-admin account and only allowed to run specific cmdlets. (Cybersecurity & Vulnerabilities)

Finally, it would be awesome if Lansweeper supported a gMSA (Group-Managed Service Account) for scanning. Then I wouldn't have to put in a password in the web UI. I'd need to make the gMSA and allow the server running Lansweeper scanner permissions to get the gMSA password. Further reducing the use of passwords. 

1 ACCEPTED SOLUTION
Go to solution
Gilian
Product Team
Product Team

‎06-02-2023 03:36 PM

Hi @Bowser,
These ideas would really be beneficial for the configuration of Lansweeper so extra asset details are retrieved and asset and scan server security is increased.

PS Session Configuration: we're considering including a custom discovery section within the Lansweeper solution.
This would allow you to send specific read commands to your assets and capture these in custom discovery sections.

Just Enough Administration: great tip! While Lansweeper currently relies on RPC, remote registry and sometimes PowerShell (to keep full support with older operating systems), we're currently working on a next-gen version that focuses more on retrieving the data using Powershell where possible. Adding JEA to the final solution would really help out to have a scan server working according to a least privileged account.

gMSA: we evaluated adding gMSA support previously to Lansweeper but the foundations needed to be changed too drastically.
Hence we're evaluating including this in the next-gen version (mentioned in the section above)

Our current roadmap already has lots of content but custom discovery is at the top of our list to be reviewed.
Thank you for contributing these great ideas!

View solution in original post

2 REPLIES 2
Go to solution
Gilian
Product Team
Product Team

‎06-02-2023 03:36 PM

Hi @Bowser,
These ideas would really be beneficial for the configuration of Lansweeper so extra asset details are retrieved and asset and scan server security is increased.

PS Session Configuration: we're considering including a custom discovery section within the Lansweeper solution.
This would allow you to send specific read commands to your assets and capture these in custom discovery sections.

Just Enough Administration: great tip! While Lansweeper currently relies on RPC, remote registry and sometimes PowerShell (to keep full support with older operating systems), we're currently working on a next-gen version that focuses more on retrieving the data using Powershell where possible. Adding JEA to the final solution would really help out to have a scan server working according to a least privileged account.

gMSA: we evaluated adding gMSA support previously to Lansweeper but the foundations needed to be changed too drastically.
Hence we're evaluating including this in the next-gen version (mentioned in the section above)

Our current roadmap already has lots of content but custom discovery is at the top of our list to be reviewed.
Thank you for contributing these great ideas!

Go to solution
Mercedes_O
Community Manager
Community Manager

‎06-02-2023 01:16 PM

Thank you for sharing @Bowser  I have shared this internally and also tapping @IainCaldwell  into the chat

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now