Bowser
Engaged Sweeper II

I recently learned about the power of PowerShell SessionConfigurations and Just Enough Administration (JEA). There are two things that could benefit Lansweeper scanning.

1. Scan and report on Get-PSSessionConfiguration. I'm deploying more and more SessionConfigurations to servers so users can connect using PowerShell Remoting but are only allowed to run specific commands; without adding them to Remote Desktop Users, Remote Management Users, or Administrators group. It would be useful knowing which computers have which SessionConfigurations. (IT Asset Inventory)

2. Scanning Windows devices without being Administrator. LAPS scanning is a great new feature! However, LAPS still uses a local Admin account, and our security policy blocks local accounts from connecting remotely. Bring out JEA! The Windows device would need a SessionConfiguration that allows an Active Directory non-admin account to connect to it. After connection that non-admin account runs as a virtual account using SYSTEM and the SessionConfiguration restricts what commands it can run. For example, the LansweeperScanning SessionConfiguration could allow all cmdlets that match with Get-* (e.g., Get-Cim*, Get-Wmi*, Get-Process, etc.). This would require Lansweeper scanning service to use PowerShell remoting to scan computers. LsPush/LsAgent could also be used to optionally install the required SessionConfiguration. This would reduce risk because it's a non-admin account and only allowed to run specific cmdlets. (Cybersecurity & Vulnerabilities)

Finally, it would be awesome if Lansweeper supported a gMSA (Group-Managed Service Account) for scanning. Then I wouldn't have to put in a password in the web UI. I'd need to make the gMSA and allow the server running Lansweeper scanner permissions to get the gMSA password. Further reducing the use of passwords. 
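
A sketch of the kind of JEA endpoint the post describes, added here as an illustration; it is not Lansweeper's code or the poster's configuration. The AD group `CONTOSO\Lansweeper-Scanners`, the module name `LansweeperJEA`, the role name `InventoryReader` and the paths are assumptions; run it elevated on the target server.

```powershell
# Added example: names, group and paths below are placeholders, not from the post.
$endpoint  = 'LansweeperScanning'             # endpoint name suggested in the post
$scanGroup = 'CONTOSO\Lansweeper-Scanners'    # assumed AD group of non-admin scan accounts
$module    = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\LansweeperJEA'
$jeaRoot   = Join-Path $env:ProgramData 'JEA'
$pssc      = Join-Path $jeaRoot "$endpoint.pssc"

# Role capability files are only discovered inside a "RoleCapabilities"
# folder of a module that sits on PSModulePath.
New-Item -ItemType Directory -Path "$module\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$module\LansweeperJEA.psd1"

# Read-only inventory cmdlets. An explicit list is easier to audit than the
# 'Get-*' wildcard mentioned in the post, which exposes every Get- cmdlet
# installed on the machine, now and in the future.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\InventoryReader.psrc" `
    -VisibleCmdlets 'Get-CimInstance', 'Get-Process', 'Get-Service'

# Transcripts of every session land here; restrict the folder ACL separately.
New-Item -ItemType Directory -Path "$jeaRoot\Transcripts" -Force | Out-Null

# RestrictedRemoteServer = NoLanguage mode plus a minimal default command set.
# By default the virtual account is a member of the local Administrators group;
# -RunAsVirtualAccountGroups can narrow that if the visible cmdlets allow it.
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory "$jeaRoot\Transcripts" `
    -RoleDefinitions @{ $scanGroup = @{ RoleCapabilities = 'InventoryReader' } }

# Validate the file before registering; registration may restart WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file failed validation: $pssc"
}
Register-PSSessionConfiguration -Name $endpoint -Path $pssc -Force | Out-Null

# Inventory view from the first request: which endpoints exist and who may connect.
Get-PSSessionConfiguration | Select-Object Name, PSVersion, Permission
```

A member of the assumed group would then connect with `Enter-PSSession -ComputerName <server> -ConfigurationName LansweeperScanning` and see only the listed cmdlets.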

1 ACCEPTED SOLUTION
Gilian
Product Team

Hi @Bowser,
These ideas would really be beneficial for the configuration of Lansweeper so extra asset details are retrieved and asset and scan server security is increased.

PS Session Configuration: we're considering including a custom discovery section within the Lansweeper solution.
This would allow you to send specific read commands to your assets and capture these in custom discovery sections.

Just Enough Administration: great tip! While Lansweeper currently relies on RPC, remote registry and sometimes PowerShell (to keep full support with older operating systems), we're currently working on a next-gen version that focuses more on retrieving the data using PowerShell where possible. Adding JEA to the final solution would really help out to have a scan server working according to a least privileged account.

gMSA: we evaluated adding gMSA support previously to Lansweeper but the foundations needed to be changed too drastically.
Hence we're evaluating including this in the next-gen version (mentioned in the section above).

Our current roadmap already has lots of content but custom discovery is at the top of our list to be reviewed.
Thank you for contributing these great ideas!


2 REPLIES
Mercedes_O
Community Manager

Thank you for sharing, @Bowser. I have shared this internally and am also tapping @IainCaldwell into the chat.
