Mercedes_O
Community Manager

How do you use Lansweeper to scan your entire network without relying on domain admin credentials, while still maintaining a strong security posture? What access controls and best practices do you follow? 

Share your comments below.

9 REPLIES
DostlBa
Engaged Sweeper

Actually, I just signed up to ask nearly the same question. We are evaluating different discovery solutions to identify unknown (!) devices.

Security "says no" to central admin accounts for all devices.

Installing an agent is the option for *known* devices. But we would not be able to identify unknown devices. The scenario here would be: manually register during staging, install an agent and get all the details via the agent.

(How) is Lansweeper able to discover / probe e.g. network segments and systems with just IP addresses and perhaps open ports?

Are there whitepapers / demos / manuals out there that show how it works?

Thanks!

Tim_N
Lansweeper Employee

Hey! Welcome @DostlBa -- 

So a few ideas...

* if your security team lets you scan other sources, we might be able to bypass a few challenges. For example, if you use Intune or Airwatch, you can scan assets through one of those.

* Another could be to add a script-based scanning like LsPush (LsPush vs. LsAgent scanning agent - Lansweeper Community). This can be triggered via a GPO/logon script upon each login or schedule. 

* For your virtual servers, you can scan them through VMWare. 

* We also have "Asset Radar" which can be configured to add all assets it "sniffs" out in your network. There is some configuration needed in order to sniff all networks; we can discuss this if needed. 

We often hear of Security teams being concerned about entering credentials. Remember, the credentials ONLY need local admin rights (for Windows). Meaning, you can use a dedicated username that is only available on local machines. If you use "Legacy LAPS", you can configure Lansweeper to do the asset discovery with those credentials as well. 

I know I went a little off topic, but there are ways that we can be creative to watch and discover on your network. 

Finally, if your security team is concerned about password management; all passwords are always stored and encrypted on your environment... we do not store credentials in the cloud platform. If needed, we can help you understand more about our security posture within the platform. 

I hope this helps to get you thinking around a few ideas. This is not an uncommon request. There are many on this forum that have experienced the same thing 😊

Keep us posted on how it goes. 


Tim N.
Lansweeper Employee
Mister_Nobody
Honored Sweeper II

We don't use domain admin accounts in LS:

  1. We use LsPush during user session start via GPO policy.
  2. We use LsPush/LsAgent to scan non-domain computers.
  3. We create separate accounts for computers and servers and set them as LS creds for the scanning target.
Tim_N
Lansweeper Employee

@Mister_Nobody this is another great strategy. 

One benefit of using LsPush at login is that you can track EVERY USER that logs into that machine. Then, you know your user information is accurate when looking at the asset list.

{For those that don't know, the active user will only be displayed from when that asset was scanned. So, if you scan 1x per day, only that one user who was logged on during the scan will be displayed. What Mister_Nobody is doing will provide the up-to-date active user.}

I also like how you combine the agents (point #2) as well as scan the assets with a dedicated credential (step #3). You have this covered well. 

Thanks for sharing! 


Tim N.
Lansweeper Employee
Hendrik_VE
Champion Sweeper III

We solely rely on LsPush for scanning our +1500 (industrial) Windows devices.

Main advantages:

  • Only 1 port needs to be opened in the FW between the Windows device and the scanning server (we have very segregated networks)
  • Unlike LsAgent, no software needs to be installed on the Windows devices when using LsPush. Installing 'unsupported' software on industrial devices could cause warranty issues with the (industrial device) vendor.
  • LsPush is triggered either using a scheduled task (once daily) or using our Antivirus management portal (which can be used to deploy scripts and trigger the LsPush executable).
  • As these industrial devices are not part of any domain, we don't have domain credentials, and using LsPush we don't need any credential to be configured on the device or stored in Lansweeper.
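The scheduled-task deployment Hendrik describes, written out as an added PowerShell example; this is not code from the thread or from Lansweeper. It assumes LsPush.exe has already been copied to C:\Tools\LsPush\ (path assumed), that the scanning server is reachable by the assumed name lansweeper-scan.example.local on TCP 9524 (replace with the port your scanning server actually listens on), and that LsPush accepts the scanning server name as its first argument. Verify the exact LsPush command-line syntax for your version before rolling this out.

```powershell
# Added example (not from the thread or Lansweeper): run LsPush once a day as SYSTEM on a
# non-domain Windows device and open exactly one outbound firewall rule for it.
# Assumed values: binary path, scanning server name, port and LsPush argument syntax.
$LsPushPath = 'C:\Tools\LsPush\LsPush.exe'          # assumed location of the pushed binary
$ScanServer = 'lansweeper-scan.example.local'       # assumed scanning server name
$ScanPort   = 9524                                  # assumed listening port; check your server
$TaskName   = 'Lansweeper-LsPush-Daily'

if (-not (Test-Path -Path $LsPushPath)) {
    throw "LsPush not found at $LsPushPath"
}

# Record the hash of the binary that SYSTEM will execute every day. Keep it in change
# control so a later tampered copy is noticed before the task runs it.
$lsPushHash = (Get-FileHash -Path $LsPushPath -Algorithm SHA256).Hash
Write-Host "LsPush SHA256: $lsPushHash"

# Daily at 03:00 with a random delay of up to 30 minutes per device, so a fleet of
# 1500 devices does not hit the scanning server in the same second.
$action    = New-ScheduledTaskAction -Execute $LsPushPath -Argument $ScanServer
$trigger   = New-ScheduledTaskTrigger -Daily -At 03:00 -RandomDelay (New-TimeSpan -Minutes 30)
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                                        -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
                                          -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                       -Principal $principal -Settings $settings -Force | Out-Null

# One outbound rule, scoped to this program, this destination and this port only.
# Windows Firewall rules take IP addresses, so resolve the server name once here.
$scanIp = (Resolve-DnsName -Name $ScanServer -Type A | Select-Object -First 1).IPAddress
New-NetFirewallRule -DisplayName 'Lansweeper LsPush outbound' -Direction Outbound `
                    -Action Allow -Protocol TCP -RemotePort $ScanPort `
                    -RemoteAddress $scanIp -Program $LsPushPath | Out-Null

# Show what was registered so the result can be checked on the device.
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime, LastRunTime, LastTaskResult
```

Running LsPush under SYSTEM is what makes Hendrik's "no credential stored anywhere" point work: the inventory is pushed from the device, so neither the device nor the scanning server holds a password for it. The firewall rule is scoped to the resolved address of the scanning server, so if that server moves to a new IP the rule has to be updated together with DNS.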
Jacob_H
Lansweeper Employee

omg hey Hendrik 🙂  - I use a mix of LsPush, LsAgent, and one svc acct for workstations, one svc account for servers - and of course set pw to expire in a short interval (not that it really matters anymore) -  I just can't live without active scanning - for catching all the stuff that joins the domain (including Linux, ESXi, whatever you can join hehe) -   I prefer using Asset Radar when possible, but also like to tap into a passive listener or network tap so I don't have to go scanning subnets -  because as we know, with industrial and medical devices (i.e. "fragile" devices) you don't want to just go sweeping willy-nilly

Tim_N
Lansweeper Employee

@Hendrik_VE That's a great idea. I didn't consider warranty issues on industrial systems, this is a good call out for others as well. 

Thanks for sharing your strategy. 

Tim N.
Lansweeper Employee
RandomITDude232
Engaged Sweeper II

So we give it local admin creds on most of our machines, but if a system requires a domain admin cred, we are using the LsAgent to get that information. That way we don't risk the user being too elevated, and we ensure our security team that we can get the info without violating policy. The agents are amazing for getting you the inventory data when elevated creds, and sometimes no creds at all, are your only option for servers. Honestly, we get by okay with simple admin level.

Oh, I like that idea @RandomITDude232 -- I like that you use the agents for those without admin rights. 

Maybe this is a little too personal... about your local admin creds, do you use Legacy LAPS to do this or are you guys using a single local credential? 

I think what you are doing is a good idea. Having a local credential on servers vs. workstations vs. laptops vs. etc. would help to divide out the risk as well. 

Thanks for sharing! Very interesting. 

Tim N.
Lansweeper Employee
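Mister_Nobody's point #3 (separate scanning accounts for computers and servers) and the RandomITDude232/Tim exchange above both come down to the same check: before a dedicated scanning account is handed to the scanning server, confirm it really is not domain-admin equivalent. The following is an added PowerShell example, not code from the thread or from Lansweeper. It assumes the ActiveDirectory RSAT module is installed and uses two assumed account names, svc-ls-workstations and svc-ls-servers; the list of privileged groups and the 90-day password age are assumed policy values.

```powershell
# Added example (not from the thread or Lansweeper): audit the dedicated Lansweeper
# scanning accounts for least privilege. Account names, group list and password age
# below are assumptions; adjust them to your directory.
Import-Module ActiveDirectory

$ScanAccounts       = @('svc-ls-workstations', 'svc-ls-servers')   # assumed names
$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                        'Administrators', 'Account Operators', 'Backup Operators',
                        'Server Operators', 'Print Operators')
$MaxPasswordAgeDays = 90                                           # assumed policy

function Get-NestedGroupNames {
    # All groups the account is a member of, directly or through nesting, using the
    # LDAP_MATCHING_RULE_IN_CHAIN matching rule so one query covers the whole chain.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    # Escape characters that are special inside an LDAP filter value.
    $escaped = $dn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escaped)" |
        Select-Object -ExpandProperty Name
}

function Test-ScanAccount {
    # Returns one object per account with the list of findings; an empty Findings
    # list means the account passed every check in this script.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet,
                AccountNotDelegated, PasswordNeverExpires, ServicePrincipalNames, Enabled
    $groups   = @(Get-NestedGroupNames -SamAccountName $SamAccountName)
    $findings = @()

    $privHits = $groups | Where-Object { $PrivilegedGroups -contains $_ }
    if ($privHits) {
        $findings += "member (directly or nested) of privileged group(s): $($privHits -join ', ')"
    }
    if (-not $user.AccountNotDelegated) {
        $findings += "'Account is sensitive and cannot be delegated' is not set"
    }
    if ($user.PasswordNeverExpires) {
        $findings += 'password never expires'
    }
    if (-not $user.PasswordLastSet -or
        $user.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
        $findings += "password older than $MaxPasswordAgeDays days (or never set)"
    }
    if ($user.ServicePrincipalNames.Count -gt 0) {
        $findings += 'has SPNs registered; its password hash is requestable via Kerberoasting'
    }
    if (-not $user.Enabled) {
        $findings += 'account is disabled'
    }

    [PSCustomObject]@{
        Account  = $SamAccountName
        Groups   = $groups
        Findings = $findings
        Passed   = ($findings.Count -eq 0)
    }
}

$results = $ScanAccounts | ForEach-Object { Test-ScanAccount -SamAccountName $_ }
$results | Format-List Account, Passed, Findings

# Non-zero exit code so the script can gate a change pipeline.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

One caveat this check does not cover: an account that is local Administrator on every workstation (for example through a Restricted Groups GPO) is still a high-value target even though it sits in no privileged domain group, because a single compromised workstation can expose it to everything it can scan. That is the reason for the split into a workstation account and a server account in the replies above, and the same tiering logic argues for a third account, or LsAgent/LsPush with no stored credential at all, for anything more sensitive than those two tiers.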