Mercedes_O
Community Manager

How do you use Lansweeper to scan your entire network without relying on domain admin credentials, while still maintaining a strong security posture? What access controls and best practices do you follow? 

Share your comments below.

6 REPLIES
Mister_Nobody
Honored Sweeper II

We don't use domain admin accounts in LS:

  1. We use LsPush at user session start via GPO policy.
  2. We use LsPush/LsAgent to scan non-domain computers.
  3. We create separate accounts for computers and servers and set them as LS credentials for the scanning targets.
Tim_N
Lansweeper Employee

@Mister_Nobody this is another great strategy.

One benefit of using LsPush at login is that you can track EVERY USER that logs into that machine. Then, you know your user information is accurate when looking at the asset list.

(For those that don't know, the active user will only be displayed from when that asset was scanned. So, if you scan 1x per day, only that one user who was logged on during the scan will be displayed. What Mister_Nobody is doing will provide the up-to-date active user.)

I also like how you combine the agents (point #2) as well as scan the assets with a dedicated credential (step #3). You have this covered well. 

Thanks for sharing! 
Tim N.
Lansweeper Employee
Hendrik_VE
Champion Sweeper III

We solely rely on LsPush for scanning our +1500 (industrial) Windows devices.

Main advantages:

  • Only 1 port needs to be opened in the FW between the Windows device and the scanning server (we have very segregated networks).
  • Unlike LsAgent, no software needs to be installed on the Windows devices when using LsPush. Installing 'unsupported' software on industrial devices could cause warranty issues with the (industrial device) vendor.
  • LsPush is triggered either using a scheduled task (once daily) or using our antivirus management portal (which can be used to deploy scripts and trigger the LsPush executable).
  • As these industrial devices are not part of any domain, we don't have domain credentials, and using LsPush we don't need any credential to be configured on the device or stored in Lansweeper.
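One way to set up the daily LsPush scheduled task described above, added here as an example that is not part of this thread or of Lansweeper's own tooling. It assumes LsPush.exe has been copied to C:\Tools, that the scan server is lansweeper-server.example.com, and that the listener port is the default 9524; all three are placeholders to confirm against your own Lansweeper configuration.

```powershell
# Added example: register a daily LsPush run on a non-domain Windows device.
# The task runs as LOCAL SYSTEM, so no user credential is stored on the device
# or in Lansweeper, matching the approach in the post above.
# Assumed values (not from the thread): path, server name and port are placeholders.
$LsPushPath = 'C:\Tools\LsPush.exe'
$ScanServer = 'lansweeper-server.example.com'
$ScanPort   = 9524   # default LsPush/LsAgent listener port; confirm in your Lansweeper settings

if (-not (Test-Path $LsPushPath)) {
    throw "LsPush.exe not found at $LsPushPath"
}

# Pre-check: the only firewall opening needed is outbound from this device to the
# scan server on $ScanPort. Fail early if that rule is not in place.
$reach = Test-NetConnection -ComputerName $ScanServer -Port $ScanPort -WarningAction SilentlyContinue
if (-not $reach.TcpTestSucceeded) {
    throw "Cannot reach $ScanServer on TCP $ScanPort; check the firewall rule before registering the task."
}

# LsPush takes the scan server name as its first argument and pushes the local inventory to it.
$action    = New-ScheduledTaskAction -Execute $LsPushPath -Argument $ScanServer
$trigger   = New-ScheduledTaskTrigger -Daily -At '3:00AM'
# ServiceAccount logon type runs as SYSTEM with no stored password; Highest gives a full local inventory.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName 'Lansweeper LsPush daily' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force | Out-Null

# Verify what was registered: the task should run as SYSTEM and the action should be
# exactly LsPush.exe followed by the scan server name, nothing else.
Get-ScheduledTask -TaskName 'Lansweeper LsPush daily' |
    Select-Object TaskName, State,
        @{ Name = 'RunAs';  Expression = { $_.Principal.UserId } },
        @{ Name = 'Action'; Expression = { $_.Actions.Execute + ' ' + $_.Actions.Arguments } }
```

Run it once from an elevated PowerShell session on the device (or push it through the same deployment channel used for the LsPush binary); the final Select-Object output is what to compare against the expected SYSTEM principal and action.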
Tim_N
Lansweeper Employee

@Hendrik_VE That's a great idea. I didn't consider warranty issues on industrial systems; this is a good call-out for others as well.

Thanks for sharing your strategy.

Tim N.
Lansweeper Employee
RandomITDude232
Engaged Sweeper II

So we give it local admin creds on most of our machines, but if a system requires a domain admin cred, we use LsAgent to get that information. That way we don't risk the user being too elevated, and we assure our security team that we can get the info without violating policy. The agents are amazing for getting you the inventory data when elevated creds, and sometimes no creds at all, are your only option for servers. Honestly, we get by okay with simple admin level.
Tim_N
Lansweeper Employee

Oh, I like that idea @RandomITDude232 -- I like that you use the agents for those without admin rights.

Maybe this is a little too personal... about your local admin creds, do you use Legacy LAPS to do this, or are you guys using a single local credential?

I think what you are doing is a good idea. Having a separate local credential for servers vs. workstations vs. laptops vs. etc. would help to divide out the risk as well.

Thanks for sharing! Very interesting.

Tim N.
Lansweeper Employee