[Community Discussion] Scanning without domain admin credentials - Comment below

Hey! Welcome @DostlBa -- 

So a few ideas...

* if your security team lets you scan other sources, we might be able to bypass a few challenges. For example, if you use Intune or Airwatch, you can scan assets through one of those.

* Another could be to add a script-based scanning like LsPush (LsPush vs. LsAgent scanning agent - Lansweeper Community). This can be triggered via a GPO/logon script upon each login or schedule. 

* For your virtual servers, you can scan them through VMWare. 

* We also have "Asset Radar" which can be configured to add all asset it "sniffs" out in your network. There is some configuration needed in order to sniff all networks--we can discuss this if needed. 

We often hear of Security teams being concerned about entering credentials. Remember, the credentials ONLY need local admin rights (for Windows). Meaning, you can use a dedicated username that is only available on local machines. If you use "Legacy LAPS", you can configure Lansweeper to do the asset discovery those credentials as well. 

I know I went a little off topic, but there are ways that we can be creative to watch and discover on your network. 

Finally, if your security team is concerned about password management; all passwords are always stored and encrypted on your environment... we do not store credentials in the cloud platform. If needed, we can help you understand more about our security posture within the platform. 

I hope this helps to get you thinking around a few ideas. This is not an uncommon request. There are many on this forum that have experienced the same thing 😊

Keep us posted on how it goes. 

@Mister_Nobody this is another great strategy. 

One benefit of using LsPush at login is that you can track EVERY USER that logs into that machine. Then, you know your user information is accurate when looking at the asset list.

{For those that don't know, the active user will only be displayed from when that asset was scanned. So, if you scan 1x per day, only that one user who was logged on during the scan will be displayed. What Mister_Nobody is doing will provide the up-to-date active user.}

I also like how you combine the agents (point #2) as well as scan the assets with a dedicated credential (step #3). You have this covered well. 

Thanks for sharing! 

omg hey Hendrik 🙂  - I use a mix of lspush, lsagent, and one svc acct for workstations, one svc account for servers - and of course set pw to expire in a short interval (not that it really matters anymore) -  I just can't live without active scanning - for catching all the stuff that joins the domain (including linux, esxi, whatever you can join hehe) -   I prefer using asset radar when possible, but also like to tap into a a passive listener or network tap so I don't have to go scanning subnets -  because as we know, with Industrial and Medical devices (i.e. "Fragile" devices) you don't want to just go sweeping willy-nilly

@Hendrik_VE That's a great idea. I didn't consider warranty issues on industrial systems, this is a good call out for others as well. 

Thanks for sharing your strategy. 

Oh, I like that idea @RandomITDude232 -- I like that you use the agents for those without admin rights. 

Maybe this is a little too personal... about your local admin creds, do you use Legacy LAPS to do this or are you guys using a single local credential? 

I think what you are doing is a good idea. Having a local credential on servers vs. workstations vs. laptops vs. etc. would help to divide out the risk as well. 

Thanks for sharing! Very interesting.