09-26-2024 12:53 PM
How do you use Lansweeper to scan your entire network without relying on domain admin credentials, while still maintaining a strong security posture? What access controls and best practices do you follow?
Share your comments below.
10-02-2024 03:29 PM
Actually, I just signed up to ask nearly the same question. We are evaluating different discovery solutions to identify unknown (!) devices.
Security "says no" to central admin accounts for all devices.
Installing an agent is the option for *known* devices. But we would not be able to identify unknown devices. The scenario here would be: manually register during staging, install an agent and get all the details via the agent.
(How) is Lansweeper able to discover / probe e.g. network segments and systems just IP adresses and perhaps open ports?
Are there whitepapers / demos / manuals out there that show how it works?
Thanks!
10-02-2024 04:26 PM
Hey! Welcome @DostlBa --
So a few ideas...
* if your security team lets you scan other sources, we might be able to bypass a few challenges. For example, if you use Intune or Airwatch, you can scan assets through one of those.
* Another could be to add a script-based scanning like LsPush (LsPush vs. LsAgent scanning agent - Lansweeper Community). This can be triggered via a GPO/logon script upon each login or schedule.
* For your virtual servers, you can scan them through VMWare.
* We also have "Asset Radar" which can be configured to add all asset it "sniffs" out in your network. There is some configuration needed in order to sniff all networks--we can discuss this if needed.
We often hear of Security teams being concerned about entering credentials. Remember, the credentials ONLY need local admin rights (for Windows). Meaning, you can use a dedicated username that is only available on local machines. If you use "Legacy LAPS", you can configure Lansweeper to do the asset discovery those credentials as well.
I know I went a little off topic, but there are ways that we can be creative to watch and discover on your network.
Finally, if your security team is concerned about password management; all passwords are always stored and encrypted on your environment... we do not store credentials in the cloud platform. If needed, we can help you understand more about our security posture within the platform.
I hope this helps to get you thinking around a few ideas. This is not an uncommon request. There are many on this forum that have experienced the same thing 😊
Keep us posted on how it goes.
09-27-2024 10:33 AM
We don't use domain admins account into LS:
09-27-2024 02:56 PM - edited 09-27-2024 02:57 PM
@Mister_Nobody this is another great strategy.
One benefit of using LsPush at login is that you can track EVERY USER that logs into that machine. Then, you know your user information is accurate when looking at the asset list.
{For those that don't know, the active user will only be displayed from when that asset was scanned. So, if you scan 1x per day, only that one user who was logged on during the scan will be displayed. What Mister_Nobody is doing will provide the up-to-date active user.}
I also like how you combine the agents (point #2) as well as scan the assets with a dedicated credential (step #3). You have this covered well.
Thanks for sharing!
09-27-2024 09:13 AM
We solely rely on LsPush for scanning our +1500 (industrial) Windows devices.
Main advantages:
09-28-2024 09:33 PM - edited 09-28-2024 09:38 PM
omg hey Hendrik 🙂 - I use a mix of lspush, lsagent, and one svc acct for workstations, one svc account for servers - and of course set pw to expire in a short interval (not that it really matters anymore) - I just can't live without active scanning - for catching all the stuff that joins the domain (including linux, esxi, whatever you can join hehe) - I prefer using asset radar when possible, but also like to tap into a a passive listener or network tap so I don't have to go scanning subnets - because as we know, with Industrial and Medical devices (i.e. "Fragile" devices) you don't want to just go sweeping willy-nilly
09-27-2024 02:53 PM
@Hendrik_VE That's a great idea. I didn't consider warranty issues on industrial systems, this is a good call out for others as well.
Thanks for sharing your strategy.
09-26-2024 07:26 PM
So we give it local admin creds on most of our machines, but if a system requires a domain admin cred. We are using the LSAgent to get that information. That way we don't risk the user being too elevated, and we ensure our security team that we can get the info without violating policy. The agents are amazing for getting you the inventory data when elevated creds and sometimes no creds at all are your only option for servers. Honestly, we get buy okay with simple admin level.
09-26-2024 08:21 PM
Oh, I like that idea @RandomITDude232 -- I like that you use the agents for those without admin rights.
Maybe this is a little too personal... about your local admin creds, do you use Legacy LAPS to do this or are you guys using a single local credential?
I think what you are doing is a good idea. Having a local credential on servers vs. workstations vs. laptops vs. etc. would help to divide out the risk as well.
Thanks for sharing! Very interesting.
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now