PaulY
Engaged Sweeper
If there is a malicious Windows computer on the LAN, then Lansweeper will try and login to it.
Seems to be unavoidable to not have the Global Windows credential presented on the IP Scan.

This login will be with a Domain Admin account.

There are many tools for leveraging this attempted login to capture and reverse the auth credentials / reuse them.

What is Lansweeper's take on this attack?

The best mitigation I can see is
a) Never use Domain Admin account. Use a "Read Only" account for scanning (still a compromise, but less serious)
b) Only scan computers in an OU, using DNS address. Don't offer Windows account on IP Scans.

Paul
4 REPLIES
JimL
Engaged Sweeper
Is there a good solution for this? A pentester captured our scan creds so we were working towards not using credentialed scans.

We've deployed LSAgent everywhere we can so that we don't need to run credentialed scans, but barring configuring invalid global credentials for Windows and SSH, I don't see a way to disable the Global Credential. Can I just remove the login information to disable the global credential?

I'd still like to perform global SNMP (r/o) scan for network devices, so disabling the scan targets isn't ideal.

Plan was:
  • LSAgent to all Windows and Apple devices
  • SSHCertificate to all *nix devices that can't/won't run LSAgent
  • SNMP r/o for network devices

Now I'm not sure that's a good plan without the ability to limit/disable global credentials.

Using invalid credentials and creating failed login traffic doesn't seem like a great solution.

FrankSc
Lansweeper Tech Support
You can disable Windows scanning in your IP range scanning targets. In this way Windows computers will be ignored. Disabling the global credentials is at this moment not possible. But in this way, any Windows computer should be skipped for scanning.
In this way only SNMP and SSH credentials will be used.
PaulY
Engaged Sweeper
By default the Global Windows (mandatory) is presented to any Windows found on IP Scan. Cannot be unlinked.
Only option is to put in "invalid" credentials.

Local admin on one PC allows jumping between all PCs.
Best to only present Windows credentials to hosts discovered from AD.
Esben_D
Lansweeper Employee
It is well documented that you indeed do not need to use a domain admin account to scan. The account does need local administrative permissions.
If you don't link a Windows credential to an IP Range, you will still get a list of devices with basic info so you could verify whether those machines should be added to your AD or not.