This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
→ 🚀What's New? Explore Lansweeper's Fall 2024 Updates! Fall Launch Blog !
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- General Discussions
- Scanning with domain admin or another account that...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-29-2020 02:17 PM
Hi, were new to Lansweeper, just got our feet off the ground this week and we love it so far. WAY faster than Spiceworks! We licenced 1500 assets and I configured it to use SQL Server 2016 and IIS 10.
One of the concerns we had with scanning is what kind of account to use in order to obtain all the good detail for our domain joined machines. The easy route, what we are doing now, is using a domain administrator account, and since our machines are on the domain, they have access to all of the bits and pieces like administrative shares, WMI, DCOM, etc... So this is working. The security concern is that this domain admin account is being sprayed out to every machine to scan.
Another theory we had was use a regular domain account that had read only access to AD, so that part was still readable, but used a GPO to make this account local admin on all of our workstations. My concern with that is if the account is ever compromized on one machine, the bad actor can then use this account to jump around from machine to machine. Its the whole reason we use Microsoft LAPS to randomize and uniquely configure each PC's local administrator password.
Third option would be the LsAgent. Now we are deploying this to laptop and tablet class machines, since they can roam. But we have so many other agents for other things, the concern is adding more "stuff" to end users machines, so we lean towards agentless scanning.
What's your opinion for best practices? Right now I'm leaning towards a special unique domain administrator account with a very long passphrase, like 35 or more characters, and a strict policy to change that in a timely manner. It would be very hard for a bad actor to brute force a password of that length.
Curious to hear what you all do!
One of the concerns we had with scanning is what kind of account to use in order to obtain all the good detail for our domain joined machines. The easy route, what we are doing now, is using a domain administrator account, and since our machines are on the domain, they have access to all of the bits and pieces like administrative shares, WMI, DCOM, etc... So this is working. The security concern is that this domain admin account is being sprayed out to every machine to scan.
Another theory we had was use a regular domain account that had read only access to AD, so that part was still readable, but used a GPO to make this account local admin on all of our workstations. My concern with that is if the account is ever compromized on one machine, the bad actor can then use this account to jump around from machine to machine. Its the whole reason we use Microsoft LAPS to randomize and uniquely configure each PC's local administrator password.
Third option would be the LsAgent. Now we are deploying this to laptop and tablet class machines, since they can roam. But we have so many other agents for other things, the concern is adding more "stuff" to end users machines, so we lean towards agentless scanning.
What's your opinion for best practices? Right now I'm leaning towards a special unique domain administrator account with a very long passphrase, like 35 or more characters, and a strict policy to change that in a timely manner. It would be very hard for a bad actor to brute force a password of that length.
Curious to hear what you all do!
Labels:
- Labels:
-
General Discussion
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-02-2020 03:01 AM
We use a domain admin account, as in its an account that has admin rights on the machines but not the rest of the network / servers etc. So not a true domain admin account.
We exclude our servers from scanning as they are already monitored via other software etc.
We are using Lansweeper purely for Workstation / Laptop auditing and software deployments.
We exclude our servers from scanning as they are already monitored via other software etc.
We are using Lansweeper purely for Workstation / Laptop auditing and software deployments.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-02-2020 04:45 PM
CyberCitizen wrote:
We use a domain admin account, as in its an account that has admin rights on the machines but not the rest of the network / servers etc. So not a true domain admin account.
We exclude our servers from scanning as they are already monitored via other software etc.
We are using Lansweeper purely for Workstation / Laptop auditing and software deployments.
Oh ok are you using something like this article to create a new type of "Workstation Administrator" group and group policy to add this to the local admin of PC's?
https://www.petri.com/manage-workstations-without-domain-admin-rights
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-03-2020 12:36 AM
kjstech wrote:
Oh ok are you using something like this article to create a new type of "Workstation Administrator" group and group policy to add this to the local admin of PC's?
https://www.petri.com/manage-workstations-without-domain-admin-rights
Pretty Much Spot On
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- On Prem - Dashboards Questions in General Discussions
- What is a best practice to keep your scanning queue running smoothly at all times? in Technical Troubleshooting
- Looking for report that will find systems with a specific local user account in General Discussions
- Registry and File Scanning - description field in General Discussions
- Scan slowness in General Discussions
