‎06-01-2023 12:33 AM - last edited on ‎06-14-2023 07:40 PM by Mercedes_O
I recently learned about the power of PowerShell SessionConfigurations and Just Enough Administration (JEA). There are two things that could benefit Lansweeper scanning.
1. Scan and report on Get-PSSessionConfiguration. I'm deploying more and more SessionConfigurations to servers so users can connect using PowerShell Remoting but are only allowed to run specific commands, without adding them to the Remote Desktop Users, Remote Management Users, or Administrators group. It would be useful knowing which computers have which SessionConfigurations. (IT Asset Inventory)
2. Scanning Windows devices without being Administrator. LAPS scanning is a great new feature! However, LAPS still uses a local Admin account, and our security policy blocks local accounts from connecting remotely. Bring out JEA! The Windows device would need a SessionConfiguration that allows an Active Directory non-admin account to connect to it. After connection, that non-admin account runs as a virtual account using SYSTEM and the SessionConfiguration restricts what commands it can run. For example, the LansweeperScanning SessionConfiguration could allow all cmdlets that match with Get-* (e.g., Get-Cim*, Get-Wmi*, Get-Process, etc.). This would require the Lansweeper scanning service to use PowerShell remoting to scan computers. LsPush/LsAgent could also be used to optionally install the required SessionConfiguration. This would reduce risk because it's a non-admin account and only allowed to run specific cmdlets. (Cybersecurity & Vulnerabilities)
Finally, it would be awesome if Lansweeper supported a gMSA (Group-Managed Service Account) for scanning. Then I wouldn't have to put in a password in the web UI. I'd need to make the gMSA and allow the server running Lansweeper scanner permissions to get the gMSA password. Further reducing the use of passwords.
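A sketch of the JEA endpoint described in the post above, added here as an example; it is not from the original thread and is not Lansweeper code. The module name `JeaScan`, role name `ScanReadOnly`, account `CONTOSO\svc-scan`, transcript path and host `SRV01` are assumptions; `LansweeperScanning` is the endpoint name used in the post.

```powershell
#Requires -RunAsAdministrator
# Assumed names (not from the thread): JeaScan, ScanReadOnly, CONTOSO\svc-scan, SRV01.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaScan'
New-Item -ItemType Directory -Path "$module\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$module\JeaScan.psd1" -Description 'JEA roles for inventory scanning'

# Role capability: an explicit allow-list instead of Get-*. The wildcard would also
# expose cmdlets such as Get-Content, and the virtual account the session runs as is
# a member of the local Administrators group by default.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\ScanReadOnly.psrc" `
    -VisibleCmdlets 'Get-CimInstance', 'Get-Process', 'Get-Service'

# Session configuration: locked-down session type, temporary virtual account,
# transcripts for auditing, and a single non-admin AD account mapped to the role.
$pssc = Join-Path $env:ProgramData 'JeaScan\LansweeperScanning.pssc'
New-Item -ItemType Directory -Path (Split-Path $pssc) -Force | Out-Null
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory (Join-Path $env:ProgramData 'JeaScan\Transcripts') `
    -RoleDefinitions @{ 'CONTOSO\svc-scan' = @{ RoleCapabilities = 'ScanReadOnly' } }

# Validate the file, then register the endpoint (registration restarts WinRM).
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }
Register-PSSessionConfiguration -Name 'LansweeperScanning' -Path $pssc -Force

# Inventory (item 1 in the post): which endpoints exist on this machine and who may connect.
Get-PSSessionConfiguration | Select-Object Name, Permission

# From the scanning host, as CONTOSO\svc-scan: only the allow-listed cmdlets are available.
Invoke-Command -ComputerName 'SRV01' -ConfigurationName 'LansweeperScanning' -ScriptBlock { Get-Service }
```

`New-PSSessionConfigurationFile` also accepts `-RunAsVirtualAccountGroups` to place the virtual account in specific local groups instead of Administrators, where the scanned data sources allow it.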
‎06-02-2023 03:36 PM
Hi @Bowser,
These ideas would really be beneficial for the configuration of Lansweeper so extra asset details are retrieved and asset and scan server security is increased.
PS Session Configuration: we're considering including a custom discovery section within the Lansweeper solution.
This would allow you to send specific read commands to your assets and capture these in custom discovery sections.
Just Enough Administration: great tip! While Lansweeper currently relies on RPC, remote registry and sometimes PowerShell (to keep full support with older operating systems), we're currently working on a next-gen version that focuses more on retrieving the data using PowerShell where possible. Adding JEA to the final solution would really help out to have a scan server working according to a least privileged account.
gMSA: we evaluated adding gMSA support previously to Lansweeper but the foundations needed to be changed too drastically.
Hence we're evaluating including this in the next-gen version (mentioned in the section above).
Our current roadmap already has lots of content but custom discovery is at the top of our list to be reviewed.
Thank you for contributing these great ideas!
3 weeks ago
Hi Gillian,
Do you have an idea when JEA will be implemented in Lansweeper?
As our Microsoft administrator does not like the fact to have the Lansweeper user as a domain admin user.
Thank you
‎06-02-2023 01:16 PM
Thank you for sharing, @Bowser. I have shared this internally and am also tapping @IainCaldwell into the chat.