This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Not giving hackers the Domain Admin password / account

PaulY
Engaged Sweeper

‎10-21-2019 04:54 AM

If there is a malicious Windows computer on the LAN, then Lansweeper will try and login to it.
Seems to be unavoidable to not have the Global Windows credential presented on the IP Scan.

This login will be with a Domain Admin account.

There are many tools for leveraging this attempted login to capture and reverse the auth credentials / reuse them.

What is Lansweepers take on this attack?

The best mitigation I can see is
a) Never use Domain Admin account. Use a "Read Only" account for scanning (still a compromise, but less serious)
b) Only scan computers in an OU, using DNS address. Don't offer Windows account on IP Scans.

Paul
Labels:
0 Kudos
4 REPLIES 4
JimL
Engaged Sweeper

‎08-06-2020 08:08 AM

Is there a good solution for this? A pentester captured our scan creds so we were working towards not using credentialed scans.

We've deployed LSAgent everywhere we can so that we don't need to run credentialed scans, but barring configuring invalid global credentials for Windows and SSH, I don't see a way to disable the Global Credential. Can I just remove the login information to disable the global credential?

I'd still like to perform global SNMP (r/o) scan for network devices, so disabling the scan targets isn't ideal.

Plan was:
  • LSAgent to all Windows and Apple devices
  • SSHCertificate to all *nix devices that can't/won't run LSAgent
  • SNMP r/o for network devices

Now I'm not sure that's a good plan without the ability to limit/disable global credentials.

Using invalid credentials and creating failed login traffic doesn't seem like a great solution.

0 Kudos
FrankSc
Lansweeper Tech Support
Lansweeper Tech Support
In response to JimL

‎08-06-2020 10:27 PM

You can disable Windows scanning in your IP range scanning targets. In this way Windows computers will be ignored. Disabling the global credentials is at this moment not possible. But in this way, any Windows computer should be skipped for scanning.
In this way only SNMP and SSH credentials will be used.
0 Kudos
PaulY
Engaged Sweeper

‎10-23-2019 10:24 AM

By default the Global Windows (mandatory) is presented to any Windows found on IP Scan. Cannot be unlinked.
Only option is to put in "invalid" credentials.

Local admin on one PC allows jumping between all PC's
Best to only present windows credentials to hosts discovered from AD.
0 Kudos
Esben_D
Lansweeper Employee
Lansweeper Employee

‎10-23-2019 10:14 AM

It is well documented that you indeed do not need to use a domain admin account to scan. The account does need local administrative permissions.
If you don't link a Windows credential to an IP Range, you will still get a list of devices with basic info so you could verify whether those machines should be added to your AD or not.
0 Kudos

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now