Not giving hackers the Domain Admin password / account

Posted: Monday, October 21, 2019 3:54:33 AM(UTC)
PaulY

Member, Original Poster, Posts: 2
If there is a malicious Windows computer on the LAN, then Lansweeper will try to log in to it.
It seems unavoidable that the Global Windows credential is presented on the IP Scan.

This login will be with a Domain Admin account.

There are many tools for leveraging this attempted login to capture and reverse the auth credentials / reuse them.

What is Lansweeper's take on this attack?

The best mitigation I can see is
a) Never use a Domain Admin account. Use a "Read Only" account for scanning (still a compromise, but less serious).
b) Only scan computers in an OU, using DNS address. Don't offer the Windows account on IP Scans.

Paul
#1 Esben.D, Member, Administration, Posts: 1,982
posted: 10/23/2019 9:14:40 AM(UTC)
It is well documented that you indeed do not need to use a domain admin account to scan. The account does need local administrative permissions.
If you don't link a Windows credential to an IP Range, you will still get a list of devices with basic info so you could verify whether those machines should be added to your AD or not.
#2 PaulY, Member, Original Poster, Posts: 2
posted: 10/23/2019 9:24:40 AM(UTC)
By default the Global Windows (mandatory) is presented to any Windows found on IP Scan. Cannot be unlinked.
Only option is to put in "invalid" credentials.

Local admin on one PC allows jumping between all PCs.
Best to only present Windows credentials to hosts discovered from AD.
#3 JimL, Member, Posts: 3
posted: 8/6/2020 7:08:15 AM(UTC)
Is there a good solution for this? A pentester captured our scan creds so we were working towards not using credentialed scans.

We've deployed LSAgent everywhere we can so that we don't need to run credentialed scans, but barring configuring invalid global credentials for Windows and SSH, I don't see a way to disable the Global Credential. Can I just remove the login information to disable the global credential?

I'd still like to perform a global SNMP (r/o) scan for network devices, so disabling the scan targets isn't ideal.

Plan was:
  • LSAgent to all Windows and Apple devices
  • SSHCertificate to all *nix devices that can't/won't run LSAgent
  • SNMP r/o for network devices

Now I'm not sure that's a good plan without the ability to limit/disable global credentials.

Using invalid credentials and creating failed login traffic doesn't seem like a great solution.

#4 FrankSc, Member, Administration, Posts: 64
posted: 8/6/2020 9:27:13 PM(UTC)
You can disable Windows scanning in your IP range scanning targets. In this way Windows computers will be ignored. Disabling the global credentials is at this moment not possible. But in this way, any Windows computer should be skipped for scanning.
In this way only SNMP and SSH credentials will be used.
