Not giving hackers the Domain Admin password / account

Posted: Monday, October 21, 2019 3:54:33 AM(UTC)
PaulY (Member, Original Poster, Posts: 2)
If there is a malicious Windows computer on the LAN, then Lansweeper will try to log in to it.
It seems unavoidable that the Global Windows credential is presented on the IP scan.

This login will be with a Domain Admin account.

There are many tools for leveraging this attempted login to capture and reverse the auth credentials / reuse them.

What is Lansweeper's take on this attack?

The best mitigation I can see is
a) Never use Domain Admin account. Use a "Read Only" account for scanning (still a compromise, but less serious)
b) Only scan computers in an OU, using DNS address. Don't offer Windows account on IP Scans.

Paul
#1 Esben.D (Member, Administration, Posts: 1,982)
posted: 10/23/2019 9:14:40 AM(UTC)
It is well documented that you indeed do not need to use a domain admin account to scan. The account does need local administrative permissions.
If you don't link a Windows credential to an IP Range, you will still get a list of devices with basic info so you could verify whether those machines should be added to your AD or not.
#2 PaulY (Member, Original Poster, Posts: 2)
posted: 10/23/2019 9:24:40 AM(UTC)
By default the Global Windows credential (mandatory) is presented to any Windows machine found on an IP scan. It cannot be unlinked.
The only option is to put in "invalid" credentials.

Local admin on one PC allows jumping between all PCs.
Best to only present Windows credentials to hosts discovered from AD.
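A check along the lines Esben.D and PaulY describe (verify an IP-scan result against AD, and only then present a Windows credential), added here as an example; it is not code from the original thread or from Lansweeper, and the AD objects, DNS records, OU names and hosts are constructed sample data:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Discovered:
    ip: str
    reported_name: str  # name the host announces on the network; not trusted

# Constructed sample directory data (hypothetical names, not from the thread):
# computer name -> (distinguishedName, dNSHostName)
AD_COMPUTERS = {
    "WS-101": ("CN=WS-101,OU=Workstations,DC=corp,DC=example", "ws-101.corp.example"),
    "SRV-DB1": ("CN=SRV-DB1,OU=Servers,DC=corp,DC=example", "srv-db1.corp.example"),
}
# Constructed forward DNS (A records) for the domain
DNS_A = {"ws-101.corp.example": "10.0.1.101", "srv-db1.corp.example": "10.0.2.10"}
# OUs whose members may be scanned with the Windows credential
SCAN_OUS = ("OU=Workstations,DC=corp,DC=example",)

def credential_decision(host: Discovered) -> tuple[bool, str]:
    """Decide whether a discovered host may receive the scanning credential.

    A host qualifies only if it is an AD computer object, sits in an allowed
    OU, and its AD DNS name resolves to the IP it was discovered on. Anything
    else (unknown host, or a host claiming a legitimate name at another IP)
    is refused and left for manual review.
    """
    name = host.reported_name.upper()
    if name not in AD_COMPUTERS:
        return False, "not an AD computer object"
    dn, fqdn = AD_COMPUTERS[name]
    if not any(dn.endswith("," + ou) for ou in SCAN_OUS):
        return False, "outside allowed scanning OU"
    if DNS_A.get(fqdn) != host.ip:
        return False, "AD DNS name does not resolve to this IP"
    return True, "AD member in scan OU, DNS confirmed"

def triage(hosts: list[Discovered]) -> dict[str, list[str]]:
    """Split an IP-scan result into credentialed targets and hosts to review."""
    out: dict[str, list[str]] = {"scan_with_credential": [], "review": []}
    for h in hosts:
        ok, _ = credential_decision(h)
        out["scan_with_credential" if ok else "review"].append(h.ip)
    return out
```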
#3 JimL (Member, Posts: 3)
posted: 8/6/2020 7:08:15 AM(UTC)
Is there a good solution for this? A pentester captured our scan creds so we were working towards not using credentialed scans.

We've deployed LSAgent everywhere we can so that we don't need to run credentialed scans, but barring configuring invalid global credentials for Windows and SSH, I don't see a way to disable the Global Credential. Can I just remove the login information to disable the global credential?

I'd still like to perform global SNMP (r/o) scan for network devices, so disabling the scan targets isn't ideal.

Plan was:
  • LSAgent to all Windows and Apple devices
  • SSHCertificate to all *nix devices that can't/won't run LSAgent
  • SNMP r/o for network devices

Now I'm not sure that's a good plan without the ability to limit/disable global credentials.

Using invalid credentials and creating failed login traffic doesn't seem like a great solution.

#4 FrankSc (Member, Administration, Posts: 64)
posted: 8/6/2020 9:27:13 PM(UTC)
You can disable Windows scanning in your IP range scanning targets. In this way Windows computers will be ignored. Disabling the global credentials is at this moment not possible. But in this way, any Windows computer should be skipped for scanning.
In this way only SNMP and SSH credentials will be used.