
Windows Least Privilege Scanning

4 min. read
25/03/2022
By Esben Dochy

Pro Tips with Esben #18

The principle of least privilege dictates that a subject should be given only those privileges needed for it to complete its task. Today we take a look at how this impacts Lansweeper Windows scanning.

When scanning with Lansweeper, you can always check what the scanning requirements are in our knowledge base. These articles also include the requirements for any credentials that need to be used in order to retrieve data.

In a lot of scenarios, Lansweeper requires admin access to retrieve 100% of the data. Some systems unfortunately don’t allow data retrieval without having admin access. The case of Windows, Mac, and Linux scanning is no exception and I’ve often heard people ask if having admin access is really needed.

In short, no. Admin access is technically not required to scan Windows, Mac, or Linux devices. However, it is required to scan 100% of the data from those devices. This is also why our requirement articles include it.

Our own internal IT team has also struggled with implementing Lansweeper while adhering to the principle of least privilege. As a result, they have documented how they scan with Lansweeper while being as strict as possible with regard to credential access.

Prerequisites

PowerShell 5.1 is required. This is installed by default on Windows Server 2016 and above, Windows 10 and above. Otherwise, you can find it on the Microsoft website.

Windows Permission Script

The required permissions to scan with Lansweeper have been automated in a PowerShell script. This script is compatible with Windows Server 2012 (and above) and Windows 7 (and above). I recommend configuring it as a startup script through a GPO or local policy, since some permissions can disappear after a reboot.

Additionally, you should adjust the following and use it as a parameter in the startup script entry to specify the account/group you want to give permissions to.

-accountName "domainNetBIOS\samAccountName"

You can download the script here (right-click, save link as…). By default, it logs to 'C:\Windows\Temp\LansweeperScanningSetupLog.txt' and the "Application" event log.

Script Content

Obviously, you can always open the script and take a look for yourself, but if you want the short version, here is what it does:

  • Add object to “Distributed COM Users” group
  • Add object to “Event Log Readers” group
  • Add read & method execute permissions on certain WMI namespaces for the object
  • Change ownership of the Trusted Installer Service in registry to Administrators
  • Add “Local Launch” and “Remote Launch” permissions on the Trusted Installer Service DCOM Component for the object (more might be needed)
  • Add a read clause to the Security Descriptor of the scmanager service for the object
  • Allow NetBIOS access from other subnets (required when the scan server is in another subnet)
  • Allow WMI, DCOM, WinRM (HTTP & HTTPS), ICMPv4/ICMPv6 echo request through firewall
  • Add permissions to WMI namespaces used by LS
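As an added illustration (not Lansweeper's script and not code from this post), the read-only PowerShell audit below reports whether a given account already has the group memberships and WMI namespace rights the script is described as granting, which is useful for verifying a startup-script deployment. The namespace list is an assumption (the post does not name the namespaces), and it goes slightly beyond the list above by also checking Remote Enable, which remote WMI connections require.

```powershell
# Hypothetical audit script; it changes nothing on the machine.
# Usage: .\Test-LsScanAccount.ps1 -AccountName "DOMAIN\svc-lansweeper"
param(
    [Parameter(Mandatory)][string]$AccountName,
    # Assumed namespaces; replace with the ones your scan actually needs.
    [string[]]$Namespaces = @('root\cimv2', 'root\default')
)

# Resolve the account to a SID once; group members and ACEs compare by SID.
$sid = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# 1. Direct membership in the two local groups the script populates.
#    (Membership inherited through a nested domain group is not detected.)
foreach ($group in 'Distributed COM Users', 'Event Log Readers') {
    $member = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $sid }
    '{0,-25} {1}' -f $group, $(if ($member) { 'member' } else { 'MISSING' })
}

# 2. WMI namespace DACL: decode the access-mask bits the scan relies on.
#    WBEM_ENABLE = 0x1 (Enable Account), WBEM_METHOD_EXECUTE = 0x2,
#    WBEM_REMOTE_ACCESS = 0x20 (Remote Enable, needed for remote scanning).
$rights = [ordered]@{ EnableAccount = 0x1; ExecuteMethods = 0x2; RemoteEnable = 0x20 }
foreach ($ns in $Namespaces) {
    $sec  = Get-WmiObject -Namespace $ns -Class __SystemSecurity
    $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
    # Only ACCESS_ALLOWED (AceType 0) entries for this SID count.
    $mask = 0
    foreach ($ace in ($dacl | Where-Object { $_.Trustee.SIDString -eq $sid -and $_.AceType -eq 0 })) {
        $mask = $mask -bor $ace.AccessMask
    }
    $missing = $rights.Keys | Where-Object { ($mask -band $rights[$_]) -eq 0 }
    '{0,-25} mask=0x{1:X} missing: {2}' -f $ns, $mask,
        $(if ($missing) { $missing -join ', ' } else { 'none' })
}
```

Run it in an elevated PowerShell 5.1 session on the scanned host; a "MISSING" group or a non-empty "missing" list points at a permission the startup script did not apply or that was lost after a reboot.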

Scanning That Won’t Work

As mentioned previously, scanning with the least privilege does have consequences. The following data won’t be retrieved at all or will only have partial data.

  • Last logon scanning
  • Shares scanning
  • SQL scanning
  • Certificates scanning (scanning account needs read permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg)
  • Hyper-V Virtual Machine objects
  • Windows Cluster scanning (accounts need Full Control permissions before Lansweeper returns cluster information; this can be done in the Failover Cluster Manager/Cluster FQDN/Properties/Cluster Permissions)
  • SCCM (Scanning accounts need to be added in SCCM as “Read-only analyst” before data can be scanned)
  • Exchange scanning (Accounts need to be added to the “Organization management” AD group. Also, WinRM HTTPS listeners need to be configured on the Exchange servers as well as the Domain Controllers.)

If you’re interested in scanning using this least privilege method, I would personally recommend testing it first: the above are findings from our IT team, but it’s always possible something was missed. Additionally, since this isn’t the recommended way of scanning, our support team will always refer you to our official documentation. It is also likely that future Windows scanning features won’t work without adjustments, or that updates will cause unforeseen issues.

With all the disclaimers out of the way, hopefully, this will help the few of you who are not capable (or allowed) to use admin credentials to scan. Be sure to check back for Linux and Mac scanning in the near future!