Based on the documentation, the agent requires a user with domain admin permissions (https://docs.liongard.com/docs/deployment-via-msi-installer#install-failure---invalid-username-andor-password).
Best practice is to deploy user accounts with least privileges possible.
Is Liongard able to articulate what permissions are required so a domain admin is no longer required?
Last Reviewed Date | 2021-03-19 |
Maybe I'm checking too early, but the email alerts worked well...
Can someone from Liongard comment or explain where the above requested information is and how this is Shipped status? I just checked docs and it still shows Domain Admins as suggested setup, and still mentions needing to finish updating the documentation on this page:
https://docs.liongard.com/docs/agent-service-permissions
Assign the account the appropriate permissions for the inspectors you wish to run. We recommend adding the account to the domain administrators group. Liongard is currently working on documentation to scope this account down to the least necessary privileges, and it will be posted here when complete.
All we want is visibility into the domain, so I'm sure this can be limited in scope. I know the documentation says that Liongard is working on it, but the docs have said that for years now. We can try to scope it down ourselves, but it would be nice to have more information on what the agent is doing and what it needs to accomplish its tasks.
The "take privileges away until it breaks" game is not fun and always leaves us wondering what we missed or if anything is going to break in the future. I know this is a typical vendor problem and not exclusive to Liongard, but security is now at the forefront of our clients' minds, not just ours, so shoring up these accounts is imperative.
This is unacceptable now; we must understand what's truly required from a privilege standpoint.
Other security and monitoring tools are able to articulate from a WMI or AD privilege standpoint what is required. But it should be read-only access and a method that should work with AD.
This! With evolving threats out there using privilege escalations and credential thefts, the Liongard AD account with Domain admin could easily be used to crypto an entire org - even on devices such as workstations which Liongard doesn't even inspect.
With compliance obligations, evolution within the security ecosystem, etc., this should be a no-brainer.