April 23, 2025 · Anton Berghult · Compliance & Governance · Security & Vulnerability · 5 min

Securing Your Windows Data Center: A Practical Guide to setting up access for IT Discovery

Gaining comprehensive visibility into your IT environment is crucial for accurate asset inventory, documentation, and effective security audits. However, granting overly broad access and permissions for user accounts can introduce significant security vulnerabilities, making the careful management of user account access a critical concern. In this blog post, we’ll review different options and their respective pros and cons for managing access within your IT environment, aiming to help you successfully combine secure operations with full visibility.

Security cornerstone: The Principle of Least Privilege

The principle of least privilege is a fundamental security concept that dictates that every user, process, or system should have the minimum level of permissions necessary to perform its intended function. In simpler terms, grant only the access that is absolutely required, and nothing more.

Applying the principle of least privilege to IT discovery means ensuring that the accounts used for scanning and collecting information only have necessary read-only access, without having the ability to make any modifications or perform administrative tasks. This significantly reduces the potential risk if an account were to be compromised. By limiting the scope of what an account can do, you contain potential security breaches and minimize the “blast radius” of an incident.

Finding the right balance – Security vs. Visibility vs. Complexity

Before diving into specific options on setting up access control in your Windows environment, let’s define two important terms that can be used to benchmark different options against each other – Permission and Access.

  • Permission refers to the specific actions an account is authorized to perform on a resource (e.g. server, database, system). For example, having “read” permission on an NTFS file share or the ability to query specific information from the registry via WMI.
  • Access is the ability of an account to access and connect to a resource. This could involve authenticating to a server via network protocols like SMB or using management interfaces like PowerShell Remoting.

Some solutions to access control implementation might effectively manage how an account authenticates (access) but not necessarily what it can do once connected (permissions), and vice versa. In the end, it comes down to finding the right balance between enabling necessary visibility vs. compromising security vs. the complexity to manage. There’s no silver bullet that solves everything, but by carefully reviewing your specific needs, you can make a balanced decision that considers all aspects of access control.

Five ways for managing access control for IT Discovery of Windows environments

Now, with that said, let’s explore five common approaches to manage access control in a Microsoft-centric data center, highlighting their pros and cons to help you make well-informed decisions. These are, from my perspective, the most frequently used solutions to manage access control for IT discovery. Let’s go!

1. Local Administrator

– Like giving someone the keys to the entire building just to read the electricity meter.

What it is: A built-in Windows user group that has full administrative control over a local machine.

Pros: Provides complete read (but also write…) access to the local system, making discovery straightforward on a single server.

Cons: Managing local administrator accounts consistently across multiple Windows servers is challenging. Granting local admin rights for discovery introduces a security risk due to the unnecessary write privileges. This approach doesn’t inherently provide a restricted, domain-wide view.

2. Windows Local Administrator Password Solution (LAPS)

– Like making the keys to the entire building harder to copy, but the person with the keys can still access everything.

What it is: Microsoft LAPS is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra-joined or Windows Server Active Directory-joined devices.

Pros: Significantly enhances the security of local administrator accounts, mitigating the risk of lateral movement by ensuring unique and regularly changed passwords.

Cons: While LAPS secures the local administrator account, it doesn’t inherently restrict the permissions of that account. If a local administrator account is used for accessing a machine, it still possesses high privileges. LAPS focuses on securing access to the powerful local admin account, not on granting granular read-only permissions for discovery tasks.

3. Domain Administrator

– Like giving someone the master key to every building in the city just to check the inventory in a few supply closets.

What it is: A highly privileged account in Windows Active Directory with administrative control over the entire domain.

Pros: Has broad access to all domain-joined resources. Easy to manage and to set up.

Cons: This is a significant security risk and should almost never be used for routine IT discovery read accounts. Granting Domain Admin rights for discovery severely violates the principle of least privilege and creates a massive security vulnerability. If compromised, this account could have severe consequences for your entire Windows environment.

4. Group Managed Service Account (gMSA)

– Like giving someone a unique, strong key that changes automatically, but you still need to define which rooms that key can open and what the person can do inside.

What it is: A managed domain account in Active Directory that provides automatic password management for services running on one or more servers.

Pros: Simplifies service account management and enhances security by automating password changes.

Cons: Primarily secures the access of the service account. The permissions the gMSA has once it connects to a resource are determined by how it’s configured in NTFS permissions, share permissions, and other access control lists. Careful configuration is essential to limit its read-only capabilities.
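The gMSA section above and the earlier Permission vs. Access distinction come together in practice as two separate configuration steps: which hosts may retrieve the managed password (access), and which read-only rights the account holds once it connects (permissions). The following is an added example written for this post, not code from the original article or from vScope; the domain CONTOSO / contoso.local, the account svcDiscovery, the host group DiscoveryHosts, the server SRV-DISCOVERY01 and the share D:\Inventory are all hypothetical names, and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example (hypothetical names, see lead-in): create a gMSA for discovery
# and scope it to read-only rights on one member server.

# --- On a domain controller or admin workstation -----------------------------
# A KDS root key is needed once per forest. Without -EffectiveImmediately the key
# becomes usable only after ~10 hours so that every DC has replicated it.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# ACCESS: only computers in this group may retrieve the managed password, so the
# account is unusable from any other host even if its name is known.
New-ADGroup -Name 'DiscoveryHosts' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=contoso,DC=local'
Add-ADGroupMember -Identity 'DiscoveryHosts' -Members 'SRV-DISCOVERY01$'

New-ADServiceAccount -Name 'svcDiscovery' `
    -DNSHostName 'svcDiscovery.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'DiscoveryHosts' `
    -KerberosEncryptionType AES256 `
    -Enabled $true

# --- On SRV-DISCOVERY01 (reboot, or purge its Kerberos tickets, after the group change)
Install-ADServiceAccount -Identity 'svcDiscovery'
if (-not (Test-ADServiceAccount -Identity 'svcDiscovery')) {
    throw 'The gMSA password could not be retrieved on this host'
}

# PERMISSIONS: grant read-only rights only where discovery needs them.
# NTFS read/execute on the inventory share, inherited to subfolders and files.
icacls 'D:\Inventory' /grant 'CONTOSO\svcDiscovery$:(OI)(CI)(RX)'
# Read the event logs without being an administrator.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'CONTOSO\svcDiscovery$'
# Connect over DCOM and WinRM without admin rights (WMI namespace ACLs may still
# have to be opened for non-admin remote queries).
Add-LocalGroupMember -Group 'Distributed COM Users' -Member 'CONTOSO\svcDiscovery$'
Add-LocalGroupMember -Group 'Remote Management Users' -Member 'CONTOSO\svcDiscovery$'

# A gMSA cannot log on interactively, so the collection job runs as a scheduled
# task under the account (Collect.ps1 is a hypothetical collector script).
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File C:\Discovery\Collect.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svcDiscovery$' -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'IT Discovery' -Action $action -Trigger $trigger -Principal $principal

# Check: the account must not have ended up in the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains 'CONTOSO\svcDiscovery$') {
    Write-Warning 'svcDiscovery is a local administrator: its privileges are not minimal'
}
```

The point of the example is that the gMSA itself only solves password management and host scoping; everything after Test-ADServiceAccount is ordinary ACL and group work that has to be repeated, and audited, on every server the account touches.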

5. Just Enough Administration (JEA)

– Like creating a specific key that only opens the supply closets in a room and only allows the person to find the inventory list in that closet, nothing else.

What it is: JEA is a Windows PowerShell feature that enables delegated administration for specific tasks using restricted privileges. You can define precisely what actions a user or group can perform via PowerShell Remoting.

Pros: Provides granular control over permissions for specific discovery tasks. You can create JEA roles that allow only necessary read-only actions. It can be configured with specific user or group access through Active Directory. This approach significantly enhances security by adhering to the principle of least privilege and is centrally manageable.
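As an added example (not code from the original post or from vScope), here is what a read-only discovery endpoint built with JEA looks like end to end: a role capability that lists only read cmdlets, a session configuration that maps an AD group to that role, and a check that the endpoint rejects anything else. The group CONTOSO\IT-Discovery, the user CONTOSO\svc-discovery, the module name DiscoveryJEA and the endpoint name Discovery are hypothetical; run it elevated on the server that will be queried.

```powershell
# Added example (hypothetical names, see lead-in): a read-only JEA endpoint.

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DiscoveryJEA'
$roleDir    = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null

# A module manifest is required so PowerShell can locate the role capability file.
New-ModuleManifest -Path (Join-Path $moduleRoot 'DiscoveryJEA.psd1') `
    -Description 'Read-only role capabilities for IT discovery'

# 1. Role capability: list ONLY the read cmdlets discovery needs. Parameter
#    validation keeps Get-CimInstance to Win32_*/CIM_* classes in root/cimv2 and
#    Get-ItemProperty to HKLM:\SOFTWARE; no Set-*, Remove-*, Stop-* or Invoke-*
#    cmdlet is exposed, so the endpoint cannot be used to change anything.
$roleParams = @{
    Path           = Join-Path $roleDir 'DiscoveryReader.psrc'
    Description    = 'Read-only inventory access for IT discovery'
    VisibleCmdlets = @(
        'Get-ComputerInfo', 'Get-Service', 'Get-Process', 'Get-HotFix',
        'Get-NetIPAddress', 'Get-NetAdapter', 'Get-Volume',
        @{ Name = 'Get-CimInstance'; Parameters = @(
            @{ Name = 'ClassName'; ValidatePattern = '^(Win32|CIM)_' },
            @{ Name = 'Namespace'; ValidateSet = 'root/cimv2', 'root\cimv2' },
            @{ Name = 'Filter' },
            @{ Name = 'Property' }
        ) },
        @{ Name = 'Get-ItemProperty'; Parameters = @(
            @{ Name = 'Path'; ValidatePattern = '^HKLM:\\SOFTWARE\\' },
            @{ Name = 'Name' }
        ) }
    )
    VisibleProviders = 'Registry'
}
New-PSRoleCapabilityFile @roleParams

# 2. Session configuration: NoLanguage restricted endpoint, a temporary virtual
#    account instead of the caller's own credentials, and a transcript of every
#    session for audit. Only members of the mapped group can connect.
$transcripts = 'C:\JEA\Transcripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$sessionFile = 'C:\JEA\Discovery.pssc'
New-PSSessionConfigurationFile -Path $sessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{
        'CONTOSO\IT-Discovery' = @{ RoleCapabilities = 'DiscoveryReader' }
    }

# 3. Validate before registering; Register-PSSessionConfiguration restarts WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $sessionFile)) {
    throw "Session configuration file $sessionFile is not valid"
}
Register-PSSessionConfiguration -Name 'Discovery' -Path $sessionFile -Force

# 4. Verify from the discovery account (a member of CONTOSO\IT-Discovery): only the
#    listed commands exist in the session, and a write attempt is rejected.
$cred    = Get-Credential 'CONTOSO\svc-discovery'
$session = New-PSSession -ComputerName 'localhost' -ConfigurationName 'Discovery' -Credential $cred
Invoke-Command -Session $session -ScriptBlock { Get-Command } | Select-Object Name
Invoke-Command -Session $session -ScriptBlock { Get-Service -Name Spooler } | Select-Object Name, Status
# Not in the role capability, so the endpoint refuses it (CommandNotFoundException).
Invoke-Command -Session $session -ScriptBlock { Stop-Service -Name Spooler } -ErrorAction Continue
Remove-PSSession $session
```

Two design notes. The virtual account is a member of the local Administrators group by default, which is exactly why the role capability must expose read cmdlets only; if that is too much, -RunAsVirtualAccountGroups or -GroupManagedServiceAccount on New-PSSessionConfigurationFile lets the endpoint run under a less privileged identity, which also ties JEA and gMSA together. The transcript directory is what makes the endpoint auditable: every command the discovery account runs is recorded there, so reviewers can confirm the account only ever read.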

Overview of different access options

Here are five different options for enabling access to Windows operating systems:

| Solution | Minimizes Unnecessary Privileges? (Permissions) | Restricts Access Appropriately? (Account Scope) | Comment | Complexity |
|---|---|---|---|---|
| Local Administrator | ❌ No (Full local rights — always excessive) | ✅ Yes (Access is local only) | Easy to configure, but local admin accounts have full control. Not scalable and prone to misuse or credential reuse without additional controls. | Low–Medium |
| Windows LAPS | ❌ No (Still grants full local admin rights) | ✅ Yes (Access limited via unique per-device passwords) | Rotates local administrator passwords per machine, reducing lateral movement risk. Does not reduce privilege level — account is still admin. | Medium |
| gMSA (Group Managed Service Account) | ✅ Yes (Account is service-scoped) | ✅ Yes (Access limited to defined services) | Used for running services securely with automatic password management. Privileges must still be scoped manually, but no user login allowed. | Medium |
| Domain Administrator | ❌ No (Highest-level privileges — overkill for most tasks) | ❌ No (Access is domain-wide and persistent) | Full control across the domain. Not suitable for daily routines. Avoid assigning to (human) users for routine access. | Low |
| Just Enough Administration (JEA) | ✅ Yes (Granular, task-specific access via PowerShell) | ✅ Yes (Access limited to what is explicitly allowed) | Implements least privilege by defining what users can do and see. Centralized, auditable, and supports role-based delegation through endpoints. | Medium–High |

The path to least privilege

Securing IT discovery in your Windows data center should always prioritize the principle of least privilege. By understanding this concept and evaluating the available options, you can achieve the necessary visibility without introducing unnecessary security risks. While the convenience of broader access like Domain Administrator privileges might be tempting, adopting the principle of least privilege through solutions such as Just Enough Administration offers the most effective path to a secure and well-managed Windows environment.

Just Enough Administration vs. Domain Administrator

To achieve both comprehensive control and transparency, we typically recommend Just Enough Administration to our customers, providing a pre-configured JEA template profile with all necessary permissions used during discovery. This profile can be further customized to precisely match your organization’s specific requirements. However, no matter your chosen IT Discovery access method (including local admin, domain admin, or a mix of both), passwords are always treated securely, stored encrypted on-premises in your data center, and handled with the greatest respect in vScope.

Please get in touch to discuss how you can configure a secure IT discovery in your environment.

Learn more

Read detailed documentation on the topic from the official documentation on:
