Overview
If you suspect a Liongard domain account has been compromised (for example, due to leaked credentials, unintended access, or unauthorized use), it's critical to act immediately to secure your environments.
Liongard no longer requires domain accounts for inspection workflows. Modern best practices rely on agents running as the Local System account, which significantly reduces the attack surface tied to credential misuse.
This article provides a step-by-step mitigation plan to secure your infrastructure and minimize risk.
Why This Matters
Legacy Liongard domain accounts were used historically for:
Remote Windows Server inspections
Running inspect-related commands across Active Directory
Since this approach was deprecated, domain accounts are no longer necessary. A compromised domain account can:
Provide unauthorized access to inspection systems
Enable lateral movement across domains
Increase exposure to malicious actors
By removing or remediating the account and ensuring agents run with minimum necessary permissions, you contain risk and align with modern security practices.
What's Changed
Liongard's current architecture uses:
Local System accounts for agent workloads
Cloud-managed authentication for API and integration workflows
Domain accounts only remain relevant if they were manually created by partners in legacy environments
In most cases, domain accounts can be fully removed without impacting inspection operations.
Step-by-Step Mitigation Plan
1. Remove the Liongard Domain Account
If a domain account was used for Liongard activities:
Identify all Active Directory environments where the account exists
Confirm the account's permissions and last use
Delete the domain account from each environment
Only proceed after ensuring all inspection tasks have been transitioned to local agent or cloud-managed identities.
2. Update Liongard Agent Service Accounts
Agents should run as Local System, not as a domain or service account:
On each server with a Liongard Agent installed:
Open Services
Locate LiongardAgentSVC
Verify the service's Log On As account is set to Local System
If it is not:
Change the service logon to Local System
Restart the service
Confirm the agent reconnects to the Liongard platform
Running as Local System limits the permission scope while ensuring agents function without elevated domain credentials.
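The check and change described in this step can be scripted for use on each server or through an RMM tool. The following is an added example, not Liongard's own tooling; the script name Set-AgentLogon.ps1 is hypothetical, and it assumes an elevated PowerShell session on the server where the agent is installed.

```powershell
# Added example (not Liongard's own script).
# Audits the agent service's logon account and, with -Fix, sets it to
# Local System, restarts the service, and reports the before/after state.
# Usage (hypothetical file name):
#   .\Set-AgentLogon.ps1        # audit only
#   .\Set-AgentLogon.ps1 -Fix   # change to Local System and restart
param([switch]$Fix)

$serviceName = 'LiongardAgentSVC'   # service name as given in this article
$filter      = "Name='$serviceName'"

$svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
if (-not $svc) {
    Write-Warning "$serviceName is not installed on $env:COMPUTERNAME"
    return
}

# StartName is the value shown as "Log On As" in the Services console.
$before        = $svc.StartName
$isLocalSystem = $before -eq 'LocalSystem'

if (-not $isLocalSystem -and $Fix) {
    # sc.exe expects "obj=" and the account name as separate arguments.
    & sc.exe config $serviceName obj= LocalSystem | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed with exit code $LASTEXITCODE"
    }
    Restart-Service -Name $serviceName -Force
    # Re-read the service so the report reflects the applied change.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
}

# One record per server: keep it as evidence of the before/after state.
[pscustomobject]@{
    Server       = $env:COMPUTERNAME
    LogOnBefore  = $before
    LogOnAfter   = $svc.StartName
    State        = $svc.State
    Compliant    = $svc.StartName -eq 'LocalSystem'
    CheckedAtUtc = (Get-Date).ToUniversalTime().ToString('s')
}
```

The output record captures the service configuration before and after the change, which is the same detail Support asks for when troubleshooting.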
3. Verify Agent Functionality After Change
Once Local System is set:
Check each agent's heartbeat in Liongard
If heartbeats are missing or agents go offline:
Reinstall the agent using the Liongard Agent Install Script (this ensures correct configuration)
Optionally streamline reinstallations using RMM tools and the script
⚠️ The agent must be mapped to the correct Liongard environment for inspection workflows to resume.
After Mitigation: Best Practices
Practice | Why It Matters |
Remove unnecessary domain accounts | Reduces attack surface |
Use Local System for agents | Limits credential misuse |
Rotate API keys and integration secrets | Prevents unauthorized access |
Enable MFA for all Liongard users | Improves authentication security |
Audit recent inspection activity | Detects potential unauthorized actions |
Liongard's Cyber Risk Dashboard can surface authentication and user risks (e.g., missing MFA) if inspectors are operational.
FAQs
Q: Will removing the domain account break inspections?
A: Not if you have migrated inspections to agents running as SYSTEM. Domain accounts are not required for modern workflows.
Q: What if an agent fails after changing the service account?
A: Reinstall the agent with the Liongard Agent Install Script and ensure it's assigned to the correct Liongard environment.
Q: Should I rotate all keys and secrets after a compromise?
A: Yes, any API key, access key, token, or integration secret exposed during a compromise should be rotated.
Q: Does Liongard monitor compromised accounts automatically?
A: Liongard has risk indicators (e.g., in the Cyber Risk Dashboard) but does not automatically remediate compromised accounts on your behalf. Monitoring and response are a joint responsibility.
When to Contact Support
If you experience issues during or after mitigation, use the Support Chat in your Liongard instance.
Please include:
Summary of why the domain account was removed
Servers/Environments affected
Agent service configuration before/after changes
Screenshots of agent statuses or inspection failures
Logs showing heartbeat or connection errors
Detailed information helps Support diagnose and advise faster.
Summary
Domain accounts are no longer required for Liongard inspections and pose a security risk when compromised.
Removing them and converting agents to Local System improves security posture.
Validate agent operation after changes and rotate any exposed keys.
Contact Support with relevant details if you encounter issues.