Windows Icinga2 Service permissions


i am using the Icinga2 client to monitor multiple Windows Servers and Clients. As stated in the documentation, the “update-windows” check will need elevated privilegs and thus can be run as “LocalSystem” instead of “NetworkService”.

The same seems to be true for a Powerhell script I use to monitor replication status of several Hyper-V VMs. Since this is happening on one of our Hypervisors I was wondering if running the Icinga2 Service under LocalSystem poses a security risk? Are there any best practice recommendations as to how to solve this?