In the past, a company-specific standard was usually used for the local administrator passwords. But what do you do if an employee who knows the standard password leaves the company?
Right, it should be changed. In the past group policies (GPO) were used for this, even if the password was in clear text in SysVol. Fortunately, Microsoft put a stop to this. What other solutions are there? In practice, you can use VBS or PowerShell scripts, the good ones have random passwords, the bad ones just a standard.
But isn’t there a well thought-out solution from Microsoft? Yes, there is, Local Administrator Password Solution (LAPS).
Microsoft LAPS is a password manager that utilizes Active Directory to manage and rotate passwords for local Administrator accounts across all of your Windows endpoints. By ensuring that all local Administrator accounts have unique, complex passwords, LAPS helps mitigate the risk of lateral movement and privilege escalation: An attacker who compromise one local Administrator account can’t move laterally to other endpoints simply by using the same password.
A benefit over other password managers is that LAPS does not require additional computers to manage these passwords; it’s done entirely through Active Directory components. Plus, you can download and use LAPS for free.
LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers. LAPS stores the password for each computer’s local administrator account in Active Directory, secured in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.
One of the most detrimental misconfigurations on a Windows network is setting the same password for all local administrator accounts. It happens everywhere. Even if you’ve streamlined your endpoint rollouts with imaging software, it’s just easier to make that admin login the same across the organization. The support staff and management software can use it without needing to worry about remembering a password schema. Who else can benefit from this ease of configuration? Malicious actors, worms, viruses, ransomware just to name a few.
Once a password hash has been stolen, it can be used over and over again on any computer that has that same user/password locally. A common tool for this credential stealing is Mimikatz, a tool that can dump passwords and other authentication methods such as kerberos tickets out of memory and use those to escalate from a normal under-privileged account to an administrator account.
The primary defense against Mimikatz (and other privilege escalation) is limiting administrative privileges to only those users that need it. That’s definitely easier said than done, especially in an enterprise environment that has been around for a long time. It’s common to start at a company where you find a network that was built without design or security in mind. Many times least privilege wasn’t a consideration when a piece of software or business function just needed to work.
Luckily in 2015 Microsoft came up with an integrated solution for this. LAPS enables admins to manage the local account passwords of domain-joined computers.
LAPS protects these passwords by storing them in an access-control list (ACL) within AD (Active Directory), so only users with access rights can read or request a password reset.
Signs your computer has a virus and what to do about it Try Free 1 Month Trial What is a computer virus? A computer virus