Good credential hygiene means not exposing credentials on a potentially compromised system when those credentials can be used to compromise other systems. Credentials can be a password, an account's NTLM hash, or a Kerberos TGT. When credentials like these are stolen, the entire company is potentially at risk. That's where Microsoft's Local Administrator Password Solution (LAPS) can come into play.
The Local Administrator Password Solution (LAPS) provides centralized storage of local administrator passwords in Active Directory (AD) without requiring any additional servers. Each organization's domain administrators determine which users, such as helpdesk admins, are authorized to read the passwords. LAPS provides a simple, secure, and, most importantly, free solution for securing local administrator accounts.
LAPS not only simplifies password management, it also helps organizations implement defenses against cyber-attacks. It mitigates the risk of lateral movement that arises when the same local administrator account and password are used on multiple devices. The mechanism is elegant and lightweight: on each Active Directory domain-joined system, LAPS periodically sets the local admin account password to a new random, unique value and stores that password in a confidential attribute on the corresponding computer object in Active Directory, where only specifically authorized users can retrieve it.
The big issue with credentials is that it only takes one technician with a privileged account making one mistake, just one time, to lead to a domain-wide compromise.
For example, let's say your helpdesk technicians each have a domain account that is granted administrative rights on all workstations in the domain. A user reports a computer issue, so the helpdesk technician logs on remotely to the workstation using their privileged domain account, not realizing that the workstation has been compromised with credential theft malware. Depending on how they logged on, the account credentials could be stolen, and the thief can now gain administrative control over all workstations.
Now let's say that instead of using a privileged domain account, the helpdesk technician retrieves the LAPS password for that workstation and logs on with the LAPS-managed local administrative account. Credential theft is no longer a domain-wide issue: if the thief gets the hash or even the plaintext password, it is useful only on the computer that the thief already controls.
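The workflow described above, written out as an added PowerShell example (this is not code from the original post or from Microsoft's LAPS documentation). It uses the cmdlets of the legacy LAPS module (AdmPwd.PS): a domain admin delegates read rights for an OU, audits who holds them, and a helpdesk technician then retrieves the password for one workstation, uses it only against that workstation, and expires it afterwards. The OU path, group name and computer name are assumed placeholders.

```powershell
# Added example, not from the original post. OU path, group and computer name
# below are assumed placeholders; replace them with your own values.
Import-Module AdmPwd.PS

$Workstation = 'WKS-0421'                             # assumed computer name
$Ou          = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$HelpdeskGrp = 'CORP\Helpdesk-LocalAdmin'             # assumed AD group

# 1. One-time setup by a domain admin: allow each computer to write its own
#    password and expiry into AD, and allow only the helpdesk group to read it.
Set-AdmPwdComputerSelfPermission -OrgUnit $Ou
Set-AdmPwdReadPasswordPermission -OrgUnit $Ou -AllowedPrincipals $HelpdeskGrp

# 2. Periodic audit: who can actually read LAPS passwords under this OU?
#    Any holder beyond the intended group (plus built-in admins) deserves a look.
Find-AdmPwdExtendedRights -Identity $Ou |
    Select-Object ObjectDN, ExtendedRightHolders

# 3. Helpdesk session: fetch the password for exactly this one machine...
$laps = Get-AdmPwdPassword -ComputerName $Workstation
if (-not $laps.Password) { throw "No LAPS password stored for $Workstation" }
$cred = New-Object System.Management.Automation.PSCredential(
    '.\Administrator',   # the LAPS-managed local account, never a domain account
    (ConvertTo-SecureString $laps.Password -AsPlainText -Force))

# ...and use it only against that machine. Even if the workstation is already
# compromised, the credential exposed here is valid nowhere else.
Invoke-Command -ComputerName $Workstation -Credential $cred -ScriptBlock { hostname }

# 4. After the session, expire the password so LAPS rotates it at the next
#    policy refresh; the value the technician saw stays short-lived.
Reset-AdmPwdPassword -ComputerName $Workstation
```

Step 4 is the part practitioners most often skip: without an expiry after use, the password a technician retrieved stays valid until the normal rotation interval elapses. On current Windows versions the built-in Windows LAPS module offers the same operations under different names (Get-LapsADPassword, Find-LapsADExtendedRights, Set-LapsADReadPasswordPermission and Set-LapsADPasswordExpirationTime).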
If you’re interested in how to deploy LAPS, how it could help improve your organization’s security or have any questions at all, contact Interlink today and we can help. Our technicians are experienced and knowledgeable with this product, so we are here to answer any of your questions about LAPS, security in general or user identity protection.