Keeping your organization secure is a top priority – so what is credential hygiene and why is it important?
Good credential hygiene means not exposing credentials on a potentially compromised system when those credentials can be used to compromise other systems. A credential can be a password, an account’s NTLM hash, or a Kerberos ticket-granting ticket (TGT); an attacker who captures any of these from one machine can usually reuse it elsewhere, so a single stolen credential can put the entire company at risk. That’s where Microsoft’s Local Administrator Password Solution (LAPS) comes into play.
Local Administrator Password Solution (LAPS)
The Local Administrator Password Solution (LAPS) provides centralized storage of local administrator passwords in Active Directory (AD), with no additional servers or infrastructure. Each organization’s domain administrators decide which users, such as helpdesk staff, are authorized to read the passwords. LAPS is a simple, secure and, most importantly, free solution for securing local administrator accounts.
LAPS not only simplifies password management but also helps organizations implement defenses against cyber-attacks. In particular it mitigates the risk of lateral movement that arises when the same local administrator account and password are used on many devices: a credential stolen from one machine is then valid on all of them. LAPS is an elegant and lightweight mechanism for Active Directory domain-joined systems: a Group Policy client-side extension periodically sets each computer’s local administrator password to a new random, unique value and stores it in a confidential attribute (ms-Mcs-AdmPwd) on the corresponding computer object in Active Directory, where only specifically authorized users can retrieve it.
- Simplifies password management at no cost
- Helps customers implement a defense against cyber attacks
- Mitigates the risk of lateral movement when customers have the same administrative local account and password combination on multiple computers
Why Use LAPS Compared to Similar Products?
- Periodically randomizes local administrator passwords, and writes the new password to AD first: the local password is changed only after the update to AD succeeds, so the stored password never gets out of step with the real one
- Centrally store secrets in existing infrastructure - Active Directory (AD)
- Control access via AD ACL permissions
- Transmits passwords from client to AD over a connection protected by Kerberos encryption (AES cipher by default). Note that the password is stored in the AD attribute in cleartext; the attribute’s confidential flag and the ACL are what protect it at rest, so delegating read rights deserves the same care as any other privileged access
- Supported Operating Systems: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
- Active Directory: Windows 2003 SP1 or later
- Managed Machines: Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later
- Management Tools: .NET Framework 4.0, PowerShell 2.0 or later
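The delegation model described in the list above (passwords written by the computer itself, readable only by authorized principals, controlled through AD ACLs) is configured with the AdmPwd.PS PowerShell module that ships with LAPS. The following is an added example, not code from the original post or from Microsoft; the OU name, group names and the list of expected right holders are assumptions for illustration.

```powershell
# Added example: delegate LAPS permissions on one OU and audit who can
# actually read the passwords. Run on a management host with AdmPwd.PS
# installed and the Active Directory module available.
Import-Module AdmPwd.PS -ErrorAction Stop

$ou        = 'OU=Workstations,DC=corp,DC=example'   # assumed OU holding the managed computers
$readers   = 'CORP\Helpdesk-LAPS-Readers'           # assumed group allowed to read passwords
$resetters = 'CORP\Helpdesk-LAPS-Resetters'         # assumed group allowed to force early rotation

# 1. Extend the schema once per forest (requires Schema Admins). This adds the
#    ms-Mcs-AdmPwd (confidential) and ms-Mcs-AdmPwdExpirationTime attributes
#    to the computer class.
Update-AdmPwdADSchema

# 2. Let each computer write its own password and expiration time. Without this
#    the client cannot store the new password in AD, and because the AD write
#    happens first, it will not change the local password either.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Grant read access to the stored password only to the helpdesk group.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# 4. Allow a (possibly narrower) group to expire a password so it rotates early,
#    for example after a technician has used it.
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters

# 5. Audit. Any principal holding "All extended rights" on the OU can read the
#    confidential attribute regardless of step 3, so list the holders and flag
#    anyone not on the expected list (the expected list below is an assumption).
$expected = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', $readers)

Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
    $extra = $_.ExtendedRightHolders | Where-Object { $_ -notin $expected }
    if ($extra) {
        Write-Warning ("{0}: unexpected extended-rights holders: {1}" -f $_.ObjectDN, ($extra -join ', '))
    }
}
```

Steps 1 and 2 are the ones most often skipped in the field; step 5 is the check to repeat whenever OU permissions change, since a group delegated "full control" on the OU for unrelated reasons silently gains read access to every LAPS password beneath it.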
How does LAPS work?
The big issue with credentials is that it takes only one technician with a privileged account making one mistake, one time, to open the door to a domain-wide compromise.
For example, let’s say your helpdesk technicians each have a domain account that is granted administrative rights on all workstations in the domain. One user reports a computer issue, so the technician logs on to the workstation remotely using that privileged domain account, not realizing that the workstation has already been compromised with credential-theft malware. If the logon was interactive (RDP, a console logon, or “Run as administrator”), the account’s password hash, and possibly the password itself, now sits in LSASS memory on that workstation where the malware can read it, and the thief can use that single account to take administrative control of every workstation it has rights on.
Now let’s say that instead of using a privileged domain account, the technician retrieves the LAPS password for that workstation and logs on with the LAPS-managed local administrator account. Credential theft on that machine no longer leads anywhere: if the thief gets the hash or even the plaintext password, it is valid only on the computer the thief already controls, because every other machine has a different random password, and it stops working as soon as LAPS next rotates it. Two things still matter in this model. The account that is allowed to read LAPS passwords is itself a high-value target, so it should be used from a trusted management host and never for interactive logons to the workstations it administers; and the password a technician has seen should be expired once the job is done rather than left valid until its scheduled rotation.
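The helpdesk workflow just described, written out in PowerShell with the AdmPwd.PS module, as an added example that is not part of the original post. It reads the workstation’s current LAPS password, builds a credential bound to the local account, runs the support task over a network logon, and then expires the password so it rotates at the next Group Policy refresh. The computer name, the local account name and the diagnostic task are assumptions.

```powershell
# Added example: use the LAPS-managed local account for a support session
# instead of a domain account that is an administrator everywhere.
Import-Module AdmPwd.PS -ErrorAction Stop

function Invoke-LapsSession {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$LocalAccount = 'Administrator',      # or the name configured in the LAPS policy
        [Parameter(Mandatory)][scriptblock]$ScriptBlock
    )

    # Read the stored password from the computer object. This needs the delegated
    # read permission and talks only to a domain controller, not to the workstation.
    $laps = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $laps.Password) {
        throw "No LAPS password stored for $ComputerName (policy not yet applied, or no read permission)."
    }
    if ($laps.ExpirationTimestamp -lt (Get-Date)) {
        Write-Warning "Stored password for $ComputerName expired at $($laps.ExpirationTimestamp); the client rotates it at its next policy refresh, so this value may be stale."
    }

    # Qualify the user name with the computer name so Windows treats it as a local
    # account; a bare 'Administrator' would be resolved against the domain.
    $secure = ConvertTo-SecureString -String $laps.Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential ("$ComputerName\$LocalAccount", $secure)
    $laps   = $null   # drop our reference to the plaintext once the credential exists

    try {
        # Network logon over WinRM: the only credential the workstation sees is one
        # that is valid for the workstation itself.
        Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock $ScriptBlock
    }
    finally {
        # Set the expiration time to now. The LAPS client picks a new random
        # password at its next Group Policy refresh, so the value the technician
        # saw does not stay valid until the scheduled rotation.
        Reset-AdmPwdPassword -ComputerName $ComputerName
    }
}

# Usage (assumed workstation name): pull the last 20 failed logons from the
# workstation's Security log without exposing a domain administrator to it.
Invoke-LapsSession -ComputerName 'WS-0417' -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 20 |
        Select-Object TimeCreated, Id, Message
}
```

Run this from the technician’s management host, not from the workstation being repaired; the domain account that holds the LAPS read permission is exactly the one that must never be typed into a machine that might be compromised.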
If you’re interested in how to deploy LAPS, how it could help improve your organization’s security or have any questions at all, contact Interlink today and we can help. Our technicians are experienced and knowledgeable with this product, so we are here to answer any of your questions about LAPS, security in general or user identity protection.