Microsoft have attempted to address the challenge of managing local administrator credentials by releasing the Local Administration Password Solution (LAPS).
There are commercial solutions in this space; however, many organisations either use the same password across machines or rely on other methods, such as shared spreadsheets, to manage individual passwords.
Using shared credentials on a network is bad security practice and can lead to a number of problems, such as:
- More people have access to, or discover, the password. Word gets around, and you will find the password attached to computers on sticky notes or label-maker labels, or written on the computer itself in plain sight.
- Shared passwords are rarely changed, so ex-employees and contractors retain the ability to access systems.
- Networks whose computers share a local administrator password are more vulnerable to credential replay attacks such as pass-the-hash (PtH). As a result, attackers and malware can traverse the network more easily.
- Users with access to these accounts can install non-standard software, such as games, or remove protective controls such as antivirus.
- Accountability issues. When arbitrary users can use the Administrator account they become anonymised, and it is difficult to determine from the log files which individual actually made system changes.
How it works:
Install LAPS to automatically manage local administrator account passwords on domain-joined computers so that passwords are unique on each managed computer, randomly generated, and centrally stored in Active Directory infrastructure.
LAPS stores the password for each computer’s local administrator account in Active Directory, in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.
The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution’s management tools provide easy configuration and administration.
The tool also re-randomises the local passwords on an ongoing basis. More information on the Microsoft Local Administrator Password Solution (LAPS) can be found here.
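The deployment steps described above (schema extension, letting each computer write its own password, delegating read access to authorised groups, and retrieving or rotating a password) map onto the cmdlets in the AdmPwd.PS module that ships with the LAPS management tools. The script below is an added example, not code from the original article or from Microsoft; the OU distinguished name, the domain and group names, and the computer name WKS-001 are placeholders assumed for this example, and the schema step requires Schema Admins rights and is run once per forest.

```powershell
# Added example: a LAPS rollout with the AdmPwd.PS module.
# The OU, group and computer names below are placeholders assumed for this
# example and do not come from the original page.
Import-Module AdmPwd.PS

$ou        = "OU=Workstations,DC=example,DC=com"   # assumed OU holding the managed computers
$readers   = "EXAMPLE\Helpdesk-Admins"            # assumed group allowed to read passwords
$resetters = "EXAMPLE\Helpdesk-Admins"            # assumed group allowed to force a reset

# 1. Extend the schema once per forest (needs Schema Admins). This adds the
#    confidential ms-Mcs-AdmPwd attribute and ms-Mcs-AdmPwdExpirationTime to
#    the computer class.
Update-AdmPwdADSchema

# 2. Allow each computer in the OU to write its own password and expiry time.
#    SELF is granted write access to the two attributes only.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Audit before delegating: any principal that already holds "All extended
#    rights" on the OU can read the confidential attribute regardless of the
#    delegation below, so review this list and remove rights that are not intended.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# 4. Delegate read (and, optionally, reset) of the password to the helpdesk group.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters

# 5. Retrieve the current password for one machine, then mark it expired so the
#    client-side extension generates a new one at the next Group Policy refresh.
Get-AdmPwdPassword -ComputerName "WKS-001" |
    Select-Object ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName "WKS-001"
```

The client-side extension must also be installed on the managed computers, and the "Enable local admin password management" setting from the AdmPwd.admx template must be enabled in a Group Policy Object linked to that OU; otherwise the computers never write a password and step 5 returns nothing. Because the password is returned in clear text, read access should be delegated to as small a group as the helpdesk workflow allows, and the Find-AdmPwdExtendedRights output in step 3 is the check that confirms nobody else can read it.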
The LAPS tool can assist organisations to comply with the Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber Intrusions, specifically control #9 (Disable local administrator accounts), and with Information Security Manual (ISM) Control 0383 (rev 4).
Control 0383 states: “Agencies must ensure that default operating system accounts are disabled, renamed or have their passphrase changed.”
Even though the overall objective of the ISM control is for organisations to disable local administrative accounts, the LAPS tool can help in circumstances where this is not an option.
The controls above are extracted from the 2015 Information Security Manual (ISM) Controls.