Tech Tidbit – Managing and Protecting Local Administrator Accounts

March 18th, 2024

Microsoft has tried hard to increase awareness of "pass the hash" attacks. They have been patching, but the threats keep coming. Back in April Microsoft released something quite awesome - their next-generation Local Administrator Password Solution (LAPS).

Quite simply, LAPS automatically rotates the password of a designated "local administrator" account on each endpoint. For example, with 200 endpoints, a properly implemented LAPS keeps 200 different local administrator passwords rotating automatically, while your technical staff can still look any of them up easily. LAPS is free.

In the April Windows Updates Microsoft embedded the LAPS functionality in Windows 10, Windows Server 2019, and Windows Server 2022. Microsoft's release was a little confusing, as "new LAPS" is incompatible with "old LAPS".

I am not going to go into all the technical details here. However, there are a couple of big-picture concepts and features you need to understand to get the most out of LAPS:

  1. Make sure the April updates have been installed.
  2. Uninstall "old LAPS" on all Windows 10, Windows Server 2019, and Windows Server 2022 machines. It is incompatible with "new LAPS".
  3. Set up the "new LAPS" group policy. It is separate from, and different than, the old LAPS group policy.
  4. For any other operating system (i.e., Windows Server 2016, Windows Server 2012, and Windows Server 2012 R2), continue to use the "old LAPS" using the old LAPS group policy.
  5. "New LAPS" also contains traditional LAPS functionality for Azure AD and Hybrid Azure AD joined machines for the first time!
  6. New LAPS has an improved Active Directory password interface without the "old LAPS" confusing rights customization.

I urge you to make the "new LAPS" rollout part of your summer work. We are happy to help you sort out "new LAPS" vs. "old LAPS" with the Azure AD/Hybrid Azure AD joined twist.

It is not a huge project to implement this district-wide.

It is vital that you shore up your local administrator credential security strategy by fully implementing LAPS on your network.

BONUS - While not part of LAPS, I believe that implementing Microsoft's local account lockout policy at the same time as LAPS will, for the first time, let you see whether an attacker is attempting to brute-force a local administrator password. Right now, an attacker could generate unlimited logon attempts against a local ID and you would probably never realize it was going on.
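To check a single endpoint against the numbered list above and the lockout bonus, here is an added PowerShell readiness check (example code, not from the original post or from Microsoft). It assumes the legacy LAPS client-side extension lives at the path shown, that "new LAPS" and "old LAPS" policy settings land under the two registry keys shown, that the inbox Windows LAPS PowerShell module is named LAPS, and that `net accounts` prints English labels.

```powershell
# Added example: report one machine's "new LAPS" vs. "old LAPS" state plus
# the local lockout threshold. Run locally, or remotely via Invoke-Command.
function Get-LapsReadiness {
    $os = Get-CimInstance Win32_OperatingSystem

    # Item 4: only the OS versions the post names get "new LAPS";
    # everything else keeps running "old LAPS".
    $newLapsCapable = $os.Caption -match 'Windows 10|Server 2019|Server 2022'

    # Item 1 (proxy): the inbox LAPS module only exists once the April update is on.
    $newLapsModule = [bool](Get-Module -ListAvailable -Name LAPS)

    # Item 2: the legacy LAPS client-side extension (assumed install path).
    $legacyCse = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"

    # Item 3: "new LAPS" policy is a different key than the "old LAPS" policy.
    $newPol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
    $oldPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue

    # Bonus: "Never" means unlimited guesses against a local ID go unnoticed.
    $line      = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    $threshold = ($line -split ':\s*')[-1].Trim()

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        OS               = $os.Caption
        NewLapsCapable   = $newLapsCapable
        NewLapsModule    = $newLapsModule
        LegacyCseFound   = $legacyCse
        NewLapsPolicy    = [bool]$newPol
        OldLapsPolicy    = [bool]$oldPol
        LockoutThreshold = $threshold
        Findings         = @(
            if ($newLapsCapable -and -not $newLapsModule) { 'April update missing (item 1)' }
            if ($newLapsCapable -and $legacyCse)          { 'Uninstall old LAPS (item 2)' }
            if ($newLapsCapable -and -not $newPol)        { 'New LAPS policy not applied (item 3)' }
            if (-not $newLapsCapable -and -not $oldPol)   { 'Old LAPS policy not applied (item 4)' }
            if ($threshold -eq 'Never')                   { 'No local lockout threshold (bonus)' }
        )
    }
}

Get-LapsReadiness | Format-List
```

An empty Findings list means the machine matches the post's checklist; anything listed is the item to fix before calling the rollout done.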

We are happy to help you sort out all of this and add the bonus functionality along the way. Give us a call.

-Scott Quimby, CISSP