Tech Tidbit – You need to implement this free, simple local account lock out policy ASAP

March 26th, 2024
As we attempt to harden our networks and strengthen our passwords, I wanted to revisit something I have talked about in various settings: password lock-out policies.

Since the beginning of time, we have had a basic password lock-out policy. It is generally something like 5 failed password attempts within 5 minutes gets you locked out for 15 minutes. However, until last year I did not realize that Microsoft did not enforce our basic password lock-out policies against local login attempts.

Microsoft has now added a local Group Policy setting that can be turned on to address this gross deficiency in our security posture.

Conceptually, you have a student with limited access to their workstation. That student clicks on something bad. That malware finds a home in the student's local profile, where they have all rights. The malware then scans and maps the network and sends that home to the attackers. The name of the game in attacking your network is to identify the core users and machines that interact with personally identifiable information (PII) and money. Once those machines have been identified, the attackers will attempt lateral movement across your network to hack into those machines to finalize their attack.

Until this new policy is implemented, an attacker can indefinitely attempt to hack the local administrator password on your servers and workstations without ever being locked out! Since it is not a network ID, it won't show up in the normal network lockout reports either. Once this policy is turned on, the local account will lock out identically to the network accounts, shutting down these brute-force hacking attempts promptly.

While this is a local-only policy, we can leverage Group Policy Preference Extensions (GPPE) to easily push this to every endpoint.
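One way to confirm on an endpoint that the lockout baseline described above actually took effect after the push (an added PowerShell check, not part of the original post; it assumes the secedit INF key names noted in the comments and must run elevated):

```powershell
# Added check: export the effective local security policy with secedit and
# verify the baseline from the post (5 bad attempts, 5-minute counter reset,
# 15-minute lockout) plus the newer "Allow Administrator account lockout" setting.
# Assumptions: Windows 10/11 or Server 2022 with the October 2022 update or later;
# the [System Access] key names LockoutBadCount, ResetLockoutCount, LockoutDuration
# and AllowAdministratorLockout are the ones secedit writes and are assumed here.

$inf = Join-Path $env:TEMP 'local-policy.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed (run from an elevated prompt)' }

# Parse "Key = Value" lines of the [System Access] section into a hashtable.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $policy[$Matches[1]] = $Matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Expected baseline. A missing key means "not defined"; for LockoutBadCount that
# equals 0, i.e. no lockout at all, which is exactly the gap the post describes.
# LockoutDuration of -1 in the INF means "until an administrator unlocks".
$checks = @(
    @{ Key = 'LockoutBadCount';           Want = '1-5 attempts';   Test = { param($v) [int]$v -ge 1 -and [int]$v -le 5 } }
    @{ Key = 'ResetLockoutCount';         Want = '>= 5 minutes';   Test = { param($v) [int]$v -ge 5 } }
    @{ Key = 'LockoutDuration';           Want = '>= 15 min or -1'; Test = { param($v) [int]$v -ge 15 -or [int]$v -eq -1 } }
    @{ Key = 'AllowAdministratorLockout'; Want = '1 (enabled)';    Test = { param($v) [int]$v -eq 1 } }
)

$failed = 0
foreach ($c in $checks) {
    $value = $policy[$c.Key]
    $ok = ($null -ne $value) -and (& $c.Test $value)
    if (-not $ok) { $failed++ }
    $shown = if ($null -eq $value) { 'not defined' } else { $value }
    '{0,-4} {1,-26} current={2,-12} want={3}' -f ($(if ($ok) { 'PASS' } else { 'FAIL' })), $c.Key, $shown, $c.Want
}

# Non-zero exit code lets a GPP scheduled task or RMM job flag non-compliant machines.
exit $failed
```

Run it from a scheduled task or your RMM and collect the exit code; machines that still report LockoutBadCount as not defined are the ones where local administrator passwords remain open to unlimited guessing.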

That, combined with Microsoft's free LAPS (Local Administrator Password Service), should dramatically harden your local passwords, making it substantially harder to hack into individual workstations.

If you still haven't implemented Microsoft LAPS and more specifically the new LAPS that came out in April, we need to talk ASAP to get that done.

If you need help getting that simple but vital local lock-out policy in place, please let us know.

-Scott Quimby, CISSP