I’ll show you the major components of LAPS such as:
- LAPS schema extensions to AD
- Local LAPS agent
- Client-side GPO extension
- Interactive LAPS application
- PowerShell tools
Then as we shift to the security and risks of LAPS we’ll consider:
- How attackers might use LAPS to gain information about the environment
- LAPS vulnerabilities and attack methods
- Important LAPS best practices and security checks you should run if you are using LAPS
At the end of the day, most security researchers agree that LAPS is a decent implementation for what it does but it is very much a point solution. It only addresses the local Administrator account which is one very important but narrow issue when it comes to privileged account management.
We should never be using the local administrator account anyway for any kind of normal day-to-day administration. The local admin account is a necessary evil just like root on Unix; it’s there for when your domain and local systems are so fried the only way to access the system is with a local privileged account. A generic, all powerful account with no accountability between IT staff.
In addition to everything else you do to secure Administrator, if you are following best practice and avoid ever using Administrator, then you should set a highest level alert in your SIEM for whenever it sees a successful logon by Administrator – or whatever you renamed it to.
So, implementing LAPS – securely – and doing the necessary monitoring of LAPS related attributes in AD and LAPS events on member computers will help you reduce the risks associated with “Administrator”. But we’ll take it further with our sponsor BeyondTrust, who will briefly show you how their technology suite provides comprehensive management of privilege across the entire AD/Windows/Unix environment including passwords, least privilege and auditing.
Please join us for this on-demand real training for free solution.