I’ll show you the major components of LAPS such as:
- LAPS schema extensions to AD
- Local LAPS agent
- Client-side GPO extension
- Interactive LAPS application
- PowerShell tools
Then as we shift to the security and risks of LAPS we’ll consider:
- How attackers might use LAPS to gain information about the environment
- LAPS vulnerabilities and attack methods
- Important LAPS best practices and security checks you should run if you are using LAPS
At the end of the day, most security researchers agree that LAPS is a decent implementation for what it does but it is very much a point solution. It only addresses the local Administrator account which is one very important but narrow issue when it comes to privileged account management.
We should never be using the local administrator account anyway for any kind of normal day-to-day administration. The local admin account is a necessary evil just like root on Unix; it’s there for when your domain and local systems are so fried the only way to access the system is with a local privileged account. A generic, all powerful account with no accountability between IT staff.
In addition to everything else you do to secure Administrator, if you are following best practice and avoid ever using Administrator, then you should set a highest level alert in your SIEM for whenever it sees a successful logon by Administrator – or whatever you renamed it to.
So, implementing LAPS – securely – and doing the necessary monitoring of LAPS related attributes in AD and LAPS events on member computers will help you reduce the risks associated with “Administrator”. But we’ll take it further with our sponsor BeyondTrust, who will briefly show you how their technology suite provides comprehensive management of privilege across the entire AD/Windows/Unix environment including passwords, least privilege and auditing.
Please join us for this on-demand real training for free solution.
Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory security who specializes in Windows and Active Directory security. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies, national, and international organizations.
Randy Franklin Smith began his career in information technology in the 1980s developing software for a variety of companies. During the early 1990s, he led a business process re-engineering effort for a multi-national organization and designed several mission critical, object-oriented, client/server systems. As the Internet and Windows NT took off, Randy focused on security and led his employer's information security planning team. In 1997, he formed Monterey Technology Group, Inc. where he serves as President.