I’ll show you the major components of LAPS such as:
Then as we shift to the security and risks of LAPS we’ll consider:
At the end of the day, most security researchers agree that LAPS is a decent implementation for what it does but it is very much a point solution. It only addresses the local Administrator account which is one very important but narrow issue when it comes to privileged account management.
We should never be using the local administrator account anyway for any kind of normal day-to-day administration. The local admin account is a necessary evil just like root on Unix; it’s there for when your domain and local systems are so fried the only way to access the system is with a local privileged account. A generic, all powerful account with no accountability between IT staff.
In addition to everything else you do to secure Administrator, if you are following best practice and avoid ever using Administrator, then you should set a highest level alert in your SIEM for whenever it sees a successful logon by Administrator – or whatever you renamed it to.
So, implementing LAPS – securely – and doing the necessary monitoring of LAPS related attributes in AD and LAPS events on member computers will help you reduce the risks associated with “Administrator”. But we’ll take it further with our sponsor BeyondTrust, who will briefly show you how their technology suite provides comprehensive management of privilege across the entire AD/Windows/Unix environment including passwords, least privilege and auditing.
Please join us for this on-demand real training for free solution.
Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory security who specializes in Windows and Active Directory security. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies, national, and international organizations.