They can, that is, provided that their use isn’t blocked by security policy – which our baselines do today.
With LAPS – or in fact, with any solution that makes local account passwords unique and not guessable – using local accounts for remote computer management actually offers some advantages over using domain accounts. Not only does LAPS neutralize both the pass-the-hash and well-known-secret problems, it creates new opportunities for remote management. LAPS is an elegant and lightweight mechanism for Active Directory domain-joined systems that periodically sets each computer’s admin account password to a new random and unique value, storing the password in a secured confidential attribute on the corresponding computer object in Active Directory where only specifically-authorized users can retrieve it. Local Administrator Password Solution (LAPS) But by far the biggest problem is that an attacker with administrative rights on one machine can easily obtain the account’s password hash from the local Security Accounts Manager (SAM) database and use it to gain administrative rights over the other machines using “pass the hash” techniques. One problem with that is that the common password often becomes a well-known secret over time with no way to revoke access from anyone who ever received it.
It was typical for an entire organization to have an administrative local user account with the same username and password on every Windows computer. Back then, Windows had yet to offer anything resembling secure management of administrative local account credentials. Beginning in 2014 with our baselines for Windows 8.1 and Windows Server 2012R2, our security baselines have been
0 kommentar(er)
