eC4ve asked HannahXiong-MSFT commented

LAPS vs PCI DSS

I wanted to implement LAPS in my organization but it stores passwords in plaintext and I have to comply with PCI DSS requirements such as "Req. 8.2.1: Make all authentication information unreadable using strong encryption during transmission and storage on all system components."

I need to confirm if this will not put my compliance at risk.

windows-10-security windows-server-security

1 Answer

HannahXiong-MSFT answered HannahXiong-MSFT commented

Hello @eC4ve,

Thanks for posting here.

Microsoft Local Administrator Password Solution (LAPS) is a Microsoft tool that gives AD administrators the ability to manage the local account passwords of domain-joined computers and store them in AD.

Someone might be wondering whether storing the Administrator password in AD in plain text is secure.

The ms-Mcs-AdmPwd attribute in AD is a confidential attribute protected by an Access Control List (ACL). Only users with permissions to view this attribute can view the password (that is, Domain Admins and anyone else they’ve delegated access to). Keeping the same local Administrator password across large groups of systems is a much bigger security risk.


Best regards,
Hannah Xiong


Hello,

Hope you are doing well.

May I know how things are going on your end? Sorry that I am not professional with PCI DSS. As for LAPS, the Administrator password is stored in AD in plain text. But only users with permissions can view the password.

For any question or concern, please feel free to let me know.

Best regards,
Hannah Xiong
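
The answer's point that only delegated principals can read `ms-Mcs-AdmPwd` can be checked per OU. The script below is an added example, not part of the original thread: it assumes the `AdmPwd.PS` module from the LAPS management tools and the `ActiveDirectory` module are installed, and the `CONTOSO` names in the approved list are placeholders for your own delegation model.

```powershell
# Added example: list principals that can read ms-Mcs-AdmPwd on each OU
# and flag any that are not on an approved list.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Assumption: the principals you expect to hold read access.
# CONTOSO and LAPS-Readers are placeholders, not values from the thread.
$Approved = @(
    'NT AUTHORITY\SYSTEM',
    'CONTOSO\Domain Admins',
    'CONTOSO\LAPS-Readers'
)

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    # Returns the holders of the extended right needed to read the
    # confidential attribute on computer objects under this OU.
    $rights = Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName

    foreach ($holder in $rights.ExtendedRightHolders) {
        # -notcontains compares case-insensitively
        if ($Approved -notcontains $holder) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $holder
            }
        }
    }
}

if ($findings) {
    # Each row is a principal able to read stored local admin passwords
    # that was not expected; review and remove the delegation if unneeded.
    $findings | Sort-Object OU, Principal | Format-Table -AutoSize
} else {
    'No unexpected principals hold read access to ms-Mcs-AdmPwd.'
}
```

Run it from a management host with rights to read OU security descriptors; its output shows who can actually retrieve the stored passwords, which is what an access-control review of this attribute needs to establish.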
