Local Administrator Password Solution, at Ignite
Last Friday, Microsoft announced the release of the Local Administrator Password Solution, which solves the problem of having an identical local account and password on large numbers of domain-joined computers. I’ll be discussing and showing LAPS this Thursday, May 7, at the Microsoft Ignite conference, as part of a session I’m sharing with Mark Simos called Barbarians Inside the Gates: Protecting against Credential Theft and Pass the Hash Today. The session runs from 5:00pm to 6:15pm US Central time. The session code is BRK2334; [I’ll update here after I verify whether it will be broadcast live through the Ignite web site.] Jeremy Moskowitz will also discuss it during his Windows 10 Group Policy session (BRK3304), Wednesday at 9am US Central.
“Pass the hash” and other credential theft techniques have become standard operating procedure even for unsophisticated attackers once they have established control of one or more domain computers. This has made the problematic configuration of a common administrative local account with an identical password on all systems riskier than ever. Even if the account is not actively used, it can be trivially easy for an attacker with control of one computer to gain control of all other computers that have the same local account and password. The Local Administrator Password Solution (LAPS) addresses this problem with a group policy client side extension (CSE) that generates and sets a different, random password for this local account on every computer in the domain. This achieves one of the three primary recommendations in Microsoft’s whitepaper, Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, which can be downloaded from www.microsoft.com/pth. LAPS stores the password in the computer’s corresponding Active Directory object, secured in a confidential attribute. Each computer is allowed to update its own local-account password data in Active Directory, and Domain Admins can grant “read” access to authorized groups or users, such as workstation helpdesk administrators.
More information and download links here: https://support.microsoft.com/en-us/kb/3062591