Threat HUNTing Platform
Credential Risk Assessment and Remediation
ORKOS: Preventing the 9 steps to domain collapse
R9B understands the cognitive aspects of cyber operations. Our curriculum provides the hands-on technical skills students require to attain a variety of advanced cybersecurity qualifications. We instill the knowledge, skills, and abilities necessary for our students to defeat the adversary. Below are our available courses. Please check back often as our course offerings are updated regularly. Government organizations, please contact R9B directly via training@root9B.com for pricing and purchasing information.
Last time, we discussed the importance and impact of User Rights Assignments on your network. When coupled with a solid delegation model and group policy settings such as Restricted Groups, they can create a strong defensive posture for your network. In this entry, I want to address the problem of local administrative accounts and Microsoft’s budget-friendly solution known as Local Administrator Password Solution (LAPS).
Local accounts on workstations have been and continue to be a huge chink in the armor of most networks, mostly because there is no native or simple way to manage them once a workstation has been deployed in the live environment. A few of the complications that involve local accounts in an enterprise include:
Local accounts within a network can be very scary if not properly managed as adversaries use local accounts to move laterally between systems. When moving between systems whose local accounts share a password, the adversary can bypass some of your defenses as no domain authentication is required. If local accounts are not properly administered, then network defenders will leave a glaring hole in their defensive strategy. Unfortunately, there is no easy, cost-effective way of managing these local accounts while maintaining security. As such, I recommend purchasing a management platform. My recommendation, while not an easy or budget-friendly one, is a secure solution.
There are existing solutions to centrally manage local accounts within your domain. This approach will require deploying the solution within your network and dealing with the costs and limitations of the chosen solution. What you gain, though, is a central location that can manage your system’s local accounts, log administrative actions taken against those systems, and properly secure local passwords. In my opinion, acquiring a local account management platform is the best solution for the problems listed above. Of course, not every company has thousands or tens of thousands of dollars extra to purchase these platforms, and as a stopgap for those in this situation, Microsoft has created the LAPS program that you can deploy for free.
Before I start talking about LAPS, let me give you two disclaimers. First, I do not advocate using LAPS over any fully-developed, third-party solution. LAPS is free, but there are a number of limitations that come with it. Second, this is not a deployment guide but rather a list of the pros and cons of LAPS. (You can find a deployment guide here1) Microsoft created this program to help ease the burden of local administrative password management, and I want to make sure that you are informed before deciding which solution to deploy.
Now, what does LAPS do? LAPS automatically manages the local administrative account on a system by rotating its passwords. It creates a randomly-generated password that gets uploaded to a machine’s active directory object, and only authorized accounts can view the password of the local account. The process to deploy LAPS is fairly painless, and the solution is easy to manage once it is deployed to the domain. Here are some of the things that LAPS will do for your domain:
With some of the benefits listed, here are some of the limitations of LAPS:
Clearly, LAPS does not provide a complete answer to managing local accounts on a system. To increase security, you would have to pair it with other stopgap options, such as a script that deletes unneeded local users on workstations. However, deploying LAPS is better than having no solution or an extremely unsecure solution. To me, ignoring this option is like refusing to drive your old car because it doesn’t have air conditioning or power steering. Is it an ideal solution? No. Will it get you from Point A to Point B until you can acquire a different car? Yes, as long as Point B is within city limits. Sometimes, you can’t purchase all the necessary defensive solutions for the network for one reason or another. In those instances, LAPS can provide some protection to your local accounts rather than letting all the weaknesses remain as holes in the wall of your domain.
While this post focuses on workstations, the principles discussed here can be applied to servers as well. (LAPS is easier to apply to workstations as they are easier to standardize. Servers require a little bit more planning.)
Note: I would not recommend running LAPS on a domain controller as it will change the domain’s administrator’s account instead of the true local administrator account (the DSRM account).
Stop by next time to learn about critical logs occurring in your domain that can assist you in detecting lateral movement, credential abuse, or abnormal user behavior.
Until next time!
BACK TO NEWSROOM