So the thought behind these posts is to offer some very basic things that system administrators (you) can do to help secure the network. These are things I see time and time again when doing assessments and, worse, incident responses.
I will try to break these down in sysadmin talk and take off my security hat. But these will be things that your security team will respect you for doing.
Part 1 – LAPS
I had a hard time picking what to start with, there are so many, but looking back at past positions I have held and some of the more recent incidents we have investigated, this one stood out as something that should be on every sysadmin's radar. It is really easy to implement, touches a wide range of the environment, more than likely does not affect end users, and almost always fits within the budget. And to be honest, it really is a system admin's responsibility and helps with endpoint management. What we are going to discuss is LAPS, Microsoft's Local Administrator Password Solution.
Remember that password you set when you installed the OS on that laptop last year? No? Yeah... me too. Or worse... YES... it's PASSWORD1!, like it is on every other workstation and server (because we have a process that sets it). Well, that is bad: those passwords can and DO get compromised. Once they are, the worst case scenario is that the attacker now has local admin rights on all your workstations and/or servers. Best case, you forgot what was entered, or someone before you set it and never followed a process, but it is easy enough for an attacker to recover that they will have it within minutes. Let's take care of that.
OK, let's make some assumptions first: you are not using any PAM solution that does this already, or you didn't pay for that option when you purchased one of the popular ones out there (which are also expensive). Perfect! LAPS is free, well... as free as MS is. LAPS takes the local administrator password on your endpoints and rotates it on a set schedule with a strong password that is unique to each machine, making it more difficult for an attacker to compromise those passwords and preventing them from being re-used between machines (remember the "don't re-use passwords" phrase? It applies to local passwords too). So besides being free(ish), it is also easy to set up: download the software, install it on a system (not a DC), extend the schema, set the proper permissions so that not everyone can see what password LAPS has set, set your policies, TEST (TEST AGAIN), roll it out with a GPO, and let it go. Simple.
I am not going to get into the details of installing LAPS here; as you see above, it is pretty simple, and MS has instructions in the documentation, which can be found here: https://www.microsoft.com/en-us/download/details.aspx?id=46899
Things to be aware of, and I will reiterate this: you must secure the attribute that stores the password. Since LAPS stores the password for each computer object in Active Directory, and everyone in your org can read Active Directory just by running a query, you must ensure that only authorized or elevated accounts can read that password. Preferably only a tier-level account (Domain Admin, Server Admin or Workstation Admin). We will talk more about these tiered accounts in an upcoming post.
Also note the requirements in the documentation for PowerShell version, OS version and .NET version.
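As an added example (not from the original post or from Microsoft's documentation), here is what the setup steps above and the "secure the attribute" warning look like in the LAPS PowerShell module, run as a Domain Admin from a management host (not a DC) with the LAPS management tools and RSAT installed. The OU path and the "Workstation Admins" group name are assumptions; the GPO that enables the client is configured separately and is not shown.

```powershell
# Added example, not part of the original post. Assumes the LAPS management
# tools (AdmPwd.PS) and the ActiveDirectory RSAT module are installed.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Step 1: extend the schema (once per forest, needs Schema Admins). This adds the
# ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes to computer objects.
Update-AdmPwdADSchema

# Step 2: let computers in the target OU write their own password attributes.
$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'   # assumed OU path
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU

# Step 3: grant read and reset rights only to the tier group that should have them.
$WorkstationAdmins = 'CORP\Workstation Admins'           # assumed group name
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationOU -AllowedPrincipals $WorkstationAdmins
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals $WorkstationAdmins

# Step 4: audit who can actually read the password. Any principal holding
# "All extended rights" on the OU (common in older delegations) can read the
# confidential attribute too, so anything not on the expected list should be
# cleaned up before the GPO goes out.
$Expected = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', $WorkstationAdmins)
Find-AdmPwdExtendedRights -Identity $WorkstationOU -IncludeComputers:$false |
    ForEach-Object {
        foreach ($principal in $_.ExtendedRightHolders) {
            if ($Expected -notcontains $principal) {
                Write-Warning "$($_.ObjectDN): unexpected password read access for $principal"
            }
        }
    }

# Step 5 (after the GPO has applied): list computers that have never rotated.
# ms-Mcs-AdmPwdExpirationTime is set by the client on its first run, so an
# empty value means the client is missing, disabled, or not yet in scope.
Get-ADComputer -SearchBase $WorkstationOU -Filter * -Properties ms-Mcs-AdmPwdExpirationTime |
    Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
    Select-Object Name, DistinguishedName
```

Run step 4 again whenever OU delegations change; it is the quickest way to confirm that the "everyone can read AD" problem from the paragraph above has not quietly crept back in.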
In summary, IMO this is probably one of the leading things you can do as a sysadmin to help secure your environment... well, along with the 1000 other things that Security tells you to do. But... BUT... it is only a start. Like all of security, you cannot change one thing and call yourself secure.
Let me know if we need to walk through the actual install of LAPS and its settings. These can be covered separately if needed.
-k