Last year Microsoft released a tool, the Local Administrator Password Solution (LAPS), which addresses the challenges of managing local administrator credentials.
Several commercial solutions are also available, and the same goal has been pursued via Group Policy Preferences.
Using shared credentials (i.e. the same local admin password on every machine) is bad security practice and can lead to a number of problems, such as:
- One person finds out the password and word soon gets around; before long the password is attached to computers on post-it notes or Dymo labels, or written on the case in permanent marker.
- Shared passwords are rarely changed, if ever. Ex-employees and contractors will still know these!
- Your estate is more vulnerable to credential replay attacks, such as pass-the-hash (PTH).
- Users having access to these accounts will be able to install whatever they like.
- Accountability issues.
How it works:
Install LAPS to automatically manage local administrator account passwords on domain-joined computers so that passwords are unique on each managed computer, randomly generated, and centrally stored in Active Directory infrastructure.
LAPS stores the password for each computer’s local administrator account in Active Directory, in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.
The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution’s management tools provide easy configuration and administration.
The tool will also allow you to randomise the local passwords on an ongoing basis. More information on the Microsoft Local Administrator Password Solution (LAPS) can be found here.
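The delegation model described above (computers write their own password, a named group is granted read access) is set up and audited with the AdmPwd.PS module that ships with the LAPS management tools. The following is an added example, not code from the original post; the OU, group and computer names are hypothetical, and it assumes the management tools are installed and the session runs as a domain admin.

```powershell
# Added example: delegate and audit LAPS permissions with the AdmPwd.PS module.
# Hypothetical values: the OU below holds the managed computers and CORP\Helpdesk
# is the group allowed to read local admin passwords.
Import-Module AdmPwd.PS

$ou       = "OU=Workstations,DC=corp,DC=example"   # hypothetical OU
$helpdesk = "CORP\Helpdesk"                         # hypothetical group

# One-off: extend the schema with ms-Mcs-AdmPwd (the confidential attribute that
# holds the password) and ms-Mcs-AdmPwdExpirationTime.
Update-AdmPwdADSchema

# Let each computer in the OU write its own password and expiry time, and nothing else.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Grant the helpdesk group read and reset rights on the password attribute.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $helpdesk
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $helpdesk

# Audit: any principal holding "All extended rights" on the OU can read every
# confidential attribute, including ms-Mcs-AdmPwd, regardless of the grant above.
# Anything listed here beyond the expected administrators and the helpdesk group
# should be reviewed and removed before passwords are stored.
Find-AdmPwdExtendedRights -Identity $ou |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# Helpdesk usage: fetch the current password for one computer, then force a
# rotation at the next Group Policy refresh (for example after a contractor leaves).
$pw = Get-AdmPwdPassword -ComputerName "WKS-0001"   # hypothetical computer name
"$($pw.ComputerName) password expires $($pw.ExpirationTimestamp)"
Reset-AdmPwdPassword -ComputerName "WKS-0001" -WhenEffective (Get-Date)
```

The audit step is worth scheduling, since a later ACL change on the OU (not a LAPS cmdlet) is what silently widens who can read the stored passwords.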
The LAPS tool can help organisations comply with the Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber Intrusions, specifically control #9 (Disable local administrator accounts), and with Information Security Manual (ISM) Control 0383 (rev 4).
Control 0383 states: “Agencies must ensure that default operating system accounts are disabled, renamed or have their passphrase changed.”
Even though the overall objective of the ISM is to make organisations disable local administrative accounts, the LAPS tool can help in circumstances where this is not an option.
Controls above extracted from the 2015 Information Security Manual Controls.