Local administrator accounts are useful for IT administrators and support staff, especially when domain accounts are not working or available. In our experience these ‘local admin’ accounts often use an identical password on every computer across the enterprise.
Unfortunately, it’s just as common for threat actors to take advantage of these accounts, and they are often the easy button for moving laterally through an environment. In fact, threat actors are able to leverage the account regardless of password complexity by obtaining its NTLM hash, enabling a ‘Pass the Hash’ attack. Once the hash is obtained, the attacker is able to move laterally to any system that has an account with a matching hash (as opposed to matching password characters), with no password cracking required. Local admin Pass the Hash has been used by a variety of threat groups (FIN10, Turla, APT32) for years, some as early as 2004. Local admin Pass the Hash is so trivial to perform that anyone off the street can learn the method in less than five minutes. The technique is built into the most common attack tools and toolkits, including Mimikatz, Cobalt Strike, and Empire. And even without Pass the Hash, local admin accounts can be vulnerable to memory dumps for offline cracking attacks.
Enter Microsoft’s Local Administrator Password Solution (“LAPS”). LAPS is a free utility, available since 2015, that mitigates Pass the Hash and other attacks by setting a unique, random local admin password on every domain computer. Enabling LAPS is quick and simple for most environments, and access to the resulting passwords can be restricted to a specific trusted subset of users for access control. While LAPS doesn’t entirely prevent Pass the Hash and cracking attacks, it greatly reduces the blast radius.
The above pieces are core to any implementation. Depending on your environment there is a bit of strategy to implement LAPS in a more secure fashion.
Can we control password complexity, randomization, and resets?
Yes, this is a great strength of LAPS. You can configure the policy to align with your organization and be as strict as you want.
Can I audit who accesses the passwords in AD?
Yes, you can, but you would need to enable auditing first (Set-AdmPwdAuditing).
Can I specify the password that LAPS uses on the client?
No, this will be randomized.
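The delegation, auditing and policy checks described above, as an added example that is not part of the original post: it uses the AdmPwd.PS module that ships with LAPS, and the OU, group names and domain are placeholders to substitute for your own.

```powershell
# Added example (not from the original post): delegate, lock down and audit LAPS
# with the AdmPwd.PS module that ships with LAPS. OU and group names below are
# placeholders; replace them with your own.
Import-Module AdmPwd.PS

$ou        = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$readers   = 'CORP\LAPS-Password-Readers'           # placeholder trusted group
$resetters = 'CORP\LAPS-Password-Resetters'         # placeholder trusted group

# 1. One-time, per forest, as a Schema Admin: add the ms-Mcs-AdmPwd and
#    ms-Mcs-AdmPwdExpirationTime attributes to the computer class.
Update-AdmPwdADSchema

# 2. Let computers in the OU write their own password and expiry attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Delegate read and reset rights only to the trusted subset.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters

# 4. Turn on auditing so every password read is logged in the DC Security log
#    (the Set-AdmPwdAuditing cmdlet referred to in the FAQ).
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals 'Everyone'

# 5. Check: who can actually read the password? The attribute is confidential,
#    but any principal holding "All extended rights" on the OU can read it,
#    which is often a wider set than the group delegated in step 3.
Find-AdmPwdExtendedRights -Identity $ou |
    ForEach-Object { $_.ExtendedRightHolders } |
    Sort-Object -Unique

# 6. On a managed client, confirm the GPO "Password Settings" policy landed:
#    complexity 4 = upper + lower + digits + specials; length and age in days.
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' |
    Select-Object AdmPwdEnabled, PasswordComplexity, PasswordLength, PasswordAgeDays
```

Run steps 1 to 5 from a workstation with the LAPS management tools installed and rights over the target OU; step 6 runs on the client itself.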
Download LAPS here: https://www.microsoft.com/en-us/download/details.aspx?id=46899
Michael is a Director of Technical Advisory Services at MOXFIVE where he provides strategic advisory services and solutions to large enterprises during and after impactful incidents. He holds a Masters Degree in Cyber Security and is accredited through SANS for the GCFA, GCIA, and GOSI certifications. He has had a wide range of experience from building and managing global Security Operation Centers, Threat Hunting Teams, DevOps Teams, and Infrastructure Teams.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.