Thanks, Susan...
ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Thu, May 14, 2015 at 12:34 AM, Susan Bradley <[email protected]> wrote:
> https://www.microsoft.com/en-us/download/details.aspx?id=46899
>
> For environments in which users are required to log on to computers
> without domain credentials, password management can become a complex issue.
> Such environments greatly increase the risk of a Pass-the-Hash (PtH)
> credential replay attack. The Local Administrator Password Solution (LAPS)
> provides a solution to this issue of using a common local account with an
> identical password on every computer in a domain. LAPS resolves this issue
> by setting a different, random password for the common local administrator
> account on every computer in the domain. Domain administrators using the
> solution can determine which users, such as helpdesk administrators, are
> authorized to read passwords.
>
> LAPS simplifies password management while helping customers implement
> recommended defenses against cyberattacks. In particular, the solution
> mitigates the risk of lateral escalation that results when customers use
> the same administrative local account and password combination on their
> computers. LAPS stores the password for each computer's local administrator
> account in Active Directory, secured in a confidential attribute in the
> computer's corresponding Active Directory object. The computer is allowed
> to update its own password data in Active Directory, and domain
> administrators can grant read access to authorized users or groups, such as
> workstation helpdesk administrators.
>
> Use LAPS to automatically manage local administrator passwords on
> domain-joined computers so that passwords are unique on each managed
> computer, randomly generated, and securely stored in Active Directory
> infrastructure. The solution is built on Active Directory infrastructure
> and does not require other supporting technologies. LAPS uses a Group
> Policy client-side extension (CSE) that you install on managed computers
> to perform all management tasks. The solution's management tools provide
> easy configuration and administration.
>
> How does LAPS work?
>
> The core of the LAPS solution is a GPO client-side extension (CSE) that
> performs the following tasks and can enforce the following actions during a
> GPO update:
>
> * Checks whether the password of the local Administrator account has
>   expired.
> * Generates a new password when the old password is either expired or is
>   required to be changed prior to expiration.
> * Validates the new password against the password policy.
> * Reports the password to Active Directory, storing it with a confidential
>   attribute with the computer account in Active Directory.
> * Reports the next expiration time for the password to Active Directory,
>   storing it with an attribute with the computer account in Active Directory.
> * Changes the password of the Administrator account.
>
> The password then can be read from Active Directory by users who are
> allowed to do so. Eligible users can request a password change for a
> computer.
>
> What are the features of LAPS?
>
> LAPS includes the following features:
>
> * Security that provides the ability to:
>   * Randomly generate passwords that are automatically changed on managed
>     machines.
>   * Effectively mitigate PtH attacks that rely on identical local account
>     passwords.
>   * Enforce password protection during transport via encryption using the
>     Kerberos version 5 protocol.
>   * Use access control lists (ACLs) to protect passwords in Active
>     Directory and easily implement a detailed security model.
> * Manageability that provides the ability to:
>   * Configure password parameters, including age, complexity, and length.
>   * Force password reset on a per-machine basis.
>   * Use a security model that is integrated with ACLs in Active Directory.
>   * Use any Active Directory management tool of choice; custom tools, such
>     as Windows PowerShell, are provided.
>   * Protect against computer account deletion.
>   * Easily implement the solution with a minimal footprint.
>
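As an added example (not part of Susan's message or of Microsoft's download page), the steps the quoted description implies, typed into PowerShell with the AdmPwd.PS module that the LAPS management tools install: extend the schema with the two attributes the CSE writes, let computers write their own password, grant a helpdesk group read and reset rights, audit who can actually read the confidential attribute, then read and rotate one password. The OU path, group name and computer name are placeholders to replace for your own domain.

```powershell
# Added example: deploying and operating LAPS from a domain-joined admin
# workstation with the LAPS management tools (module AdmPwd.PS) installed.
# OU, group and computer names are placeholders; replace them for your domain.

Import-Module AdmPwd.PS

$ou       = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$helpdesk = 'CORP\Helpdesk-Tier1'                  # placeholder group
$computer = 'WS-0001'                              # placeholder computer

# 1. One-time, as a Schema Admin: add ms-Mcs-AdmPwd (the confidential
#    password attribute) and ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

# 2. Let each computer in the OU write its own password and expiration time.
#    SELF gets write access to those two attributes and nothing else, which is
#    what "the computer is allowed to update its own password data" means.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Grant the helpdesk group read access to the password, plus the right to
#    request a reset (which works by clearing the expiration time so the CSE
#    rotates the password at the next Group Policy refresh).
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $helpdesk
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $helpdesk

# 4. Audit before the CSE starts populating passwords: any principal holding
#    "All extended rights" on the OU can read the confidential attribute, so
#    review this list and remove anything that is not meant to see passwords.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# 5. Day-to-day: read the current password and its expiration for one host...
Get-AdmPwdPassword -ComputerName $computer |
    Select-Object ComputerName, Password, ExpirationTimestamp

# ...and, once that password has been used for a support session, schedule a
# rotation so the disclosed value does not stay valid until its normal expiry.
Reset-AdmPwdPassword -ComputerName $computer -WhenEffective (Get-Date)

# The CSE itself is switched on through the LAPS ADMX policy
# ("Enable local admin password management"); the same policy area holds the
# age, length and complexity settings it validates new passwords against.
```

Step 4 is the check worth repeating after any delegation change: the password attribute is protected only by ACLs, so the effective set of readers is whatever Find-AdmPwdExtendedRights reports, not just the group named in step 3.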
