Microsoft’s release last week of the Local Administrator Password Solution (LAPS) takes some steps to address an old question of what to do with local admin passwords, but doesn’t provide a complete answer, experts said.
Windows admins have long used a common local account with the same password on every computer in a domain. This gives attackers a single point of failure to target: one password affords access to every machine. What the LAPS tool does is set a distinct random password for the common local admin account on each machine in the domain, Microsoft said.
“Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords,” Microsoft said in an advisory published on Friday.
The availability of LAPS matters for enterprises, including those that built homegrown solutions whose implementation and support challenges were a recurring source of frustration. Companies that set common passwords do so in the name of efficiency and ease of management, which in this case undermines whatever other security is in place by filling the domain with PCs that share the same admin password.
“What to do with all those local admin passwords has always been a source of frustration for IT ops teams,” said Andrew Storms, vice president of security services for New Context. “What’s ironic for companies that manage many Windows computers is those that have spent the time and resources to create an automated build system where all the end user computers are identical are also the ones at the most risk.”
An attacker who managed to steal the common password could pull off dangerous attacks in the context of the domain’s administrators, including Pass-the-Hash credential replay attacks. In these attacks, if a hacker can obtain the local admin password hash, he can use the hash itself, rather than a plaintext password, to authenticate to services. This can allow an attacker to elevate privileges and, in this case, access any computer on the domain.
“LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks,” Microsoft said. “In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers.”
While LAPS is considered long overdue from Microsoft, it will help enterprises automate their management of local admin passwords.
“The typical methods today of storing all those passwords in a spreadsheet or setting them all to the same single password is simply unmanageable from both an operational and security standpoint,” Storms said.
Microsoft said LAPS now stores the random password for each machine’s local administrator account in Active Directory. The passwords are kept in a “confidential attribute” in the PC’s Active Directory object.
“The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators,” Microsoft said. “The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution’s management tools provide easy configuration and administration.”
By storing passwords in AD, has Microsoft merely created a different appealing target?
“While the solution looks promising, it also appears to simply move the problem and not necessarily solve it completely,” Storms said. “Microsoft is now storing the passwords in Active Directory. This means that if the attacker gets into Active Directory, then they have access to the entire kit and caboodle.”
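The delegation model Microsoft describes (computers write their own password data; a named group is granted read access) and Storms’ concern that the passwords are now a target inside Active Directory both come down to one question: who holds the right to read the confidential attribute? The script below is an added example, not code from the article or from Microsoft. It uses the cmdlets of the LAPS management module (AdmPwd.PS), which the article does not name, and assumes a hypothetical OU, group and computer name; the allow-list used for the audit step is likewise a constructed assumption.

```powershell
# Added example, not from the article or from Microsoft's LAPS documentation.
# Assumes the LAPS management tools (AdmPwd.PS module) are installed on a
# domain-joined admin workstation, that the account running this may delegate
# permissions in AD, and a hypothetical OU/group layout:
#   OU=Workstations,DC=corp,DC=example   (managed computers)
#   CORP\Helpdesk-Admins                 (helpdesk staff allowed to read passwords)
Import-Module AdmPwd.PS

$ou       = "OU=Workstations,DC=corp,DC=example"   # hypothetical OU
$helpdesk = "CORP\Helpdesk-Admins"                  # hypothetical group

# 1. Extend the schema once per forest: adds the confidential ms-Mcs-AdmPwd
#    attribute and ms-Mcs-AdmPwdExpirationTime to the computer object class.
Update-AdmPwdADSchema

# 2. Let each computer in the OU write its *own* password and expiry time
#    (the "computer is allowed to update its own password data" in the article).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Delegate read access to the helpdesk group only. Readers receive the
#    extended right on ms-Mcs-AdmPwd; other principals cannot see the attribute.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $helpdesk

# 4. Audit who can read passwords in this OU. This is the check that addresses
#    the "moved the problem into AD" concern: any holder listed here that is not
#    on the approved list (including groups holding "All extended rights") is a
#    finding to review.
$approved = @($helpdesk, "CORP\Domain Admins")     # hypothetical allow-list
Find-AdmPwdExtendedRights -Identity $ou |
    ForEach-Object {
        foreach ($holder in $_.ExtendedRightHolders) {
            $status = if ($approved -contains $holder) { "expected" } else { "REVIEW" }
            [pscustomobject]@{ OU = $_.ObjectDN; Holder = $holder; Status = $status }
        }
    } | Format-Table -AutoSize

# 5. Retrieve one machine's password the supported way, through AD rather than a
#    spreadsheet. "WS-0042" is a hypothetical sample computer name; the Password
#    property is deliberately not selected so it does not land in console history.
Get-AdmPwdPassword -ComputerName "WS-0042" |
    Select-Object ComputerName, ExpirationTimestamp

# 6. Force rotation for that machine: sets the expiry to now, so the Group Policy
#    client-side extension on the client generates a fresh random password at its
#    next policy refresh.
Reset-AdmPwdPassword -ComputerName "WS-0042"
```

Step 4 is the one worth scheduling. Principals that hold "All extended rights" on the OU can read the attribute even though they were never granted LAPS read access explicitly; Find-AdmPwdExtendedRights surfaces them, and the remediation is to trim that right on the OU (for example with ADSI Edit), not to add more readers.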