{"id":3531,"date":"2015-05-07T21:56:03","date_gmt":"2015-05-08T05:56:03","guid":{"rendered":"http:\/\/www.atumvirt.com\/?p=3531"},"modified":"2015-05-07T21:56:03","modified_gmt":"2015-05-08T05:56:03","slug":"managing-your-local-administrator-passwords-the-correct-way","status":"publish","type":"post","link":"https:\/\/avtempwp.azurewebsites.net\/2015\/05\/managing-your-local-administrator-passwords-the-correct-way\/","title":{"rendered":"Managing Your Local Administrator Passwords The Correct Way"},"content":{"rendered":"<p>Some ideas take a long time to realize.\u00a0 Unfortunately, one of those has been a good way to manage local administrator passwords.\u00a0 System admins the world round have developed scripts to randomize and change the local administrator password of their systems.\u00a0 Others ensure the local administrator password is disabled, but that approach is potentially flawed too (did you know the local admin account automatically is enabled in safe mode?).\u00a0 Group Policy Preferences offered a reprieve for a few years,but the functionality was removed last year when Microsoft determined the obfuscated password was not secure (lets be real: it was a <strong><em>terrible<\/em><\/strong> plan to store passwords in reversible format in a &#8211; nearly universally &#8211; publicly readable file).<\/p>\n<p>The solution?\u00a0 LAPS \u2013 or the Local Administrator Password Solution.\u00a0 You can acquire LAPS <a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/3062591\">here<\/a>.<\/p>\n<p>LAPS introduces a client side extension for GPO.<\/p>\n<h1>What can it do?<\/h1>\n<ul>\n<li>Randomly generate passwords that are changed on managed machines<\/li>\n<li>Effectively mitigate Pass the hash (PtH) attacks that rely on identical local account passwords<\/li>\n<li>Enforced password protection during transport using Kerberos v5<\/li>\n<li>Use ACLs to protect passwords in Active Directory<\/li>\n<\/ul>\n<h1><\/h1>\n<h1>What can I manage with LAPS?<\/h1>\n<ul>\n<li>Configure password parameters such as age, complexity and length<\/li>\n<li>Force password reset on a per-machine basis<\/li>\n<li>Use ACLs within Active Directory to control the security model<\/li>\n<li>Protect against computer account deletion<\/li>\n<\/ul>\n<h1>How does LAPS work?<\/h1>\n<ul>\n<li>Checks whether the local Administrator password has expired<\/li>\n<li>Generates new password when the old password is expired or required to be changed prior to expiration<\/li>\n<li>Validates the new password against the password policy<\/li>\n<li>Reports the password to Active Directory, storing it in a confidential attribute in the computer account<\/li>\n<li>Reports the next expiration time to Active Directory, storing it in an attribute in ACtive Directory<\/li>\n<li>Changes the password of the administrator account<\/li>\n<\/ul>\n<h1><\/h1>\n<h1>What does LAPS require?<\/h1>\n<p><strong>Active Directory:<\/strong> Windows Server 2003 Service Pack 1 or later<\/p>\n<p><strong>Managed Machines: <\/strong>Windows Server 2003 SP2 or later, Windows Server 2003 x64 SP2 or later<\/p>\n<p><strong>Management tools:<\/strong> .NET framework 4.0, Windows PowerShell 2.0 or later<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some ideas take a long time to realize.\u00a0 Unfortunately, one of those has been a good way to manage local administrator passwords.\u00a0 System admins the world round have developed scripts to randomize and change the local administrator password of their systems.\u00a0 Others ensure the local administrator password is disabled, but that approach is potentially flawed [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[22,33,69,70,71,72],"tags":[],"_links":{"self":[{"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/posts\/3531"}],"collection":[{"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/comments?post=3531"}],"version-history":[{"count":0,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/posts\/3531\/revisions"}],"wp:attachment":[{"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/media?parent=3531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/categories?post=3531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/avtempwp.azurewebsites.net\/wp-json\/wp\/v2\/tags?post=3531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}