{"id":1814,"date":"2015-05-18T15:06:18","date_gmt":"2015-05-18T13:06:18","guid":{"rendered":"http:\/\/securite.intrinsec.com\/?p=1814"},"modified":"2015-05-18T15:06:18","modified_gmt":"2015-05-18T13:06:18","slug":"microsoft-laps-gestion-des-mots-de-passe-des-administrateurs-locaux","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/microsoft-laps-gestion-des-mots-de-passe-des-administrateurs-locaux\/","title":{"rendered":"Microsoft LAPS: Managing local administrator passwords"},"content":{"rendered":"
\n
\n
\n

Problem statement<\/h1>\n

Following the compromise of one machine, attackers will seek to leverage other machines to escalate their privileges or gain access to the information they desire.<\/p>\n

Within Windows domains, a bounce technique involves exploiting the local administrator account, whose password is often the same across machines. This password can be easily obtained if it is deployed via GPO (see...). CVE-2014-1812<\/a> \/ MS14-025<\/a> \/ KB2962486<\/a>), otherwise attackers can obtain the hash and use it directly to authenticate on other machines (Pass-The-Hash technique).<\/p>\n

Our experience from penetration tests conducted by Intrinsec at our clients' sites shows that this redirection technique is very often feasible. We continue to discover passwords in Group Policy Objects (GPOs): although this functionality has been removed by Microsoft, the policy must be manually cleaned to properly remove the password.<\/p>\n

To address this widespread problem, Microsoft released the Local Administrator Password Solution (LAPS) tool on May 1, 2015. MSA3062591<\/a> \/ KB3062591<\/a>.<\/p>\n

This solution is free, is based on the existing infrastructure (Active Directory domain) and allows the administration of workstations (e.g. administrators or support).<\/p>\n

 <\/p>\n

Deployment tips<\/h1>\n

For general deployment instructions, we recommend that you follow the guide provided by Microsoft, the file of which is called "LAPS_OperationsGuide.docx".<\/p>\n

The machines on which LAPS is deployed generate a random password and store it in their machine account in the Active Directory database:
\n\"LAPS<\/a>It is therefore important to restrict access to the ms-Mcs-AdmPwd attribute, for example, to workstation administrators or support staff. Two PowerShell commands are available for this purpose:<\/p>\n