Apr 06 · 3 min read
In the previous post, we dealt with the importance of local admin accounts, the associated security risks, and the need for managing them properly. In this part, let us analyze the pros and cons of different approaches to managing the local administrator accounts.
Before getting into the details, let us examine the various efforts made by Microsoft in managing privileged access.
A vast majority of vulnerabilities in Windows environments are related to the local admin accounts. Microsoft was obviously concerned about this fact and made sincere efforts to find a solution. First, they came up with the concept of User Account Control (UAC), which allowed administrators to log on to workstations with standard privilege and then use “Run as” to elevate rights on-demand. UAC, no doubt, was a brilliant concept, but it too was susceptible to pass-the-hash attacks, besides introducing several operational challenges.
Another significant approach was the Privileged Access Workstation (PAW), which involves separating administrative accounts from normal user accounts - physical separation of standard and privileged access. PAW requires users to access privileged accounts from a dedicated, hardened, locked-down device that is only used for privileged activities. PAW is not to be connected with the internet and won’t accept inbound connections. PAW implementation is not something that is simple and straightforward. It also introduced the burden of maintaining a separate infrastructure. User experience was severely constrained.
Of all the attempts by Microsoft, perhaps the most successful one is the introduction of the Local Administrator Password Solution (LAPS). LAPS enables IT organizations to randomize the passwords of domain-joined local administrator accounts at periodic intervals. This ensures that the local admin accounts are assigned with strong, unique passwords that are periodically changed.
LAPS revolves fully around the Active Directory to manage the passwords of local administrator accounts. The local admin passwords are centrally stored in the Active Directory against the respective machine objects. Authorized users can retrieve the passwords when access is needed.
Through Group Policy, LAPS enforces strong, unique password usage. LAPS automatically identifies password expiration and generates a new password. Even if an attacker gains access to one local admin account, chances of lateral movement become remote. This saves your other endpoints and accounts in your network from attacks.
LAPS is very simple. It is tied to the AD and can manage local administrator accounts passwords. Nothing more. So, this simplicity is both a strength and a weakness. Its scope is too narrow.
Some of the limitations are:
While LAPS serves as a great tool to manage only the local admin accounts, it doesn’t fit the needs of most organizations, which are required to secure privileged access in its entirety.
This is where the Privileged Access Management (PAM) solutions come into the picture.
LAPS is undoubtedly a great solution. But its usage is strictly limited to local admin accounts. It cannot offer holistic privileged access security much needed by the enterprises. A comprehensive PAM solution can help you take total control of privileged access, including local admin access across the organization. PAM solutions deal with all aspects of privileged access - centrally controlling, auditing, monitoring, and recording all access to critical IT assets.
Some of the significant advantages of PAM solutions include:
From the foregoing, it is clear that organizations require a comprehensive PAM solution like Securden Unified PAM for holistic security.
In this part, we have discussed how to automate the best practices when you decide to retain the local admin accounts. Another approach to mitigate the security risks is to eliminate the local admin accounts altogether. Let us discuss the merits and demerits of this approach in the next post.
Mother of all breaches – Reinforces the need for enhanced password security
Yes, you read it right. 26 billion records have been leaked online. Researchers from Security Discovery...
Feb 7 · 4 min read
Local admin rights for Developers – Balancing the scales between basic necessity and security risk
Local admin rights for Developers – Balancing the scales between basic necessity and security risk...
Jan 25 · 5 min read
Privileged Access Management Best Practices for Unparalleled Security
Privileged accounts are the keys to your kingdom. Protecting and managing access to these sensitive...
Dec 21 · 5 min read
Endpoint Privilege Management: Filling the gaps in Intune (Part 2)
Intune EPM (Now Microsoft Entra) helps organizations manage admin rights in a very basic manner ...
Oct 10 · 3 min read
Endpoint Privilege Management: The local admin rights dilemma (Part 1)
The debate over giving unrestricted admin rights is a constant struggle between IT staff and ...
Oct 6 · 4 min read
2013 Target Data Breach: 10 Years On, but the Same Threat Pattern Looms Large!
Hackers targeted the low-hanging fruit, launched an unsophisticated attack, and carried out a...
July 25 · 6 min read
Password management best practices: Practice or Pay!
Passwords leaked from data breaches in the past continue to cause ripples in 2023, even amidst...
May 26 · 5 min read
Identity thefts and data breaches - The aftermath of privileged access mismanagement
Cybersecurity is a growing concern for businesses of all sizes, as advanced hackers and cybercriminals...
Dec 27 · 4 min read
Spate of cyberattacks rock the land down under
Lack of API security, exposed credentials, and misuse of privileged access continue to cause harm...
Nov 25 · 4 min read
Make this Thanksgiving a memorable one. Treat yourself to a surprise!
We're planning to make this year's Thanksgiving extra special.
Nov 21 · 2 min read
The Spooky Season is here early! Recent data breaches re-emphasize the significance of password security
As Halloween is dedicated to remembering the martyred, organizations falling victim to data breaches remind us...
Oct 20 · 4 min read
We're at GITEX, Dubai. Come, meet us!
Are you planning to participate in GITEX, Dubai? If yes, this is a great opportunity to meet our product experts and get a ...
Oct 10 · 2 min read
May God defend me from my friends
As stories of trusted insiders causing information security breaches continue to unfold, it’s time organizations woke up to...
Dec 21 · 4 min read
Ransomware attack on Colonial Pipeline: Executing cyberattacks, now a child's play!
With the easy availability billions of compromised credentials on the dark web, and the practice of password reuse rampant, hackers...
jun 7 · 5 min read
Eliminating Admin Rights and Controlling Applications (Part 3)
One of the most effective approaches to reducing risks is eliminating the local admin accounts altogether and...
May 17 · 4 min read
Looking for a Passwordstate alternative?
Passwordstate, an enterprise password manager developed by Click Studios, suffered a supply chain attack between...
Apr 30 · 3 min read
Local Admin Accounts Management: Microsoft LAPS Vs. PAM (Part-2)
In the previous post, we dealt with the importance of local admin accounts, the associated security risks, and...
Apr 06 · 3 min read
Top 10 password policy recommendations for sysadmins in 2021
Passwords are omnipresent in our personal and business digital environments. An average person has at least...
Jun 12 · 8 min read
Local Admin Accounts - Security Risks and Best Practices (Part 1)
We are all too familiar with the local administrator account that gets created automatically when installing a Windows...
Mar 19 · 4 min read
Poor password security practices cause massive security breaches
Weak passwords, password reuse, password sharing, hard-coded credentials, lax measures to storing credentials...
Mar 13 · 6 min read