In Praise of LAPS
When performing internal tests on a company’s network, one of the top priorities is compromising Windows workstations and servers. This is made much easier when local administrator accounts have the same password on multiple machines.
Sharing local account passwords allows pass-the-hash attacks that can move laterally between hosts. Once an attacker has administrator access on a single machine, it is possible to dump hashes (with open source tools such as https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) and use those to authenticate to any other machine that has the same local account password.
In a made-up scenario, let’s say that ivision finds an old server (doesn’t even need to be joined to the domain) that is vulnerable to an exploit that lets us take it over. We can run secretsdump.py
and retrieve a hash for localhost\Administrator
: 353A8D7F7E6A06C71746D2E49C2FD8A7
. Now we can write a script to authenticate to every single other Windows machine on the network with that hash, which will succeed on every machine with the same Administrator password. In some engagements we can use this simple technique to compromise hundreds of computers.
There is a straightforward way to solve this issue: set a unique local admin password on every machine. Microsoft has developed a tool that automates that process: Local Administrator Password Solution, or LAPS (https://www.microsoft.com/en-us/download/details.aspx?id=46899). LAPS stores local administrator passwords in Active Directory and can automatically generate and rotate passwords for the entire domain.