[WARNING] This blog post was created when Microsoft Windows still came in a physical box with multiple installation disks.
Microsoft Secure Score helps organizations gain insight into their security posture based on security-related measurements. Microsoft Defender for Identity contributes twenty-seven recommended actions to Secure Score. In a series of blog posts, I will go through all twenty-seven recommended actions: what each one means, a plan of approach, its impact, and my security recommendations, hopefully helping others. The fourth one in the series is the “Protect and manage local admin passwords with Microsoft LAPS” recommended action.
Introduction
You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.
- Resolve unsecure domain configurations
- Resolve unsecure account attributes
- Remove dormant accounts from sensitive groups
- Protect and manage local admin passwords with Microsoft LAPS
- Configure VPN integration
- Reduce lateral movement path risk to sensitive entities
- Stop clear text credentials exposure
- Disable Print spooler service on domain controllers
- Stop weak cipher usage
- Remove unsecure SID history attributes from entities
- Modify unsecure Kerberos delegations to prevent impersonation
- Install Defender for Identity Sensor on all Domain Controllers
- Set a honeytoken account
- Start your Defender for Identity deployment, installing Sensors on DC’s and other eligible servers
- Accounts with non-default Primary Group ID
- Change Domain Controller computer account old password
- Reversible passwords found in GPOs
- Unsafe permissions on the DnsAdmins group
- GPO assigns unprivileged identities to local groups with elevated privileges
- Remove access rights on suspicious accounts with the Admin SDHolder permission
- Remove local admins on identity assets
- Remove non-admin accounts with DCSync permissions
- GPO can be modified by unprivileged accounts
- Built-in Active Directory Guest account is enabled
- Change password for krbtgt account
- Change password of built-in domain Administrator account
- Ensure that all privileged accounts have the configuration flag
Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “Protect and manage local admin passwords with Microsoft LAPS.”
Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.
Protect and manage local admin passwords with Microsoft LAPS
Microsoft introduced a new and improved version of Microsoft Local Administrator Password Solution called Windows Local Administrator Password Solution. I know it is confusing, but the only difference in the name is Microsoft versus Windows. Microsoft LAPS is also called Legacy LAPS. Since the Microsoft Defender for Identity recommended action only supports Legacy LAPS, I am not going into detail about Windows LAPS.
Microsoft LAPS stands for Microsoft Local Administrator Password Solution and is a Microsoft solution that manages the local administrator password of domain-joined devices automatically: it sets a random, complex password per device, stores it in Active Directory (the ms-Mcs-AdmPwd attribute, readable only by accounts granted that right), and rotates it when it expires. Easy-to-guess passwords are a huge issue in every environment. An easy-to-guess password for a local administrator is an even bigger issue. When every device shares the same local administrator password, compromising a single device (or a single password hash) compromises all of them, because the same credential works everywhere.
For me, Microsoft LAPS is a no-brainer. Changing the password automatically to a generated, complex password is a must. The only downside of using Microsoft LAPS is administration. Administrators who use a script to connect to multiple devices with the local administrator account typically rely on one shared password. With Microsoft LAPS, Active Directory holds a different password for every device, so such a script first needs to retrieve each device's password from Active Directory before connecting to that device. In practice, administrators should be using their named admin accounts anyway, for accountability and responsibility, rather than a shared, non-named administrator account.
Since Microsoft LAPS is a well-known feature that Microsoft documents well, I will not go into detail.
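The following PowerShell script is an added example, not code from the original post or from Microsoft. It shows the two things an administrator wants once Legacy LAPS is in place: a coverage check that lists computers with no LAPS-managed password in Active Directory (the devices this recommended action flags), and a helper that reads a single device's own password from the ms-Mcs-AdmPwd attribute and builds a credential for it, so a multi-device script never reuses one shared password. It assumes the RSAT ActiveDirectory module, that Legacy LAPS manages the built-in Administrator account (not a renamed one), and that the running account has been granted read permission on ms-Mcs-AdmPwd; the computer names in the target list are constructed for illustration.

```powershell
# Added example (not from the original post): per-device LAPS password retrieval
# and LAPS coverage audit against Legacy LAPS attributes in Active Directory.
# Assumes: RSAT ActiveDirectory module, built-in Administrator managed by LAPS,
# and read rights on ms-Mcs-AdmPwd (granted per OU with Set-AdmPwdReadPasswordPermission).
Import-Module ActiveDirectory

function Get-LapsCoverageGap {
    # Computers that have no expiration time set have never had a LAPS password
    # written by the client-side extension: not covered, or the GPO never applied.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADComputer -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime' `
        -LDAPFilter '(&(objectCategory=computer)(!(ms-Mcs-AdmPwdExpirationTime=*)))' |
        Select-Object Name, DistinguishedName
}

function Get-LapsCredential {
    # Reads this one device's unique local Administrator password from AD.
    param([Parameter(Mandatory)][string]$ComputerName)

    $c = Get-ADComputer -Identity $ComputerName `
        -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

    if (-not $c.'ms-Mcs-AdmPwd') {
        # Either the device is not LAPS-managed or the caller lacks read permission;
        # AD returns the attribute as empty in both cases, so say so explicitly.
        throw "$ComputerName: no LAPS password readable in AD (not managed, or no read permission on ms-Mcs-AdmPwd)"
    }

    # Expiration time is stored as a FILETIME-style 64-bit integer.
    $expires = [DateTime]::FromFileTime([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
    if ($expires -lt (Get-Date)) {
        Write-Warning "$ComputerName: LAPS password expired $expires; the client rotates it at next GPO refresh"
    }

    $secure = ConvertTo-SecureString -String $c.'ms-Mcs-AdmPwd' -AsPlainText -Force
    # Prefix with the computer name so the logon is sent as a local account, not a domain one.
    New-Object System.Management.Automation.PSCredential ("$ComputerName\Administrator", $secure)
}

# Coverage check: what the Secure Score recommended action would still flag.
$gap = Get-LapsCoverageGap
Write-Host "Computers without a LAPS-managed password: $($gap.Count)"
$gap | Format-Table -AutoSize

# Multi-device script done the LAPS way: one credential per device, fetched just-in-time.
$targets = 'WS01', 'WS02', 'SRV01'   # constructed list of device names for illustration
foreach ($t in $targets) {
    try {
        $cred = Get-LapsCredential -ComputerName $t
        # A leaked password from one host is useless on the others.
        Invoke-Command -ComputerName $t -Credential $cred -ScriptBlock {
            "$env:COMPUTERNAME Administrator PasswordLastSet: " + (Get-LocalUser -Name Administrator).PasswordLastSet
        }
    }
    catch {
        Write-Warning $_
    }
}
```

The coverage query is the same condition the client-side extension leaves behind when it has run: once a password has been written, ms-Mcs-AdmPwdExpirationTime is populated, so its absence is the reliable signal of a device LAPS has never touched. Note that the password travels in plain text from AD to the administrator's session, which is why the read permission on ms-Mcs-AdmPwd must be delegated narrowly and why every read is worth auditing; on legacy LAPS the AdmPwd.PS module's Get-AdmPwdPassword cmdlet does the same lookup if you prefer it over Get-ADComputer.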
Conclusion
As I previously said: Microsoft LAPS is a no-brainer. Do not use the same local administrator password on multiple devices. Once a malicious actor gets that password, all devices are compromised. Microsoft LAPS is easy to implement and limits the damage of a compromised local administrator password to the single device it belongs to.