Forum Discussion

Copper Contributor

Mar 29, 2021

Solved

LAPS - Splunk account reading ms-Mcs-AdmPwd

Hi all, We have used LAPS for a few years, and recently we started using a logging service called Splunk, and as it turns out, this logging service account is reading the ms-Mcs-AdmPwd attribute ...

SmasSec
Apr 02, 2021
JoniLjungqvist

This isn't necessarily a MDI topic, but here are a few recommendations I'd look into:
1.) Run the Splunk UF and associated account in low priv mode. Don't let your security monitoring/logging infra be leveraged against you.
2.) Configure your inputs.conf and mask that, e.g.
sedcmd-pwdmask = s/(ms\-Mcs\-AdmPwd\=).+/##########/g
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Anonymizedata
3.) Go back and remove all those entries from splunk or rotate laps pws.

SmasSec

Copper Contributor

Apr 02, 2021

JoniLjungqvist

This isn't necessarily a MDI topic, but here are a few recommendations I'd look into:
1.) Run the Splunk UF and associated account in low priv mode. Don't let your security monitoring/logging infra be leveraged against you.

2.) Configure your inputs.conf and mask that, e.g.

sedcmd-pwdmask = s/(ms\-Mcs\-AdmPwd\=).+/##########/g

https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Anonymizedata

3.) Go back and remove all those entries from splunk or rotate laps pws.