Home
%3CLINGO-SUB%20id%3D%22lingo-sub-701083%22%20slang%3D%22en-US%22%3ERemote%20Use%20of%20Local%20Accounts%3A%20LAPS%20Changes%20Everything%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-701083%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3EFirst%20published%20on%20TechNet%20on%20Dec%2010%2C%202018%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CI%3E%20Long%20overdue%20post%20revisiting%20the%20question%20about%20whether%20and%20when%20to%20block%20the%20use%20of%20local%20accounts%2C%20particularly%20for%20remote%20administration.%20%3C%2FI%3E%20%3CBR%20%2F%3E%3CDIV%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%3EBeginning%20in%202014%20with%20our%20baselines%20for%20Windows%208.1%20and%20Windows%20Server%202012R2%2C%20our%20security%20baselines%20have%20been%20%3CSPAN%20class%3D%22MsoHyperlink%22%3E%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fsecguide%2F2014%2F09%2F02%2Fblocking-remote-use-of-local-accounts%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20blocking%20remote%20use%20of%20local%20accounts%20%3C%2FA%3E%20%3C%2FSPAN%3E%20.%20Back%20then%2C%20Windows%20had%20yet%20to%20offer%20anything%20resembling%20secure%20management%20of%20administrative%20local%20account%20credentials.%20It%20was%20typical%20for%20an%20entire%20organization%20to%20have%20an%20administrative%20local%20user%20account%20with%20the%20same%20username%20and%20password%20on%20every%20Windows%20computer.%20One%20problem%20with%20that%20is%20that%20the%20common%20password%20often%20becomes%20a%20well-known%20secret%20over%20time%20with%20no%20way%20to%20revoke%20access%20from%20anyone%20who%20ever%20received%20it.%20But%20by%20far%20the%20biggest%20problem%20is%20that%20an%20attacker%20with%20administrative%20rights%20on%20one%20machine%20can%20easily%20obtain%20the%20account%E2%80%99s%20password%20hash%20from%20the%20local%20Security%20Accounts%20Manager%20(SAM)%20database%20and%20use%20it%20to%20gain%20administrative%20rights%20over%20the%20other%20machines%20using%20%E2%80%9Cpass%20the%20hash%E2%80%9D%20techniques.%3C%2FP%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%3EIn%20May%202015%2C%20Microsoft%20released%20the%20%3CSPAN%20class%3D%22MsoHyperlink%22%3E%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D46899%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20Local%20Administrator%20Password%20Solution%20(LAPS)%20%3C%2FA%3E%20%3C%2FSPAN%3E%20.%20LAPS%20is%20an%20elegant%20and%20lightweight%20mechanism%20for%20Active%20Directory%20domain-joined%20systems%20that%20periodically%20sets%20each%20computer%E2%80%99s%20admin%20account%20password%20to%20a%20new%20random%20and%20unique%20value%2C%20storing%20the%20password%20in%20a%20secured%20confidential%20attribute%20on%20the%20corresponding%20computer%20object%20in%20Active%20Directory%20where%20only%20specifically-authorized%20users%20can%20retrieve%20it.%3C%2FP%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%3ELAPS%20changes%20everything.%3C%2FP%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%3ENot%20only%20does%20LAPS%20neutralize%20both%20the%20pass-the-hash%20and%20well-known-secret%20problems%2C%20it%20creates%20new%20opportunities%20for%20remote%20management.%20With%20LAPS%20%E2%80%93%20or%20in%20fact%2C%20with%20any%20solution%20that%20makes%20local%20account%20passwords%20unique%20and%20not%20guessable%20%E2%80%93%20using%20local%20accounts%20for%20remote%20computer%20management%20actually%20offers%20some%20advantages%20over%20using%20domain%20accounts.%20They%20can%2C%20that%20is%2C%20provided%20that%20their%20use%20isn%E2%80%99t%20blocked%20by%20security%20policy%20%E2%80%93%20which%20our%20baselines%20do%20today.%3C%2FP%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%3EIt%E2%80%99s%20all%20about%20credential%20hygiene.%20Good%20credential%20hygiene%20means%20not%20exposing%20credentials%20on%20a%20potentially-compromised%20system%20when%20those%20credentials%20can%20be%20used%20to%20compromise%20another%20system.%20Credentials%20can%20be%20a%20plaintext%20password%2C%20an%20account%E2%80%99s%20NTLM%20hash%2C%20or%20a%20Kerberos%20TGT.%20Microsoft%E2%80%99s%20%3CSPAN%20class%3D%22MsoHyperlink%22%3E%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fpth%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20Pass%20the%20Hash%20whitepapers%20%3C%2FA%3E%20%3C%2FSPAN%3E%20go%20into%20detail%20about%20which%20remote%20logon%20types%20and%20tools%20expose%20credentials%20and%20which%20ones%20don%E2%80%99t.%3C%2FP%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%3ELet%E2%80%99s%20say%20your%20helpdesk%20technicians%20each%20have%20a%20domain%20account%20that%20is%20granted%20administrative%20rights%20on%20all%20workstations%20in%20the%20domain.%20User%20Umberto%20reports%20computer%20issues%2C%20so%20Helen%20helpdesk%20technician%20logs%20on%20remotely%20to%20the%20workstation%20using%20her%20privileged%20domain%20account%2C%20not%20realizing%20that%20the%20workstation%20has%20been%20compromised%20with%20credential%20theft%20malware.%20Depending%20on%20how%20Helen%20logged%20on%2C%20her%20account%20credentials%20could%20be%20stolen%20and%20the%20thief%20can%20now%20gain%20administrative%20control%20over%20all%20workstations.%20All%20the%20technicians%20might%20follow%20the%20whitepapers%E2%80%99%20recommendations%2C%20but%20they%20must%20do%20it%20the%20right%20way%20every%20single%20time.%20One%20technician%20with%20a%20privileged%20account%20making%20one%20mistake%20just%20one%20time%20can%20lead%20to%20a%20domain-wide%20compromise.%3C%2FP%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%3ELet%E2%80%99s%20say%20instead%20of%20using%20a%20privileged%20domain%20account%2C%20Helen%20helpdesk%20technician%20retrieves%20the%20LAPS%20password%20for%20the%20workstation%20and%20uses%20the%20LAPS-managed%20administrative%20local%20account%20to%20log%20on.%20Credential%20theft%20is%20not%20a%20problem.%20If%20the%20thief%20gets%20the%20hash%20or%20even%20the%20plaintext%20password%2C%20it%E2%80%99s%20useful%20only%20on%20the%20computer%20that%20the%20thief%20already%20controls.%20So%20Helen%20can%20use%20whichever%20logon%20type%20or%20remote%20tool%20is%20most%20convenient%20for%20the%20work%20being%20performed.%3C%2FP%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-left%3A%20.5in%3B%22%3E%3CI%3E%20%3CSPAN%20style%3D%22font-variant%3A%20small-caps%3B%22%3ENote%3A%20%3C%2FSPAN%3E%20One%20caveat%20about%20using%20remote%20desktop%3A%20do%20not%20enable%20drive%20redirection%20for%20your%20local%20volumes%20when%20connecting%20to%20a%20potentially-compromised%20system.%20And%20avoid%20clipboard%20redirection%20as%20well.%20This%20caveat%20applies%20whether%20you%E2%80%99re%20using%20a%20LAPS-managed%20account%2C%20%2FrestrictedAdmin%2C%20or%20anything%20else.%20%3C%2FI%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%3EIf%20you%20have%20deployed%20LAPS%20or%20another%20local%20account%20password%20management%20solution%20and%20you%20want%20to%20use%20local%20accounts%20for%20the%20remote%20administration%20of%20Windows%20computers%2C%20you%20need%20to%20change%20three%20of%20the%20Computer%20Configuration%20settings%20that%20we%20recommend%20in%20the%20baselines%20for%20Windows%20client%20and%20Windows%20Server%20in%20the%20Member%20Server%20role.%20We%20recommend%20these%20changes%20only%20if%20you%20plan%20to%20use%20LAPS-managed%20local%20accounts%20for%20remote%20administration.%20Note%20also%20that%20the%20local-policy%20scripts%20included%20with%20the%20Windows%20%3CSPAN%20class%3D%22MsoHyperlink%22%3E%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fsecguide%2F2018%2F04%2F30%2Fsecurity-baseline-for-windows-10-april-2018-update-v1803-final%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%201803%20%3C%2FA%3E%20%3C%2FSPAN%3E%20and%20%3CSPAN%20class%3D%22MsoHyperlink%22%3E%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fsecguide%2F2018%2F11%2F20%2Fsecurity-baseline-final-for-windows-10-v1809-and-windows-server-2019%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%201809%20%3C%2FA%3E%20%3C%2FSPAN%3E%20baseline%20packages%20include%20%E2%80%9CNon-Domain%E2%80%9D%20options%20that%20implement%20these%20same%20changes.%3C%2FP%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CTABLE%20border%3D%221%22%20cellpadding%3D%220%22%20cellspacing%3D%220%22%20class%3D%22MsoTableGrid%22%20style%3D%22border-collapse%3A%20collapse%3B%20border%3A%20none%3B%22%3E%3CBR%20%2F%3E%3CTBODY%3E%3CBR%20%2F%3E%3CTR%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CB%3E%20%3CI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Policy%20path%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3C%2FB%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20border-left%3A%20none%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Windows%20Settings%5CSecurity%20Settings%5CLocal%20Policies%5CUser%20Rights%20Assignment%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3C%2FTR%3E%3CBR%20%2F%3E%3CTR%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20border-top%3A%20none%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CB%3E%20%3CI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Policy%20name%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3C%2FB%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border-top%3A%20none%3B%20border-left%3A%20none%3B%20border-bottom%3A%20solid%20windowtext%201.0pt%3B%20border-right%3A%20solid%20windowtext%201.0pt%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Deny%20access%20to%20this%20computer%20from%20the%20network%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3C%2FTR%3E%3CBR%20%2F%3E%3CTR%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20border-top%3A%20none%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CB%3E%20%3CI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Baseline%20setting%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3C%2FB%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border-top%3A%20none%3B%20border-left%3A%20none%3B%20border-bottom%3A%20solid%20windowtext%201.0pt%3B%20border-right%3A%20solid%20windowtext%201.0pt%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CI%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3EWin%20client%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20%3A%20NT%20AUTHORITY%5CLocal%20Account%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CI%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3EWin%20Server%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20%3A%20NT%20AUTHORITY%5CLocal%20account%20and%20member%20of%20Administrators%20group%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3C%2FTR%3E%3CBR%20%2F%3E%3CTR%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20border-top%3A%20none%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CB%3E%20%3CI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Updated%20setting%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3C%2FB%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border-top%3A%20none%3B%20border-left%3A%20none%3B%20border-bottom%3A%20solid%20windowtext%201.0pt%3B%20border-right%3A%20solid%20windowtext%201.0pt%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20%5Bempty%5D%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3C%2FTR%3E%3CBR%20%2F%3E%3C%2FTBODY%3E%3CBR%20%2F%3E%3C%2FTABLE%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CTABLE%20border%3D%221%22%20cellpadding%3D%220%22%20cellspacing%3D%220%22%20class%3D%22MsoTableGrid%22%20style%3D%22border-collapse%3A%20collapse%3B%20border%3A%20none%3B%22%3E%3CBR%20%2F%3E%3CTBODY%3E%3CBR%20%2F%3E%3CTR%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CB%3E%20%3CI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Policy%20path%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3C%2FB%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20border-left%3A%20none%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Windows%20Settings%5CSecurity%20Settings%5CLocal%20Policies%5CUser%20Rights%20Assignment%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3C%2FTR%3E%3CBR%20%2F%3E%3CTR%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20border-top%3A%20none%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CB%3E%20%3CI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Policy%20name%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3C%2FB%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border-top%3A%20none%3B%20border-left%3A%20none%3B%20border-bottom%3A%20solid%20windowtext%201.0pt%3B%20border-right%3A%20solid%20windowtext%201.0pt%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Deny%20log%20on%20through%20Remote%20Desktop%20Services%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3C%2FTR%3E%3CBR%20%2F%3E%3CTR%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20border-top%3A%20none%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CB%3E%20%3CI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Baseline%20setting%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3C%2FB%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border-top%3A%20none%3B%20border-left%3A%20none%3B%20border-bottom%3A%20solid%20windowtext%201.0pt%3B%20border-right%3A%20solid%20windowtext%201.0pt%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20NT%20AUTHORITY%5CLocal%20Account%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3C%2FTR%3E%3CBR%20%2F%3E%3CTR%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20border-top%3A%20none%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CB%3E%20%3CI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Updated%20setting%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3C%2FB%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border-top%3A%20none%3B%20border-left%3A%20none%3B%20border-bottom%3A%20solid%20windowtext%201.0pt%3B%20border-right%3A%20solid%20windowtext%201.0pt%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20%5Bempty%5D%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3C%2FTR%3E%3CBR%20%2F%3E%3C%2FTBODY%3E%3CBR%20%2F%3E%3C%2FTABLE%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CTABLE%20border%3D%221%22%20cellpadding%3D%220%22%20cellspacing%3D%220%22%20class%3D%22MsoTableGrid%22%20style%3D%22border-collapse%3A%20collapse%3B%20border%3A%20none%3B%22%3E%3CBR%20%2F%3E%3CTBODY%3E%3CBR%20%2F%3E%3CTR%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CB%3E%20%3CI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Policy%20path%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3C%2FB%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20border-left%3A%20none%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Administrative%20Templates%5CMS%20Security%20Guide%20%3CI%3E%20(*)%3C%2FI%3E%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3C%2FTR%3E%3CBR%20%2F%3E%3CTR%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20border-top%3A%20none%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CB%3E%20%3CI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Policy%20name%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3C%2FB%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border-top%3A%20none%3B%20border-left%3A%20none%3B%20border-bottom%3A%20solid%20windowtext%201.0pt%3B%20border-right%3A%20solid%20windowtext%201.0pt%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Apply%20UAC%20restrictions%20to%20local%20accounts%20on%20network%20logon%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3C%2FTR%3E%3CBR%20%2F%3E%3CTR%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20border-top%3A%20none%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CB%3E%20%3CI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Baseline%20setting%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3C%2FB%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border-top%3A%20none%3B%20border-left%3A%20none%3B%20border-bottom%3A%20solid%20windowtext%201.0pt%3B%20border-right%3A%20solid%20windowtext%201.0pt%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Enabled%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3C%2FTR%3E%3CBR%20%2F%3E%3CTR%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border%3A%20solid%20windowtext%201.0pt%3B%20border-top%3A%20none%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CB%3E%20%3CI%3E%20%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Updated%20setting%20%3C%2FSPAN%3E%20%3C%2FI%3E%20%3C%2FB%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3CTD%20style%3D%22border-top%3A%20none%3B%20border-left%3A%20none%3B%20border-bottom%3A%20solid%20windowtext%201.0pt%3B%20border-right%3A%20solid%20windowtext%201.0pt%3B%20padding%3A%200in%205.4pt%200in%205.4pt%3B%22%20valign%3D%22top%22%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%20.0001pt%3B%20line-height%3A%20normal%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010.0pt%3B%22%3E%20Disabled%20%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3C%2FTD%3E%3CBR%20%2F%3E%3C%2FTR%3E%3CBR%20%2F%3E%3C%2FTBODY%3E%3CBR%20%2F%3E%3C%2FTABLE%3E%3CBR%20%2F%3E%3CP%20class%3D%22MsoNormal%22%3E(*)%20%E2%80%9CMS%20Security%20Guide%E2%80%9D%20is%20a%20collection%20of%20custom%20settings%20that%20comes%20with%20the%20security%20baselines%20and%20is%20represented%20in%20SecGuide.admx.%20You%20can%20configure%20the%20updated%20setting%20directly%20by%20configuring%20the%20registry%20value%20LocalAccountTokenFilterPolicy%20to%20REG_DWORD%20value%201%20in%20HKLM%5CSOFTWARE%5CMicrosoft%5CWindows%5CCurrentVersion%5CPolicies%5CSystem.%3C%2FP%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3C%2FDIV%3E%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-701083%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20TechNet%20on%20Dec%2010%2C%202018%20%26nbsp%3BLong%20overdue%20post%20revisiting%20the%20question%20about%20whether%20and%20when%20to%20block%20the%20use%20of%20local%20accounts%2C%20particularly%20for%20remote%20administration.%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-736207%22%20slang%3D%22en-US%22%3ERe%3A%20Remote%20Use%20of%20Local%20Accounts%3A%20LAPS%20Changes%20Everything%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-736207%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Aaron%2C%26nbsp%3B%3C%2FP%3E%3CP%3Enice%20to%20talk%20to%20you%20again%20..%3C%2FP%3E%3CP%3EWith%20the%20introduction%20of%20LAPS%2C%20I%20think%20many%20will%20switch%20to%20that%20configuration%2C%20because%20it's%20simple%20and%20really%20secure..%3CBR%20%2F%3EDo%20you%20have%20contact%20with%20the%20original%20developer%20of%20RDCMan%202.7%3F%20If%20yes%2C%20can%20you%20ask%20him%20to%20integrate%20the%20tool%20with%20LAPS%3F%20I%20mean%2C%20one%20more%20configuration%20panel%20where%20to%20specify%20the%20Domain%20name%20or%20a%20specific%20domain%20controller%20where%20the%20tool%20could%20query%20the%20computer%20name%20object%20in%20order%20to%20retrieve%20automatically%20the%20password%20for%20the%20administrator%20account..%20if%20the%20user%20running%20the%20tool%20has%20the%20permission%20to%20do%20so..%3CBR%20%2F%3EIt%20would%20be%20a%20killing%20feature%20for%20RDCMan%20when%20LAPS%20is%20deployed%20in%20the%20environment..%3C%2FP%3E%3CP%3EThanks!%20Greetings%20from%20Italy!%3CBR%20%2F%3E-mario%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-777561%22%20slang%3D%22en-US%22%3ERe%3A%20Remote%20Use%20of%20Local%20Accounts%3A%20LAPS%20Changes%20Everything%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-777561%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20again%20Aaron..%3C%2FP%3E%3CP%3ELAPS%20it's%20a%20great%20solution%20to%20avoid%20lateral%20movement%20in%20a%20domain%20if%20a%20machine%20has%20been%20compromised%2C%20but%20here%20in%20Europe%2C%20we%20have%20GDPR..%3C%2FP%3E%3CP%3Eone%20of%20the%20requirements%20of%20GDPR%20is%20that%20every%20access%20performed%20to%20administer%20a%20machine%2C%20must%20be%20logged%20with%20all%20the%20information%20about%20the%20admin%20which%20is%20logging%20on..%20as%20you%20can%20imagine%20if%20all%20the%20admin%20which%20logs%20on%20to%20a%20server%20use%20the%20same%20account%2C%20that%20is%20local%20Administrator%2C%20this%20requirement%20is%20not%20satisfied%20at%20all..%20So%2C%20unless%20there%20is%20a%20better%20logging%20of%20the%20remote%20desktop%20session%20which%20logs%20everything%20about%20the%20remote%20client%2C%20passing%20also%20the%20username%20of%20the%20user%20logging%20in%20as%20Administrator%2C%20LAPS%20cannot%20be%20used%20to%20perform%20server%20administration..%26nbsp%3B%3CBR%20%2F%3EDo%20you%20think%20you%20can%20speak%20with%20the%20MSTSC%20client%20group%20so%20they%20can%20improve%20the%20logging%20passing%20together%20with%20the%20client%20address%20also%20the%20real%20name%20of%20the%20user%20logging%20on%20as%20Administrator%3F%3F%20Without%20this%20information%20LAPS%20its%20useless%20in%20Europe..%3C%2FP%3E%3CP%3ECiao%3CBR%20%2F%3E-mario%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-778942%22%20slang%3D%22en-US%22%3ERe%3A%20Remote%20Use%20of%20Local%20Accounts%3A%20LAPS%20Changes%20Everything%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-778942%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F275004%22%20target%3D%22_blank%22%3E%40mariora%3C%2FA%3EIf%20you%20audit%20process%20creation%20and%20successful%20filtering%20platform%20connections%20on%20the%20administration%20servers%20and%20on%20the%20client%20you%20will%20have%20a%20full%20trace%20of%20the%20user%20who%20initiated%20the%20connection%20and%20everything%20they%20did%20on%20the%20remote%20machine.%20There's%20a%20little%20HEX%20to%20decimal%20conversion%20needed%20for%20the%20process%20to%20logon%20ID%20trace%20but%20this%20is%20only%20needed%20during%20a%20security%20investigation%20so%20doesn't%20impact%20on%20the%20day%20to%20day%20operations.%20This%20auditing%20can%20also%20help%20forensic%20investigations%20to%20non%20Windows%20machines%20too.%20Let%20me%20know%20if%20you%20need%20more%20information.%20Greetings%20from%20England.%20Steve%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-781117%22%20slang%3D%22en-US%22%3ERe%3A%20Remote%20Use%20of%20Local%20Accounts%3A%20LAPS%20Changes%20Everything%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-781117%22%20slang%3D%22en-US%22%3E%3CP%3EHI%20Steve%2C%20I'm%20really%20interested%20in%20everything%20that%20can%20help%20here%20tracking%20down%20the%20original%20user..%26nbsp%3B%3CBR%20%2F%3EI%20already%20found%20this%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fkfalde%2F2015%2F11%2F18%2Flaps-audit-reporting-via-wef-posh-and-powerbi%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fkfalde%2F2015%2F11%2F18%2Flaps-audit-reporting-via-wef-posh-and-powerbi%2F%3C%2FA%3E%26nbsp%3B%3CSPAN%3Eand%20this%20can%20help%20a%20little%20bit%20but%20there%20is%20always%20the%20problem%20of%20a%20jump%20server..%20that%20is%20if%20the%20user%20access%20a%20middle%20server%20from%20where%20he%20goes%20to%20the%20AD%20to%20get%20the%20admin%20password%26nbsp%3B%20and%20then%20connect%20to%20the%20remote%20server%20as%20Administrator%20I%20can%20loose%20the%20original%20user%20as%20he%20could%20have%20logged%20on%20as%20a%20local%20user%20in%20the%20middle%20server..%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EUnfortunately%20GDPR%20has%20very%20strict%20rules%20on%20the%20logging.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3ECan%20you%20please%20explain%20more%20in%20detail%20your%20idea%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks%3CBR%20%2F%3E-mario%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-787161%22%20slang%3D%22en-US%22%3ERe%3A%20Remote%20Use%20of%20Local%20Accounts%3A%20LAPS%20Changes%20Everything%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-787161%22%20slang%3D%22en-US%22%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F275004%22%20target%3D%22_blank%22%3E%40mariora%3C%2FA%3E%2C%20To%20track%20the%20use%20of%20the%20local%20administrator%20you%20can%20look%20in%20the%20Windows%20security%20event%20log.%20On%20the%20source%20server%20you%20will%20see%20event%20ID%204648%20which%20tells%20you%20the%20name%20of%20the%20source%20user%2C%20the%20remote%20machine%20name%20connected%20to%20and%20the%20remote%20credentials%20used.%20On%20the%20remote%20machine%20you%20will%20see%20Windows%20security%20event%20ID%204624%20which%20tells%20you%20the%20credentials%20used%2C%20the%20source%20server%20name%20and%20the%20source%20IP%20address.%20The%20auditing%20that%20produces%20these%20events%20is%20enabled%20by%20the%20security%20baselines%20provided%20by%20Microsoft.%20To%20track%20other%20user%20activities%20across%20the%20network%2C%20including%20to%20non-Windows%20systems%2C%20you%20need%20to%20enable%20success%20auditing%20of%20%E2%80%98Object%20Access%2FAudit%20Filtering%20Platform%20Connection%E2%80%99%2C%20this%20will%20then%20log%20event%20ID%205156%20in%20the%20Windows%20security%20event%20log.%20Example%3B%20A%20Linux%20server%20log%20shows%20a%20login%20from%20IP%20address%2010.0.0.1%20to%20TCP%20port%2022%20with%20a%20source%20port%20of%2059109%20The%20Windows%20security%20log%20on%20the%20server%20with%20address%2010.0.0.1%20has%20a%20corresponding%20event%20ID%205156%20showing%20putty.exe%20making%20the%20connection%20with%20a%20matching%20source%20port%20and%20matching%20timestamp.%20The%20event%20ID%205156%20will%20tell%20you%20the%20decimal%20process%20ID%20e.g.%207672%2C%20this%20needs%20to%20converted%20in%20Hex%20e.g.%201df8%20Searching%20for%20process%20creation%20event%20ID%204688%20containing%201df8%20will%20find%2C%20for%20example%3B%20New%20Process%20ID%3A%200x1df8%20New%20Process%20Name%3A%20C%3A%5CProgram%20Files%5CPuTTY%5Cputty.exe%20And%20in%20that%20log%20entry%20will%20be%20the%20account%20details%20of%20the%20user%20running%20the%20program.%20Let%20me%20know%20how%20you%20get%20on%2C%20Steve%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-789633%22%20slang%3D%22en-US%22%3ERe%3A%20Remote%20Use%20of%20Local%20Accounts%3A%20LAPS%20Changes%20Everything%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-789633%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Steve%2C%20will%20give%20it%20a%20try..%3C%2FP%3E%3CP%3E-mario%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft
First published on TechNet on Dec 10, 2018


Long overdue post revisiting the question about whether and when to block the use of local accounts, particularly for remote administration.

Beginning in 2014 with our baselines for Windows 8.1 and Windows Server 2012R2, our security baselines have been blocking remote use of local accounts . Back then, Windows had yet to offer anything resembling secure management of administrative local account credentials. It was typical for an entire organization to have an administrative local user account with the same username and password on every Windows computer. One problem with that is that the common password often becomes a well-known secret over time with no way to revoke access from anyone who ever received it. But by far the biggest problem is that an attacker with administrative rights on one machine can easily obtain the account’s password hash from the local Security Accounts Manager (SAM) database and use it to gain administrative rights over the other machines using “pass the hash” techniques.


In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) . LAPS is an elegant and lightweight mechanism for Active Directory domain-joined systems that periodically sets each computer’s admin account password to a new random and unique value, storing the password in a secured confidential attribute on the corresponding computer object in Active Directory where only specifically-authorized users can retrieve it.


LAPS changes everything.


Not only does LAPS neutralize both the pass-the-hash and well-known-secret problems, it creates new opportunities for remote management. With LAPS – or in fact, with any solution that makes local account passwords unique and not guessable – using local accounts for remote computer management actually offers some advantages over using domain accounts. They can, that is, provided that their use isn’t blocked by security policy – which our baselines do today.


It’s all about credential hygiene. Good credential hygiene means not exposing credentials on a potentially-compromised system when those credentials can be used to compromise another system. Credentials can be a plaintext password, an account’s NTLM hash, or a Kerberos TGT. Microsoft’s Pass the Hash whitepapers go into detail about which remote logon types and tools expose credentials and which ones don’t.


Let’s say your helpdesk technicians each have a domain account that is granted administrative rights on all workstations in the domain. User Umberto reports computer issues, so Helen helpdesk technician logs on remotely to the workstation using her privileged domain account, not realizing that the workstation has been compromised with credential theft malware. Depending on how Helen logged on, her account credentials could be stolen and the thief can now gain administrative control over all workstations. All the technicians might follow the whitepapers’ recommendations, but they must do it the right way every single time. One technician with a privileged account making one mistake just one time can lead to a domain-wide compromise.


Let’s say instead of using a privileged domain account, Helen helpdesk technician retrieves the LAPS password for the workstation and uses the LAPS-managed administrative local account to log on. Credential theft is not a problem. If the thief gets the hash or even the plaintext password, it’s useful only on the computer that the thief already controls. So Helen can use whichever logon type or remote tool is most convenient for the work being performed.


Note: One caveat about using remote desktop: do not enable drive redirection for your local volumes when connecting to a potentially-compromised system. And avoid clipboard redirection as well. This caveat applies whether you’re using a LAPS-managed account, /restrictedAdmin, or anything else.


If you have deployed LAPS or another local account password management solution and you want to use local accounts for the remote administration of Windows computers, you need to change three of the Computer Configuration settings that we recommend in the baselines for Windows client and Windows Server in the Member Server role. We recommend these changes only if you plan to use LAPS-managed local accounts for remote administration. Note also that the local-policy scripts included with the Windows 1803 and 1809 baseline packages include “Non-Domain” options that implement these same changes.























Policy path



Windows Settings\Security Settings\Local Policies\User Rights Assignment



Policy name



Deny access to this computer from the network



Baseline setting



Win client : NT AUTHORITY\Local Account


Win Server : NT AUTHORITY\Local account and member of Administrators group



Updated setting



[empty]
























Policy path



Windows Settings\Security Settings\Local Policies\User Rights Assignment



Policy name



Deny log on through Remote Desktop Services



Baseline setting



NT AUTHORITY\Local Account



Updated setting



[empty]
























Policy path



Administrative Templates\MS Security Guide (*)



Policy name



Apply UAC restrictions to local accounts on network logon



Baseline setting



Enabled



Updated setting



Disabled



(*) “MS Security Guide” is a collection of custom settings that comes with the security baselines and is represented in SecGuide.admx. You can configure the updated setting directly by configuring the registry value LocalAccountTokenFilterPolicy to REG_DWORD value 1 in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.



6 Comments
Senior Member

Hi Aaron, 

nice to talk to you again ..

With the introduction of LAPS, I think many will switch to that configuration, because it's simple and really secure..
Do you have contact with the original developer of RDCMan 2.7? If yes, can you ask him to integrate the tool with LAPS? I mean, one more configuration panel where to specify the Domain name or a specific domain controller where the tool could query the computer name object in order to retrieve automatically the password for the administrator account.. if the user running the tool has the permission to do so..
It would be a killing feature for RDCMan when LAPS is deployed in the environment..

Thanks! Greetings from Italy!
-mario

Senior Member

Hi again Aaron..

LAPS it's a great solution to avoid lateral movement in a domain if a machine has been compromised, but here in Europe, we have GDPR..

one of the requirements of GDPR is that every access performed to administer a machine, must be logged with all the information about the admin which is logging on.. as you can imagine if all the admin which logs on to a server use the same account, that is local Administrator, this requirement is not satisfied at all.. So, unless there is a better logging of the remote desktop session which logs everything about the remote client, passing also the username of the user logging in as Administrator, LAPS cannot be used to perform server administration.. 
Do you think you can speak with the MSTSC client group so they can improve the logging passing together with the client address also the real name of the user logging on as Administrator?? Without this information LAPS its useless in Europe..

Ciao
-mario 

Occasional Contributor
@mariora If you audit process creation and successful filtering platform connections on the administration servers and on the client you will have a full trace of the user who initiated the connection and everything they did on the remote machine. There's a little HEX to decimal conversion needed for the process to logon ID trace but this is only needed during a security investigation so doesn't impact on the day to day operations. This auditing can also help forensic investigations to non Windows machines too. Let me know if you need more information. Greetings from England. Steve
Senior Member

HI Steve, I'm really interested in everything that can help here tracking down the original user.. 
I already found this https://blogs.technet.microsoft.com/kfalde/2015/11/18/laps-audit-reporting-via-wef-posh-and-powerbi/ and this can help a little bit but there is always the problem of a jump server.. that is if the user access a middle server from where he goes to the AD to get the admin password  and then connect to the remote server as Administrator I can loose the original user as he could have logged on as a local user in the middle server..

Unfortunately GDPR has very strict rules on the logging.

Can you please explain more in detail your idea?

 

Thanks
-mario

Occasional Contributor
Hi @mariora, To track the use of the local administrator you can look in the Windows security event log. On the source server you will see event ID 4648 which tells you the name of the source user, the remote machine name connected to and the remote credentials used. On the remote machine you will see Windows security event ID 4624 which tells you the credentials used, the source server name and the source IP address. The auditing that produces these events is enabled by the security baselines provided by Microsoft. To track other user activities across the network, including to non-Windows systems, you need to enable success auditing of ‘Object Access/Audit Filtering Platform Connection’, this will then log event ID 5156 in the Windows security event log. Example; A Linux server log shows a login from IP address 10.0.0.1 to TCP port 22 with a source port of 59109 The Windows security log on the server with address 10.0.0.1 has a corresponding event ID 5156 showing putty.exe making the connection with a matching source port and matching timestamp. The event ID 5156 will tell you the decimal process ID e.g. 7672, this needs to converted in Hex e.g. 1df8 Searching for process creation event ID 4688 containing 1df8 will find, for example; New Process ID: 0x1df8 New Process Name: C:\Program Files\PuTTY\putty.exe And in that log entry will be the account details of the user running the program. Let me know how you get on, Steve
Senior Member

Thanks Steve, will give it a try..

-mario