Forum Discussion

JoniLjungqvist's avatar
JoniLjungqvist
Copper Contributor
Mar 29, 2021
Solved

LAPS - Splunk account reading ms-Mcs-AdmPwd

Hi all,

 

We have used LAPS for a few years, and recently we started using a logging service called Splunk, and as it turns out, this logging service account is reading the ms-Mcs-AdmPwd attribute in Active Directory and sending it in cleartext.

 

The account we use that runs on the machines is a member of the "Administrators" but also "Domain Admins" group on the machines via a GPO (the "Restricted groups" setting). However, I've removed the "All extended attributes" ACL on the Domain Admins-group in our domain and I've also used the "Find-AdmPwdExtendedRights" on our two OU:s where we have computer objects with LAPS, and this doesn't show the account (or the "Domain admins"-group) any longer.

 

What am I missing here? Is there an ACL I'm missing or am I thinking this wrong? Any help or ideas would be appriciated.

  • JoniLjungqvist 

    This isn't necessarily a MDI topic, but here are a few recommendations I'd look into:
    1.) Run the Splunk UF and associated account in low priv mode. Don't let your security monitoring/logging infra be leveraged against you.

    2.) Configure your inputs.conf and mask that, e.g. 

    sedcmd-pwdmask = s/(ms\-Mcs\-AdmPwd\=).+/##########/g
    https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Anonymizedata
    3.) Go back and remove all those entries from splunk or rotate laps pws.

1 Reply

  • SmasSec's avatar
    SmasSec
    Copper Contributor

    JoniLjungqvist 

    This isn't necessarily a MDI topic, but here are a few recommendations I'd look into:
    1.) Run the Splunk UF and associated account in low priv mode. Don't let your security monitoring/logging infra be leveraged against you.

    2.) Configure your inputs.conf and mask that, e.g. 

    sedcmd-pwdmask = s/(ms\-Mcs\-AdmPwd\=).+/##########/g
    https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Anonymizedata
    3.) Go back and remove all those entries from splunk or rotate laps pws.

Resources