SOLVED

LAPS - Splunk account reading ms-Mcs-AdmPwd

Hi all,


We have used LAPS for a few years, and recently we started using a logging service called Splunk, and as it turns out, this logging service account is reading the ms-Mcs-AdmPwd attribute in Active Directory and sending it in cleartext.


The account we use that runs on the machines is a member of the "Administrators" group but also of the "Domain Admins" group on the machines via a GPO (the "Restricted groups" setting). However, I've removed the "All extended attributes" ACL on the Domain Admins group in our domain and I've also used "Find-AdmPwdExtendedRights" on our two OUs where we have computer objects with LAPS, and this doesn't show the account (or the "Domain Admins" group) any longer.


What am I missing here? Is there an ACL I'm missing or am I thinking about this wrong? Any help or ideas would be appreciated.

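The question above asks which ACL could be missed. The PowerShell below is an added example (not from the thread and not part of the LAPS tooling) that answers it from the other direction: instead of asking which principals hold "All extended rights" on the OU, it walks every computer object under an OU and lists each Allow ACE, inherited or set directly on the object, that carries ExtendedRight (CONTROL_ACCESS) or GenericAll on either the ms-Mcs-AdmPwd attribute itself or on all attributes. Those are the ACEs that let a principal read a confidential attribute; plain ReadProperty on its own does not. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the security descriptors, and the OU DN `OU=Workstations,DC=corp,DC=example` is a placeholder to replace. One thing to keep in mind when reading the output: a service that runs as Local System reaches Active Directory as the machine account, so the identity to look for may be the computer account (or a group it belongs to) rather than a named service account.

```powershell
# Added example, not from the thread: list every principal whose ACE can read the
# confidential ms-Mcs-AdmPwd attribute on the computer objects below an OU, whether
# the ACE is inherited from the OU or set directly on the computer object.
# Assumptions: RSAT ActiveDirectory module installed; caller can read security
# descriptors; the OU DN used at the bottom is a placeholder.
Import-Module ActiveDirectory

function Get-AdmPwdReaders {
    param(
        [Parameter(Mandatory)][string]$SearchBase   # DN of the OU holding the LAPS-managed computers
    )

    # The schema GUID of ms-Mcs-AdmPwd is generated when the LAPS schema extension is
    # installed, so it differs per forest; look it up instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema; has the LAPS schema extension been installed?' }
    $admPwdGuid = [guid]$attr.schemaIDGUID

    # An ACE whose ObjectType is Guid.Empty applies to every attribute and every extended right.
    $allGuid = [guid]::Empty

    # Reading a confidential attribute requires CONTROL_ACCESS (ExtendedRight) on it,
    # or a right that implies it (GenericAll). ReadProperty alone is not enough.
    $readCapable = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($computer in Get-ADComputer -SearchBase $SearchBase -Filter *) {
        $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $coversAttribute = ($ace.ObjectType -eq $admPwdGuid) -or ($ace.ObjectType -eq $allGuid)
            $hasRight = (($ace.ActiveDirectoryRights -band $readCapable) -ne 0)
            if ($coversAttribute -and $hasRight) {
                [pscustomobject]@{
                    Computer  = $computer.Name
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Scope     = if ($ace.ObjectType -eq $admPwdGuid) { 'ms-Mcs-AdmPwd' } else { 'all attributes / extended rights' }
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage with the placeholder OU: group by identity to see who can read passwords
# and on how many machines. Expand group memberships (nested groups included)
# for every identity listed before deciding the delegation is clean.
Get-AdmPwdReaders -SearchBase 'OU=Workstations,DC=corp,DC=example' |
    Group-Object Identity |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

Any identity that appears here but not in the output of Find-AdmPwdExtendedRights is a delegation made at a different level (directly on computer objects, or on the attribute rather than as "All extended rights"), which is the kind of ACE the question is looking for.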
best response confirmed by JoniLjungqvist (Copper Contributor)

@JoniLjungqvist 

This isn't necessarily an MDI topic, but here are a few recommendations I'd look into:

1.) Run the Splunk UF and associated account in low-priv mode. Don't let your security monitoring/logging infra be leveraged against you.

2.) Configure your inputs.conf and mask that, e.g.

SEDCMD-pwdmask = s/(ms\-Mcs\-AdmPwd\=).+/\1##########/g

3.) Go back and remove all those entries from Splunk or rotate the LAPS passwords.
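Two practical notes on step 2 before relying on it. SEDCMD is a props.conf setting that Splunk applies while parsing, which for ordinary inputs happens on the indexer or a heavy forwarder, not on a universal forwarder; the mask therefore keeps the value out of the index but does not stop the attribute from leaving the host, so forwarder-to-indexer TLS and, better, not collecting the attribute at all (step 1) still matter. And a sed expression only hides what it matches. The PowerShell below is an added example (not from the thread) that runs the reply's pattern and a tighter variant over constructed sample lines so you can see the difference; -creplace is used because sed's s/// is case-sensitive by default while PowerShell's -replace is not. The sample lines are made up for this example and are not real Splunk events.

```powershell
# Added example, not from the thread: exercise the reply's mask (with \1 keeping the
# attribute name) and a tighter variant over constructed sample lines.
# -creplace is used so the match is case-sensitive, like sed's s/// by default.

function Hide-AdmPwdValue {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$Pattern,
        [string]$Replacement = '$1##########'   # $1 here is sed's \1
    )
    foreach ($line in $Lines) { $line -creplace $Pattern, $Replacement }
}

# Constructed sample lines (not real output). The password value is made up.
$samples = @(
    'ms-Mcs-AdmPwd=Xy7!qPw3#zZ9k',
    'dn=CN=WS01,OU=Workstations,DC=corp,DC=example ms-Mcs-AdmPwd=Xy7!qPw3#zZ9k ms-Mcs-AdmPwdExpirationTime=133500000000000000',
    '"ms-Mcs-AdmPwd":"Xy7!qPw3#zZ9k"'
)

# 1) The reply's pattern. '.+' is greedy: on the second line it also swallows the
#    ms-Mcs-AdmPwdExpirationTime field, and on the third (a JSON-style rendering with
#    quotes and a colon) it does not match at all, so that password stays in the clear.
Hide-AdmPwdValue -Lines $samples -Pattern '(ms\-Mcs\-AdmPwd\=).+'

# 2) A tighter pattern: accept '=' or ':' with optional quotes around name and value,
#    and stop the value at whitespace or a quote. Neighbouring fields survive and the
#    JSON form is masked too. The Splunk equivalent would be
#    SEDCMD-pwdmask = s/(ms\-Mcs\-AdmPwd["']?\s*[:=]\s*["']?)[^\s"']+/\1##########/g
Hide-AdmPwdValue -Lines $samples -Pattern '(ms\-Mcs\-AdmPwd["'']?\s*[:=]\s*["'']?)[^\s"'']+'
```

Whichever pattern you settle on, test it against the exact rendering your input produces (key=value, JSON, multi-line) rather than a single line, since the first variant above shows how easily a rendering you did not anticipate slips through unmasked.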