LAPS and restricting the use of local accounts
Another important factor is local administrator accounts, which are often used when the domain trust between an endpoint and the domain breaks and we need to log on to troubleshoot the issue. Attackers commonly use the local accounts that exist on servers to move laterally within an environment. This is particularly damaging when the password of the built-in local administrator account is set to the same value across multiple servers, since one compromised host then yields access to all of them.
Windows Local Administrator Password Solution (LAPS) is a Microsoft tool that allows us to securely manage the local administrator passwords of domain-joined computers. When we install the Windows LAPS component on our machines, it makes the following changes:
- A new Group Policy client-side extension is installed on all domain-joined computers. This extension is responsible for generating a random password for the local administrator account on the computer and storing it in AD...
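The practical check that follows from this is whether every domain-joined computer actually has a LAPS-managed, unexpired password stored in AD. The script below is an added example, not part of the original text or of Microsoft's LAPS tooling; it assumes the ActiveDirectory RSAT module and the Windows LAPS schema attribute msLAPS-PasswordExpirationTime (for legacy LAPS the equivalent attribute is ms-Mcs-AdmPwdExpirationTime).

```powershell
# Added example: report domain computers whose local admin password is not
# managed by LAPS, or whose stored password is past its expiration time.
# Assumes the ActiveDirectory module and a Windows LAPS-extended schema.
Import-Module ActiveDirectory

function Get-LapsCoverageReport {
    param(
        # Assumption: audit the whole domain unless an OU is supplied
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $nowUtc = (Get-Date).ToUniversalTime()

    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties 'msLAPS-PasswordExpirationTime' | ForEach-Object {
        $raw = $_.'msLAPS-PasswordExpirationTime'
        if (-not $raw) {
            # No expiration time means the LAPS client never wrote a password here
            $state   = 'NotManaged'
            $expires = $null
        } else {
            # Large-integer FILETIME (100-ns ticks since 1601), like other AD timestamps
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
            $state   = if ($expires -lt $nowUtc) { 'Expired' } else { 'Managed' }
        }
        [pscustomobject]@{ Name = $_.Name; State = $state; ExpiresUtc = $expires }
    }
}

# Show only the hosts that need attention; 'Managed' rows are the healthy ones
Get-LapsCoverageReport |
    Where-Object State -ne 'Managed' |
    Sort-Object State, Name |
    Format-Table -AutoSize
```

Hosts reported as NotManaged are the ones most likely still carrying a shared or static local administrator password, and Expired ones indicate a client that has stopped rotating.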