Local administrator (LA) password randomization has been a hot topic for a couple of years already (and it should have been for much longer, to be honest). Nevertheless, at least 2 out of 3 companies are still doing it in a wrong, or, better to say, incomplete way.
What is the flawed pattern we can observe here?
- A company implements a password randomization solution, such as the free Microsoft LAPS (https://www.microsoft.com/en-us/download/details.aspx?id=46899).
- Local administrator passwords on workstations (and servers in some cases) are randomized.
- “Phew… We are done!” And the LA accounts and passwords are almost never used after that. Workstation support tasks are still performed using domain accounts.
What many companies are missing here is that LA password randomization pursues two objectives:
- First (the obvious one). Prevent an adversary from reusing the LA hash on other workstations. In this case, after a host compromise an attacker could extract the LA password hash from the SAM database, but as the passwords are different on every workstation, he won’t be able to reuse this stolen credential on other workstations.
- Second (usually missed, but still as important as the first one). Prevent the exposure of privileged domain credentials (such as HelpDesk operators’ credentials) on workstations. We do LA password randomization not for randomization’s sake, but to let administrative personnel use these LA accounts with randomized passwords, and to keep them from using their domain accounts and leaving reusable credentials on users’ workstations.
I don’t know why so many overlook the second point; it seems so obvious. OK, we assume that an attacker has gained administrative access to a corporate workstation. We expect him to extract the LA hash from the SAM and try to reuse it on other hosts. Well, our LA passwords are randomized, so he’s unable to connect anywhere. That’s good. But what would be his next step? In most cases, he will try to attract someone with higher privileges to this compromised workstation. How? Just delete a couple of files, kill a couple of processes, and here we are: there’s a swift and dashing HelpDesk operator ready to give away his domain credentials by logging on interactively or through Remote Desktop.
Will it make a difference to the adversary which of the stolen accounts he uses: an LA account whose password is the same on many workstations, or a HelpDesk privileged domain account that has almost as wide administrative coverage as a common LA account does? The difference is not that big.
And that’s why we have this unambiguous statement in our Securing Privileged Access recommendations (https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material):
Desk-side workstation support – The Tier 2 support personnel is physically at the user’s workstation.
- Primary – Retrieve the local account password set by LAPS from an admin workstation before connecting to user workstation.
- Forbidden – Logging on with domain account administrative credentials is not allowed in this scenario.
Remote workstation support – The Tier 2 support personnel is physically remote to the workstation.
- Primary – Use RDP RestrictedAdmin from an admin workstation with a domain account that uses permissions obtained just-in-time from a privileged access management solution.
- Secondary – Retrieve a local account password set by LAPS from an admin workstation before connecting to user workstation.
- Forbidden – Use standard RDP with a domain account.
Nothing to add here. If your HelpDesk is still using their domain accounts to support corporate users/workstations, reconsider your administrative approach as soon as possible.
Implement LAPS (or another password randomization solution), and follow the guidance above.
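One way to check whether the guidance above is actually followed is to review workstation logon events (Security event 4624) for Tier 2 domain accounts that still log on in a credential-exposing way. The following is an added example, not code from the original post or from Microsoft; it assumes the 4624 events have already been parsed into dicts keyed by the event’s XML data names, the Tier 2 account list is hypothetical, and every sample event is constructed.

```python
# Flag Tier 2 (HelpDesk) domain-account logons that leave reusable credentials on
# workstations, per the tiering guidance quoted in the post. Assumption (not from the
# post): Security event 4624 is already parsed into dicts keyed by the event's XML data
# names. All sample events below are constructed, not real logs.

# Logon types that leave reusable credentials (password, NT hash, TGT) on the host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
CREDENTIAL_EXPOSING_TYPES = {2, 10, 11}
# Hypothetical Tier 2 accounts; in practice load them from the HelpDesk group.
TIER2_ACCOUNTS = {"CORP\\hd.operator1", "CORP\\hd.operator2"}


def is_local_account(event):
    """A local SAM account's TargetDomainName is the computer's own NetBIOS name."""
    return event["TargetDomainName"].upper() == event["Computer"].split(".")[0].upper()


def violates_guidance(event):
    """Return a reason string if the logon breaks the guidance, else None."""
    if event["EventID"] != 4624:
        return None
    logon_type = event["LogonType"]
    if logon_type not in CREDENTIAL_EXPOSING_TYPES:
        return None  # network/service logons are not the concern here
    if is_local_account(event):
        return None  # LAPS-managed local admin: the intended path
    account = f'{event["TargetDomainName"]}\\{event["TargetUserName"]}'
    if account not in TIER2_ACCOUNTS:
        return None  # ordinary users are out of scope for this check
    if logon_type == 10 and event.get("RestrictedAdminMode") == "Yes":
        return None  # RestrictedAdmin RDP: no reusable credentials left behind
    return f"{account} logon type {logon_type} on {event['Computer']}"


def find_violations(events):
    return [r for r in (violates_guidance(e) for e in events) if r]


SAMPLE_EVENTS = [  # constructed sample data
    {"EventID": 4624, "Computer": "WS001.corp.local", "TargetDomainName": "WS001",
     "TargetUserName": "Administrator", "LogonType": 2},  # LAPS local admin: OK
    {"EventID": 4624, "Computer": "WS002.corp.local", "TargetDomainName": "CORP",
     "TargetUserName": "hd.operator1", "LogonType": 10, "RestrictedAdminMode": "Yes"},  # OK
    {"EventID": 4624, "Computer": "WS003.corp.local", "TargetDomainName": "CORP",
     "TargetUserName": "hd.operator2", "LogonType": 10, "RestrictedAdminMode": "No"},  # flag
    {"EventID": 4624, "Computer": "WS004.corp.local", "TargetDomainName": "CORP",
     "TargetUserName": "hd.operator1", "LogonType": 2},  # interactive logon: flag
    {"EventID": 4624, "Computer": "WS005.corp.local", "TargetDomainName": "CORP",
     "TargetUserName": "hd.operator1", "LogonType": 3},  # network logon: OK
]
```

Run `find_violations(SAMPLE_EVENTS)` to list the two offending logons; the same function can be fed events exported from the workstations’ Security logs.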