Local Administrator Password Solution (LAPS)
Microsoft has finally released a supported tool for managing the built-in local administrator password on every domain-joined machine, with the passwords stored, randomized and access-controlled through Active Directory.
https://technet.microsoft.com/en-us/library/security/3062591
“LAPS stores the password for each computer’s local administrator account in Active Directory, in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.”
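The delegation model described in that quote, as an added example (not Microsoft's documentation and not from the original post): the cmdlets are the real ones from the AdmPwd.PS module that ships with the LAPS installer, but the OU, group and computer names are assumed placeholders.

```powershell
# Assumes the AdmPwd.PS module from the LAPS installer and an account with
# Domain Admin / Schema Admin rights. OU, group and host names are placeholders.
Import-Module AdmPwd.PS

$ou       = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$helpdesk = 'CORP\Workstation-Helpdesk'             # assumed group

# One-time: add ms-Mcs-AdmPwd (a confidential attribute) and
# ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

# Grant SELF on each computer object write access to the two attributes,
# so the machine can push its own new password into AD.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Delegate read (and forced-reset) of the password to the helpdesk group only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $helpdesk
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $helpdesk

# Audit: every principal holding "All extended rights" on the OU can read the
# confidential attribute. Anything beyond Domain Admins and $helpdesk is a finding.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# Retrieve a password the way the helpdesk would.
Get-AdmPwdPassword -ComputerName 'WS-001' |
    Select-Object ComputerName, Password, ExpirationTimestamp
```

Run Find-AdmPwdExtendedRights before and after the delegation: the confidential-attribute protection only helps if the list it returns is short, because any group that was given "All extended rights" on the OU years ago reads ms-Mcs-AdmPwd just as well as the helpdesk does.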
“Microsoft has observed that Group Policy Preferences abuse is one of the most common tactics used by attackers to elevate permissions in a domain.”
This solution appears to be a response to a weakness of Microsoft’s own making: a local admin account defined through a Group Policy Preference had its password protected by a fixed, publicly documented key. In Microsoft’s words, “the password is symmetrically encrypted using a static key and written to the XML file”. “If an attacker is able to get access to the SYSVOL share (which is open to all authenticated users, so a malicious or spear phished employee will have access to it) and obtain the AES encryption key used to encrypt/decrypt passwords set with GPP (which we document on MSDN), the attacker will be able to obtain the credentials set with GPP.”
-From “MS14-025: An Update for Group Policy Preferences”, Security Research & Defense blog (TechNet)
The static AES key they are referencing above is published on MSDN here: https://msdn.microsoft.com/en-us/library/cc422924.aspx
Note that MS14-025 only stops new passwords from being set through these preference items; any cpassword values already sitting in SYSVOL remain readable until the affected preference items are removed.
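What that documented key means in practice, as an added example that is not part of the original post or of any Microsoft tooling: the first function reverses the GPP cpassword encoding (base64 with the padding stripped, AES-256-CBC with the published key and a zero IV, UTF-16LE plaintext); the second walks SYSVOL for preference files that can carry a cpassword attribute. The key bytes are the ones from the MSDN page linked above; the cpassword string at the bottom is a sample value used as input, and the SYSVOL path is an assumption.

```powershell
function ConvertFrom-GPPCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)

    # The AES-256 key published by Microsoft (MS-GPPREF, "Password Encryption").
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

    # GPP strips the trailing '=' padding from the base64 text; restore it before decoding.
    $pad   = (4 - ($Cpassword.Length % 4)) % 4
    $bytes = [Convert]::FromBase64String($Cpassword + ('=' * $pad))

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $key
    $aes.IV      = New-Object byte[] 16     # all-zero IV, as the format specifies

    $plain = $aes.CreateDecryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    $aes.Dispose()

    # The plaintext is the password as UTF-16LE.
    [System.Text.Encoding]::Unicode.GetString($plain)
}

function Find-GPPCpassword {
    # Assumed default: the domain SYSVOL share; pass -SysvolPath for an offline copy.
    param([string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL")

    # Preference item files that can carry a cpassword attribute.
    $files = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'

    Get-ChildItem -Path $SysvolPath -Recurse -Include $files -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            [xml]$xml = Get-Content -Path $file -Raw
            # Every Properties element that has a cpassword attribute, whatever the item type.
            $xml.SelectNodes('//Properties[@cpassword]') |
                Where-Object { $_.cpassword } |
                ForEach-Object {
                    [pscustomobject]@{
                        File     = $file
                        UserName = $_.userName      # present for Groups.xml items, null otherwise
                        Password = ConvertFrom-GPPCpassword -Cpassword $_.cpassword
                    }
                }
        }
}

# Sample cpassword value (constructed input for this example, not a real credential).
ConvertFrom-GPPCpassword -Cpassword 'j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw'

# Sweep the whole domain share: any row returned is a credential every authenticated user can read.
Find-GPPCpassword
```

The sweep is just as useful from the defensive side: run it with an ordinary domain user account, and any result it returns is a preference item that still needs to be deleted from the GPO, after which the account’s password should be rotated, since it must be assumed already known.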
Brilliant!
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response