Local administrator accounts are commonly configured with the same password across all devices in corporate environments, making it easy for attackers to own every device if that password is compromised. Microsoft’s security baseline templates block remote use of local accounts because, until the Local Administrator Password Solution (LAPS) was released in 2015, there was no mechanism for securely managing local administrator accounts. LAPS is a free tool from Microsoft that randomizes local admin passwords every 30 days and stores them securely in Active Directory, one per computer account.

The risk posed by local administrator accounts can be managed by manually setting a random password on each device and then recording it in a spreadsheet. But that doesn’t address the need to change passwords periodically, and it requires you to make sure the spreadsheet isn’t accessed by malicious or unauthorized users. LAPS solves both problems, ensuring that local administrator accounts remain secure and can’t be used by hackers to move laterally around your network.

For more information on using LAPS, see Secure Local Administrator Accounts with the Local Administrator Password Solution (LAPS) Tool on Petri.

Microsoft’s security baseline templates for Windows and Windows Server are available as part of the Security Compliance Toolkit.

Despite the convenience LAPS provides for managing local admin accounts, IT helpdesk staff often use a domain account that is granted administrator rights on each workstation in the domain. While this account doesn’t need to be a privileged domain account, i.e. it need not be a member of Domain Admins or any other privileged AD group, it could still be used to compromise every workstation in the domain.

In a blog post by Aaron Margosis, Microsoft recommends that organizations consider unblocking remote use of local administrator accounts if LAPS or another password management solution is in place, and if they want to use local accounts for remote administration. Otherwise you should continue to block remote use of local accounts. Margosis says that if a helpdesk user wants to remotely access a workstation, it is more secure to retrieve the local administrator password from AD than to use a domain account. If the local admin password is compromised, any damage is limited to that device.

Some remote access tools expose credentials when logging in to remote systems, so IT helpdesk account credentials could be compromised.

The first two settings can be found under Windows Settings\Security Settings\Local Policies\User Rights Assignment and should be set to empty. The third is a custom setting that’s part of the baseline templates (SecGuide.admx). It can be found under Administrative Templates\MS Security Guide and should be set to Disabled.

As you can see, there are some definite advantages to using LAPS-managed local administrator accounts for remote access. The only drawbacks that I can see are, first, that it requires some administrative effort for helpdesk staff to retrieve local admin passwords from AD every time they need to log in, as opposed to getting quick access with a domain account. Secondly, using an account that isn’t tied to a named individual means we don’t have a record of who accessed the device with administrative privileges.
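The two drawbacks of the LAPS approach, the effort of fetching the password from AD for every logon and the lack of a record of who used the shared local account, can both be narrowed with a small amount of PowerShell. The script below is an added example, not code from the article, from Petri or from Microsoft. It assumes the legacy LAPS PowerShell module (AdmPwd.PS) and the RSAT ActiveDirectory module are installed, that the caller has been delegated read rights on the ms-Mcs-AdmPwd attribute for the workstation OU, and that the LAPS-managed account is the built-in Administrator. The function names, the log path, the ticket-number parameter and the OU distinguished name are my own assumptions, not LAPS conventions.

```powershell
# Added example; not code from the article, from Petri or from Microsoft's LAPS
# documentation. Assumes the legacy LAPS PowerShell module (AdmPwd.PS) and the
# RSAT ActiveDirectory module are installed on the helpdesk workstation, that the
# caller has been delegated read rights on ms-Mcs-AdmPwd for the workstation OU,
# and that the LAPS-managed account is the built-in Administrator. The function
# names, the log path, the ticket-number parameter and the OU DN are my own
# assumptions, not LAPS conventions.

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

function Get-HelpdeskLocalAdminPassword {
    # Retrieve the LAPS password for one workstation, write a local who/when/why
    # record (never the password itself) and, optionally, tell LAPS to rotate the
    # password at the computer's next Group Policy refresh so the value just
    # revealed stays valid only briefly.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $TicketNumber,
        [string] $LocalAccount = 'Administrator',
        [switch] $ExpireAfterUse,
        [string] $LogPath = "$env:ProgramData\Helpdesk\laps-access.log"   # assumed path
    )

    # LAPS cmdlet; returns ComputerName, DistinguishedName, Password and ExpirationTimestamp.
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $entry -or [string]::IsNullOrEmpty($entry.Password)) {
        throw "No LAPS password stored in AD for '$ComputerName'. Is the LAPS client deployed there?"
    }

    $record = '{0:u} reader={1}\{2} computer={3} ticket={4} expires={5:u}' -f (Get-Date),
        $env:USERDOMAIN, $env:USERNAME, $entry.ComputerName, $TicketNumber, $entry.ExpirationTimestamp
    New-Item -ItemType Directory -Path (Split-Path -Parent $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $record

    if ($ExpireAfterUse) {
        # Sets ms-Mcs-AdmPwdExpirationTime to now; the LAPS client on the workstation
        # generates a new password at its next policy refresh.
        Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
    }

    # Return a credential object rather than echoing the clear-text password.
    $secure = ConvertTo-SecureString -String $entry.Password -AsPlainText -Force
    [pscredential]::new("$ComputerName\$LocalAccount", $secure)
}

function Enable-LocalAdminPasswordReadAuditing {
    # Adds a SACL so that every read of ms-Mcs-AdmPwd on computer objects under the
    # OU is recorded on the domain controllers as Security event ID 4662. The DCs
    # also need "Audit Directory Service Access" (success) enabled for the events to
    # be written; that is an ordinary audit-policy change and is not shown here.
    param([Parameter(Mandatory)] [string] $OrgUnitDN)   # e.g. 'OU=Workstations,DC=corp,DC=example' (placeholder)
    Set-AdmPwdAuditing -OrgUnit $OrgUnitDN -AuditedPrincipals 'Everyone'
}

function Get-LocalAdminPasswordReadEvents {
    # Collect the 4662 events from a DC and keep those that touch the LAPS password
    # attribute. 4662 identifies attributes by schemaIDGUID rather than by LDAP
    # display name, so the GUID is resolved from the schema first.
    param(
        [string]   $DomainController = [string](Get-ADDomainController -Discover).HostName,
        [datetime] $Since = (Get-Date).AddDays(-1)
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    $guid = [guid]::new([byte[]]$attr.schemaIDGUID).ToString()

    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } |
        Where-Object { $_.Message -match [regex]::Escape($guid) } |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of relying on positional Properties.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Reader   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Computer = $data.ObjectName   # DN (or GUID) of the computer object whose password was read
            }
        }
}

# Usage, helpdesk side and audit side (computer name, ticket and OU are constructed placeholders):
# $cred = Get-HelpdeskLocalAdminPassword -ComputerName 'WS-0421' -TicketNumber 'INC0012345' -ExpireAfterUse
# Enter-PSSession -ComputerName 'WS-0421' -Credential $cred
# Enable-LocalAdminPasswordReadAuditing -OrgUnitDN 'OU=Workstations,DC=corp,DC=example'
# Get-LocalAdminPasswordReadEvents -Since (Get-Date).AddHours(-8) | Format-Table
```

The local log file is only a convenience for the helpdesk; the authoritative answer to "who retrieved this device's password" is the 4662 trail on the domain controllers, which ties each password read to the named domain user who performed it even though the logon on the workstation itself is made with the shared local account. Expiring the password after use shortens the window in which a credential exposed by a remote access tool remains valid.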