Let's be honest, your network has all the coolest data, and jealous people want it. I don't blame them. Anyone who says they don't want your data is the most suspicious. DO NOT TRUST THEM! Security is best in layers: if someone does get control of an endpoint, we want to limit their ability to expand that control across your domain. In this blog, we'll talk about LAPS (the Local Administrator Password Solution) and how it helps to protect systems if the first line of defense fails. The fact is, there are a lot of people out there who are very good at gaining access to your systems. I have no doubt that you all have taken all the best precautions. Your packets are loaded under direct supervision into armored trucks and taken directly to their destination. Your Internet tubes are packed with sharks that have laser beams on their heads. You even hired Chuck Norris to browbeat your employees into following best security practices! Yet somehow, someway, you have a computer with a compromised local admin account.
Unfortunately for you and your marvelous data, once somebody has local admin on a machine there are plenty of tools that let them dump the credentials of every account that has logged on to it, including domain accounts. This means that without much effort they can capture domain credentials, reuse them on the next machine, and expand and build on that foothold until they reach the domain controller and forge the dreaded "Golden Ticket," allowing them full Domain Admin access.
All is not lost. Being compromised is never good, but you can still implement a few things to slow or block the spread of the breach. The most critical may be limiting which accounts have rights to make changes to your Active Directory, and which accounts hold admin rights on more than one machine. If a compromised account cannot make those kinds of changes, and its credentials are not valid anywhere else, it severely limits the ability to spread across the network.
For some reason, I feel compelled to talk about how you might be able to protect a service account that is used for installing software…can't place my finger on why, but let's dive into that.
I have no doubt that everyone here deploys with a service account that has a very long and complex password. The issue is that in most cases a service account password never changes, and that account is a local admin on every machine it deploys to. So once they harvest what they need from the endpoint after you've deployed the latest Candy Crush, they don't even have to crack that password: the captured hash or ticket is reusable on every other machine the account can reach, and it stays valid until the password is rotated (which, for most service accounts, is never). Now, refer to paragraph two, where they get the Golden Ticket.
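Before you can fix this you need to know how bad it is. The following PowerShell is an added example, not PDQ's own code: it pulls the local Administrators membership from a set of endpoints, counts how many machines each domain account can administer, and joins that with the account's password age in AD. The computer names are a constructed sample; it assumes the ActiveDirectory RSAT module on the box you run it from and WinRM plus the built-in LocalAccounts module (Windows 10 / Server 2016 and later) on the targets.

```powershell
# Added example (not from the PDQ post): which domain accounts are local admin on
# many endpoints, and do their passwords ever rotate? Those are the credentials an
# attacker with local admin will harvest and reuse across the domain.
# Assumes: ActiveDirectory RSAT module locally, WinRM + LocalAccounts module on targets.

Import-Module ActiveDirectory

$Computers = @('WS-FINANCE-01', 'WS-HR-07', 'SRV-FILES-02')   # constructed sample, replace with Get-ADComputer output
$MaxPasswordAgeDays = 90

# 1. Collect the domain user accounts in each endpoint's local Administrators group.
#    (Get-LocalGroupMember can throw on orphaned SIDs; that host is simply skipped.)
$LocalAdmins = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' -and $_.ObjectClass -eq 'User' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Account  = $_.Name.Split('\')[-1]   # "DOMAIN\svc_deploy" -> "svc_deploy"
            }
        }
}

# 2. Count how many machines each domain account can administer.
$ByAccount = $LocalAdmins | Group-Object -Property Account

# 3. Join with AD. An account that is admin on more than one host and whose password
#    is old or never expires is the one that turns a single endpoint into the domain.
$Findings = foreach ($Group in $ByAccount) {
    $User = Get-ADUser -Identity $Group.Name -Properties PasswordLastSet, PasswordNeverExpires
    $AgeDays = if ($User.PasswordLastSet) { (New-TimeSpan -Start $User.PasswordLastSet).Days } else { $null }
    $Stale = $User.PasswordNeverExpires -or ($null -eq $AgeDays) -or ($AgeDays -gt $MaxPasswordAgeDays)
    [pscustomobject]@{
        Account              = $Group.Name
        AdminOnHosts         = $Group.Count
        AdminOn              = ($Group.Group.Computer | Sort-Object -Unique) -join ','
        PasswordAgeDays      = $AgeDays
        PasswordNeverExpires = $User.PasswordNeverExpires
        Risk                 = if ($Group.Count -gt 1 -and $Stale) { 'HIGH' } else { 'review' }
    }
}

$Findings | Sort-Object AdminOnHosts -Descending | Format-Table -AutoSize
```

Anything flagged HIGH is a deployment or service account whose single captured hash is good on every host in the AdminOn column, for as long as nobody rotates it.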
Luckily for you, PDQ Deploy and Inventory allow you to use a LAPS-managed account as the deployment credential instead of a domain service account. LAPS gives every machine its own unique local admin password, stores it in Active Directory where only authorized accounts can read it, and rotates it automatically. Deploying with that local admin account limits what the hacker gets out of captured credentials: the password is only valid on that one machine, so it cannot be reused to hop to the next one. You can also shorten the rotation interval, or expire a password on demand, so that credentials captured during a deployment lose their value after a short time. This is by no means a cure-all, but it gives you an extra layer of security that should help mitigate the damage.
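LAPS is only a layer if it is actually managing the machines you deploy to. The PowerShell below is an added example, not PDQ's code or the LAPS project's: it lists computers that have no LAPS password or a stale one, and it expires the LAPS password on a host right after a deployment so the credential that was just used on the wire stops working at the next policy refresh. It assumes the original Microsoft LAPS (the AdmPwd.PS module and the ms-Mcs-AdmPwd* schema attributes); Windows LAPS ships a different module (LAPS, with Get-LapsADPassword and Set-LapsADPasswordExpirationTime) and msLAPS-* attributes. The computer name at the bottom is a constructed sample.

```powershell
# Added example (not PDQ's or Microsoft's code): verify LAPS coverage, then expire the
# LAPS password on a machine as soon as a deployment is finished.
# Assumes legacy Microsoft LAPS: AdmPwd.PS module, ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime.

Import-Module ActiveDirectory
Import-Module AdmPwd.PS

function Get-LapsCoverage {
    # Every enabled computer, with whether it has a LAPS password at all and whether
    # that password is past its expiry (the agent is not rotating, so the password
    # is effectively static again).
    [CmdletBinding()]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', 'ms-Mcs-AdmPwd' |
    ForEach-Object {
        $ExpiryFileTime = $_.'ms-Mcs-AdmPwdExpirationTime'      # Int64 FILETIME, null if never set
        $Expiry = if ($ExpiryFileTime) { [DateTime]::FromFileTime($ExpiryFileTime) } else { $null }
        [pscustomobject]@{
            Computer    = $_.Name
            HasPassword = [bool]$_.'ms-Mcs-AdmPwd'   # ms-Mcs-AdmPwd is confidential: null unless you hold read rights
            Expires     = $Expiry
            Status      = if (-not $ExpiryFileTime) { 'NO LAPS' }
                          elseif ($Expiry -lt (Get-Date)) { 'STALE' }
                          else { 'OK' }
        }
    }
}

function Invoke-PostDeploymentRotation {
    # After the deployment has used the LAPS account on $ComputerName, set the
    # expiry to now. The LAPS client extension rotates the password on its next
    # Group Policy refresh, so a captured credential is good for minutes, not years.
    param([Parameter(Mandatory)][string]$ComputerName)

    $Before = (Get-AdmPwdPassword -ComputerName $ComputerName).ExpirationTimestamp
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date) | Out-Null
    [pscustomobject]@{
        Computer  = $ComputerName
        OldExpiry = $Before
        NewExpiry = (Get-AdmPwdPassword -ComputerName $ComputerName).ExpirationTimestamp
    }
}

# Usage: anything NO LAPS or STALE is a machine where you are still relying on a
# static local admin password, so fix those before counting LAPS as a layer.
Get-LapsCoverage | Where-Object Status -ne 'OK' | Format-Table -AutoSize

# Run this as a post-deployment step (for example from a PDQ Deploy PowerShell step
# or a scheduled task) for the host you just deployed to.
Invoke-PostDeploymentRotation -ComputerName 'WS-FINANCE-01'   # constructed sample name
```

Two caveats a practitioner will hit: the account running this needs the extended rights LAPS grants for reading ms-Mcs-AdmPwd and writing ms-Mcs-AdmPwdExpirationTime, and the rotation does not happen until the endpoint next processes Group Policy, so a machine that is offline keeps its old password until it comes back.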
I hear you, you’re probably saying to yourself that all of this information is fine and dandy, but not nearly as important as the how-to. Luckily for you, we gotcha covered, click here and protect yourselves from all of those jealous people who claim they don’t want any of your cool data.