In a previous post, we discussed how to protect privileged accounts using robust identity management and authentication mechanisms to control access to company resources on a more granular level. We introduced three tools from Microsoft that can keep privileged accounts from being compromised – Microsoft Privileged Access Workstation (PAW), Local Administrator Password Solution (LAPS) and Privileged Access Management (PAM). In this post, we’ll take a deeper dive into PAW and LAPS.
Microsoft Privileged Access Workstation
Credential hygiene is the practice of verifying that a privileged account is used only on trusted workstations and servers. Microsoft PAWs enforce credential hygiene by distinguishing between administrative accounts and normal user accounts and controlling how the privileged accounts are accessed and used.
Using a suite of Windows security technologies, PAWs create a hardened physical environment that protects privileged accounts from both remote attacks and physical compromise within the network. Active Directory structures and policies are automatically created to protect PAWs and admin accounts.
The dedicated PAW environment restricts the use of privileged accounts to sensitive administrative tasks. PAWs also provide sysadmins with commonly used tools such as Remote Server Administration Tools, the Sysinternals Suite and Microsoft System Center consoles.
PAWs should be configured to prohibit high-risk activities and block primary entry points for malware and cyberattacks.
- Block Internet access to prevent Web browsing and the use of email applications
- Establish policies to restrict the use of USB media while allowing USB devices such as keyboards and mice
- Use a host firewall to block inbound network connections
- Segment PAW accounts into a hardened organizational unit
- Remove or harden management agents
Microsoft recommends using a dedicated, PAW-hardened PC for privileged access to minimize the risk that privileged account credentials will be accidentally exposed. To avoid carrying two devices for different workloads, administrators also have the option to run a user PC as a virtual machine (VM) inside the PAW PC. In this scenario, the desktop VM will support routine tasks such as email and web browsing, and the PAW VM will be limited to tasks that require increased security. This approach is less expensive and simpler for the user.
Local Administrator Password Solution
LAPS automatically encrypts passwords for transmission to Active Directory, where passwords are centrally stored and protected by Access Control Lists. This allows domain administrators to apply granular security policies. Randomly generated passwords are unique on each domain-joined computer.
Because LAPS uses existing Active Directory infrastructure, no other technologies need to be installed and maintained. LAPS is a Group Policy Client Side Extension installed on managed machines. Management tasks are performed using tools delivered with the solution to simplify configuration and administration. LAPS automatically determines whether the local administrator password has expired and generates a new password when required. The password and its next expiration time are reported to and stored in Active Directory for added protection.
Not only does LAPS make password management easier, but it reduces the risk of lateral movement that can occur when an administrator reuses the same credentials across multiple machines on the network. Local administrator passwords are periodically randomized, and LAPS writes each new password to Active Directory before applying it locally, so the stored copy never falls out of sync with the machine.
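The delegation model described above, as an added example that is not part of the original post: the management module shipped with legacy LAPS (AdmPwd.PS) exposes the schema extension, computer self-permission, read delegation and audit steps as cmdlets. Assumed: the module is installed on a domain-joined administrative host; the OU path, group name and computer name are placeholders.

```powershell
# Added example (not from the original post): legacy LAPS administration
# with the AdmPwd.PS module. Placeholders: OU path, group and computer name.
Import-Module AdmPwd.PS

$ou       = "OU=Workstations,DC=corp,DC=example"   # placeholder OU
$helpdesk = "CORP\Helpdesk-LAPS-Readers"           # placeholder group

# 1. One-time schema extension: adds ms-Mcs-AdmPwd (the password, stored as a
#    confidential attribute) and ms-Mcs-AdmPwdExpirationTime to computer objects.
Update-AdmPwdADSchema

# 2. Let each computer in the OU write its own password and expiration time
#    into Active Directory (SELF is granted write on the two attributes only).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Delegate read (and forced-reset) rights only to the group that needs them;
#    this is the ACL-based granularity the post refers to.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $helpdesk
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $helpdesk

# 4. Check: any principal holding "All Extended Rights" on the OU can read the
#    confidential attribute regardless of step 3, so list and review them.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# 5. Audit reads of the password attribute (logged as Security event ID 4662).
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals "Everyone"

# 6. Retrieve a password; ExpirationTimestamp shows when the client-side
#    extension will next rotate it. Keep the Password field out of reports.
$entry = Get-AdmPwdPassword -ComputerName "WS-0001"   # placeholder host
$entry | Select-Object ComputerName, ExpirationTimestamp

# 7. Once the retrieved password has been used, force rotation at the next
#    Group Policy refresh instead of waiting for the scheduled expiry.
Reset-AdmPwdPassword -ComputerName "WS-0001" -WhenEffective (Get-Date)
```

Step 4 is the check most deployments miss: delegated admins or legacy groups with full extended rights on the OU can read every stored password without appearing in the read-permission list.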
In the next post, we’ll discuss how Microsoft Privileged Access Management helps organizations control privileged access and reduces the risk of stolen privileged account credentials.
Written and composed by our Senior Managing Partner, Stephen Soper