2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
With the continuous development of Internet technology, enterprises pay more and more attention to information security, and endpoint management is an important part of it. End users and server administrators cannot be expected to have the same security awareness and technical skill, so it is essential to define and improve an endpoint management policy and to use existing technology to constrain user behaviour at the endpoint administrator layer. Among these controls, privilege management is the top priority, and management of the passwords on enterprise endpoints is the foundation of privilege management.
In small businesses, PCs typically run stand-alone or in a workgroup. The only passwords that then need managing on the endpoint are the local workgroup account passwords; there are few of them, and they end up tracked in tools such as an Excel sheet. Medium and large enterprises use Active Directory (AD) for unified identity authentication. Domain user account credentials are then held centrally in the AD database, as are user permissions, and the protection of AD is far stronger than that of an ordinary PC, so security improves greatly.
However, even with Active Directory, managing the local administrator password of domain-joined computers is a headache for enterprise IT operations administrators: the number of machines is large, and the local administrator account is genuinely needed when a fault has to be handled. Below I introduce several common ways enterprises manage the local administrator account of domain computers, with emphasis on LAPS (Local Administrator Password Solution).
Several common password management methods for local administrators
1. Disable the local Administrator account directly
This is the crude but simple approach: the work of managing local accounts disappears, and it can be done with Group Policy. The problem is that when a computer drops out of the domain because of a fault, or domain logon is not possible, nobody can log on at all; you then need a boot environment such as WinPE to re-enable the local Administrator and set a password. Management is simple, and security is good, because there is no standing local credential to steal.
2. Use one common local administrator password
This is the most common method in enterprises. The local Administrator password is held by a small number of administrators, and the whole company or a single department keeps the same local administrator password on every machine (which can be pushed out through Group Policy). This is very convenient for help-desk and operations work, but as soon as the password leaks, every machine is exposed, and one dumped credential lets an attacker move laterally to all of them, so it is not recommended. Pushing such a password through Group Policy Preferences is itself dangerous: the value was stored in SYSVOL, readable by every domain user, and encrypted with a key Microsoft published, which is why MS14-025 removed that feature.
3. A different password for each computer
Each computer gets a different administrator password, which IT staff record in an Excel sheet or a notebook. The problems: every time you need a computer's administrator password you have to find the file or the record, and regular rotation is impractical. This greatly increases the operations workload of IT staff.
4. Set a random password for each PC's local administrator
A small number of enterprises set a random password on each computer through a startup script, and use other means to stop users who hold local administrator rights from changing the local account password. Since nobody records the random value, this is in practice not very different from disabling the local Administrator account outright.
5. Use LAPS to uniformly manage your computer's local administrator password
Advantages:
Fully automatic, configurable rotation of the computer's local administrator password
Simple delegation of access to the stored passwords, per OU
Because LAPS uses existing Active Directory components (Group Policy, computer object attributes and so on), no additional server is required
A computer account can only write/update its own local administrator password (the ms-Mcs-AdmPwd attribute); it cannot read the password back from that attribute
Password update traffic is encrypted (LDAP with Kerberos signing and sealing)
The password of any computer in the OU can be changed easily
Free of charge
Disadvantages:
Only the current password is stored and available for retrieval; there is no password history
Only one local administrator account per computer can be managed (there is only one password attribute)
Compromise of a domain controller, or of anyone who can replicate or read the directory database, exposes all local administrator passwords in the domain
Authorized personnel can read any password at any time. Auditing of reads can be enabled (Set-AdmPwdAuditing), but it must be configured per OU and per group, and it logs event ID 4662 on the domain controller, so the DC security log must be collected for the audit trail to be useful.
LAPS components:
Agent: Group Policy client-side extension (CSE), installed through an MSI
  Event logging
  Random password generation, written from the client computer to its own AD computer object
PowerShell module
  Permission configuration
Active Directory: centralized control
  Audit trail in the domain controller security log
  Computer object attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
LAPS supported versions
Active Directory:
Windows Server 2003 SP1 and later
Managed / client computers:
Windows Server 2016
Windows Server 2012 R2 Datacenter (x86 or x64)
Windows Server 2012 R2 Standard (x86 or x64)
Windows Server 2012 R2 Foundation (x86 or x64)
Windows 8.1 Enterprise (x86 or x64)
Windows 8.1 Professional (x86 or x64)
Windows Server 2012 Datacenter (x86 or x64)
Windows Server 2012 Standard (x86 or x64)
Windows Server 2012 Essentials (x86 or x64)
Windows Server 2012 Foundation (x86 or x64)
Windows 8 Enterprise (x86 or x64)
Windows 8 Professional (x86 or x64)
Windows Server 2008 R2 Service Pack 1 (x86 or x64)
Windows 7 Service Pack 1 (x86 or x64)
Windows Server 2008 Service Pack 2 (x86 or x64)
Windows Vista Service Pack 2 (x86 or x64)
Microsoft Windows Server 2003 Service Pack 2 (x86 or x64)
Itanium is not supported
Management tools:
.NET Framework 4.0
PowerShell 2.0 or later
LAPS simplifies password management while helping organizations implement Microsoft's recommended defenses against lateral movement. In particular, it mitigates the risk that arises when the same local administrative account and password combination is used on many computers: one dumped credential then works everywhere. LAPS stores each computer's local administrator password in Active Directory, in a confidential attribute of the corresponding computer object, protected by that object's security descriptor. Computers update their own password data in Active Directory, and domain administrators grant read permission to authorized users or groups, such as workstation help-desk staff. (This article describes the original downloadable LAPS, now called Legacy LAPS; Microsoft has since built Windows LAPS into supported Windows and Windows Server releases, with its own attributes and policy settings.)
LAPS automatically manages the local administrator password on domain-joined computers so that each managed computer's password is unique, randomly generated and stored securely in the Active Directory infrastructure. The solution relies only on Active Directory and needs no other supporting technology. All client-side work is done by the Group Policy client-side extension (CSE) installed on the managed computer; the management tools are easy to configure and operate.
At the core of LAPS is the Group Policy client-side extension (CSE), which performs the following steps during each Group Policy refresh:
Checks whether the password of the managed local Administrator account has expired (by comparing ms-Mcs-AdmPwdExpirationTime with the current time).
Generates a new password when the old one has expired, or when an administrator has requested a change before expiry.
Validates the new password against the configured password policy.
Writes the password to Active Directory, storing it in the confidential ms-Mcs-AdmPwd attribute of the computer object.
Computes the next expiration time and stores it in the ms-Mcs-AdmPwdExpirationTime attribute of the same computer account.
Changes the password of the local administrator account (only after the new value has been written to AD, so a failed write never leaves the machine with an unrecorded password).
Users who have been granted the right can then read the password from Active Directory, and users with reset rights can request a password change for a computer.
LAPS installation and deployment
1. Install the LAPS.x64.msi package
A DC (or a dedicated management workstation) is normally used as the management side. During installation, be sure to uncheck the first feature, "AdmPwd GPO Extension", and select only the Management Tools (PowerShell module, GPO editor templates and the fat client UI). On a domain controller the CSE would manage the built-in Administrator account, which is the domain Administrator, so a policy applied by mistake would rotate that account's password.
2. Schema extension
Run on a DC, as a member of Schema Admins, with the schema master reachable:
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
Afterwards, two new attributes appear on AD computer objects: ms-Mcs-AdmPwd (stores the password; it is flagged as a confidential attribute) and ms-Mcs-AdmPwdExpirationTime (stores the expiration time).
3. Remove the default extended rights
Password protection relies on ms-Mcs-AdmPwd being a confidential attribute: reading a confidential attribute requires the CONTROL_ACCESS permission, which "All extended rights" grants. If the permissions on the computers' OU are not set correctly, unauthorized users can read the password, so remove "All extended rights" from any users and groups that should not be able to read the value of ms-Mcs-AdmPwd. Find-AdmPwdExtendedRights (see step 4) lists who currently holds them.
Repeat the following for every OU that contains computers; if a sub-OU has permission inheritance disabled, apply the same configuration to that sub-OU as well.
Open ADSI Edit
Right-click the OU containing the computers you want to configure, and click Properties
Click the Security tab
Click Advanced
Select the group or user that should not be able to read the password, then click Edit
Uncheck "All extended rights"
4. Use PowerShell to manage LAPS permissions
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=ComputerGroup,DC=contoso,DC=com"
Every computer account needs permission to write its own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes. This command grants the computers in the OU the SELF write permission they need to update the password and the expiration timestamp.
Set-AdmPwdReadPasswordPermission -OrgUnit ComputerGroup -AllowedPrincipals willwang
Allows the willwang account to read the local administrator password of the computers in the ComputerGroup OU (-OrgUnit accepts either the OU name or its distinguished name).
Set-AdmPwdResetPasswordPermission -OrgUnit ComputerGroup -AllowedPrincipals willwang
Allows the willwang account to force a reset of the local administrator password of the computers in the ComputerGroup OU (this writes the expiration time; the client actually changes the password at its next policy refresh).
Find-AdmPwdExtendedRights -OrgUnit ComputerGroup | % { $_.ExtendedRightHolders }
Lists which principals hold extended rights, and therefore can read the password, on the ComputerGroup OU.
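The script below is an added example, not part of the original article, that ties step 4 together the way a practitioner would run it: rights are delegated to groups rather than to an individual account, auditing is switched on, the extended-rights holders are reviewed, and a password is retrieved and then forced to rotate. It assumes the management tools (the AdmPwd.PS module) and RSAT are installed, that the caller is a domain administrator, and that the OU "OU=ComputerGroup,DC=contoso,DC=com", the groups LAPS-Readers and LAPS-Resetters, and the computer WS001 exist; all of those names are hypothetical.

```powershell
# Added example (not from the article). Assumed names: OU, groups and computer.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou = 'OU=ComputerGroup,DC=contoso,DC=com'

# 1. Let each computer in the OU write its own password and expiration time (SELF).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Delegate read (password) and reset (expiration) rights to groups, not individuals,
#    so membership changes are a group edit rather than an ACL change on the OU.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals 'CONTOSO\LAPS-Readers'
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CONTOSO\LAPS-Resetters'

# 3. Audit reads of ms-Mcs-AdmPwd by the readers; this produces event ID 4662
#    in the Security log of the DC that served the LDAP read.
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals 'CONTOSO\LAPS-Readers'

# 4. Review: who holds "All extended rights" (and so can read the password)?
#    -IncludeComputers also reports rights on the individual computer objects.
Find-AdmPwdExtendedRights -OrgUnit $ou -IncludeComputers |
    ForEach-Object {
        [pscustomobject]@{
            Object  = $_.ObjectDN
            Holders = ($_.ExtendedRightHolders -join ', ')
        }
    } | Format-Table -AutoSize

# 5. Day-to-day retrieval by a member of LAPS-Readers.
$entry = Get-AdmPwdPassword -ComputerName 'WS001'
'{0}: {1} (expires {2})' -f $entry.ComputerName, $entry.Password, $entry.ExpirationTimestamp

# 6. Force rotation: sets ms-Mcs-AdmPwdExpirationTime to now; the CSE on WS001
#    changes the password at its next Group Policy refresh (gpupdate /force).
Reset-AdmPwdPassword -ComputerName 'WS001' -WhenEffective (Get-Date)
```

Anything reported by step 4 that is not Domain Admins, the SELF permission or your delegated reader group is an unintended password reader and should be removed as described in step 3.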
5. Install the GPO extension (CSE) on the clients
There are two ways: the Group Policy software installation option, or a script.
Group Policy software installation: assign LAPS.x64.msi (or LAPS.x86.msi for 32-bit clients) from a share through Computer Configuration > Policies > Software Settings > Software installation.
Startup script installation:
msiexec /i \\server\share\LAPS.x64.msi /quiet
After installation, LAPS appears in the client's list of installed programs.
6. Deploy the settings through Group Policy
After the management tools are installed, the AdmPwd.admx template adds the settings under Computer Configuration > Policies > Administrative Templates > LAPS. Configure the policy with the following options.
Password Settings: configures the password parameters.
Password complexity: which character classes are used when generating a new password.
Default: uppercase letters + lowercase letters + numbers + special characters
Password length:
Minimum: 8 characters
Maximum: 64 characters
Default: 14 characters
Password age (days):
Minimum: 1 day
Maximum: 365 days
Default: 30 days
Name of administrator account to manage: the name of the local account whose password LAPS manages.
Do not configure this when using the built-in Administrator account; even if it has been renamed, the built-in account is detected automatically by its well-known SID (RID 500).
Configure it only when a custom local administrator account is used.
Do not allow password expiration time longer than required by policy: controls whether the stored expiration time may exceed the password age from the password settings policy.
When this setting is enabled, a scheduled expiration time later than the password age allows is not accepted; when such an expiration is detected, the password is changed immediately and the expiration is reset according to the policy.
When this setting is disabled or not configured, the expiration time may be longer than the password settings policy allows.
Enable local admin password management: turns management of the local administrator password on.
If this setting is enabled, the local administrator password is managed.
If this setting is disabled or not configured, the local administrator password is not managed (the CSE is installed but does nothing).
7. Refresh the policy on the client so it takes effect
The CSE only acts during a Group Policy refresh. Run gpupdate /force on the client (or wait for the next refresh cycle); the CSE then generates the password, writes it and the expiration time to AD, and changes the local account. The same applies when an administrator forces a change from the LAPS UI or with Reset-AdmPwdPassword: that only updates the expiration time in AD, and the password is actually changed and written back to AD the next time the client refreshes policy.
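The following script is an added example, not from the original article, showing how to verify that step 7 actually happened: first that the policy reached a client, then, from AD, which computers in the OU have not reported a password at all or are running with an expired one. It assumes RSAT (the ActiveDirectory module) on the management host, that the caller may read ms-Mcs-AdmPwdExpirationTime (it is not confidential, unlike the password), and a hypothetical OU "OU=ComputerGroup,DC=contoso,DC=com". The registry path and value names are those written by the LAPS ADMX template; the Application log provider name AdmPwd is assumed from the LAPS operations guide.

```powershell
# Added example (not from the article). The OU is a hypothetical name.
Import-Module ActiveDirectory

$ou = 'OU=ComputerGroup,DC=contoso,DC=com'

# (a) On the client: the GPO lands in this registry key (run locally or via Invoke-Command).
#     AdmPwdEnabled=1 means management is on; the other values mirror the GPO settings.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
if (Test-Path $policy) {
    Get-ItemProperty $policy |
        Select-Object AdmPwdEnabled, PasswordLength, PasswordAgeDays, PasswordComplexity,
                      AdminAccountName, PwdExpirationProtectionEnabled
    # Recent CSE activity (provider name assumed); errors here usually mean the
    # SELF write permission from step 4 is missing on this computer's object.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
} else {
    Write-Warning 'LAPS policy not applied yet: run gpupdate /force and check again.'
}

# (b) From AD: which managed computers have no stored password, or an expired one?
#     ms-Mcs-AdmPwdExpirationTime is a 64-bit Windows FILETIME (UTC).
$now = (Get-Date).ToFileTimeUtc()
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $exp = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Name    = $_.Name
            State   = if (-not $exp)        { 'NO-PASSWORD (CSE missing or never ran)' }
                      elseif ($exp -lt $now) { 'EXPIRED (client not refreshing policy)' }
                      else                   { 'OK' }
            Expires = if ($exp) { [DateTime]::FromFileTimeUtc([int64]$exp).ToLocalTime() } else { $null }
        }
    } | Sort-Object State, Name | Format-Table -AutoSize
```

Part (b) is worth scheduling: a growing NO-PASSWORD or EXPIRED list is the earliest sign that the CSE package, the OU permissions or the GPO link is wrong, and every such machine is still running whatever local password it had before LAPS.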
Reference link:
https://docs.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)?redirectedfrom=MSDN
Author: Wang Zhihui