More Secure With Microsoft LAPS: Avoiding Lateral Movement Risks
Dear JDisc friends,
this post also focuses on security but is specifically aimed at preventing a particular threat: lateral movement risks.
Lateral movement describes a set of techniques that cybercriminals use to navigate a compromised network, find vulnerabilities and escalate access rights. The term “lateral movement” stems from the attackers’ sideways progression through devices, applications, and other resources. Although the movement is sideways, the main goal is to reach higher levels of access or to access and steal sensitive data. If you’d like more details, CERT-EU has published an in-depth article dedicated to Detecting Lateral Movements within Windows Infrastructure.
You may be familiar with notable examples of lateral movement incidents, including the “SolarWinds Orion Compromise (2019),” the “WannaCry Ransomware Attack (2017),” and the “NotPetya Malware Attack (2017).” These incidents impacted hundreds of thousands of computers and caused financial damages amounting to billions of dollars.
So, what steps can you take to reduce the risk of lateral movement attacks in your IT environment?
General Strategies to Mitigate the Lateral Movement Risk
To mitigate the risk of lateral movement, Microsoft recommends a series of countermeasures, including:
- Restricting privileged domain accounts
- Restricting and protecting local accounts with administrator privileges
- Restricting inbound traffic with Windows Defender Firewall
This article will focus on restricting and protecting local accounts with administrator privileges using Microsoft LAPS. An earlier article also outlines the integration of legacy Microsoft LAPS with JDisc Discovery.
Restrict and Protect Local Accounts with Administrator Privileges
Microsoft LAPS addresses the second countermeasure, “Restricting and protecting local accounts with administrator privileges.” LAPS automates the management of local account passwords. It does that by generating a unique, random password for each local administrator account. This password is securely stored as a confidential attribute within the corresponding computer account in Active Directory.
Configuring Microsoft LAPS for Discovery
There are two key configuration elements to address for native (encrypted) Microsoft LAPS:
- Domain controller access credentials for deploying the JDisc Discovery Zero-Footprint Agent.
- Access credentials for retrieving and decoding the confidential LAPS administrator account/password attribute.
Domain Controller Access Credentials
From the Discovery Configuration dialog box, navigate to the Scope > Directory tab and select the directory object (Domain Controllers in the screenshot) that contains your domain controllers.
Click the “Change Account” button and enter the domain controller access credentials (“JDISC-LAPS\DCADMIN” in the screenshot). The discovery process uses these credentials to deploy the Zero-Footprint Agent and to gather data from domain controllers. In summary, these credentials must have local administrator privileges on the domain controllers.
You might argue that using such highly privileged access credentials on domain controllers for discovery is not ideal. That is a valid concern, but it is the only option when operating in pure zero-footprint discovery mode.
Alternatively, you can use the privilege elevation feature and pre-deploy and configure the JDisc Discovery Zero-Footprint Agent on all domain controllers using your software deployment tools. By doing so, you can configure a low-privilege domain user to interact with the JDisc Discovery Zero-Footprint Agent on the domain controllers, allowing it to gather all device details as effectively as if using an administrator-level account.
Credentials for Retrieving and Decoding LAPS Administrator Account Passwords
With the JDisc Discovery Zero-Footprint Agent successfully deployed to the domain controllers, the next step is to enable and configure the directory objects intended for use with Microsoft LAPS.
In the Discovery Configuration dialog box, go to the Scope > LAPS tab and select the directory objects (“Windows 10” in the screenshot) that you wish to enable for Microsoft LAPS.
Next, click the “Change LAPS Account” button and provide the credentials needed to retrieve and decode the confidential LAPS administrator account/password attribute for the computers.
As with the domain controller access credentials, you might prefer not to use highly privileged credentials (potentially with administrative rights) for retrieving and decoding LAPS administrator account passwords.
If the LAPS Account credentials (“JDISC-LAPS\LAPSPWDREADER” in the screenshot) differ from the Domain Controller Access Credentials (“JDISC-LAPS\DCADMIN” in the screenshot), you should also configure them for privilege elevation within the JDisc Discovery Zero-Footprint Agent.
Finally, the JDisc Discovery Zero-Footprint Agent deployment configuration for the domain controllers will look as follows based on the settings outlined above:
For a detailed explanation of how JDisc Discovery integrates Microsoft LAPS into its discovery process, refer to the dedicated chapter titled “Using Microsoft LAPS” in the JDisc Discovery Security Guide.
You might assume that everything is set up and ready to begin discovery, using Microsoft LAPS along with the local administrator accounts and passwords. This will work seamlessly if the built-in administrator account has also been set as the LAPS-managed local administrator. However, if the designated LAPS local administrator account is solely a local user and a member of the local administrators’ group, the discovery process will retrieve only basic information. In this scenario, the local administrator account functions as a Limited User Account (LUA), because Windows User Account Control removes the administrative privileges from the network logon token of any local administrator other than the built-in account.
Addressing Limited User Account (LUA) Privileges for Local Administrator Accounts
Once again, you may already be familiar with the solution to the Limited User Account (LUA) issue on Windows computers. As we previously did with the domain controllers, you can deploy and configure the JDisc Discovery Zero-Footprint Agent on your Windows computers and grant privilege elevation to the designated local LAPS administrator account.
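As an added check for the LUA case described above (example script written for this post, not code from the original article or from JDisc), the PowerShell below reports, for the computer it runs on, whether the LAPS-managed account is the built-in Administrator (RID 500) or a separate local administrator whose network token will be filtered, so you can see in advance which computers need the Zero-Footprint Agent with privilege elevation. The policy registry paths and value names are assumed from Microsoft's documented LAPS policy locations.

```powershell
# Added example: classify the LAPS-managed local administrator on this computer.
# Assumed policy locations (from Microsoft's LAPS documentation):
#   Windows LAPS:  HKLM:\SOFTWARE\Microsoft\Policies\LAPS, value AdministratorAccountName
#   Legacy LAPS:   HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd, value AdminAccountName
$winLaps    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
$legacyLaps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue

$managedName = $winLaps.AdministratorAccountName
if (-not $managedName) { $managedName = $legacyLaps.AdminAccountName }

# The built-in Administrator keeps a SID ending in -500 even when it has been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

if (-not $managedName) {
    # An empty policy value means LAPS manages the built-in account by default.
    $effective = $builtin
} else {
    $effective = Get-LocalUser -Name $managedName -ErrorAction SilentlyContinue
}

# Is the managed account the built-in Administrator, and is it in the local Administrators group?
$isBuiltin = [bool]($effective -and ($effective.SID.Value -eq $builtin.SID.Value))
$inAdmins  = $false
if ($effective) {
    $member = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
              Where-Object { $_.SID.Value -eq $effective.SID.Value }
    $inAdmins = ($null -ne $member)
}

# Expected discovery behaviour over the network, following the reasoning in the post.
$verdict = if ($isBuiltin) {
    'Full: built-in Administrator is not token-filtered'
} elseif ($inAdmins) {
    'Limited (LUA): deploy the Zero-Footprint Agent with privilege elevation'
} else {
    'Fails: managed account is not a member of Administrators'
}

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    LapsManagedAccount = if ($effective) { $effective.Name } else { $managedName }
    IsBuiltinAdmin     = $isBuiltin
    InAdministrators   = $inAdmins
    RemoteDiscovery    = $verdict
}
```

Run it locally as an administrator, or through your software deployment tool, and collect the objects to build the list of computers that need the agent.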
I hope this article offers valuable insights to help improve IT security in your organization while maintaining an accurate and up-to-date inventory.
Cheers, Thomas