Educause Security Discussion mailing list archives
Re: Privileged Account Management
From: Justin Store <jrstore () MTU EDU>
Date: Tue, 6 Dec 2016 11:39:02 -0500
This blog post covers the topic well for looking at randomizing local windows accounts through scripting vs LAPS: https://cyber-defense.sans.org/blog/2013/08/01/reset-local-administrator-password-automatically-with-a-different-password-across-the-enterprise For windows, our primary concern with having a common local administrator password is the ease of pivoting once a single machine is compromised. We address this risk by preventing workstations from talking to each other on the common Microsoft ports 139, 445, 3389, etc. We have local firewall rules deployed via GPO that enforce this by only allowing inbound access on these port from trusted servers and subnets. We are looking to expand this to block all traffic between workstations. -Justin Justin Store Security Architect Michigan Tech University <http://www.mtu.edu/> Information Technology <http://www.it.mtu.edu/> 906.487.1477 On Tue, Dec 6, 2016 at 11:20 AM, Velislav K Pavlov < VelislavPavlov () ferris edu> wrote:
Greetings, We are reviewing our privileged account management practices and procedures. Has anyone implemented LAPS and cares to share their experience with the implementation and lessons learned? Any other opensource/free solutions that you are using for Linux/Unix and macOS/SOX? The consideration is specifically for local accounts with elevated privileges. Zero budget for commercial products. Thank you. *Vel Pavlov | Coordinator, IT Security * M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE, Security+, CNA, MPCS, ITILv3F, A+ Big Rapids, MI 49307 VelPavlov () ferris edu [image: cid:image001.png@01D24414.DC8BCD70] Notice:This email message and any attachments are for the confidential use of the intended recipient. If that isn’t you, please do not read the message or attachments, or distribute or act in reliance on them. If you have received this message by mistake, please immediately notify VelPavlov () ferris edu and delete this message and any attachments. Thank you.
Current thread:
- Privileged Account Management Velislav K Pavlov (Dec 06)
- Re: Privileged Account Management Justin Store (Dec 06)
- Re: Privileged Account Management Eric Lukens (Dec 06)
- Re: Privileged Account Management Balge, Jason (Dec 06)