Educause Security Discussion mailing list archives

Re: Privileged Account Management


From: Justin Store <jrstore () MTU EDU>
Date: Tue, 6 Dec 2016 11:39:02 -0500

This blog post covers the topic well for looking at randomizing local
Windows accounts through scripting vs LAPS:
https://cyber-defense.sans.org/blog/2013/08/01/reset-local-administrator-password-automatically-with-a-different-password-across-the-enterprise

For Windows, our primary concern with having a common local administrator
password is the ease of pivoting once a single machine is compromised. We
address this risk by preventing workstations from talking to each other on
the common Microsoft ports 139, 445, 3389, etc. We have local firewall
rules deployed via GPO that enforce this by only allowing inbound access on
these ports from trusted servers and subnets. We are looking to expand this
to block all traffic between workstations.

-Justin

Justin Store
Security Architect
Michigan Tech University <http://www.mtu.edu/>
Information Technology <http://www.it.mtu.edu/>
906.487.1477

On Tue, Dec 6, 2016 at 11:20 AM, Velislav K Pavlov <
VelislavPavlov () ferris edu> wrote:

Greetings,



We are reviewing our privileged account management practices and
procedures. Has anyone implemented LAPS and cares to share their experience
with the implementation and lessons learned? Any other open-source/free
solutions that you are using for Linux/Unix and macOS/SOX? The
consideration is specifically for local accounts with elevated privileges.
Zero budget for commercial products. Thank you.



*Vel Pavlov | Coordinator, IT Security *
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE,

Security+, CNA, MPCS, ITILv3F, A+

Big Rapids, MI 49307

VelPavlov () ferris edu




Notice: This email message and any attachments are for the confidential use
of the intended recipient. If that isn’t you, please do not read the
message or attachments, or distribute or act in reliance on them. If you
have received this message by mistake, please immediately notify
VelPavlov () ferris edu and delete this message and any attachments. Thank
you.
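
An added example, not part of the original thread or either poster's configuration: a PowerShell audit for the workstation firewall policy described in the reply above. It lists enabled inbound allow rules covering TCP 139, 445 or 3389 whose remote-address scope reaches beyond a trusted list. The `$TrustedSources` values are placeholder assumptions (documentation address ranges), and `Test-PortCovered` is a helper defined here.

```powershell
# Added example: audit inbound allow rules on the ports named in the thread
# (139, 445, 3389). Uses the built-in NetSecurity module (Windows 8 / 2012+).
# $TrustedSources is an assumption: replace with your server/admin subnets.
# Entries are compared as strings with what Get-NetFirewallAddressFilter
# reports, which for IPv4 subnets is typically address/mask form; check the
# output on your own build before relying on the result.
$TrustedSources = @('192.0.2.0/255.255.255.0', '198.51.100.10')  # placeholders
$WatchedPorts   = 139, 445, 3389

function Test-PortCovered {
    # True if a LocalPort filter ('Any', '445', '3380-3390', ...) covers $Port.
    # Keyword values such as 'RPC' never match a watched port.
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

# ActiveStore is the effective policy: local rules plus GPO-delivered rules.
$findings = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule  = $_
        $ports = $rule | Get-NetFirewallPortFilter
        if ($ports.Protocol -notin 'TCP', 'Any') { return }
        $hit = $WatchedPorts | Where-Object { Test-PortCovered -LocalPort $ports.LocalPort -Port $_ }
        if (-not $hit) { return }
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        # Flag every scope entry not explicitly trusted; this includes 'Any'
        # and keywords such as 'LocalSubnet', which would admit peer workstations.
        $untrusted = $remote | Where-Object { $_ -notin $TrustedSources }
        if ($untrusted) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Ports         = ($hit -join ',')
                RemoteAddress = ($remote -join ',')
                Profile       = $rule.Profile
            }
        }
    }

$findings | Sort-Object Rule | Format-Table -AutoSize
if ($findings) {
    Write-Warning "$(@($findings).Count) rule(s) allow inbound 139/445/3389 from outside the trusted list."
}
```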



