Just had an engagement with Microsoft a few weeks ago. Using a single local admin password is one of the biggest risks to orgs for easily gaining access to a network. From a security perspective, it’s very high risk.
Gain access to a PC with local admin -> Move laterally until you find a domain admin's PC -> move vertically and own the network.

Daniel Ratliff

From: listsad...@lists.myitforum.com On Behalf Of Burke, John
Sent: Wednesday, April 12, 2017 12:12 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Opinions Local Admin

So it would seem everyone agrees that it should be done. I was even questioning that. It seems pretty easy to change it regularly via SCCM or GPO and have 1 password. I’ll look into that solution for sure though.

From: listsad...@lists.myitforum.com On Behalf Of Chris Barnes
Sent: April-11-17 6:18 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Opinions Local Admin

Totally agree on LAPS. Probably the best ROI on effort for anything security related. Very easy to roll out. This is probably the best guide I have seen on rolling it out.

https://flamingkeys.com/deploying-the-local-administrator-password-solution-part-1/

2nd Place would be Credential Guard.

Chris Barnes
MCSE: Private Cloud|MCSE: Cloud Platform & Infrastructure
Coretek Services | Microsoft Delivery Manager • 248.767.4415 cell • chris.bar...@coretekservices.com • http://www.coretekservices.com

From: listsad...@lists.myitforum.com On Behalf Of Daniel Ratliff
Sent: Tuesday, April 11, 2017 2:17 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Opinions Local Admin

Use LAPS, no question.
https://technet.microsoft.com/en-us/mt227395.aspx
https://www.microsoft.com/en-us/download/details.aspx?id=46899

Daniel Ratliff

From: listsad...@lists.myitforum.com On Behalf Of Burke, John
Sent: Tuesday, April 11, 2017 1:37 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Opinions Local Admin

Hi,

We are talking about creating unique local admin passwords for our systems (vs changing it regularly). I’m wondering how many folks actually create unique local admin passwords vs just changing it regularly?

The information transmitted is intended only for the person or entity to which it is addressed and may contain CONFIDENTIAL material. If you receive this material/information in error, please contact the sender and delete or destroy the material/information.