ADCE: Local Administrator Password Management
Pass-the-Hash (PtH) attacks against Windows operating systems are becoming common. Microsoft wants organizations to assume that a breach has already occurred in order to highlight the need for a more mature defense. In most organizations, the Local Administrator Password is shared amongst many administrators and is drawn from a small set of static strings. This raises major security concerns, especially when it comes to Pass-the-Hash attacks.
Encryption
The Administrator Password is encrypted using a unique encryption key.
No Schema Changes
No Schema Changes are required to store the password.
Remote Desktop
A Remote Desktop connection can be established without typing a username or password.
Least Privileges
The workflow is built following the principle of least privilege.
Auditing
Integrated Audit Logs
Unique Password
The Local Administrator Password is unique and varies in length from 8 to 48 characters.
Delegation
Leverages delegation in AD to support centralized or decentralized management.
Business Justification
The requestor is required to type a business justification before opening the password vault.
Password Masking
By default, passwords are masked when first retrieved.
Replica
Replication of the encrypted data stored in Active Directory can be limited to physically secured DCs.