ADCE: Local Administrator Password Management
Pass-the-Hash (PtH) attacks against the Windows operating systems are becoming common. Microsoft wants organizations to assume that a breach has already occurred in order to highlight the need for a more mature defense. In most organizations, the Local Administrator Password is shared amongst many administrators and is a small set of static strings. This raises major security concerns specially when it comes to Pass-the-Hash attacks.
Administrator Password is encrypted using unique encryption key
No Schema Changes
No Schema Changes are required to store the password.
Remote Desktop connection can be established without typing username or password
Workflow is built following the principle of least privileges
Integrated Audit Logs
Local Administrator Password is unique and varies in length from 8 to 48 characters
Leverages delegation in AD to support centralized or decentralized management
Requestor is required to type business justification before opening the password valut
By default, password are masked, when first retrieved.
Replication of encrypted data stored in Active Directory can be limited to physically secured DCs/p>