ADCE: Local Administrator Password Management

Pass-the-Hash (PtH) attacks against Windows operating systems are becoming common. Microsoft wants organizations to assume that a breach has already occurred in order to highlight the need for a more mature defense. In most organizations, the Local Administrator password is shared amongst many administrators and drawn from a small set of static strings. This raises major security concerns, especially when it comes to Pass-the-Hash attacks.

With AD Client Extensions installed, the Local Administrator password is system-generated and stored in Active Directory in encrypted form. Passwords are validated regularly and reset to maintain their integrity. The password vault is as resilient as the AD domain infrastructure itself. Only designated administrators are allowed to retrieve and decrypt the password strings.
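The core of the approach described above is that each machine gets its own randomly generated local Administrator password, which is applied, verified, and only then handed to the vault. The following PowerShell is an added example of that rotation step and is not ADCE's own code. It assumes a Windows host with the Microsoft.PowerShell.LocalAccounts module and local administrator rights; the encrypted write to Active Directory is product-specific and is left out.

```powershell
# Added example: per-machine random local Administrator password, applied and verified.
# Not ADCE's own code. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the
# Microsoft.PowerShell.LocalAccounts module. Writing the result to AD is product-specific
# and deliberately omitted.

function New-RandomLocalAdminPassword {
    param(
        [int]$MinLength = 8,    # 8..48 is the length range stated on the page
        [int]$MaxLength = 48
    )
    $charset = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Draw the length from the CSPRNG too, so it is not a predictable constant.
    # (UInt32 modulo a span of 41 has negligible bias.)
    $buf = New-Object byte[] 4
    $rng.GetBytes($buf)
    $span = $MaxLength - $MinLength + 1
    $length = $MinLength + [int]([BitConverter]::ToUInt32($buf, 0) % $span)

    # Rejection sampling removes modulo bias when mapping a byte onto the charset.
    $limit = 256 - (256 % $charset.Length)
    $sb = New-Object System.Text.StringBuilder
    $one = New-Object byte[] 1
    while ($sb.Length -lt $length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) {
            [void]$sb.Append($charset[$one[0] % $charset.Length])
        }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Get-BuiltinAdministrator {
    # Locate the built-in Administrator by its well-known RID (-500), since the account may be renamed.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Set-LocalAdminPassword {
    param([Parameter(Mandatory)][string]$PlainText)
    $account = Get-BuiltinAdministrator
    $secure  = ConvertTo-SecureString -String $PlainText -AsPlainText -Force
    Set-LocalUser -Name $account.Name -Password $secure
    return $account.Name
}

function Test-LocalAdminPassword {
    # "Validated regularly": confirm the password actually opens the account before recording it.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$PlainText
    )
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Machine)
    try { return $ctx.ValidateCredentials($UserName, $PlainText) } finally { $ctx.Dispose() }
}

# Rotation run (requires local administrator rights):
$newPassword = New-RandomLocalAdminPassword
$name = Set-LocalAdminPassword -PlainText $newPassword
if (-not (Test-LocalAdminPassword -UserName $name -PlainText $newPassword)) {
    throw "Password reset for '$name' did not verify; do not record it as current."
}
# At this point $newPassword would be handed to the vault (in ADCE: encrypted and written to AD).
```

The verify-before-record step matters: if the reset failed silently and the old value were stored as current, the vault would be wrong and the shared password the page warns about would stay in place. Locating the account by RID rather than by name keeps the rotation working on hosts where the built-in account has been renamed.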

The Administrator password is encrypted using a unique encryption key.

No Schema Changes

No Schema Changes are required to store the password.

Remote Desktop

A Remote Desktop connection can be established without typing a username or password.

Least Privileges

The workflow is built on the principle of least privilege.


Integrated Audit Logs

Unique Password

The Local Administrator password is unique and varies in length from 8 to 48 characters.


Leverages delegation in AD to support centralized or decentralized management.

Business Justification

The requestor is required to type a business justification before opening the password vault.

Password Masking

By default, passwords are masked when first retrieved.


Replication of encrypted data stored in Active Directory can be limited to physically secured DCs.