SEVA: Local User Password Management
Pass-the-Hash (PtH) attacks against the Windows operating systems are becoming common. Microsoft wants organizations to assume that a breach has already occurred in order to highlight the need for a more mature defense. In most organizations, the Local Administrator Password is shared amongst many administrators and is a small set of static strings. This raises major security concerns specially when it comes to Pass-the-Hash attacks.
Encryption
Local User Password is encrypted using unique encryption key
No Schema Changes
No Schema Changes are required as passwords are stored in the vault.
Remote Desktop
Remote Desktop connection can be established without typing username or password
Least Privileges
Workflow is built following the principle of least privileges
Auditing
Integrated Audit Logs
Unique Password
Local User Account Password is unique and varies in length from 8 to 48 characters
Delegation
Leverages delegation in Azure AD to manage access to the vault
Business Justification
Requestor is required to type business justification before opening the password valut
Password Masking
By default, password is masked, when first retrieved.
Instrumentation
Computer properties, from various WMI claases, are stored in a database./p>