Educause Security Discussion mailing list archives
Re: Privileged Account Management
From: "Balge, Jason" <jbalge () MCW EDU>
Date: Tue, 6 Dec 2016 17:45:03 +0000
Great conversation, and thanks for sharing your documents, Eric. It is nice to know that this can be controlled at the OU level as well as the entire domain. I will definitely look into LAPS after this.

Jason Balge
Systems Manager
Medical College of Wisconsin
Department of Pediatrics
Helpdesk: 414.337.7347
Phone: 414.337.7111
E-Mail: jbalge () mcw edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Lukens
Sent: Tuesday, December 06, 2016 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Privileged Account Management

We have deployed LAPS to a majority of our Windows computers. Once you get the schema and the permissions done, the rest is fairly easy. We went so far as to put a LAPS group policy object at the root of the domain. So the only action the techs needed to use the tool was to install the client.

How the various techs used the local admin account will dictate how much of a change it is for them. Some of our techs always had the local admin account disabled, so they didn't notice. It had the side effect of rooting out some bad practices.

I wrote up various guides for our techs to use LAPS. The guides don't cover the initial schema or permissions changes, just the day-to-day installation of the client and use of the tool. I've redacted the possibly sensitive bits. They can be found on my Google Drive at:

https://drive.google.com/drive/folders/0B_Rq55JJ90lhTU5sUzAwdVU4VVE?usp=sharing

Let me know if you have any questions.

-Eric

On Tue, Dec 6, 2016 at 10:20 AM, Velislav K Pavlov <VelislavPavlov () ferris edu> wrote:

Greetings,

We are reviewing our privileged account management practices and procedures. Has anyone implemented LAPS and cares to share their experience with the implementation and lessons learned? Any other open-source/free solutions that you are using for Linux/Unix and macOS/SOX? The consideration is specifically for local accounts with elevated privileges. Zero budget for commercial products.

Thank you.

Vel Pavlov | Coordinator, IT Security
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE, Security+, CNA, MPCS, ITILv3F, A+
Big Rapids, MI 49307
VelPavlov () ferris edu

--
============================================================
Eric C. Lukens
IT Security Compliance & Policy Analyst
Information Security
Innov Teaching & Tech Ctr 107
University of Northern Iowa
Cedar Falls, IA 50614-0301
(319) 273-7434
http://www.uni.edu/elukens/
============================================================
Current thread:
- Privileged Account Management Velislav K Pavlov (Dec 06)
- Re: Privileged Account Management Justin Store (Dec 06)
- Re: Privileged Account Management Eric Lukens (Dec 06)
- Re: Privileged Account Management Balge, Jason (Dec 06)