Re: Microsoft LAPS

[Clark Gaylord <cgaylord () VT EDU>]

Likewise: use it, love it, addresses big threat

Another nice touch: have a scalable way to give users and support desk
local admin account instead of domain account, reducing exposure.

We don't use it on things like single purpose dedicated web servers and the
like, where domain membership/domain admin is potentially more risk than
it's worth, but I'm curious if anyone has taken it to this extent.

--
Clark Gaylord
cgaylord () vt edu
... autocorrect may have improved this message ...

On Thu, Jul 18, 2019, 06:17 Seth A. Shestack <shestack () temple edu> wrote:

> We have been using LAPS for several years.
>
> It is used by both our desktop support and server administration groups.
>
> LAPS has enabled us to have a randomized account password that is
> different on each machine, reset whenever used and at specific intervals.
>
>
>
> Before LAPS each of these groups had an account they would place in the
> Administrators group of every device they managed with the same password.
>
> Basically an extremely weak security foundation.
>
>
>
> Regards
>
> Seth
>
>
>
> Seth Shestack
>
> Deputy CISO
>
> Executive Director, Information Security and Privacy
>
> Temple University
>
> 1805 N Broad St
>
> Wachman Hall 762
>
> Philadelphia PA 19122
>
> 215-204-5884
>
> Shestack () temple edu
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *WALTER KERNER
> *Sent:* Wednesday, July 17, 2019 5:24 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Microsoft LAPS
>
>
>
> Hi all.  I found a thread from 2 years ago asking about Microsoft LAPS for
> local admin control.  Is anyone using it?  How do you like it?  Any other
> suggestions for admin password management?  Thanks
>
>
>
>
>
>
>
> Walter
>
>
>
> Walter Kerner
>
> Assistant Vice President and CISO
>
> 212 217 3415
>
> [image: blue and black logo two lines png]