Educause Security Discussion mailing list archives

Re: Privileged Account Management

From: Eric Lukens <eric.lukens () UNI EDU>
Date: Tue, 6 Dec 2016 11:04:45 -0600

We have deployed LAPS to a majority of our Windows computers. Once you get
the schema and the permissions done, the rest is fairly easy. We went so
far as to put a LAPS group policy object at the root of the domain. So the
only action the techs needed to use the tool was to install the client.
Depending on how the various techs used the local admin account will
dictate how much of a change it is for them. Some of our techs always had
the local admin account disabled, so they didn't notice. It had the
side-effect of rooting out some bad practices.

I wrote up various guides for our techs to use LAPS. The guides don't cover
the initial schema or permissions changes, just the day-to-day installation
of the client and use of the tool. I've redacted the possibly sensitive
bits. They can be found on my Google Drive at:

https://drive.google.com/drive/folders/0B_Rq55JJ90lhTU5sUzAwdVU4VVE?usp=sharing

Let me know if you have any questions.

-Eric

On Tue, Dec 6, 2016 at 10:20 AM, Velislav K Pavlov <
VelislavPavlov () ferris edu> wrote:

Greetings,



We are reviewing our privileged account management practices and
procedures. Has anyone implemented LAPS and cares to share their experience
with the implementation and lessons learned? Any other opensource/free
solutions that you are using for Linux/Unix and macOS/SOX? The
consideration is specifically for local accounts with elevated privileges.
Zero budget for commercial products. Thank you.



*Vel Pavlov | Coordinator, IT Security *
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE,

Security+, CNA, MPCS, ITILv3F, A+

Big Rapids, MI 49307

VelPavlov () ferris edu

[image: cid:image001.png@01D24414.DC8BCD70]



Notice:This email message and any attachments are for the confidential use
of the intended recipient. If that isn’t you, please do not read the
message or attachments, or distribute or act in reliance on them. If you
have received this message by mistake, please immediately notify
VelPavlov () ferris edu and delete this message and any attachments. Thank
you.




-- 
============================================================
Eric C. Lukens       IT Security Compliance & Policy Analyst
Information Security           Innov Teaching & Tech Ctr 107
University of Northern Iowa       Cedar Falls, IA 50614-0301
(319) 273-7434                   http://www.uni.edu/elukens/
============================================================

Current thread:

Privileged Account Management Velislav K Pavlov (Dec 06)
- Re: Privileged Account Management Justin Store (Dec 06)
- Re: Privileged Account Management Eric Lukens (Dec 06)
  - Re: Privileged Account Management Balge, Jason (Dec 06)