Educause Security Discussion mailing list archives

Re: Privileged Account Management


From: "Balge, Jason" <jbalge () MCW EDU>
Date: Tue, 6 Dec 2016 17:45:03 +0000

Great conversation, and thanks for sharing your documents, Eric.  It is nice to know that this can be controlled at the 
OU level as well as the entire domain.  I will definitely look into LAPS after this.

Jason Balge
Systems Manager
Medical College of Wisconsin
Department of Pediatrics
Helpdesk: 414.337.7347
Phone:     414.337.7111
E-Mail: jbalge () mcw edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric 
Lukens
Sent: Tuesday, December 06, 2016 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Privileged Account Management

We have deployed LAPS to a majority of our Windows computers. Once you get the schema and the permissions done, the 
rest is fairly easy. We went so far as to put a LAPS group policy object at the root of the domain. So the only action 
the techs needed to use the tool was to install the client. How the various techs used the local admin 
account will dictate how much of a change it is for them. Some of our techs always had the local admin account 
disabled, so they didn't notice. It had the side effect of rooting out some bad practices.

I wrote up various guides for our techs to use LAPS. The guides don't cover the initial schema or permissions changes, 
just the day-to-day installation of the client and use of the tool. I've redacted the possibly sensitive bits. They can 
be found on my Google Drive at:

https://drive.google.com/drive/folders/0B_Rq55JJ90lhTU5sUzAwdVU4VVE?usp=sharing

Let me know if you have any questions.

-Eric

On Tue, Dec 6, 2016 at 10:20 AM, Velislav K Pavlov <VelislavPavlov () ferris edu> wrote:
Greetings,

We are reviewing our privileged account management practices and procedures. Has anyone implemented LAPS and cares to 
share their experience with the implementation and lessons learned? Any other open-source/free solutions that you are 
using for Linux/Unix and macOS/SOX? The consideration is specifically for local accounts with elevated privileges. Zero 
budget for commercial products. Thank you.

Vel Pavlov | Coordinator, IT Security
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE,
Security+, CNA, MPCS, ITILv3F, A+
Big Rapids, MI 49307
VelPavlov () ferris edu

Notice: This email message and any attachments are for the confidential use of the intended recipient. If that isn’t 
you, please do not read the message or attachments, or distribute or act in reliance on them. If you have received this 
message by mistake, please immediately notify VelPavlov () ferris edu and delete this 
message and any attachments. Thank you.




--
============================================================
Eric C. Lukens       IT Security Compliance & Policy Analyst
Information Security           Innov Teaching & Tech Ctr 107
University of Northern Iowa       Cedar Falls, IA 50614-0301
(319) 273-7434                   
http://www.uni.edu/elukens/
============================================================

