VULNERABILITY DIGEST FROM ACTION1

Patch Tuesday and third-party updates | This Wednesday | 12 PM EST / 6 PM CET

Action1 5 Blog 5 How to Securely Manage Local Administrator Accounts Without Using LAPS

How to Securely Manage Local Administrator Accounts Without Using LAPS

June 5, 2024

By Gene Moody

As admins, we often need to remote access systems where no user is present, or perform tasks requiring administrative credentials but cannot reach authentication servers. For these reasons and more, many admins prefer to maintain local administrator accounts. One industry-standard method for managing these accounts is Microsoft’s LAPS (Local Administrator Password Solution). While a great product, LAPS requires forethought to implement and an Active Directory domain environment to store and manage passwords.
So, what happens when you need this functionality but have not or cannot set up a product like LAPS? Static local administrator accounts with generic, non-rotating passwords are a bad security practice and should be avoided. Manually maintaining local administrator passwords in large environments is a resource drain, likely leading to poor maintenance and becoming a security risk.

With Action1, you have the ability to run scripts on endpoints in an elevated context. Using this access, you can go through the steps of adding a user from the terminal, adding them to the administrators group, setting passwords, disabling the account when not needed, etc. Or you could simply load a handy endpoint script I created to automate this process for you.

Introducing the LocalAdminSolution.ps1 Endpoint Script

The LocalAdminSolution.ps1 endpoint script automates this process and includes some general maintenance tasks. By default, it will create a configurable local administrator account named “A1Admin”. This account will be assigned a randomly generated 14-character password, broken into hyphenated groups of 4 for easy remembering. If the account is already present, the script will enable it and set a new password. The new password is then returned in the endpoint results in the Action1 console.

For security, the account auto-maintains itself. It will remain enabled for only 5 minutes, until it is used to log into the system, or the system is rebooted—whichever comes first. When any of these events occur, the account is disabled, the password is re-randomized, and not logged or transmitted back to Action1. This means any password previously logged in the script history is invalid no more than 5 minutes after it is set.

There is also a companion data source that allows you to create a report to detect all systems where this solution has been employed. Together, they form a functional system for situations like these, or if you need to give a user temporary local admin access for any reason. If you use this solution, be aware of the risks associated with it and all local admin solutions.

Action1 makes using this script as simple as any other script in Action1, and that is to say, seamless. However, the script is not exclusive to Action1 and can be used in any endpoint management system capable of running PowerShell scripts in an appropriately elevated context.

Using this script in Action1

Log in to the Action1 Platform or sign up for an account, the first 100 endpoints are free with no feature limitations.

Setup in minutes to reduce your cyber risks and costs:

No credit card. 100 endpoints free. No feature limits.

Then follow the instructions below for adding new data sources and reports to the system.

1. Click to create a new data source or follow these steps:

    • Go to Configuration | Data Sources, click [+New]
    • Enter data source name, such as ‘Local Admin Solution’, [Next]
    • Copy and paste the script above, [Next]
    • Run on a test endpoint*, [Finish]

    *This step WILL run the script on the endpoint, so ensure whatever system is being tested on has a proper backup recovery procedure.

2. Click to create a new automation or follow these steps:

    • Go to Automaton | Automations, click New Automation | Run Script
    • Select your new data source (e.g. ‘Local Admin Solution’)
    • Choose your new script (e.g. ‘Local Admin Solution’), [Next]
    • Select endpoints to run on, [Next]
    • Choose to run now or later, [Finish]

For more insights and updates, keep an eye on our blog and join our upcoming webinars.

See What You Can Do with Action1

 

Join our weekly LIVE demo “Patch Management That Just Works with Action1” to learn more

about Action1 features and use cases for your IT needs.

 

spiceworks logo
getapp logo review
software advice review
trustradius
g2 review
spiceworks logo

Related Posts

6-Step Patch Management Process

Regular patching is essential for protecting your endpoints from cyberthreats, it is a well-known fact that hackers often exploit unpatched vulnerabilities in order to penetrate...

read more