According to the survey, identical passwords are used for local administrative users on different clients and, more rarely, on servers. The passwords are stored as an NTLM hash; however, this still gives an attacker an easy way to exploit the reuse for lateral movement in the network.

When installing new clients or servers, the question often arises of how to set the passwords for the local administrative users. The password can be set, for example, by installation scripts or by Group Policy.

If an installation script is used, make sure that the password is not still stored in reversible form on the device after the installation. In the default configuration this is usually the case.

Using Group Policy to set the password is not recommended, because the password is only encrypted with a static AES key and the encrypted values are visible to every domain user. This information, including the key used, is publicly documented [1]. Attackers can use the key to decrypt passwords that are defined by Group Policy.
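As an added example (not code from the original article), the following PowerShell audit searches SYSVOL for Group Policy Preferences files that still carry a "cpassword" attribute, which is exactly the weakly encrypted value described above. It only reports where such values exist and does not decrypt anything. It assumes the running account can read SYSVOL and that `$env:USERDNSDOMAIN` names the domain to audit; the file names and the function name are choices for this example.

```powershell
# Added example: report GPP files in SYSVOL that still contain a cpassword value.
# Assumes read access to \\<domain>\SYSVOL; does not decrypt the values.

function Find-GppCpassword {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        # GPP files that can carry a cpassword; Groups.xml is the one that sets
        # local user / local administrator passwords.
        [string[]]$FileNames = @('Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                                 'DataSources.xml', 'Drives.xml', 'Printers.xml')
    )
    $policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $policyRoot -Recurse -Include $FileNames -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            [xml]$xml = Get-Content -Path $file.FullName -Raw
            # Any element with a non-empty cpassword attribute is a finding.
            $hits = $xml.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')
            foreach ($node in $hits) {
                [pscustomobject]@{
                    # The GPO GUID is the folder directly below "Policies".
                    GpoGuid = ($file.FullName -replace [regex]::Escape($policyRoot), '').Split('\')[1]
                    File    = $file.FullName
                    Element = $node.Name
                    # In Groups.xml the Properties element names the account.
                    Account = $node.userName
                    # The parent element records when the setting was last changed.
                    Changed = $node.ParentNode.changed
                }
            }
        }
}

Find-GppCpassword | Format-Table -AutoSize
```

Every row returned is a policy that should be rewritten without an embedded password; the GPO GUID and the "Changed" timestamp are enough to locate and review it in the Group Policy Management Console.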

Even if measures are taken to ensure that the passwords are not stored in reversible, encrypted form, the problem remains that the passwords on the devices are identical and are usually rarely changed.

The passwords of local users are stored as an NT LAN Manager (NTLM) hash in the Security Accounts Manager (SAM) database. If an attacker has obtained local administrative rights through a compromise, or an employee through privilege escalation, the NTLM hashes can easily be read out of the system.

This is possible by copying the file %windir%\system32\config\SAM and reading the hashes on a secondary system, or by reading them out directly with programs such as Pwdump [2] or Mimikatz [3].

mimikatz # lsadump::sam
Domain: comouter 
SysKey: 851699dfa1c3e97454cb3bbdd9dc1df5 
Local SID: S-1-5-21-1728647135-1167794982-1540262392 

SAMKey: 9af6039e47b5336fcb32b6e2704ee052 

RID: 000001f4 (500)
 User: Administrator
 LM:
 NTLM: 64F12CDDAA88057E06A81B54E73B949B

An attacker can now try to recover the clear-text password from the NTLM hash with an offline brute-force attack. How feasible this is depends on the password's complexity and length: an 8-character password made up of uppercase and lowercase letters and digits (62 different characters) can be cracked with two current, fast graphics cards in at most 45 minutes.

However, the plaintext password is not even required to log on to systems where the user has the same password. A pass-the-hash attack uses the NTLM hash value directly to log on to such a system. This works because, for security reasons, the authentication exchange over the network is based on the hash rather than on the clear-text password.

The Python collection “Impacket” contains various administration tools that allow logging on with the NTLM hash. A well-known example is Psexec [4].

Setting a strong password does not hinder the attacker in any way as long as the same user has the same password on other devices.
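From the defender's side, a pass-the-hash logon with a reused local administrator password shows up on the target machine as a network logon (Security event 4624, logon type 3) authenticated with NTLM for an account whose domain is the machine itself rather than the AD domain. The following PowerShell is an added example, not part of the original article: it filters logon records for that pattern. The logon records are constructed sample data, the field names are those of a 4624 event's EventData section, and the filter is a heuristic assumed for this example (legitimate local-account administration produces the same pattern and should be whitelisted by source address).

```powershell
# Added example: flag network logons that use a local account over NTLM.
# Sample data below is constructed; field names follow the 4624 event's EventData.

function Get-LocalNtlmNetworkLogons {
    param(
        [Parameter(Mandatory)][object[]]$Logons,   # objects carrying the 4624 fields used below
        [Parameter(Mandatory)][string]$AdDomain     # NetBIOS name of the AD domain, e.g. DEMO
    )
    $Logons | Where-Object {
        $_.LogonType -eq 3 -and                          # network logon
        $_.AuthenticationPackageName -eq 'NTLM' -and     # NTLM, not Kerberos
        $_.TargetDomainName -ne $AdDomain -and           # not a domain account ...
        $_.TargetDomainName -ne 'NT AUTHORITY' -and      # ... and not a system/anonymous logon
        $_.TargetUserName -notlike '*$'                  # skip machine accounts
    }
}

# Flatten a live 4624 event into the shape the filter expects (assumed mapping
# from the event XML; needs administrative rights to read the Security log).
function ConvertFrom-LogonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time                      = $Event.TimeCreated
        TargetUserName            = $data.TargetUserName
        TargetDomainName          = $data.TargetDomainName
        LogonType                 = [int]$data.LogonType
        AuthenticationPackageName = $data.AuthenticationPackageName
        IpAddress                 = $data.IpAddress
        WorkstationName           = $data.WorkstationName
    }
}

# Constructed sample: four logons recorded on machine PC-0042 in domain DEMO.
$sample = @(
    [pscustomobject]@{ Time='2017-10-11 04:10:01'; TargetUserName='jdoe';          TargetDomainName='DEMO';    LogonType=3; AuthenticationPackageName='Kerberos';  IpAddress='10.0.0.15'; WorkstationName='PC-0042' },
    [pscustomobject]@{ Time='2017-10-11 04:12:40'; TargetUserName='Administrator'; TargetDomainName='PC-0042'; LogonType=3; AuthenticationPackageName='NTLM';      IpAddress='10.0.0.77'; WorkstationName='PC-0042' },
    [pscustomobject]@{ Time='2017-10-11 04:13:02'; TargetUserName='Administrator'; TargetDomainName='PC-0042'; LogonType=2; AuthenticationPackageName='Negotiate'; IpAddress='-';         WorkstationName='PC-0042' },
    [pscustomobject]@{ Time='2017-10-11 04:15:09'; TargetUserName='PC-0043$';      TargetDomainName='DEMO';    LogonType=3; AuthenticationPackageName='NTLM';      IpAddress='10.0.0.43'; WorkstationName='PC-0043' }
)

Get-LocalNtlmNetworkLogons -Logons $sample -AdDomain 'DEMO' | Format-Table -AutoSize

# Against the live Security log:
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624 } -MaxEvents 5000 |
#             ForEach-Object { ConvertFrom-LogonEvent $_ }
# Get-LocalNtlmNetworkLogons -Logons $live -AdDomain 'DEMO'
```

On the sample data only the second record (local "Administrator", network logon, NTLM, from a different host) is reported; the interactive console logon and the domain logons are dropped. With unique LAPS-managed passwords such a logon can no longer succeed with a hash taken from another machine, which is what makes this event pattern worth alerting on.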

To prevent such an attack, it is recommended to set a unique, strong password for the local administrator user on each device. This is made easier by the software “Local Administrator Password Solution” (LAPS), which Microsoft released in 2015.

With LAPS, the passwords of the local administrators can be managed through Active Directory. A random password is generated and is automatically regenerated once a time interval set by Group Policy has expired. The download and further information are documented in [5] and [6].

To use it, clients must have the “AdmPwd” Group Policy client-side extension installed. The Active Directory server requires the management tools that manage the passwords. In addition, the built-in account “SELF” must be given write permission to the password attribute. This can be done for an entire organizational unit (OU) with the following command:

PS> Set-AdmPwdComputerSelfPermission -Identity "CN=Computers,DC=demo,DC=local"

The following example entries in Group Policy can be used to activate LAPS:
Administrative Templates\LAPS\Enable local admin password management: Enabled
Administrative Templates\LAPS\Password Settings:
       Complexity: large letters + small letters + numbers + specials
       Password Length: > 20
       Password Age: < 100
Administrative Templates\LAPS\Do not allow password expiration time longer than required by policy: Enabled

Enabling “Do not allow password expiration time longer than required by policy” ensures that a password whose stored expiration date lies further in the future than the current policy allows is nevertheless reset once the policy's interval has elapsed.
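To verify on a client that the policy above has actually been applied, the following PowerShell (an added example, not from the original article) reads the computer policy values the LAPS client-side extension consumes and compares them with the recommended settings. The registry path and value names are an assumption about the legacy LAPS extension and should be checked against the version in use; the thresholds mirror the article's "length > 20" and "age < 100".

```powershell
# Added example: compare the applied LAPS computer policy with the recommended values.
# Registry location and value names are assumed (legacy LAPS CSE); verify for your version.

function Test-LapsPolicy {
    param(
        [string]$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd',
        [int]$MinLength     = 21,   # article: password length > 20
        [int]$MaxAgeDays    = 99    # article: password age < 100
    )
    if (-not (Test-Path $PolicyKey)) {
        # No policy key at all means LAPS management is not configured on this machine.
        return [pscustomobject]@{ Setting='Policy key'; Expected='present'; Actual='missing'; Ok=$false }
    }
    $p = Get-ItemProperty -Path $PolicyKey
    # Complexity value 4 is assumed to mean "large letters + small letters + numbers + specials".
    $checks = @(
        @{ Setting='Enable local admin password management';     Expected=1;                Actual=$p.AdmPwdEnabled;                  Ok=($p.AdmPwdEnabled -eq 1) },
        @{ Setting='Password complexity';                        Expected=4;                Actual=$p.PasswordComplexity;             Ok=($p.PasswordComplexity -eq 4) },
        @{ Setting='Password length';                            Expected=">= $MinLength";  Actual=$p.PasswordLength;                 Ok=([int]$p.PasswordLength -ge $MinLength) },
        @{ Setting='Password age (days)';                        Expected="<= $MaxAgeDays"; Actual=$p.PasswordAgeDays;                Ok=([int]$p.PasswordAgeDays -le $MaxAgeDays) },
        @{ Setting='Do not allow expiration longer than policy'; Expected=1;                Actual=$p.PwdExpirationProtectionEnabled; Ok=($p.PwdExpirationProtectionEnabled -eq 1) }
    )
    foreach ($c in $checks) { [pscustomobject]$c }
}

Test-LapsPolicy | Format-Table Setting, Expected, Actual, Ok -AutoSize
```

A value that is absent from the key means the setting was left "Not configured" and the extension's built-in default applies; the check deliberately treats such values as non-compliant so that the policy has to state every setting explicitly.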

The generated passwords can then be displayed by administrators in Active Directory using the “Attribute Editor” of the corresponding computer object, or via the following PowerShell command:
PS> Get-AdmPwdPassword -ComputerName "computer" | Format-List

ComputerName: computer
DistinguishedName: CN=computer,CN=Computers,DC=demo,DC=local
Password: O9p2-2#r%DAF467[+40s82F8Yp;5$a
ExpirationTimestamp: 10/11/2017 4:08:23 AM

The password is stored in the computer object's ms-Mcs-AdmPwd attribute. If a password has to be reset prematurely, this is possible with the following command:

PS> Reset-AdmPwdPassword -ComputerName "COMPUTERNAME"

When using LAPS, it is important to set the access rights on the attributes so that only authorized persons can read the password. The following command lists all principals that hold this permission:

PS> Find-AdmPwdExtendedRights -Identity "DC=demo,DC=local"
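Listing the right holders is only useful if someone compares the list with what is intended. The following PowerShell is an added example (not from the original article or from Microsoft) that runs Find-AdmPwdExtendedRights over a set of OUs and flags every holder of the extended right that is not on an approved list. The OU names and the approved groups are placeholders for this example; the ObjectDN and ExtendedRightHolders property names and the -IncludeComputers switch are assumptions about the cmdlet's output and should be verified against the installed AdmPwd.PS version.

```powershell
# Added example: audit LAPS password read rights against an approved list.
# Requires the AdmPwd.PS module; OU DNs and group names below are placeholders.

Import-Module AdmPwd.PS

function Test-LapsReadRights {
    param(
        [Parameter(Mandatory)][string[]]$OrgUnits,   # DNs of the OUs that hold computer objects
        [Parameter(Mandatory)][string[]]$Approved    # principals allowed to read, e.g. 'DEMO\Domain Admins'
    )
    foreach ($ou in $OrgUnits) {
        # -IncludeComputers (assumed) also reports rights set directly on computer objects.
        Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers | ForEach-Object {
            $dn = $_.ObjectDN
            foreach ($holder in $_.ExtendedRightHolders) {
                [pscustomobject]@{
                    ObjectDN = $dn
                    Holder   = $holder
                    # SYSTEM is expected to hold the right; every other holder must be approved.
                    Approved = ($holder -eq 'NT AUTHORITY\SYSTEM') -or ($Approved -contains $holder)
                }
            }
        }
    }
}

$findings = Test-LapsReadRights -OrgUnits @('OU=Workstations,DC=demo,DC=local', 'OU=Servers,DC=demo,DC=local') `
                                -Approved @('DEMO\Domain Admins', 'DEMO\LAPS-Readers')

# Only the unexpected holders are interesting for the reviewer.
$findings | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

Running this on a schedule and comparing the output with the previous run turns the one-off check into a control: a newly appearing holder means someone has been granted the ability to read every local administrator password below that OU.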


Conclusion

The local administrative users on different clients and servers should not have identical passwords. Using the NTLM hash read from one system, attackers can log on over the network to every other device on which the user has the same password. For this reason, it is recommended to set unique and complex passwords for the local administrative users.
Microsoft’s Local Administrator Password Solution (LAPS) assigns unique, randomly generated passwords to the local administrator accounts. It must be ensured that the permissions on the password attribute are set so that only authorized persons can read it.


[1]: https://msdn.microsoft.com/en-us/library/cc422924.aspx
[2]: http://www.openwall.com/passwords/windows-pwdump
[3]: https://github.com/gentilkiwi/mimikatz
[4]: https://github.com/CoreSecurity/impacket/blob/master/examples/psexec.py
[5]: https://technet.microsoft.com/en-us/library/security/3062591.aspx
[6]: https://www.microsoft.com/en-us/download/details.aspx?id=46899