Website under construction

120 
CHAPTER 4 | Security and identity 
credentials for this account with stricter requirements, you will be able to mitigate an attack if your 
user account is compromised. 
Securing the local administrator account was previously done during deployment and was rarely 
changed after it was set. The password was usually kept the same throughout the entire estate of 
workstations, which led to a huge problem if the password was compromised. However, if you don’t 
use the same password throughout the estate, you might have a more complicated problem trying 
to remember the unique password for each of the workstations. To help you manage the local 
administrator password for both workstations and servers, Microsoft provides a tool called Local 
Administrator Password Solution (LAPS). 
LAPS creates a unique password for each server and workstation in an environment and stores them 
in Active Directory as a confidential attribute in the computer object. They have an appropriate access 
control list applied to them so that only the appropriate accounts can access them and retrieve them 
as necessary. For more information on LAPS, go to 
http://aka.ms/LAPS.
 
The final key part of the short-term goals should be focused around creating Privileged-Access 
Workstations (PAWs). PAWs are hardened workstations implemented specifically to act as a controlled 
point of administration to more secure systems. PAWs would be restricted from accessing the Internet 
or unsecure resources, ensuring that their attack surface is held to an absolute minimum. Only a 
restricted set of authorized users would also be able to sign in to the PAWs, which in turn would 
reduce the ability to attack secure part of the networks. For more information on PAWs, go to 
http://aka.ms/CyberPAW.
Figure 4-3 illustrates the steps that you can take as part of your short-term plan. 

Download 13,37 Mb.

Do'stlaringiz bilan baham: