The famous Latin phrase De mortuis nil nisi bonum (Of the dead, nothing unless good) came to mind last week when Microsoft announced the release of LAPS (Local Administrator Password Solution). Microsoft has been predicting the demise of passwords for over a decade.
Way back in 2004, Microsoft’s Chairman, Bill Gates predicted the death of passwords and again in 2006, he claimed that the end to passwords was at sight. And today, Microsoft releases a solution for password management, though only to manage local administrator accounts. Perhaps, by releasing LAPS now, Microsoft is paying an honest obituary. Or, is it a false eulogy?
All kidding aside, managing local administrator passwords is a contentious issue in IT teams and it is rather heartening to see Microsoft releasing a solution, belatedly though. In this aspect, ManageEngine has been years ahead of Microsoft; we brought in this feature in Password Manager Pro almost 9 years ago, exactly when Microsoft predicted that the end to passwords was at sight.
In unstructured or not-so-structured IT environments, the classic dilemma of an admin is whether to enable local admin accounts when provisioning workstations. If the local admin accounts are disabled, the vital option to get into the system when it fails to connect to the domain controller for some reason is lost.
However, enabling a local administrator account comes with a host of security issues:
- IT admins lose centralized control over the assets – end users tend to install software applications of their choice,bypass security controls like virus scans, reconfigure firewall settings, or even postpone vital security updates.
- If the local administrator passwords are weak, left unchanged, or the same password is used on multiple accounts, malicious users could gain unauthorized access to workstations.
- In the worst-case scenario, an attacker with access to a local admin account could disperse widely,navigate across the network, and could even elevate privileges to that of a domain administrator.
Although disabling local admin accounts altogether may not be feasible, you can mitigate security issues by adopting some best practices such as assigning strong, unique passwords to all accounts, frequently changing them, and automating this entire process. Manually doing this could be error-prone and time-consuming.
ManageEngine Password Manager Pro helps IT shops take total control of local admin accounts through a fully automated, policy-driven approach. All password access activities are audited and could be traced back to the user.
While Microsoft LAPS helps in managing just the local administrator account passwords on domain-joined computers, ManageEngine Password Manager Pro goes a lot further and helps manage privileged accounts across physical, virtual, and cloud environments. In addition to helping IT shops manage local admin passwords, Password Manager Pro helps manage Windows domain accounts and service accounts.
Among the physical instances, it supports a whole lot of target systems, including flavors of UNIX, databases, and network devices for password resets and access control. When it comes to virtual environment, VMWare ESX and ESXi accounts can be managed. In the cloud space, the management console or administration panel passwords of cloud services like Amazon Web Services, Microsoft Azure, Google Apps, and Rackspace can be controlled.
While discussing passwords and their management, it is pertinent to emphasize that passwords themselves have never been the problem; poor password management has been the problem always. With an effective password management solution like Password Manager Pro, the security issues associated with passwords can be mitigated considerably.
Deviating from the passwords are dead stance, through LAPS, Microsoft has now recognized the importance of managing local administrator accounts. Probably, they will neither talk about managing other types of passwords nor acknowledge that passwords are here for the long haul.