A question about security and LAPS


#1 johnlockie



  • Members

Posted 17 December 2015 - 12:50 AM

So my first question is: has anyone found a better way to restrict the data collection account?  Domain Admin is surely overkill.  We have techniques for reining in DA accounts, but these accounts are like gold and we typically wouldn't ever allow a vendor's software to run with a service account that is a domain administrator because it's breaking every rule in the book.  Does anyone have any experience or advice, or have any of you found that you can use more restrictive group memberships to achieve the same level of auditing?


Another question: I notice that Netwrix monitors a lot / all of the AD schema.  When you deploy LAPS you extend the schema to create a new attribute "ms-Mcs-AdmPwd".  The permission / ACL entry is added for OUs (under "AdmPwdExtendedRights"), and is granted by default to Domain Administrators.  What this means is that the local password for Administrator on each domain joined workstation will be stored in ms-Mcs-AdmPwd.  Access to this field is granted to any account that has the AdmPwdExtendedRights permission.  So, depending on your LAPS policy, the workstation local Administrator account password is reset by the domain every "x" number of days.  When that happens, the schema object ms-Mcs-AdmPwd is updated for that account (the computer account).  It is done in plain text, but secured in AD such that only accounts with AdmPwdExtendedRights can actually read it.  Well, that includes the Netwrix account.  Therefore, when ms-Mcs-AdmPwd is changed, Netwrix sees this and alerts... and of course... the best part is that the new local Administrator password for the machine is included in the email alert!


Now, I am wondering if I can simply add ms-Mcs-AdmPwd to the omitproplist.txt file in C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing... and this should stop it from monitoring that object?  Or is there another way?


I tried to remove Netwrix from the Domain Administrators group, and then made a change to this object, but I still (strangely) got the alert.  So I am curious if maybe I am wrong about how this is working.


At the end of the day, I need to stop Netwrix from emailing us whenever LAPS updates local Administrator passwords on workstations... and possibly, remove this access entirely to prevent someone from using Netwrix to harvest these credentials themselves.  Make sense?


Sorry for the long post.

#2 jeffb


  • Administrators

Posted 17 December 2015 - 01:19 PM



You can use omitproplist.txt to omit any attribute.  Just follow the syntax of the examples already in that file.  Also, the installation and configuration documentation has a section specifically on permissions and the granular permissions required.  If you intend to use agents the account must be a domain admin; however, if you do not use agents the account must have the Manage Auditing and Security Log permission on the server.  Documentation can be found on our website by going to Support -> Documentation.



#3 johnlockie



  • Members

Posted 17 December 2015 - 03:41 PM

Jeff, I have read the docs.  I am familiar with what it says.  The problem is, many vendors claim to require domain administrator but when you really investigate it they are being lazy.  Granted, your docs do have some granularity, but most of that is moot when you blanket it with "domain administrator".  Running infrastructure and security for a financial institution doesn't allow me to just grant such access for service accounts without some serious scrutiny, risk analysis and mitigation.  So really, I was posting to the community to see if anyone has been able to ignore this requirement and be more specific with access controls to achieve the monitoring levels they want without granting domain administrator rights...


Editing the omitproplist.txt (adding *.ms-Mcs-AdmPwd) worked.  I would suggest that in future releases you add this line as a default to your deployments.  This is a pretty large security flaw: given that you require domain admin, it will be sending local administrator login credentials over alert notifications...
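An added example, not code from the thread, Netwrix or Microsoft, that a defender could run on the Netwrix Auditor server to confirm the `*.ms-Mcs-AdmPwd` omit entry is in place, list which principals hold the LAPS read right on an OU, and check whether the local "Netwrix Auditor" event log already contains records mentioning the attribute. It assumes the omitproplist.txt path quoted above, the Microsoft LAPS PowerShell module (AdmPwd.PS) being installed, and a hypothetical OU distinguished name.

```powershell
# Added example: verify the Netwrix omit list excludes the LAPS password attribute,
# enumerate who can read it, and look for leaked values in the local Netwrix log.
# Path is the one quoted in the thread; OU DN below is a placeholder to replace.

$omitList = 'C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing\omitproplist.txt'
$entry    = '*.ms-Mcs-AdmPwd'

# 1. Ensure the attribute is on the omit list (idempotent: only appends when missing).
if (-not (Test-Path -Path $omitList)) {
    throw "omitproplist.txt not found at $omitList"
}
$lines = Get-Content -Path $omitList
if ($lines -contains $entry) {
    Write-Host "OK: '$entry' already present in omitproplist.txt"
} else {
    Add-Content -Path $omitList -Value $entry
    Write-Host "Added '$entry' to omitproplist.txt (restart the Netwrix service to apply)"
}

# 2. List every principal holding the AdmPwd extended right on the workstation OU.
#    Find-AdmPwdExtendedRights is part of Microsoft's AdmPwd.PS module.
Import-Module AdmPwd.PS
$ou = 'OU=Workstations,DC=example,DC=com'   # placeholder DN, not from the thread
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -Property ObjectDN, ExtendedRightHolders |
    Format-List

# 3. Count Netwrix Auditor events on this server whose message references the attribute.
#    The log name is the one reported later in this thread; absence of the log is not an error.
$hits = Get-WinEvent -LogName 'Netwrix Auditor' -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ms-Mcs-AdmPwd' }
Write-Host ("Events mentioning ms-Mcs-AdmPwd in the 'Netwrix Auditor' log: {0}" -f @($hits).Count)
```

Any account that appears in ExtendedRightHolders, including the Netwrix collection account, can read every workstation's local Administrator password, so the list from step 2 is the population to review rather than just the alert channel.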

#4 vadimel



  • Members

Posted 20 December 2016 - 06:34 AM

I am sorry that I cannot help. I hope others here will be able to help you.

#5 JeroenD



  • Members

Posted 09 February 2017 - 02:23 PM

Hi johnlockie,


I'm having the same bad feeling giving the Netwrix service domain admin rights. Also it seems this service needs logon rights, otherwise the Netwrix Auditor GUI doesn't start up.

We are also using LAPS and every change gets mailed, but it's also put in the event log of the Netwrix server.


Those password changes are being written to Applications and Services Logs, sub-log "Netwrix Auditor". So not in the Windows Logs, but still quite easy to read.


This topic last got updated in December. What's the status with this product at your company now?


