Protecting Windows networks: Get back to basics for the new year

It’s a new year, which tends to suggest it’s time to embrace new solutions or software or methods for protecting a Windows network. In fact, that’s a misleading instinct. It’s far better to go back to basics in our networks, which often get neglected as we layer on more software and more methods that clearly are not working.

It might be easier or more expedient to deploy new external protection tools, but they don’t get to the root of the problem: the ease with which attackers can take control once they’re inside a network. What we should be doing is ensuring the foundations of our domains and guarding against lateral movements, long a prominent attack technique employed by bad actors. Just by cracking a local administrator password, they can gain fast and easy access to accounts on many machines across a network.

Fully deploy Windows LAPS

To start with, every network should have a fully deployed and functional Windows Local Administrator Password Solution (LAPS). While in the old days, we used to have to install LAPS manually on every workstation, with Windows 10 and 11 and Server 2019 and Server 2022 since April 2023, the LAPS code is included in the platform. You can use either Active Directory or Entra (formerly Azure AD) to control and manage local password encryption.

Windows LAPS specifically provides the following benefits:

• Protection against pass-the-hash and lateral-traversal attacks.
• Improved security for remote help desk scenarios.
• Ability to sign in to and recover devices that are otherwise inaccessible.
• A fine-grained security model (access control lists and optional password encryption) for securing passwords that are stored in Windows Server Active Directory.
• Support for the Entra role-based access control model for securing passwords that are stored in Entra ID.

Different devices use different methods to join a network, so it will be necessary to plan accordingly to manage the various methods employed for password backup in each case. For example, those devices that are joined only to Entra or Azure AD have their passwords backed up only to Entra or Azure AD.

Devices that are joined to Active Directory have their passwords backed up to Active Directory.  If a device is hybrid, its password can be backed up to either to Entra, Azure AD, or to traditional Active Directory.  If you are still using the legacy Microsoft LAPS solution, set aside time and resources for deploying Windows LAPS. Protecting the local administrator is only one of the potential ways to better protect a network. But often these additional protections require testing to ensure that the workstations still function as expected.