MS LAPS

GOAL: Avoid using identical passwords for local accounts, to prevent attacker lateral movement

Could avoid local accounts entirely, but:

◦ If no admin credentials are cached, there is no way to log on when the computer is off the domain network

◦ Cannot repair the computer if its trust account is broken

The typical workaround is to use a single local administrator password on all workstations and all servers, which is what allows lateral movement once that one password is compromised

Solution:

LAPS – Local Administrator Password Solution

◦ Recommended by CIS baseline

◦ Defense in Depth!


https://www.microsoft.com/en-us/download/details.aspx?id=46899