Windows LAPS Enabled (Azure AD)

💼 Management Summary

Windows LAPS (Local Administrator Password Solution) rotates local admin passwords automatically, preventing lateral movement via shared local admin credentials.

Recommendation: IMPLEMENT
Risk without implementation: Critical
Risk Score: 9/10
Implementation effort: 6h (tech: 4h)
Applies to: ✓ Windows, ✓ Intune

Default: the same local admin password on all devices. An attacker compromises one device → uses the local admin password for lateral movement to all devices. LAPS: a unique password per device, automatic rotation, centrally managed.

PowerShell Modules Required
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

Enable Windows LAPS via Intune. Each device gets a unique local admin password, rotated every 30-90 days, backed up to Azure AD and retrievable by authorized admins only.

Prerequisites

  1. Windows 10/11
  2. Azure AD joined
  3. Intune subscription
  4. Windows 11 22H2+ (native LAPS) or the LAPS client

Implementation

  1. Intune → Devices → Configuration profiles → Windows LAPS
  2. Enable LAPS for Azure AD
  3. Password rotation: 30 days
  4. Password complexity: 14+ characters
  5. Backup to Azure AD
  6. Deploy to all Windows devices
  7. Admins retrieve passwords via the Azure AD device properties
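As an added example (not the baseline's own script), the function below verifies the device-side result of steps 2 to 5: it reads the Windows LAPS policy that the Intune profile writes under HKLM:\SOFTWARE\Microsoft\Policies\LAPS and compares BackupDirectory, PasswordAgeDays and PasswordLength with the values in this control. The thresholds are parameters, so the same check covers the 30-90 day rotation range mentioned earlier; the policy path and the "flag unset values" rule are this example's assumptions.

```powershell
# Added example: verify the Windows LAPS policy applied by Intune on this device.
# Assumes the CSP/GPO policy location HKLM:\SOFTWARE\Microsoft\Policies\LAPS.
function Test-LapsPolicySettings {
    [CmdletBinding()]
    param(
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',
        [int]$MaxPasswordAgeDays = 30,   # control: rotate every 30 days
        [int]$MinPasswordLength  = 14    # control: 14+ characters
    )
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path $PolicyPath)) {
        $findings.Add("No LAPS policy at $PolicyPath - device is not receiving the Intune profile")
        return [PSCustomObject]@{ IsCompliant = $false; Findings = $findings.ToArray() }
    }
    $p = Get-ItemProperty -Path $PolicyPath

    # BackupDirectory: 0 = disabled, 1 = Azure AD, 2 = Windows Server AD. Only 1 matches this control.
    $backup = $p.BackupDirectory
    if ($backup -eq 2) {
        $findings.Add('BackupDirectory=2: passwords are backed up to on-prem AD, not Azure AD')
    } elseif ($backup -ne 1) {
        $findings.Add("BackupDirectory=$backup: LAPS backup is disabled or not set")
    }

    # An absent value means Windows LAPS uses its built-in default (30 days / 14 characters).
    # This example flags that so the Intune profile sets the value explicitly.
    if ($null -eq $p.PasswordAgeDays) {
        $findings.Add('PasswordAgeDays not set: relying on the built-in default')
    } elseif ($p.PasswordAgeDays -gt $MaxPasswordAgeDays) {
        $findings.Add("PasswordAgeDays=$($p.PasswordAgeDays): exceeds $MaxPasswordAgeDays days")
    }
    if ($null -eq $p.PasswordLength) {
        $findings.Add('PasswordLength not set: relying on the built-in default')
    } elseif ($p.PasswordLength -lt $MinPasswordLength) {
        $findings.Add("PasswordLength=$($p.PasswordLength): below $MinPasswordLength characters")
    }

    [PSCustomObject]@{
        IsCompliant = ($findings.Count -eq 0)
        Backup      = $backup
        AgeDays     = $p.PasswordAgeDays
        Length      = $p.PasswordLength
        Findings    = $findings.ToArray()
    }
}

# Run elevated on a managed device; IsCompliant is $true only when all three settings match.
Test-LapsPolicySettings | Format-List
```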

Compliance and Auditing

  1. CIS Intune
  2. BIO 09.04
  3. ISO 27001 A.9.4.3
  4. NIS2 Article 21

Monitoring

Use the PowerShell script laps-enabled-azuread.ps1 (function Invoke-Monitoring) to check compliance.

Remediation

Use the PowerShell script laps-enabled-azuread.ps1 (function Invoke-Remediation) to remediate.


Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Intune Account Policy: LAPS Enabled for Azure AD
.DESCRIPTION
    CIS - Local Administrator Password Solution (LAPS) must be enabled.
.NOTES
    Filename: laps-enabled-azuread.ps1 | Author: Nederlandse Baseline voor Veilige Cloud | Feature: Windows LAPS | Expected: Enabled
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)

$ErrorActionPreference = 'Stop'
$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config"
$RegName = "BackupDirectory"   # 0 = disabled, 1 = backup to Azure AD, 2 = backup to Windows Server AD

function Connect-RequiredServices {
    # The check is local (registry only); only verify that the script runs elevated.
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName = "laps-enabled-azuread.ps1"; PolicyName = "LAPS Enabled"
        IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Enabled"; Details = @()
    }
    try {
        if (Test-Path $RegPath) {
            $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
            # Only BackupDirectory = 1 means LAPS is active with Azure AD backup; 0 means disabled,
            # so the mere presence of the value is not enough.
            if ($v -and $v.$RegName -eq 1) {
                $r.CurrentValue = "Enabled"; $r.IsCompliant = $true
                $r.Details += "LAPS configured: BackupDirectory=$($v.$RegName)"
            } else {
                $r.CurrentValue = "Not Configured"
                $r.Details += "LAPS niet volledig geconfigureerd (BackupDirectory=$($v.$RegName))"
            }
        } else {
            $r.CurrentValue = "Not Installed"; $r.Details += "LAPS niet geïnstalleerd"
        }
    } catch { $r.Details += "Error: $($_.Exception.Message)" }
    return $r
}

function Invoke-Remediation {
    # LAPS is enabled through an Intune policy, not locally; the script only points to the setting.
    Write-Host "LAPS moet geconfigureerd via Intune policy:" -ForegroundColor Yellow
    Write-Host "Devices > Configuration profiles > Windows 10+ > Account Protection" -ForegroundColor Gray
    Write-Host "Enable: Local admin account management" -ForegroundColor Gray
}

function Invoke-Monitoring {
    $r = Test-Compliance
    $status = if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    Write-Host "`n$($r.PolicyName): $status" -ForegroundColor $(if ($r.IsCompliant) { 'Green' } else { 'Red' })
    return $r
}

function Invoke-Revert { Write-Host "Revert via Intune policy removal" }

try {
    if (-not (Connect-RequiredServices)) { exit 1 }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if (-not $WhatIf) { Invoke-Remediation }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch { Write-Error $_; exit 1 }

Risk without implementation

Critical - Shared local admin passwords mean lateral movement across all devices. One compromise means network-wide access.

Management Summary

Enable Windows LAPS. A unique local admin password per device, auto-rotated. Prevents lateral movement. Meets BIO 9.04, NIS2. Setup: 4h.