Skip to content

Commit 00dd6ed

Browse files
passtheticketpasstheticket
authored
Update README.md
1 parent a977b4d commit 00dd6ed

File tree

1 file changed

+2
-0
lines changed

1 file changed

+2
-0
lines changed

README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,8 @@ If the ```ms-DS-Machine-Account-Quota``` attribute value is default, there is no
1212
3. Read ms-mcs-admpwd attribute via AdmPwd.PS (if you are not a member of local administrators after updating GPO) (You must install AdmPwd.PS in the step 1)
1313
* ``Get-LapsAdmPwd -LapsInstalled``
1414

15+
If the ms-DS-Machine-Account-Quota attribute value is default and there is no delegation about domain join permissions to add computer to Active Directory , a domain user can add computer account to domain using the ms-ds-machine-account-quota attribute . So that domain user reads password of local administrator user and uses the password for persistence. For example, user can edit registry settings or add own account to local administrators group after GPO which removes undefined users from local administrators group. Also, this is information disclosure vulnerability, user can add computer and read LAPS password so that he can obtain information about complexity and length of other Administrator passwords. Because, LAPS carries out similar password property for all computer accounts that group policy is applied.
16+
1517

1618
## Mitigation
1719
Microsoft LAPS installation document don't handle this issue and they didn't update it. So don't configuration according to Microsoft LAPS_OperationsGuide.docx and LAPS_TechnicalSpecification documents only. https://www.microsoft.com/en-us/download/details.aspx?id=46899

0 commit comments

Comments
 (0)