18.9.25.8 (L1) Ensure 'Post-authentication actions: Actions' is set to 'Enabled: Reset the password and logoff the managed account' or higher

Information

This policy settings configures post-authentication actions which will be executed after detecting an authentication by the LAPS managed account. The Action refers to actions to take upon expiry of the grace period before executing the specified post-authentication actions.

Post-authentication actions:

- Reset password : upon expiry of the grace period, the managed account password will be reset.
- Reset the password and logoff the managed account : upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated.
- Reset the password and reboot the device : upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.

Warning: After an interactive logon session is terminated, other authenticated sessions using the Windows LAPS managed account may still be active. The only way to ensure that the previous password is no longer in use is to reboot the OS.

The recommended state for this setting is: Enabled: Reset the password and logoff the managed account or higher.

Note: Organizations that utilize third-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations.

Note #2: Windows LAPS does not support standalone computers - they must be joined to an Active Directory domain or Entra ID (formerly Azure Active Directory).

Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Reset the password and logoff the managed account or higher:

Computer Configuration\Policies\Administrative Templates\System\LAPS\Post-authentication actions: Actions

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template LAPS.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates v3.0 (or newer).

Impact:

After the grace period expires, the Windows LAPS managed account password will be reset and logged off the system or the OS will be restarted.

See Also

https://workbench.cisecurity.org/benchmarks/17689

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)

Plugin: Windows

Control ID: 0e2b0f6f9d933806cf0a390d37c3f8460d49e7744b835bcbc6139790ee9ce9e1