Securing local administrator accounts is critical to prevent lateral movement after a breach: a shared or guessable local admin password on one host is a password for every host built from the same image. Below is a guide to implementing Group Policy Objects (GPO) for securing local administrator accounts, including deployment of Windows LAPS (Local Administrator Password Solution) so that every machine gets its own randomized, regularly rotated password.
1. Enable Account Lockout for the Built-in Local Administrator
Historically the built-in Administrator account (RID 500) was exempt from lockout, which made it the ideal target for password spraying. The "Allow Administrator account lockout" setting closes that gap. It exists on Windows 11 22H2 and on Windows 10 / Windows Server builds that have the October 2022 cumulative update (or later) installed.
GPO Settings:
Path:
`Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy`
- Account lockout threshold: `10` invalid attempts (recommended; `0` means the account never locks)
- Account lockout duration: `15 minutes`
- Reset account lockout counter after: `15 minutes`
- Allow Administrator account lockout: `Enabled`
"Allow Administrator account lockout" is a Security Settings item in the same Account Lockout Policy node, not an Administrative Template, so updating ADMX files does not add it. If it is missing from the editor, the machine you are running the Group Policy editor (or RSAT) from needs the October 2022 or later update. Once applied, `secedit /export` writes it as `AllowAdministratorLockout = 1` in the `[System Access]` section, which is the easiest way to confirm it on a client.
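The following audit script is an added example, not part of the original post. It exports the effective local security policy with `secedit` and compares the lockout keys to the recommendations above (the expected values are this article's, not Windows defaults), so it catches the common failure cases: threshold left at `0`, or a build that never exposes `AllowAdministratorLockout` at all. It assumes it runs elevated on the client being checked.

```powershell
# Added example (not part of the original post): audit the effective account lockout
# settings on the local machine against the recommendations above. Run elevated;
# secedit needs administrative rights. Expected values are this article's
# recommendations, not Windows defaults.
$Expected = @{
    LockoutBadCount           = 10   # Account lockout threshold (0 = never lock)
    LockoutDuration           = 15   # minutes (-1 = locked until an admin unlocks)
    ResetLockoutCount         = 15   # minutes
    AllowAdministratorLockout = 1    # only exported by builds that ship the setting
}

function Get-LockoutPolicy {
    # Exports the local security policy with secedit and pulls the lockout keys
    # out of the [System Access] section ("Name = Value" lines).
    $inf = Join-Path $env:TEMP "secpol-$PID.inf"
    try {
        & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
        $policy = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount|AllowAdministratorLockout)\s*=\s*(-?\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-LockoutPolicy {
    param([hashtable]$Policy, [hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        if (-not $Policy.ContainsKey($name)) {
            # secedit omits duration/reset when the threshold is 0, and omits
            # AllowAdministratorLockout entirely on builds that predate the setting.
            [pscustomobject]@{ Setting = $name; Actual = 'not set'; Expected = $Expected[$name]; Status = 'FAIL' }
            continue
        }
        $actual = $Policy[$name]
        $ok = switch ($name) {
            'LockoutBadCount'           { $actual -gt 0 -and $actual -le $Expected[$name] }  # lockout on, and no looser than recommended
            'LockoutDuration'           { $actual -eq -1 -or $actual -ge $Expected[$name] }
            'ResetLockoutCount'         { $actual -ge $Expected[$name] }
            'AllowAdministratorLockout' { $actual -eq 1 }
        }
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = $Expected[$name]
            Status   = if ($ok) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-LockoutPolicy -Policy (Get-LockoutPolicy) -Expected $Expected | Format-Table -AutoSize
```

Run it after `gpupdate /force` on a machine in the target OU; any FAIL row for `AllowAdministratorLockout` means the built-in account is still unlockable on that host regardless of the threshold.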
2. Deploy Windows LAPS (Local Administrator Password Solution)
Use Windows LAPS, which is built into the OS, not the legacy LAPS MSI (AdmPwd). The two use different schema attributes, policy paths and PowerShell modules; the cmdlets below come from the built-in `LAPS` module, and the legacy `Update-AdmPwdADSchema` does not prepare the directory for Windows LAPS.
Steps:
1. Extend the AD schema (one time per forest, as a Schema Admin, from a machine that already has Windows LAPS):
Update-LapsADSchema
2. Grant the computers in the target OU permission to write their own LAPS attributes with `Set-LapsADComputerSelfPermission` against the OU's distinguished name. Without this step clients log policy-processing errors and no password is ever backed up.
3. Enable LAPS via GPO:
Path:
`Computer Configuration > Administrative Templates > System > LAPS`
- Configure password backup directory: `Enabled`, directory `Active Directory`
- Password Settings: `Enabled`; complexity `Large letters + small letters + numbers + special characters`; length `14` or more; password age `30 days`
- Name of administrator account to manage: leave blank to manage the built-in (RID 500) `Administrator`, which also works if that account has been renamed
- Enable password encryption: `Enabled` (stores the password encrypted in AD so only the configured authorized decryptors can read it; requires the Windows Server 2016 domain functional level)
Requirements:
- Workstations: Windows 10 / Windows 11 with the April 2023 cumulative update or later
- Servers: Windows Server 2019 / 2022 with the April 2023 cumulative update or later
- Domain: Windows Server 2016 domain functional level if password encryption is enabled
3. Apply GPO to Admin Workstations
- Create an OU for admin workstations.
- Move relevant PCs to this OU.
- Link the GPO to this OU.
Force Policy Update (on a client in the OU):
gpupdate /force
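The whole procedure from steps 2 and 3 (schema, OU permission, GPO, link), as an added example that is not part of the original post. It drives the GPO through the `GroupPolicy` module by writing the registry values that the Windows LAPS ADMX templates map to under `HKLM\Software\Microsoft\Policies\LAPS`, so the result is identical to clicking through the editor but repeatable. The OU distinguished name and GPO name are assumptions; run it from a management host with RSAT and the built-in `LAPS` module, as a Schema Admin for the schema step and a Domain Admin for the rest.

```powershell
# Added example (not part of the original post). Assumed names: the OU DN and GPO name
# below. Requires RSAT (GroupPolicy, ActiveDirectory) and the built-in LAPS module.
Import-Module LAPS, GroupPolicy, ActiveDirectory

$OU      = 'OU=Admin Workstations,DC=corp,DC=example'   # assumption: target OU
$GpoName = 'Windows LAPS - Local Admin'                  # assumption: GPO name
$Key     = 'HKLM\Software\Microsoft\Policies\LAPS'       # registry path the LAPS ADMX writes to

# 1. Schema extension (one time per forest, needs Schema Admins).
Update-LapsADSchema -Confirm:$false

# 2. Let computers in the OU write their own msLAPS-* attributes.
Set-LapsADComputerSelfPermission -Identity $OU

# 3. Create (or reuse) the GPO and set the LAPS policy values.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

$settings = @{
    BackupDirectory                = 2    # 2 = Active Directory (1 = Entra ID, 0 = disabled)
    PasswordAgeDays                = 30
    PasswordLength                 = 14
    PasswordComplexity             = 4    # upper + lower + digits + special characters
    ADPasswordEncryptionEnabled    = 1    # needs 2016 domain functional level
    ADEncryptedPasswordHistorySize = 3    # keep a few old passwords for restored snapshots
    PostAuthenticationResetDelay   = 24   # hours after the managed account logs on...
    PostAuthenticationActions      = 3    # ...then reset the password and log off its sessions
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Guid $gpo.Id -Key $Key -ValueName $name -Type DWord -Value $settings[$name] | Out-Null
}
# AdministratorAccountName is deliberately left unset: the built-in RID 500 account is managed.

# 4. Link the GPO to the OU (idempotent).
$linked = (Get-GPInheritance -Target $OU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $OU -LinkEnabled Yes | Out-Null
}

# 5. On a client in the OU, after "gpupdate /force", force a LAPS cycle and read the result:
#    Invoke-LapsPolicyProcessing
#    Get-LapsADPassword -Identity $env:COMPUTERNAME -AsPlainText
```

The post-authentication settings are what make the rotation matter: after someone actually uses the local admin password, LAPS rotates it again within the configured delay, so a password read from AD for a support session does not remain valid afterwards.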
4. Audit and Verify
- Account lockout: for a local account the lockout event is written to the Security log of the machine itself (for domain accounts it is written on the domain controller). Filter for Event ID 4740 (A user account was locked out); it records the locked account and the Caller Computer Name, i.e. where the failed attempts came from.
- LAPS processing: on the client, open `Applications and Services Logs > Microsoft > Windows > LAPS > Operational`. Event ID 10018 confirms the new password was backed up to Active Directory; errors there usually mean the computer lacks write permission on its own LAPS attributes.
- Retrieve a LAPS password via PowerShell (as a user granted read access to the attributes; without `-AsPlainText` the password is returned as a SecureString):
Get-LapsADPassword -Identity "PC-NAME" -AsPlainText
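An added example, not part of the original post, that turns the checks above into a fleet-wide report for one OU: which computers have a current LAPS password in AD (and when it was last rotated), which have none, and which have logged local lockouts recently. The OU distinguished name is an assumption; it assumes RSAT, the built-in `LAPS` module, rights to read LAPS passwords, and remote access to the clients' event logs.

```powershell
# Added example (not part of the original post): audit LAPS coverage and local admin
# lockouts for the computers in one OU. Assumed: RSAT ActiveDirectory + built-in LAPS
# module, run as an account allowed to read LAPS passwords and remote Security logs.
Import-Module ActiveDirectory, LAPS

$OU = 'OU=Admin Workstations,DC=corp,DC=example'   # assumption: target OU

function Get-LocalAdminLockouts {
    # 4740 for a *local* account is written on the machine where the lockout happened,
    # so query each computer's own Security log rather than the domain controllers.
    param([string[]]$ComputerName, [int]$Days = 7)
    foreach ($computer in $ComputerName) {
        $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Host           = $computer
                LockedAccount  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                # In 4740 the TargetDomainName field carries the "Caller Computer Name",
                # i.e. the machine the failed attempts originated from.
                CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
            }
        }
    }
}

function Get-LapsBackupStatus {
    # Confirms each computer has a LAPS password in AD and whether it is still current.
    param([string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            $p = Get-LapsADPassword -Identity $computer -ErrorAction Stop
            [pscustomobject]@{
                Host        = $computer
                Account     = $p.Account
                LastRotated = $p.PasswordUpdateTime
                Expires     = $p.ExpirationTimestamp
                Status      = if ($p.ExpirationTimestamp -lt (Get-Date)) { 'EXPIRED - check client LAPS log' } else { 'OK' }
            }
        } catch {
            # No msLAPS-* attributes yet: policy not applied, or the computer cannot write to AD.
            [pscustomobject]@{ Host = $computer; Account = $null; LastRotated = $null; Expires = $null
                               Status = "NOT BACKED UP: $($_.Exception.Message)" }
        }
    }
}

function Get-LapsClientEvents {
    # Reads the LAPS operational log on one client; Id 10018 = password backed up to AD.
    param([string]$ComputerName, [int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-LAPS/Operational'; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$computers = (Get-ADComputer -SearchBase $OU -Filter *).Name
Get-LapsBackupStatus   -ComputerName $computers | Format-Table -AutoSize
Get-LocalAdminLockouts -ComputerName $computers | Sort-Object Time -Descending | Format-Table -AutoSize
```

A host that shows `NOT BACKED UP` while others in the same OU are `OK` almost always points at the `Set-LapsADComputerSelfPermission` step having been skipped for a sub-OU, which `Get-LapsClientEvents` against that host will confirm.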
You Should Know:
Additional Security Measures:
- Disable the default Administrator account:
net user Administrator /active:no
If you disable the built-in account, point LAPS at a different local admin account via "Name of administrator account to manage"; otherwise LAPS keeps rotating the password of an account nobody can log on with and you lose your break-glass path. Pick one: a LAPS-managed built-in account, or a disabled built-in account plus a LAPS-managed replacement.
- Block network logon for local administrators: under `Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment`, add `Local account and member of Administrators group` (S-1-5-114) to both `Deny access to this computer from the network` and `Deny log on through Remote Desktop Services`. This stops a local admin password or hash harvested on one host from being replayed over SMB, WinRM or RDP to another, which is exactly the lateral movement LAPS is meant to contain.
- Enable Windows Defender Attack Surface Reduction (ASR) rules; the one most relevant here is "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", rule ID `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`:
Set-MpPreference -AttackSurfaceReductionRules_Ids <RuleID> -AttackSurfaceReductionRules_Actions Enabled
- Restrict RDP access. Enabling the "Remote Desktop" firewall rule group for all sources widens exposure rather than restricting it; instead scope the inbound rules to your management subnet (the address below is a placeholder):
netsh advfirewall firewall set rule group="Remote Desktop" new remoteip=10.0.0.0/24
- Enable PowerShell script block logging (Event ID 4104 in `Microsoft-Windows-PowerShell/Operational`):
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v "EnableScriptBlockLogging" /t REG_DWORD /d 1 /f
What Undercode Say:
Securing local administrator accounts via GPO and LAPS is a must in enterprise environments. Attackers frequently exploit weak or shared local admin passwords for lateral movement, because one password recovered from one machine unlocks every machine built from the same image. Account lockout for the built-in account, LAPS-rotated unique passwords, network logon restrictions for local admins and strict auditing together remove that shortcut.
Expected Output:
- Built-in local admin accounts that lock out after repeated bad passwords, each with its own randomized password.
- Auditable logs for failed logons and lockouts (4740) and for every LAPS rotation (10018).
- No single local admin password that is reusable across machines, so a credential stolen from one host does not open the rest.
Prediction:
As cyber threats evolve, Microsoft will likely integrate more AI-driven security policies into GPO and LAPS, automating threat response for local admin accounts.
Reported By: Phuong Nguyen – Hackers Feeds