SOLVED

LAPS - Splunk account reading ms-Mcs-AdmPwd


Hi all,
We have used LAPS for a few years, and recently we started using a logging service called Splunk, and as it turns out, this logging service account is reading the ms-Mcs-AdmPwd attribute in Active Directory and sending it in cleartext.
The account we use that runs on the machines is a member of the "Administrators" but also "Domain Admins" group on the machines via a GPO (the "Restricted groups" setting). However, I've removed the "All extended attributes" ACL on the Domain Admins-group in our domain and I've also used the "Find-AdmPwdExtendedRights" on our two OUs where we have computer objects with LAPS, and this doesn't show the account (or the "Domain admins"-group) any longer.
What am I missing here? Is there an ACL I'm missing or am I thinking this wrong? Any help or ideas would be appreciated.

1 Reply
best response confirmed by JoniLjungqvist (Occasional Contributor)
Solution

@JoniLjungqvist 

This isn't necessarily a MDI topic, but here are a few recommendations I'd look into:
1.) Run the Splunk UF and associated account in low priv mode. Don't let your security monitoring/logging infra be leveraged against you.

2.) Configure your inputs.conf and mask that, e.g. 

SEDCMD-pwdmask = s/(ms\-Mcs\-AdmPwd\=).+/\1##########/g
3.) Go back and remove all those entries from splunk or rotate laps pws.
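As an added example that is not part of the original thread: a Python rendering of the masking step from point 2, run over constructed sample events, with a check a defender can run over already-indexed data to confirm no unmasked ms-Mcs-AdmPwd value remains. The narrower pattern and the sample events are assumptions for illustration, not from the post.

```python
import re

# Attribute and mask string as used in the SEDCMD from the answer above.
LAPS_ATTR = "ms-Mcs-AdmPwd"
MASK = "##########"

# Greedy form, as in the answer: masks everything after "ms-Mcs-AdmPwd="
# up to the end of the line. Safe regardless of which characters the LAPS
# password contains, but it also wipes any fields that follow it.
GREEDY = re.compile(r"(ms\-Mcs\-AdmPwd=).+")

# Narrower form (assumption, not from the post): stops at the next space,
# comma or semicolon so trailing fields survive. Only safe if your LAPS
# password policy excludes those characters; otherwise keep GREEDY.
NARROW = re.compile(r"(ms\-Mcs\-AdmPwd=)[^\s,;]+")

# Leak check: attribute followed by a non-space char that does not begin the mask.
LEAK = re.compile(r"ms\-Mcs\-AdmPwd=(?!" + re.escape(MASK) + r")\S")

# Constructed sample events (not real data). Note the second attribute,
# ms-Mcs-AdmPwdExpirationTime, must NOT be matched by the password regex.
SAMPLE_EVENTS = [
    "computer=WS01$ ms-Mcs-AdmPwd=Xy7!pQ2#zz "
    "ms-Mcs-AdmPwdExpirationTime=132601234567890123",
    "computer=WS02$ ms-Mcs-AdmPwdExpirationTime=132601234567890123",
]


def mask_event(event: str, greedy: bool = True) -> str:
    """Apply the SEDCMD-style substitution; keeps the attribute name (\\1)."""
    pattern = GREEDY if greedy else NARROW
    return pattern.sub(lambda m: m.group(1) + MASK, event)


def leaks_laps_password(event: str) -> bool:
    """True if the event still carries an unmasked ms-Mcs-AdmPwd value."""
    return LEAK.search(event) is not None


def audit(events):
    """Return the indices of events that still expose a LAPS password."""
    return [i for i, e in enumerate(events) if leaks_laps_password(e)]


if __name__ == "__main__":
    print("leaking before mask:", audit(SAMPLE_EVENTS))
    masked = [mask_event(e) for e in SAMPLE_EVENTS]
    print("leaking after mask: ", audit(masked))
```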