
Local administrator accounts should be disabled wherever possible to reduce attack surface. Where a local administrator account is still required, Windows LAPS manages its password with automated rotation, encrypted storage and restricted access.
Passwords are backed up to Microsoft Entra ID, enabling secure, cloud-based retrieval with RBAC-controlled access. Automatic account management is enabled so that the managed account itself (not only its password) is created, enabled and rotated according to policy.
A passphrase, rather than a random character string, is used to simplify manual entry by the helpdesk; a length of 6 words keeps it usable while retaining enough entropy.
Passwords are rotated every 30 days, and password expiration protection is enabled so that the stored expiration time can never be extended beyond that 30-day maximum. Additionally, the managed local administrator account name is randomized (the configured prefix followed by random digits) on each rotation, which reduces predictability and makes the account harder to target by name.
Note: the Windows LAPS automatic account management feature is only supported on Windows 11 24H2, Windows Server 2025 and later releases (see "Windows LAPS account management modes" on Microsoft Learn).
Design decisions
| Setting | Value | Justification |
|---|---|---|
| Backup Directory | Microsoft Entra ID | Centralized and secure cloud storage for passwords; integrates with Intune and supports RBAC for access control. |
| Automatic Account Management | Enabled | Ensures the local administrator account is automatically managed and rotated. |
| Password Type | Passphrase | Passphrases are easier for helpdesk staff to manually input when required. |
| Passphrase Length | 6 words | Offers a balance between usability and entropy, and is more user-friendly for manual access scenarios. |
| Password Length (if not using passphrase) | 18 characters | Provides strong security, resisting brute-force attacks while remaining usable. |
| Password Complexity | 4 (Uppercase, lowercase, numbers, special characters) | Applies when a character password is generated instead of a passphrase; ensures strong, complex passwords that meet best practices. In Windows LAPS the passphrase types are selected through this same setting (values 6 to 8), so with the passphrase design above the effective value is one of those. |
| Password Age | 30 days | Ensures passwords are rotated frequently without overburdening the system. |
| Password Expiration Protection | Enabled | Prevents the stored password expiration time from being extended beyond the configured Password Age; if a longer expiration is detected, the password is rotated immediately. |
| Automatic Account Management Name Or Prefix | For example PCADMIN | Use a custom prefix that fits your organization. |
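The following PowerShell is an added example, not code from the original post: it audits a device's effective Windows LAPS policy against the design table above, forces a policy run so a failed Entra ID backup surfaces immediately, and shows the helpdesk retrieval path. It assumes the policy is delivered by Intune or Group Policy and lands under HKLM:\SOFTWARE\Microsoft\Policies\LAPS with the Windows LAPS CSP value names and encodings (BackupDirectory 1 = Microsoft Entra ID, PasswordComplexity 6 = passphrase with long words); the PCADMIN prefix and the device ID are placeholders.

```powershell
# Added example (not from the original post): compare a device's effective Windows LAPS
# policy with the design decisions table, trigger a policy run, and read the password
# back from Microsoft Entra ID. Run elevated on Windows 11 24H2 / Windows Server 2025.
# Assumptions: policy is written by Intune/GPO to the key below; value names and
# encodings are those of the Windows LAPS CSP; PCADMIN and $DeviceId are placeholders.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Expected values derived from the design table. Passphrases are selected through
# PasswordComplexity (6 = long words, 7 = short words, 8 = short words with unique
# prefixes); PassphraseLength is the word count. PasswordLength only applies when a
# character password (complexity 1-5) is in effect. RandomizeName implements the
# account-name rotation described in the text.
$Expected = [ordered]@{
    BackupDirectory                         = 1          # 1 = Microsoft Entra ID, 2 = Active Directory
    AutomaticAccountManagementEnabled       = 1
    AutomaticAccountManagementNameOrPrefix  = 'PCADMIN'  # placeholder prefix
    AutomaticAccountManagementRandomizeName = 1
    PasswordComplexity                      = 6
    PassphraseLength                        = 6
    PasswordLength                          = 18
    PasswordAgeDays                         = 30
    PasswordExpirationProtectionEnabled     = 1
}

function Test-LapsDesignPolicy {
    <# Returns one object per setting with the expected value, the value actually present
       in the policy key, and whether they match. Missing values are reported as $null so
       a half-applied policy is visible instead of silently falling back to defaults. #>
    param(
        [string]$Key = $PolicyKey,
        [System.Collections.IDictionary]$Expect = $Expected
    )
    $actual = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    foreach ($name in $Expect.Keys) {
        $value = if ($actual -and $actual.PSObject.Properties[$name]) { $actual.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expect[$name]
            Actual   = $value
            Match    = ($null -ne $value) -and ("$value" -eq "$($Expect[$name])")
        }
    }
}

$report = Test-LapsDesignPolicy
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Match }) {
    Write-Warning 'Effective LAPS policy deviates from the design; check the Intune/GPO assignment before relying on rotation.'
}

# Force a policy processing cycle now and show the latest LAPS operational events, so a
# failed backup to Entra ID is caught today rather than at the next 30-day rotation.
Invoke-LapsPolicyProcessing
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# Helpdesk retrieval path (the RBAC-controlled access mentioned in the text). Requires the
# Microsoft.Graph module and a role that grants
# microsoft.directory/deviceLocalCredentials/password/read. $DeviceId is the Entra device
# ID (placeholder below), e.g. taken from Get-MgDevice.
$DeviceId = '00000000-0000-0000-0000-000000000000'
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'
Get-LapsAADPassword -DeviceIds $DeviceId -IncludePasswords -AsPlainText |
    Select-Object DeviceName, Account, Password, PasswordExpirationTime, PasswordUpdateTime
```

The audit reads the policy key rather than the local configuration key because policy always wins; a device that shows the right values locally but a different Intune assignment will still rotate on the Intune schedule. The returned Account value is the randomized name in effect at the time of the last rotation, which is why the helpdesk should retrieve it from Entra ID together with the password instead of assuming the prefix.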
