Another in the series of ADCS PKI Worst Practices:
Having a common local admin password for any CA and any other machine.
Having the same local admin password on multiple machines enables what I call “invisible lateral traversal” - you can compromise one machine and then move through the network, compromising host after host, without creating a single logon record on a domain controller! All using one password and one common local account!
I call it invisible because you’d need log collection or an agent on each machine to spot this behaviour, and most orgs aren’t (weren’t?) geared up for that.
And - in my experience - many service providers will use this technique to ensure access to the target systems. In a totally legitimate-seeming way.
So: If there’s a “serviceprovidername” account in the local admins group on all your servers - yeah, that’s probably a common-password account which needs to be randomized (as well).
(NB: If there’s more than one, you have a Proper Problem, and should randomize every local Admin password forthwith!)
So: As it’s a Worst Practice anyway, uniquify your local admin passwords! All of them! LAPS only does one, but it can at least muck a few others up with a little planning.
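One way to find the “serviceprovidername” pattern described above before an attacker does: an added PowerShell audit (example code, not from the original post) that lists local (non-domain) members of the Administrators group on a set of servers and reports any account name that recurs on more than one host. It assumes WinRM is enabled and that you hold admin rights on each target; the `$Threshold` parameter and the output fields are my own choices.

```powershell
# Added example: audit local Administrators membership across servers and flag
# local accounts that appear on more than one host (candidates for randomization).
# Assumes: WinRM enabled on targets, caller is a local admin on each of them.
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [int] $Threshold = 1   # flag any local account seen on more than this many hosts
)

$members = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
    # Runs on each host: keep only principals defined locally. Domain groups such as
    # Domain Admins are expected members and are deliberately ignored here.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'Local' } |
        ForEach-Object {
            [pscustomobject]@{
                Host    = $env:COMPUTERNAME
                Account = ($_.Name -split '\\')[-1]   # strip the HOST\ prefix
                Sid     = $_.SID.Value
                # RID 500 is the built-in Administrator that LAPS already manages;
                # anything else recurring across hosts is the interesting part.
                BuiltIn = ($_.SID.Value -like '*-500')
            }
        }
}

# Group by account name; the same name on many hosts is the shared-password smell.
$members |
    Group-Object Account |
    Where-Object { $_.Count -gt $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Name
            HostCount = $_.Count
            Hosts     = (($_.Group.Host | Sort-Object -Unique) -join ', ')
            BuiltIn   = ($_.Group.BuiltIn -contains $true)
        }
    } |
    Sort-Object HostCount -Descending |
    Format-Table -AutoSize
```

Every non-built-in row in the output is an account whose password is worth randomizing per host; the built-in row is a reminder to confirm LAPS actually covers those machines.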
But. Then. You may still be susceptible to administrative compromise - as any Tier 0 resource might be - from domain accounts, service accounts, and tier incursions from Tier 1 - particularly control planes/management software run by less-protected administrator credentials.
As Frank Herbert might’ve said*:
“If you can run a command on a thing, you control that thing”
So consider that from the viewpoint of Hypervisor admin; Azure/AWS/GCP admin; SCCM/SCOM/YourMonitoringSolution admin; Antivirus admin; Arc Admin; and we’ll keep going from there.
* He literally never said that… but it’s his point, right? The actual quote might’ve gone “who has the power to destroy a thing, controls a thing,” or words to that effect involving towels and hitchhiking? All froody.