When every local admin password is the same
Without LAPS, one cracked or dumped local administrator password often unlocks every workstation in the building. Here is why shared local admin is a lateral-movement superhighway, and the fix.
One machine falls, and because every machine shares the same local admin secret, they all fall.
What it is
When local administrator passwords are set from a common image or policy and never rotated, every machine shares the same local admin secret. An attacker who reaches SYSTEM on one box dumps the NT hash from the local SAM and replays it with pass-the-hash against SMB, RPC or WinRM on every other machine, moving laterally across the fleet until landing on a host where a privileged domain account has a session or cached credential to harvest. By default this works for the built-in RID 500 Administrator account; other local administrators are filtered by UAC remote restrictions unless LocalAccountTokenFilterPolicy has been set to 1, which is often done so remote management tools can use local accounts. This is T1078.003 (Valid Accounts: Local Accounts) combined with T1550.002 (Use Alternate Authentication Material: Pass the Hash).
Why it works
NTLM authentication proves possession of the NT hash, not the password, so a dumped hash is a working credential and no cracking is needed. Because that hash is identical on every host and never changes, a single foothold becomes fleet-wide access, and it is local-account activity that domain-centric monitoring may never see.
How to detect it
Look for one local account authenticating over the network to many machines in a short window, and admin logons from sources that should never initiate them, such as workstation to workstation. In the Security log that is Event ID 4624 with Logon Type 3 and Authentication Package NTLM, where TargetDomainName is the target computer's own name rather than the domain (that is how a local account shows up), correlated across hosts by TargetUserName and source IpAddress; a 4672 tied to the same logon confirms it was privileged. Event 4776 appearing on workstations rather than domain controllers is another tell, because local accounts are validated locally. Each 4624 is written on the host being logged into, so this only works when the logs are forwarded to a central store.
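The correlation described above, as an added example that is not part of the original post. It flattens 4624 records into the handful of fields the detection needs, then flags any local account that makes NTLM network logons to many different hosts inside a window. The function names, the 30-minute window and the five-host threshold are assumptions for illustration; the event field names are the standard 4624 ones. The sample logons at the bottom are constructed, not real telemetry.

```powershell
# Added example (not from the original post): flag a local account making NTLM
# network logons to many hosts in a short window. Field names follow Security
# event 4624; the window and host threshold are assumed tuning values.

function ConvertFrom-LogonEvent {
    # Flatten a 4624 record from Get-WinEvent into the fields the detection uses.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Computer  = ($x.Event.System.Computer -split '\.')[0]   # target host, short name
            User      = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            LogonType = [int]$d['LogonType']
            AuthPkg   = $d['AuthenticationPackageName']
            Source    = $d['IpAddress']
        }
    }
}

function Find-SharedLocalAdminSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Logons,
        [int] $WindowMinutes = 30,   # assumed window
        [int] $MinHosts      = 5     # assumed: distinct target hosts before alerting
    )
    # A local account's 4624 carries the target computer's own name as the
    # domain, so Domain -eq Computer is the local-account discriminator.
    $candidates = $Logons | Where-Object {
        $_.LogonType -eq 3 -and $_.AuthPkg -eq 'NTLM' -and
        $_.Domain -eq $_.Computer -and
        $_.User -ne 'ANONYMOUS LOGON' -and -not $_.User.EndsWith('$')
    }
    foreach ($group in ($candidates | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start    = $sorted[$i].Time
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $start.AddMinutes($WindowMinutes) })
            $hosts    = @($inWindow.Computer | Sort-Object -Unique)
            if ($hosts.Count -ge $MinHosts) {
                [pscustomobject]@{
                    Account   = $group.Name
                    FirstSeen = $start
                    Hosts     = $hosts -join ','
                    Sources   = (@($inWindow.Source | Sort-Object -Unique) -join ',')
                }
                break   # one alert per account; the hunt starts from here
            }
        }
    }
}

# Constructed sample, not real telemetry: one source replays the shared
# Administrator hash against six workstations inside eight minutes, mixed with
# ordinary logons that must not fire.
$t0 = Get-Date '2024-03-01 09:00:00'
$sample = @(
    foreach ($i in 1..6) {
        [pscustomobject]@{ Time = $t0.AddMinutes($i); Computer = "WS0$i"; User = 'Administrator';
                           Domain = "WS0$i"; LogonType = 3; AuthPkg = 'NTLM'; Source = '10.0.5.23' }
    }
    [pscustomobject]@{ Time = $t0.AddMinutes(2); Computer = 'WS02'; User = 'jdoe'; Domain = 'CORP';
                       LogonType = 3; AuthPkg = 'Kerberos'; Source = '10.0.5.40' }   # domain account
    [pscustomobject]@{ Time = $t0.AddMinutes(3); Computer = 'WS07'; User = 'Administrator'; Domain = 'WS07';
                       LogonType = 2; AuthPkg = 'Negotiate'; Source = '-' }          # console, not network
)
Find-SharedLocalAdminSpray -Logons $sample | Format-List

# Against forwarded logs on a collector (reading Security requires elevation):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-24)} |
#     ConvertFrom-LogonEvent | Find-SharedLocalAdminSpray
```

Run against the constructed sample, only the Administrator group fires: six distinct hosts from one source inside the window, while the Kerberos domain logon and the console logon are filtered out before grouping. On a real fleet the same logic belongs in the SIEM over forwarded events, because a single workstation's Security log only ever shows the logons made to that one host.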
The fix that holds
Deploy Windows LAPS so each machine has a unique, regularly rotated local administrator password escrowed in Active Directory or Microsoft Entra ID, with post-authentication reset enabled so a password is rotated after anyone uses it. Deny network logon for local administrators by assigning the "Deny access to this computer from the network" user right to the built-in SID S-1-5-114 (Local account and member of Administrators group), and block workstation-to-workstation SMB, RPC and WinRM at the host firewall. Any workflow that still drives local admin accounts over SMB or WinRM has to move to domain accounts first, or the deny right will break it. Then one dumped hash unlocks one machine, not all of them, and that one only until the next rotation.
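An audit for the three controls above, as an added example that is not part of the original post. It reads the Windows LAPS policy key, the UAC remote-restriction value and the effective user-rights assignment on one host and reports what is missing; it changes nothing. The function name is hypothetical; the registry paths, the SeDenyNetworkLogonRight name and the S-1-5-114 SID are the standard Windows values. Run it elevated, since secedit needs administrator rights to export the local policy.

```powershell
# Added example (not from the original post): audit one host for LAPS, UAC
# remote restrictions and the deny-network-logon right. Read-only; run elevated.

function Test-LocalAdminHardening {
    [CmdletBinding()] param()
    $findings = @()

    # 1. Windows LAPS policy: BackupDirectory 1 = Entra ID, 2 = Active Directory,
    #    0 or absent = the local admin password is not managed at all.
    $laps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
    if (-not $laps -or $laps.BackupDirectory -notin 1, 2) {
        $findings += 'LAPS: no Windows LAPS policy, or BackupDirectory is not 1 (Entra) or 2 (AD)'
    } elseif (-not $laps.PostAuthenticationResetDelay) {
        $findings += 'LAPS: no post-authentication reset; a used password stays valid until the age-based rotation'
    }

    # 2. UAC remote restrictions: LocalAccountTokenFilterPolicy=1 gives every local
    #    admin (not just RID 500) a full token over the network, widening pass-the-hash.
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($sys -and $sys.LocalAccountTokenFilterPolicy -eq 1) {
        $findings += 'UAC: LocalAccountTokenFilterPolicy=1; all local admins can pass-the-hash over the network'
    }

    # 3. Deny network logon: export the effective policy (GPO-applied on domain
    #    members) and check that S-1-5-114 is listed in SeDenyNetworkLogonRight.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $deny = (Get-Content $inf -ErrorAction SilentlyContinue | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }) -join ' '
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($deny -notmatch 'S-1-5-114') {
        $findings += 'Rights: S-1-5-114 (local account and member of Administrators) is not denied network logon'
    }

    # 4. Segmentation, the minimum check: the Domain firewall profile must be on,
    #    otherwise no inbound SMB/RPC/WinRM rule is being enforced at all.
    $profile = Get-NetFirewallProfile -Name Domain -ErrorAction SilentlyContinue
    if (-not $profile -or "$($profile.Enabled)" -ne 'True') {
        $findings += 'Firewall: Domain profile is off; workstation-to-workstation traffic is not filtered'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Pass     = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-LocalAdminHardening | Format-List

# From an admin workstation with the LAPS RSAT module, confirm the password is
# escrowed and expiring per host (requires read permission on the attribute):
# Get-LapsADPassword -Identity WS01
```

A clean result means the host is managed, its non-RID-500 local admins are token-filtered, local administrators cannot authenticate over the network, and the Domain firewall profile is enforcing whatever inbound rules you have set. It does not prove the rules themselves block workstation-to-workstation SMB, RPC and WinRM; review those separately.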
Practice it
We built a shared-local-admin scenario in GraphLattice Range so teams see how fast pass-the-hash spreads and how LAPS breaks it.