{"id":1790,"date":"2015-09-15T20:46:36","date_gmt":"2015-09-16T00:46:36","guid":{"rendered":"https:\/\/adsecurity.org\/?p=1790"},"modified":"2016-11-14T14:04:08","modified_gmt":"2016-11-14T19:04:08","slug":"microsoft-local-administrator-password-solution-laps","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=1790","title":{"rendered":"Microsoft Local Administrator Password Solution (LAPS)"},"content":{"rendered":"

The Issue
\n<\/strong>The real problem with local accounts on a computer in an enterprise environment is that the term “local” is a misnomer. If 50 computers on a network have the local administrator account of “Administrator” and a password of “P@55w0rd1!”, first of all that’s a HORRIBLE password. Second of all and more to the point, if one of those computers is compromised, they will all be compromised. Windows is very helpful. So helpful that if you pass the local admin credentials to another computer with the same local credentials, access is granted as if you logged on with the target system credentials. Dump administrator credentials on one to get admin on all! The best way to mitigate this issue is to ensure every computer has a different local administrator account password that is long, complex, and random and that changes on a regular basis.<\/p>\n

The earlier attempt to provide a method for regularly changing the local administrator password from Microsoft was less than ideal (see Group Policy Preferences password storage security issue<\/a>). You should also never, ever use a script that includes a clear-text password to change the local admin password<\/a> since these scripts tend to be placed in easily accessible locations like SYSVOL (to leverage Group Policy).<\/p>\n

Even if you deploy LAPS or some other local Administrator account password management solution, it’s still recommended to install KB2871997 <\/a>(if required) and configure a Group Policy to block local accounts from authenticating across the network. KB2871997 adds two new local SIDs including LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP (S-1-5-114) for any local account that is a member of the administrators group. Configuring this SID in a Group Policy with the settings \u201cDeny access to this computer from the network\u201d and \u201cDeny log on through Remote Desktop Services\u201d prevents local accounts from connecting over the network (for workstations, test carefully before deploying to servers).<\/p>\n

I also posted about “Microsoft LAPS Security & Active Directory LAPS Configuration Recon<\/a>” in August 2016 which covers some of the more interesting LAPS security scenarios.<\/p>\n

 <\/p>\n

\n
Microsoft Local Administrator Password Solution (LAPS) Overview<\/strong><\/div>\n
Microsoft Local Administrator Password Solution (LAPS<\/span>) <\/a>provides automated local administrator account management for every computer in Active Directory (LAPS is best for workstation local admin passwords). A client-side component installed on every computer generates a random password, updates the (new) LAPS<\/span> password attribute on the associated AD computer account, and sets the password locally. LAPS<\/span> configuration is managed through Group Policy which provides the values for password complexity, password length, local account name for password change, password change frequency, etc.<\/div>\n
<\/div>\n<\/div>\n

<\/p>\n

\u00a0Microsoft Local Administrator Password Solution (LAPS<\/span>):<\/a><\/strong><\/div>\n
\n
\n
\n

For environments in which users are required to log on to computers without domain credentials, password management can become a complex issue. Such environments greatly increase the risk of a Pass-the-Hash (PtH) credential replay attack. The Local Administrator Password Solution (LAPS) provides a solution to this issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.<\/p>\n

LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers. LAPS stores the password for each computer\u2019s local administrator account in Active Directory, secured in a confidential attribute in the computer\u2019s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.<\/p>\n

Use LAPS to automatically manage local administrator passwords on domain joined computers so that passwords are unique on each managed computer, randomly generated, and securely stored in Active Directory infrastructure. The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution\u2019s management tools provide easy configuration and administration.<\/p>\n

How does LAPS work?<\/b>
\nThe core of the LAPS solution is a GPO client-side extension (CSE) that performs the following tasks and can enforce the following actions during a GPO update:
\n\u2022 Checks whether the password of the local Administrator account has expired.
\n\u2022 Generates a new password when the old password is either expired or is required to be changed prior to expiration.
\n\u2022 Validates the new password against the password policy.
\n\u2022 Reports the password to Active Directory, storing it with a confidential attribute with the computer account in Active Directory.
\n\u2022 Reports the next expiration time for the password to Active Directory, storing it with an attribute with the computer account in Active Directory.
\n\u2022 Changes the password of the Administrator account.
\nThe password then can be read from Active Directory by users who are allowed to do so. Eligible users can request a password change for a computer.<\/p>\n

What are the features of LAPS?<\/b>
\nLAPS includes the following features:
\n\u2022 Security that provides the ability to:
\n\u2022 Randomly generate passwords that are automatically changed on managed machines.
\n\u2022 Effectively mitigate PtH attacks that rely on identical local account passwords.
\n\u2022 Enforced password protection during transport via encryption using the Kerberos version 5 protocol.
\n\u2022 Use access control lists (ACLs) to protect passwords in Active Directory and easily implement a detailed security model.
\n\u2022 Manageability that provides the ability to:
\n\u2022 Configure password parameters, including age, complexity, and length.
\n\u2022 Force password reset on a per-machine basis.
\n\u2022 Use a security model that is integrated with ACLs in Active Directory.
\n\u2022 Use any Active Directory management tool of choice; custom tools, such as Windows PowerShell, are provided.
\n\u2022 Protect against computer account deletion.
\n\u2022 Easily implement the solution with a minimal footprint.<\/p>\n<\/div>\n<\/blockquote>\n<\/div>\n

The Microsoft Security Advisory 3062591<\/a> includes additional information on LAPS.<\/div>\n
<\/div>\n
\n
Why is this important?<\/strong><\/div>\n
LAPS<\/span> solves the difficult issue of managing every computer\u2019s local administrator account password which is often only used in situations where a domain account cannot. Often a local administrator account password will remain the same throughout the lifetime of a computer and is often the same as many other computers on the network. The same local administrator account and password on multiple computers can be exploited by attackers to compromise a network. Ensuring local admin account passwords are different on every computer on the network mitigates an attackers ability to expand administrative control beyond a single system using local credentials.<\/div>\n
<\/div>\n
<\/div>\n
How is it configured?<\/strong><\/div>\n
LAPS<\/span> deployment has several steps:<\/div>\n
    \n
  1. Download LAPS files..<\/a>.This includes the Operations guide – please read it thoroughly before deploying<\/li>\n
  2. Active Directory schema update to add the 2 required LAPS<\/span> attributes for computer accounts.<\/li>\n
  3. Delegation at the domain or Organizational Unit (OU) level so the computers can update their LAPS<\/span> passwords.<\/li>\n
  4. Delegation at the OU level enabling AD groups to view or force a reset of computer local admin account passwords.<\/li>\n
  5. Installation of the LAPS<\/span> client-side component (via SCCM or similar) which performs the password change and updates the computer\u2019s attribute based on LAPS GPO settings.<\/li>\n
  6. A new Group Policy created to enable the LAPS<\/span> client-side component to change the local account password as well as provide LAPS<\/span> configuration for the client (password complexity, password length, local account name for password change, password change frequency, etc).<\/li>\n<\/ol>\n

     <\/p>\n

    Once LAPS is deployed, there are several methods approved users can view the computer local admin password(s):<\/div>\n