Local Administrator Password Solution (LAPS)

LAPS (Local Administrator Password Solution) is Microsoft's recommended mitigation for Pass-the-Hash (PtH) attacks that reuse the local administrator account's credential to move laterally from one machine to the next across your network.

Local administrator accounts are a bane to network administrators. Anyone with physical access can compromise the local account, and its password is typically standardized across the domain as a fallback tool for the help desk and administrators when computers lose their trust relationship with the domain. Because one password then unlocks every machine, a single compromised local administrator credential has the potential to create havoc across your network.

LAPS gives each managed computer a unique local administrator password and provides basic password management, with length, complexity and age requirements controlled through group policy. The password is stored on the computer object in Active Directory, and you decide which security groups may retrieve it by delegating permissions on that attribute; the LAPS UI (the "Fat Client UI" component) and the PowerShell module are the supported ways to read it. This is discussed in more detail in Microsoft Security Advisory 3062591:

https://technet.microsoft.com/en-us/library/security/3062591.aspx

The installation of LAPS comprises the following steps:

  1. Download and install components on the management server
  2. Update the Active Directory schema
  3. Set the permissions for viewing the local administrator password
  4. Push the client install component to the managed computers
  5. Set the group policies for LAPS
  6. Retrieve the password

Download and install components on the management server

The LAPS components can be downloaded from Microsoft at the following site:

https://www.microsoft.com/en-us/download/details.aspx?id=46899

There are both 32-bit and 64-bit MSIs available for download. We will create a GPO later in the article to deploy the correct one to each computer based on its architecture.

In this article, the LAPS management components will be installed on a Windows Server 2012 R2 domain controller. A domain controller is not required; any domain-joined management workstation works equally well, and the DC is used here only for convenience.

(Screenshot: Install LAPS)

Select all of the components (by default the installer only selects the client extension, so the management tools, the PowerShell module and the GPO templates must be added) and complete the installation on your management server.

Update the Active Directory Schema

The management tools installed the PowerShell module on your management server. Run PowerShell as an administrator with an account that is a member of the built-in Schema Admins group. The schema change is forest-wide and, like any schema extension, cannot be undone, so do it once from a host that can reach the schema master.

Import the AdmPwd.PS module within the PowerShell prompt:

Import-Module AdmPwd.PS

Then update your schema with the following cmdlet:

Update-AdmPwdADSchema

This adds two attributes to the computer class: ms-Mcs-AdmPwd, which holds the clear-text password and is flagged as confidential so that ordinary read access to the computer object does not expose it, and ms-Mcs-AdmPwdExpirationTime, which holds the time at which the password must next be changed. The cmdlet reports the status of each change.

(Screenshot: adm-pwd)

Set the permissions for viewing the local administrator password

We will use ADSI Edit to audit who is able to read the new attribute.

Open ADSI Edit, then right-click "ADSI Edit" at the top of the tree and choose "Connect to...":

(Screenshot: adsiedit)

Then choose the “Default naming context”:

(Screenshot: default_naming_context)

You will now need to drill down through your OUs to the container that holds the computers to be managed. Right-click the OU, select "Properties", choose the "Security" tab and click the "Advanced" button.

(Screenshot: ou_security_tab)

You now need to audit the accounts listed in the advanced security settings, ensuring that non-administrative accounts do not hold the "All extended rights" permission on the OU. Because ms-Mcs-AdmPwd is a confidential attribute, reading it requires an extended right rather than plain read access, and "All extended rights" grants exactly that to every computer object inheriting from the OU; any principal holding it can read every LAPS password below. This is to be UNCHECKED for anyone who does not need it. The module's Find-AdmPwdExtendedRights -Identity <OU> cmdlet produces the same list of right holders without clicking through ADSI Edit.

(Screenshot: all_extended_rights)

Next we need to allow the computers in our specific OU(s) to update their own password attributes, via the Set-AdmPwdComputerSelfPermission PowerShell cmdlet, specifying the correct distinguished name for each OU:

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=SBSComputers,DC=infosoda,DC=local"

Hint: Right-click the OU, select "Properties", choose the "Attribute Editor" tab, then "View" the distinguishedName to copy the correct distinguished name for your OU.

We then grant, per OU, the security groups that are allowed to retrieve the password set by LAPS, using the Set-AdmPwdReadPasswordPermission PowerShell cmdlet with the correct distinguished name for the OU and the correct security group:

Set-AdmPwdReadPasswordPermission -OrgUnit "OU=SBSComputers,DC=infosoda,DC=local" -AllowedPrincipals "Help Desk Support"

In the above example, members of the security group "Help Desk Support" can retrieve passwords for all computers within the SBSComputers OU. Repeat this step as necessary to ensure that the correct groups have access to the correct OUs. Keep the groups small: the read permission exposes the clear-text password of every computer in the OU, and membership in those groups is now equivalent to local administrator on all of them.
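
The permission steps above, as an added example that is not from the original article, run for several OUs in one pass. It first confirms that the schema was extended as described in the previous section, then grants the self-write, read and reset permissions and finally lists every principal that ends up holding an extended right on each OU. The domain DN is read from Active Directory; the Servers OU, the "Server Admins" group and the idea of a separate reset group are assumptions (the SBSComputers OU and "Help Desk Support" group are the ones used in the text).

```powershell
# Added example (not the article's own code): delegate LAPS permissions across
# several OUs and report who can read the password attribute afterwards.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$ous       = @("OU=SBSComputers,$domainDN", "OU=Servers,$domainDN")   # assumed OUs
$readers   = @("Help Desk Support", "Server Admins")                  # assumed groups
$resetters = @("Server Admins")                                       # assumed: may force a rotation

# Sanity check: the attribute must exist before an ACL can reference it
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'ms-Mcs-AdmPwd'" -Properties searchFlags
if (-not $attr) { throw "ms-Mcs-AdmPwd not found in the schema; run Update-AdmPwdADSchema first" }
# searchFlags bit 0x80 marks the attribute as confidential; that bit is what makes the ACL matter
if (-not ($attr.searchFlags -band 0x80)) { Write-Warning "ms-Mcs-AdmPwd is not flagged confidential" }

foreach ($ou in $ous) {
    # 1. Computers may write their own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null
    # 2. Named groups may read the password and its expiration time
    Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers | Out-Null
    # 3. A smaller set may write the expiration time, which forces a rotation at next refresh
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters | Out-Null
    # 4. Show everyone able to read the attribute here, including holders of
    #    "All extended rights" that the ADSI Edit audit above may have missed
    Find-AdmPwdExtendedRights -Identity $ou |
        Select-Object ObjectDN, @{ n = 'Holders'; e = { $_.ExtendedRightHolders -join ', ' } } |
        Format-Table -AutoSize
}
```

Run it from the management server with an account that can modify the OU ACLs (Domain Admins, or a delegated owner of the OUs). Any name in the "Holders" column that is not one of your intended groups is a finding to follow up on.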

Push the client install component to the managed computers

We can now create a policy to push either the x64 or the x86 client out to the machines, based on their architecture. Create a folder in your netlogon share, which every domain computer can read, and drop both the LAPS x64 and x86 MSIs that we downloaded earlier into the new folder:

(Screenshot: netlogon)

Now open Group Policy Management, create a new Group Policy Object with an appropriate name, and edit the new policy:

Computer Configuration -> Policies -> Software Settings -> Software Installation -> New -> Package

Add both MSIs from the netlogon folder. When adding the x86 package, open its properties and, on the "Deployment" tab under "Advanced", uncheck "Make this 32-bit X86 application available to Win64 machines", so that 64-bit computers receive only the x64 package:

(Screenshot: group_policy)

Link the policy to the correct OUs to let Group Policy push the MSI to the computers. Software installation is processed at computer startup, so each machine needs a reboot before the package is applied. Once installed, "Local Administrator Password Solution" will appear as an installed application under "Programs and Features".
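
Where a machine cannot wait for the next reboot, or when you want to stage a few pilot computers before linking the GPO, the same MSI can be installed from the netlogon share directly. The following is an added example, not part of the original article: it picks the MSI matching the OS architecture, refuses to run an installer whose Authenticode signature does not verify, and skips computers where the client extension is already present. The share path, folder name, MSI file names and the CSE install path are assumptions.

```powershell
# Added example (not the article's own code): install the LAPS client extension
# from the netlogon share without Group Policy software installation.
$share = "\\infosoda.local\netlogon\LAPS"      # assumed: the folder created above
$msi   = if ([Environment]::Is64BitOperatingSystem) { "LAPS.x64.msi" } else { "LAPS.x86.msi" }
$path  = Join-Path -Path $share -ChildPath $msi

# Anything on a world-readable share should be signature-checked before it runs as SYSTEM
$sig = Get-AuthenticodeSignature -FilePath $path
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install $path : signature status is $($sig.Status)"
}

# Assumed default install location of the client-side extension
$cseDll = Join-Path -Path $env:ProgramFiles -ChildPath 'LAPS\CSE\AdmPwd.dll'
if (Test-Path $cseDll) {
    "LAPS CSE already installed at $cseDll"
} else {
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$path`" /quiet /norestart" -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is pending
    if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode)" }
    "Installed $msi (exit code $($proc.ExitCode))"
}
```

Run it in an elevated session on the target computer, or wrap it in a startup script; after installation a gpupdate /force is enough for the extension to pick up the LAPS policy once that policy is linked.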

Set the group policies for LAPS

Using either the same Group Policy Object or a separate one, you now need to configure the LAPS settings. They are located at:

Computer Configuration -> Policies -> Administrative Templates -> LAPS

There are four settings in this folder; three of them will typically be enabled (the fourth, "Name of administrator account to manage", is only needed when you manage a custom local account; the built-in Administrator is identified by its well-known SID and is managed by default even if it has been renamed):

  • Password Settings
  • Do not allow password expiration time longer than required by policy
  • Enable local admin password management

(Screenshot: laps_gpo)

Password Settings (ENABLED): choose the password complexity, length and age. Recommended settings:

  • Password complexity: Large letters + small letters + numbers + specials
  • Password length: 20 characters
  • Password age (days): 30 days

Do not allow password expiration time longer than required by policy (ENABLED): without this, an expiration time in AD set further out than the configured age is honored, so anyone able to write ms-Mcs-AdmPwdExpirationTime could postpone rotation indefinitely; with it, such a value is detected and the password is changed at the next refresh instead.

Enable local admin password management (ENABLED): nothing happens on the clients until this is on.

Link the policy to the correct OU’s if it is a separate policy, and allow the policy to deploy to the environment.
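
The settings above reach the client extension as registry values written by the LAPS administrative template. The following added example, which is not from the original article, checks on a managed computer that the policy has applied and that the values match the recommendations in this section; the registry path is the one the LAPS ADMX writes to, and the value names are the ones it defines.

```powershell
# Added example (not the article's own code): verify the applied LAPS policy on a client.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
if (-not (Test-Path $key)) {
    throw "No LAPS policy applied to this computer; run gpupdate /force and check the GPO link"
}
$p = Get-ItemProperty -Path $key

# Expected values follow the recommendations in this section (complexity 4 = all four classes)
$checks = @(
    @{ Name = 'AdmPwdEnabled';                  Ok = ($p.AdmPwdEnabled -eq 1);                  Want = 'Enable local admin password management = Enabled' }
    @{ Name = 'PasswordComplexity';             Ok = ($p.PasswordComplexity -eq 4);             Want = 'large + small + numbers + specials' }
    @{ Name = 'PasswordLength';                 Ok = ($p.PasswordLength -ge 20);                Want = '20 or more' }
    @{ Name = 'PasswordAgeDays';                Ok = ($p.PasswordAgeDays -le 30);               Want = '30 or fewer' }
    @{ Name = 'PwdExpirationProtectionEnabled'; Ok = ($p.PwdExpirationProtectionEnabled -eq 1); Want = 'Do not allow expiration longer than policy = Enabled' }
)

foreach ($c in $checks) {
    $state = if ($c.Ok) { 'OK  ' } else { 'FAIL' }
    "{0} {1,-32} = {2,-6} (want: {3})" -f $state, $c.Name, $p.($c.Name), $c.Want
}

# No AdminAccountName means the built-in RID 500 Administrator is the managed account
if ($p.AdminAccountName) { "Managed account: $($p.AdminAccountName)" }
else                     { "Managed account: built-in Administrator (RID 500)" }
```

A FAIL line on a computer that did receive the GPO usually means a second policy with a conflicting LAPS setting is winning; gpresult /h report.html shows which one.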

Retrieving the password:

The easiest way to retrieve a password set by LAPS is to launch the LAPS UI application installed on your management server: type in the computer name and it will return the password and its current expiration date. The same lookup is available from PowerShell with Get-AdmPwdPassword -ComputerName <name>, and by enabling "Advanced Features" in Active Directory Users & Computers (View -> Advanced Features) you can open the Attribute Editor tab on the computer object and read the "ms-Mcs-AdmPwd" attribute directly. All three paths are subject to the ACL you delegated earlier. The password is stored in clear text in that attribute, so the ACL is its only protection; if you need a record of who retrieved which password, Set-AdmPwdAuditing -OrgUnit <OU> -AuditedPrincipals <group> adds a SACL so that reads are logged on the domain controllers (directory service access auditing must be enabled for the events to appear):

(Screenshot: password_retrieval)

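The retrieval step above from the PowerShell module rather than the UI, as an added example that is not from the original article. It reads one computer's password, expires it after use so that the next policy refresh rotates it, and then reports which computers in the OU have no LAPS password yet or an expired one, which in practice means the client extension is missing or the policy has not applied. The computer name is an assumption; the OU is the one used earlier in the article, and the expiration attribute is read for all computers because, unlike the password itself, it is not confidential.

```powershell
# Added example (not the article's own code): retrieve, rotate and report.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Retrieve: same ACL as the UI, so only members of the groups delegated above succeed
$entry = Get-AdmPwdPassword -ComputerName "WKS01"          # assumed computer name
"{0}: password expires {1}" -f $entry.ComputerName, $entry.ExpirationTimestamp
$entry.Password    # a secret: do not paste it into tickets or logs

# After the help desk has used the password, force a rotation at the next Group Policy
# refresh (default is immediately; -WhenEffective schedules it). Needs the reset permission.
Reset-AdmPwdPassword -ComputerName "WKS01"

# Coverage report for the OU: computers that are not managed or whose password has expired
$ou  = "OU=SBSComputers,$((Get-ADDomain).DistinguishedName)"
$now = [DateTime]::UtcNow
Get-ADComputer -SearchBase $ou -Filter * -Properties ms-Mcs-AdmPwdExpirationTime |
    ForEach-Object {
        $ft  = $_.'ms-Mcs-AdmPwdExpirationTime'           # Int64 FILETIME, or null if never set
        $exp = if ($ft) { [DateTime]::FromFileTimeUtc([long]$ft) } else { $null }
        [pscustomobject]@{
            Name    = $_.Name
            Expires = $exp
            State   = if (-not $exp) { 'NOT MANAGED' } elseif ($exp -lt $now) { 'EXPIRED' } else { 'OK' }
        }
    } |
    Where-Object State -ne 'OK' |
    Sort-Object State, Name |
    Format-Table -AutoSize
```

An "EXPIRED" entry for a machine that is online and rebooting regularly points at the client extension not running (the MSI never installed, or the policy's "Enable local admin password management" is off for that OU); "NOT MANAGED" for a whole OU usually means the GPO is not linked there.
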
Deploying LAPS is a great way to add an additional layer of security to your environment: a compromised local administrator hash is then good for one machine instead of every machine. It also gives administrators an easy way to manage and enforce local administrator password policy across the domain.
