LAPS (Local Administrator Password Solution) is Microsoft's recommended mitigation for Pass-the-Hash (PtH) attacks that reuse a shared local administrator credential to move laterally across your network.
Local administrator accounts are a headache for network administrators. Anyone with physical access to a machine (or SYSTEM on it) can dump the account's password hash, and the password is typically identical on every computer in the domain because it serves as the fallback for the help desk and administrators when a computer loses its trust relationship with its domain controller. One compromised local administrator hash therefore unlocks every machine that shares it.
LAPS gives each managed computer its own unique local administrator password and provides basic password management, with length, complexity, and maximum age set by group policy. The password is stored in Active Directory in a confidential attribute on the computer object, and you decide through AD permissions which security groups may read it; authorized users retrieve it with the LAPS UI (the "Fat Client UI" component) or the PowerShell module. This is discussed in more detail in Microsoft Security Advisory 3062591:
The installation of LAPS comprises the following steps:
- Download and install components on the management server
- Update the active directory Schema
- Set the permissions for viewing the local administrator password
- Push the client install component to the managed computers
- Set the group policies for LAPS
- Retrieve the password
Download and install components on the management server
The LAPS components can be downloaded from Microsoft at the following site:
There is both a 32-bit and a 64-bit MSI that may be downloaded for your environment. We will create a GPO later in the article to deploy the right one based on each computer's architecture.
In this article, the LAPS management components are installed on a Windows Server 2012 R2 Domain Controller.
Select all of the components, and complete the installation on your management server.
Update the Active Directory Schema
The management tools installed the PowerShell module on your management server. Run PowerShell as an administrator with an account that is a member of the built-in Schema Admins group; the schema extension is forest-wide and cannot be undone, so do this once and deliberately.
Import the AdmPwd.PS module within the PowerShell prompt:
Then update your schema with the following cmdlet, which adds the ms-Mcs-AdmPwd (confidential) and ms-Mcs-AdmPwdExpirationTime attributes to the computer class:
Set the permissions for viewing the local administrator password
We will use ADSI Edit to review who is able to view the new attribute.
Open ADSI Edit, right-click the ADSI Edit node and choose “Connect to…”
Then choose the “Default naming context”:
You will now need to drill down through your OUs to the container holding the computers to be managed. Right-click the OU and select “Properties”. Choose the “Security” tab and click the “Advanced” button.
You now need to audit the accounts within the advanced security settings, ensuring that non-administrative accounts do not have the “All extended rights” permission. That permission includes the right to read confidential attributes, so any principal holding it on the OU can read every LAPS password beneath it regardless of the read permission you grant later. It is to be UNCHECKED for everything except the administrative groups you intend to have it.
Next we need to allow the computers in our specific OU(s) to update their own password attributes (this grants SELF write access to ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime, nothing more), via the Set-AdmPwdComputerSelfPermission PowerShell cmdlet, specifying the correct distinguished name for each OU:
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=SBSComputers, DC=infosoda, DC=local"
Hint: Right click on the OU, select “Properties”, choose the “Attribute Editor” tab, then “View” the distinguishedName to copy the correct distinguished name for your OU.
We then grant, per OU, the security groups that are allowed to retrieve the password set by LAPS, using the Set-AdmPwdReadPasswordPermission PowerShell cmdlet with the correct distinguished name for the OU and the correct security group:
Set-AdmPwdReadPasswordPermission -Orgunit "OU=SBSComputers, DC=infosoda, DC=local" -AllowedPrincipals "Help Desk Support"
In the above example, members of the security group “Help Desk Support” can retrieve passwords for all computers within the SBSComputers OU. Repeat this step as necessary to ensure that the correct groups have access to the correct OUs, and keep the groups small: anyone who can read the attribute holds a local administrator password in cleartext.
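The schema and permission steps above, as one added PowerShell session (this is example code, not from the original article or the LAPS package). It uses the article's OU and group names; the list of administrative groups excluded from the extended-rights audit is an assumption you should replace with your own.

```powershell
# Added example, not part of the original article. Run from an elevated
# PowerShell on the management server with a Schema Admins account.
Import-Module AdmPwd.PS

# 1. Extend the schema (forest-wide, one time). Adds ms-Mcs-AdmPwd (confidential)
#    and ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

$ou = "OU=SBSComputers,DC=infosoda,DC=local"   # the article's OU

# 2. The PowerShell equivalent of the ADSI Edit audit: list every principal that
#    already holds "All extended rights" on the OU (or on computers under it).
#    Each of these can read LAPS passwords whether or not you grant them below.
#    Assumption: only the three names in the pattern are meant to keep it.
Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers |
    ForEach-Object {
        foreach ($holder in $_.ExtendedRightHolders) {
            if ($holder -notmatch 'Domain Admins|Enterprise Admins|SYSTEM') {
                [pscustomobject]@{ Object = $_.ObjectDN; UnexpectedHolder = $holder }
            }
        }
    } | Format-Table -AutoSize

# 3. Let each computer write its own password and expiry (SELF gets write on
#    the two LAPS attributes only).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 4. Grant the help desk the right to read passwords and, separately, the right
#    to force a reset (needed for Reset-AdmPwdPassword).
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals "Help Desk Support"
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals "Help Desk Support"
```

Anything the audit in step 2 prints is a principal that can read passwords without appearing in any LAPS-specific permission; remove the right from those objects in ADSI Edit before rolling the client out.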
Push the client install component to the managed computers
We can now create a policy to push either the x64 or the x86 client out to the machines, based on their architecture. Create a folder in your NETLOGON share (which every domain computer account can already read), and drop both the LAPS x64 and x86 MSIs that we downloaded earlier into the new folder:
Now open Group Policy Management, create a new Group Policy Object with an appropriate name, and edit the new policy.
Computer Configuration -> Policies -> Software Settings -> Software Installation -> New -> Package
When creating the x86 package, uncheck “Make this 32-bit X86 application available to Win64 machines” so that 64-bit computers receive only the x64 package.
Link the policy to the correct OUs to push the MSI out to the computers. Once installed, “Local Administrator Password Solution” will appear as an installed application under “Programs and Features”.
Set the group policies for LAPS
Utilizing either the same Group Policy, or a separate policy, you now need to implement your settings for LAPS. These settings are located at:
Computer Configuration -> Policies -> Administrative Templates: Policy Definitions -> LAPS
There will typically be three settings to enable (a fourth, “Name of administrator account to manage”, is only needed if the built-in Administrator account has been renamed or you manage a different account; leave it Not Configured otherwise):
- Password Settings
- Do not allow password expiration time longer than required by policy
- Enable local admin password management
Password Settings (ENABLED): Choose password complexity, password length, and password age, recommended settings:
- Password complexity: Large letters + small letters + numbers + specials
- Password length: 20 characters
- Password age (days): 30 days
Do not allow password expiration time longer than required by policy (ENABLED)
Enable local admin password management (ENABLED)
Link the policy to the correct OUs if it is a separate policy, and allow the policy to deploy to the environment. Each client rotates its password at the first Group Policy refresh after the current expiry passes, so expect the rollout to take up to one refresh interval.
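The same LAPS settings created from PowerShell with the GroupPolicy module, as an added example (not from the original article). The LAPS ADMX template writes these values under a fixed registry key on the client, so the GPO can be built with Set-GPRegistryValue instead of the editor; the GPO name and OU are assumptions.

```powershell
# Added example, not part of the original article.
Import-Module GroupPolicy

$gpoName = "LAPS Settings"                                   # assumed name
$ou      = "OU=SBSComputers,DC=infosoda,DC=local"            # the article's OU
# Registry key the LAPS ADMX (AdmPwd.admx) policies map to on the client.
$key     = "HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd"

New-GPO -Name $gpoName | Out-Null

# "Enable local admin password management" (ENABLED)
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName AdmPwdEnabled -Type DWord -Value 1 | Out-Null

# "Password Settings" (ENABLED): complexity 4 = large + small + numbers + specials,
# 20 characters, maximum age 30 days.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName PasswordComplexity -Type DWord -Value 4  | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName PasswordLength     -Type DWord -Value 20 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName PasswordAgeDays    -Type DWord -Value 30 | Out-Null

# "Do not allow password expiration time longer than required by policy" (ENABLED):
# a client ignores an expiry in AD that is further out than PasswordAgeDays allows.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName PwdExpirationProtectionEnabled -Type DWord -Value 1 | Out-Null

# Link to the OU holding the managed computers.
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null

# Show what the GPO now carries. On a client, after gpupdate /force, the same
# values appear under the registry key above.
Get-GPRegistryValue -Name $gpoName -Key $key | Format-Table ValueName, Type, Value -AutoSize
```

Keeping the settings in a separate GPO from the MSI deployment lets you change the rotation policy later without touching the software-installation policy.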
Retrieving the password
The easiest way to retrieve a password configured by LAPS is to fire up the LAPS UI application installed on your management server. Launch the LAPS UI application, type in the computer name, and the application will retrieve the password and its current expiration date. By enabling “Advanced Features” within Active Directory Users & Computers (View -> Advanced Features), you can also open the Attribute Editor tab on the computer object and read the attribute “ms-Mcs-AdmPwd” directly. Note that the password is stored and displayed in cleartext; only the AD permissions set earlier protect it, and a password that has been retrieved and typed should be treated as exposed and reset.
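Retrieval from the command line, plus two checks a practitioner wants once LAPS is live: which computers in the OU have actually been managed, and forcing a rotation after a password has been used. This is an added example, not from the original article; the computer name is an assumption, the OU is the article's.

```powershell
# Added example, not part of the original article.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou = "OU=SBSComputers,DC=infosoda,DC=local"

# Same result as the LAPS UI: the cleartext password and its expiry. The caller
# must be in a group granted Set-AdmPwdReadPasswordPermission on the OU.
Get-AdmPwdPassword -ComputerName "SBSWKS01" |               # assumed computer name
    Format-List ComputerName, Password, ExpirationTimestamp

# Coverage audit. ms-Mcs-AdmPwdExpirationTime is NOT confidential, so any reader
# can check it. A computer that has never written it has not been managed by
# LAPS (client not installed, GPO not applied, or SELF write permission missing).
# The value is a Windows FILETIME.
Get-ADComputer -SearchBase $ou -Filter * -Properties ms-Mcs-AdmPwdExpirationTime |
    ForEach-Object {
        $ft = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Name    = $_.Name
            Managed = [bool]$ft
            Expires = if ($ft) { [DateTime]::FromFileTimeUtc([int64]$ft) } else { $null }
        }
    } | Sort-Object Managed, Expires | Format-Table -AutoSize

# After a password has been used (typed, possibly logged or shoulder-surfed),
# pull its expiry back to now. The client generates a new password at its next
# Group Policy refresh; this needs Set-AdmPwdResetPasswordPermission on the OU.
Reset-AdmPwdPassword -ComputerName "SBSWKS01" -WhenEffective (Get-Date)
```

Run the coverage audit a day or two after linking the policies: every row with Managed = False is a machine still carrying the old shared local administrator password.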
Deploying LAPS is a great way to add an additional layer of security to your environment: a stolen local administrator hash is now only good for the one machine it came from. It also lets administrators easily manage and enforce local administrator password policy across the domain.