After attending the first Microsoft Ignite a few weeks ago, I am not surprised to see security tools and technologies being produced by Microsoft. With pass-the-hash (PtH) so prevalent, powerful, and nearly impossible to stop, Microsoft is taking large strides to help organizations reduce PtH attacks.

Microsoft released the Local Administrator Password Solution (LAPS) on May 5. The tool is geared to hit PtH attacks directly in the kneecaps to reduce the effectiveness of the attack. Of course we all know, or should know, that PtH is successful partly because the same password is used for many local administrator accounts on desktops and servers throughout the organization. If the PtH attacker gains access to one local administrator password hash, there is a good chance that access can be gained on many other desktops and servers.

LAPS utilizes Active Directory to store, control, and randomize the local administrator password for Windows computers that have joined the Active Directory domain. The benefit is that every computer LAPS controls ends up with a unique password, and therefore a unique hash, so a hash captured on one computer is not reusable on the others. Of course, LAPS does not control every account that has elevated privileges, so it only has a small effect on PtH, but at least there is something that organizations can do to reduce PtH.
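To make the "unique password, therefore unique hash" point concrete, here is an added example (not code from the original post, Microsoft, or ManageEngine) that computes the NT hash Windows stores for a local account (MD4 over the UTF-16LE password) and checks an inventory of hosts for hash reuse. MD4 is implemented inline because `hashlib` lacks it on many OpenSSL 3 builds; the hostnames, the shared weak password and the `laps_style_inventory` generator are constructed stand-ins and are assumptions, not LAPS's own password generator.

```python
import secrets
import struct
from collections import defaultdict

_MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), included inline because hashlib's md4
    is unavailable on many OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # Rotate the registers so each step updates "a" in turn
                # (equivalent to the a/d/c/b ordering in the RFC).
                a, b, c, d = d, _lrot((a + f(b, c, d) + X[idx] + k) & _MASK,
                                      shifts[i % 4]), b, c
        h = [(x + y) & _MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash as Windows stores it: MD4 over the UTF-16LE password, hex."""
    return md4(password.encode("utf-16-le")).hex()


def find_hash_reuse(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map each NT hash that appears on more than one host to those hosts.
    A non-empty result means one captured hash opens several machines."""
    by_hash = defaultdict(list)
    for host, password in inventory.items():
        by_hash[nt_hash(password)].append(host)
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


def laps_style_inventory(hosts) -> dict[str, str]:
    """Give every host its own random password, the property LAPS provides.
    (Constructed stand-in; LAPS uses its own generator and policy.)"""
    return {host: secrets.token_urlsafe(16) for host in hosts}


HOSTS = ("WS01", "WS02", "SRV01")                        # constructed sample hostnames
SHARED_INVENTORY = {host: "password" for host in HOSTS}  # constructed shared-password case

if __name__ == "__main__":
    print("shared password:", find_hash_reuse(SHARED_INVENTORY))
    print("per-host random:", find_hash_reuse(laps_style_inventory(HOSTS)))
```

With one shared password every host collapses onto the same hash, so `find_hash_reuse` reports a single group containing all of them; with a per-host random password the same check returns nothing, which is exactly the reuse LAPS removes. The same check can be run against a real inventory by swapping in the actual per-host passwords retrieved from AD.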

Like everything in the world, nothing is really free. Yes, LAPS is free to download and use. However, there is quite a bit of setup required in order to use the technology. Because the technology is new, your Active Directory environment does not understand LAPS out of the box. You will need to configure the following in order to get LAPS to work:

  • AD schema is the same as current solution

  • PowerShell cmdlet creates key pair

  • File with public key is transported to clients (path to key file configurable in GPO)

  • File with private key is kept centrally behind web service

  • PowerShell cmdlet retrieves encrypted password and calls web service that decrypts it with private key

I really don’t want to bore you with the details, which you can get here: https://code.msdn.microsoft.com/Solution-for-management-of-ae44e789

Of course, many organizations want to have a more robust solution, which is just not possible with LAPS. I often see other organizations wanting their local administrator password management solutions to have the following features:

  • Integration with other process workflow systems

  • Alerting

  • Reporting

  • Session controls

  • More than Windows OS management

If you want a solution like this, ManageEngine provides you with some incredible, seasoned solutions through Password Manager Pro. You can download and see for yourself at https://www.manageengine.com/products/passwordmanagerpro/

While you are at ManageEngine, I highly suggest you also download ADAudit Plus, which will track all behavior performed by these privileged accounts. You can download ADAudit Plus at https://www.manageengine.com/products/active-directory-audit.

Track all actions performed by privileged accounts with ADAudit Plus. Try it now by downloading a free trial.