MICROSOFT L.A.P.S.
THE LOCAL ADMINISTRATOR PASSWORD SOLUTION
By Matt Stacey, Managing Director of Int64 Software Ltd
@Int64Software or @matt_is_ready
What is Microsoft LAPS?
• Local Administrator Password Solution
• Automatic, regular randomisation of the Local Administrator account password on domain-joined computers (Windows only)
• Automatic: no manual intervention is necessary
• Regular: the maximum password age can be defined (default 30 days)
• Randomisation: no two computers share a password, so a local administrator hash captured on one machine cannot be replayed against another (the pass-the-hash lateral movement that a shared password enables)
Local Administrator Accounts
• The built-in account (RID 500) is created by default on every Windows installation; it is enabled on Windows Server but disabled out of the box on client editions since Windows Vista
• Named “Administrator” unless renamed by policy (or localised on non-English Windows); LAPS finds it by RID 500, so renaming it neither hides it nor stops LAPS managing it
• Typical password management approaches include:
  • A single shared password built into the image, which is vulnerable to pass-the-hash: one captured hash opens every machine
  • A procedural (formulaic) password per machine, set manually or by a script, which may be leaked, reverse-engineered once the formula is known, or discovered through brute force
How Microsoft LAPS Works
• Installed as a Group Policy Client Side Extension (CSE), AdmPwd.dll
• Runs on every Group Policy refresh
• Reads the “ms-Mcs-AdmPwdExpirationTime” attribute of its own computer object in Active Directory to see whether the password has expired (a blank value counts as expired)
• If expired, generates a new random password according to the Group Policy settings (length, complexity, age)
• Attempts to write the new password (to “ms-Mcs-AdmPwd”, a confidential attribute) and the next expiration time to the computer object
• Only if that write succeeds does it set the local Administrator account password. Writing to AD first means a password can never be set on a machine without already being recorded centrally, so a failed AD write cannot lock you out.
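To see the expiry check above as data rather than as a description, here is an added example (not part of the original slides) that reads ms-Mcs-AdmPwdExpirationTime for every computer in an OU and classifies it the way the CSE does: blank or past means the next refresh will rotate the password. It assumes the RSAT ActiveDirectory module and read access to the OU; the OU distinguished name is a placeholder and the function name Get-LapsExpiryState is invented for this example.

```powershell
# Added example: reproduce the expiry check performed by the LAPS CSE, using
# the same AD attribute it reads. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LapsExpiryState {
    param(
        # Raw value of ms-Mcs-AdmPwdExpirationTime: a Windows FILETIME
        # (100-nanosecond ticks since 1601-01-01 UTC) stored as a 64-bit integer.
        [AllowNull()][Nullable[long]] $ExpirationTime,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    if ($null -eq $ExpirationTime -or $ExpirationTime -eq 0) {
        # Blank: LAPS has never run for this computer. The CSE treats this
        # exactly like an expired password and rotates it on the next refresh.
        return [pscustomobject]@{ State = 'Blank'; ExpiresUtc = $null }
    }
    $expires = [datetime]::FromFileTimeUtc($ExpirationTime)
    $state = if ($expires -le $Now) { 'Expired' } else { 'Current' }
    return [pscustomobject]@{ State = $state; ExpiresUtc = $expires }
}

$ou = 'OU=Workstations,DC=corp,DC=example'   # placeholder, use your own OU

# Note: ms-Mcs-AdmPwd is deliberately not requested here. It is a confidential
# attribute, so AD only returns it to principals holding the extended right.
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $s = Get-LapsExpiryState -ExpirationTime $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Computer   = $_.Name
            State      = $s.State        # Blank / Expired / Current
            ExpiresUtc = $s.ExpiresUtc
        }
    } | Sort-Object State, Computer | Format-Table -AutoSize
```

A computer that stays in the Blank state after the CSE has been deployed and a refresh has run is the usual sign that the SELF permission on its OU is missing, since the CSE refuses to change the local password until the AD write succeeds.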
How Microsoft LAPS Works (flow diagram)
GP refresh → check whether the expiry time is blank or passed → [if expired or blank] generate a new random password → set password and expiry in Active Directory → [only if successful] change the local Administrator password
But my Admin accounts are disabled…?
• The built-in Administrator account exists by default and cannot be removed, only disabled.
• However, anyone who already holds local administrator rights, or has offline access to the disk, can re-enable it trivially, and its password is whatever was last set, so a disabled account carrying a shared image password is still a shared secret.
• Disabling it does not negate the need for a strong, unique, frequently changed password.
Installing LAPS
1. Install the management tools (PowerShell module and GPO template)
2. Extend the Active Directory schema
3. Set up Active Directory permissions
4. Configure Group Policy
5. Install the client side extension on the computers
PowerShell Module and Group Policy Template
• Launch the LAPS installer appropriate for your management system (LAPS.x64.msi or LAPS.x86.msi)
• Select the following features to install:
  • PowerShell module (AdmPwd.PS)
  • GPO Editor templates (AdmPwd.admx and AdmPwd.adml)
• “AdmPwd GPO Extension” is the CSE and “Fat Client UI” is the basic Windows Forms interface for viewing passwords; neither is required at this stage.
Extend the AD Schema
• Launch PowerShell as a user who is a member of the “Schema Admins” group (a membership added in the current session does not take effect until you log on again).
• Import the LAPS PowerShell module (AdmPwd.PS).
• Run the Update-AdmPwdADSchema command to extend the schema. This adds two attributes to the computer class: ms-Mcs-AdmPwd (marked confidential) and ms-Mcs-AdmPwdExpirationTime.
• If you get Permission Denied, check your group membership and that you can reach the schema master.
Remove Extended Rights
• Run the Find-AdmPwdExtendedRights command to list the users and groups that hold “All extended rights” on computer objects.
• It must be targeted at an OU, and it also reports any sub-containers that inherit the permission.
• Because ms-Mcs-AdmPwd is a confidential attribute, “All extended rights” is enough to read the stored password of every computer in that container, so any listed principal that does not need it should have the right revoked (with ADSI Edit or dsacls; there is no LAPS cmdlet for the removal).
• For more information, consult the LAPS Operations Guide.
Grant Computer Rights
• Each computer needs permission to read its own expiry time and to write its own new password and expiry time (it does not need, and is not given, the right to read ms-Mcs-AdmPwd back).
• Use the Set-AdmPwdComputerSelfPermission command; it adds an ACE for SELF on the container.
• Repeat this for each computer container unless it inherits the permission from a parent.
Add User Management Rights
• If necessary, grant users or groups permission to read the stored password with the Set-AdmPwdReadPasswordPermission command. Prefer dedicated groups to individual accounts: this right exposes the clear-text password of every computer in the OU, so it should be easy to audit.
• Similarly, use the Set-AdmPwdResetPasswordPermission command to grant write access to the expiry time, which lets the holder expire a password (triggering a reset during the computer’s next Group Policy refresh).
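The server-side steps above (schema extension, extended-rights audit, SELF permission, read and reset delegation) as one script. This is an added example, not part of the original slides: it assumes the LAPS management tools and the RSAT ActiveDirectory module are installed, that the session runs as a Schema Admin for the schema step and as a Domain Admin for the ACL changes, and the OU and group names are placeholders for your own.

```powershell
# Added example: LAPS server-side setup in one script. Run once, in order.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$computerOU   = 'OU=Workstations,DC=corp,DC=example'   # placeholder
$readersGroup = 'CORP\LAPS-Password-Readers'            # placeholder
$resetGroup   = 'CORP\LAPS-Password-Resetters'          # placeholder

# 1. Extend the schema (once per forest). Adds ms-Mcs-AdmPwd (confidential)
#    and ms-Mcs-AdmPwdExpirationTime to the computer class. Needs Schema Admins.
Update-AdmPwdADSchema

# 2. Audit who already holds "All extended rights" on the OU. Because the
#    password attribute is confidential, this right alone is enough to read
#    every password in the container; review each entry and remove any that
#    does not need it (ADSI Edit / dsacls; no LAPS cmdlet does the removal).
Find-AdmPwdExtendedRights -Identity $computerOU | Format-List

# 3. Let each computer write its own password and expiry (ACE for SELF).
#    Repeat for every top-level computer OU that does not inherit this one.
Set-AdmPwdComputerSelfPermission -OrgUnit $computerOU

# 4. Delegate reading and expiring passwords to dedicated groups, never to
#    individual accounts, so the people who can see passwords are auditable.
Set-AdmPwdReadPasswordPermission  -OrgUnit $computerOU -AllowedPrincipals $readersGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $computerOU -AllowedPrincipals $resetGroup

# 5. Check the resulting ACL on the OU: SELF and the two groups should now
#    carry entries scoped to the two ms-Mcs-* attributes (ObjectType GUIDs).
$acl = Get-Acl -Path ("AD:\" + $computerOU)
$acl.Access |
    Where-Object { $_.IdentityReference -in @('NT AUTHORITY\SELF', $readersGroup, $resetGroup) } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType |
    Format-Table -AutoSize
```

Step 2 is the one most often skipped: a Domain Admin account is expected to appear there, but a help-desk group with a broad legacy delegation is exactly the kind of entry that silently turns into password-read access once the schema is extended.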
LAPS Group Policy Settings
• Create a new GPO, link it to the computer OU, and navigate to the LAPS administrative template under Computer Configuration > Policies > Administrative Templates > LAPS.
• Enable LAPS by changing the “Enable local admin password management” setting to Enabled. The other settings control password length and complexity, the maximum age, which account to manage (leave blank for the built-in RID 500 account), and whether an expiry time longer than the policy allows is corrected.
• For more information on the other settings, see this link:
https://int64software.com/blog/2018/06/28/a-look-at-the-microsoft-laps-group-policy-settings/
Deploy the Client Side Extensions
• Deploy the same LAPS MSI installer to your clients using your preferred method of software delivery (Group Policy software installation, your management tool, or a scripted silent install).
• By default the MSI installs only the LAPS CSE, so no customisation or transform is required.
Verify Client Side Extensions
• Run a Group Policy update on a test client computer and then restart it.
• LAPS may take a while to run the first time; the CSE records what it did in the Application event log under the source AdmPwd, which is the first place to look if nothing appears in AD.
• Once it has set the client’s Local Administrator password, you will be able to see the password and expiry in Active Directory (via the Fat Client UI or Get-AdmPwdPassword).
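An end-to-end check of a single test client, covering both the Group Policy settings slide and the verification slide. This is an added example, not part of the original slides: the first part runs elevated on the client, the second on a management host with the AdmPwd.PS module and read rights; the computer name is a placeholder, and the registry value names are those written by the LAPS administrative template.

```powershell
# Added example: verify that LAPS policy reached a client and that the CSE acted.

# --- On the client (elevated) ---
# If the CSE is not installed yet, the documented silent install is:
#   msiexec /i LAPS.x64.msi /quiet

# a) The settings the CSE reads, as written by the AdmPwd.admx template.
#    A missing key means the GPO has not reached this machine at all.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction Stop
$account = if ($pol.AdminAccountName) { $pol.AdminAccountName } else { '(built-in RID 500 account)' }
[pscustomobject]@{
    Enabled        = $pol.AdmPwdEnabled        # must be 1, or nothing happens
    Length         = $pol.PasswordLength       # template default is 14
    Complexity     = $pol.PasswordComplexity   # 4 = upper, lower, digits, specials
    AgeDays        = $pol.PasswordAgeDays      # template default is 30
    ManagedAccount = $account
}

# b) Force a refresh so the CSE runs, then look at the managed account.
#    It is located by RID 500, so a renamed "Administrator" is still found.
#    PasswordLastSet should move to "now" once the CSE has rotated the password.
gpupdate /target:computer /force | Out-Null
Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } |
    Select-Object Name, Enabled, PasswordLastSet

# c) What the CSE logged on this run (source AdmPwd in the Application log).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message

# --- On the management host ---
Import-Module AdmPwd.PS
$computer = 'WS-TEST01'   # placeholder

# Returns the clear-text password and expiry only to a caller holding the
# read right granted with Set-AdmPwdReadPasswordPermission.
Get-AdmPwdPassword -ComputerName $computer |
    Select-Object ComputerName, Password, ExpirationTimestamp

# To exercise the reset path: expire the password now, refresh the client
# again, and confirm both PasswordLastSet and the AD value change.
Reset-AdmPwdPassword -ComputerName $computer
```

The two timestamps are the real test: if PasswordLastSet on the client advances but Get-AdmPwdPassword still shows the old value, the CSE is running against a different computer object or OU than the one you delegated, which is worth catching before the old shared password goes out of circulation.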
What’s Next
• Congratulations! Your client-side devices are now much better protected against hackers.
• If you have cause to access the passwords frequently, or when away from your main computer, you may want to try an alternative to the basic tools that Microsoft provide.
• OVERLAPS Pro 1.2 provides a web-based interface with much greater functionality.
• https://int64software.com/overlaps/