Local Administrator Password Solution (LAPS) is a password manager that automatically rotates the password of the Built-in Administrator (RID-500) account on each individual workstation or server.
What's great about LAPS is that it doesn't require any additional infrastructure to store the passwords, and you don't have to pay for it, because it's free!
LAPS relies on something called a Client-Side Extension (CSE), a set of .dll files that process the LAPS settings that have been applied to a targeted computer through Group Policy.
The Client-Side Extension performs several administrative tasks, such as checking whether the Built-in Administrator password has expired. If it has, the CSE rotates the password automatically and stores it in a confidential AD attribute that is only readable by users with the right permissions. Those permissions are managed through AD ACLs.
One of the benefits of deploying LAPS is that it mitigates lateral movement: without it, an attacker could hop from machine to machine across the network, because the Built-in Administrator had the same password on all the workstations.
A common reason the password of the Built-in Administrator account is the same everywhere is the system preparation process.
Sysprep is Microsoft's System Preparation tool, intended to clone an existing Windows OS installation to multiple workstations. This means it also clones the local SAM database of the existing Windows installation to each workstation.
The good news is that LAPS rotates the password of these accounts automatically, so if an attacker has compromised the Built-in Administrator account on one workstation, it can't be used to move laterally, because the password is different on each individual workstation and server.
If your organization is using the Built-in Administrator (RID-500) account for any administrative task, it is highly recommended to deploy LAPS.
The first thing you need to do is temporarily grant yourself Schema Admin privileges in Active Directory, then download Microsoft's LAPS solution.
Make sure that you don’t forget to install the management tools as well during the installation.
After you have downloaded LAPS, you will need to make a schema change: the schema is extended with two new attributes. One is ms-Mcs-AdmPwd, which stores the Built-in Administrator password of a computer; the second is ms-Mcs-AdmPwdExpiration, which contains the expiration time of that password.
As you can see, the two new attributes we're talking about are now present in the schema.
Now we need to delegate rights on the OU that contains the workstations we want LAPS on. By delegating rights on the targeted OU, we allow the computer accounts to write to the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpiration attributes.
So when a password has expired, the computer automatically writes a new expiration time to the ms-Mcs-AdmPwdExpiration attribute and updates the ms-Mcs-AdmPwd attribute with a new password.
In this example, I'll pick the Workstations OU.
Now delegate the permissions on the Workstations OU so that computer accounts can write to the specified attributes.
Next we need to delegate rights to an AD group that is allowed to view and reset the plain-text password generated by LAPS.
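The AD-side steps above (schema extension, computer self-permission, and read/reset delegation to a group) can also be done from PowerShell with the AdmPwd.PS module that the LAPS management tools install. The following is an added example and not code from the original post; it assumes the OU is named Workstations and uses a hypothetical group name LAPS-Password-Readers. Note that the full LDAP name of the expiration attribute is ms-Mcs-AdmPwdExpirationTime, which is what the schema check below looks for.

```powershell
# Added example (not from the original post): the AD-side LAPS setup done with
# the AdmPwd.PS module. Assumptions: the OU is named "Workstations" and a group
# "LAPS-Password-Readers" (hypothetical name) should read and reset the passwords.
# Run elevated, as an account that is (temporarily) a member of Schema Admins.

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou    = 'Workstations'
$group = 'LAPS-Password-Readers'

# 1. Extend the schema with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
#    Needs Schema Admins; run once per forest.
Update-AdmPwdADSchema

# Confirm both attributes exist before delegating anything, and check that the
# password attribute is marked confidential (searchFlags bit 0x80), since that
# bit is what keeps plain "read property" rights from exposing it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $found = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties searchFlags
    if (-not $found) { throw "Schema attribute $attr not found; schema update did not apply." }
    '{0}: confidential={1}' -f $attr, (($found.searchFlags -band 0x80) -ne 0)
}

# 2. Let each computer in the OU write its own password and expiration time
#    (SELF gets write access to the two attributes, nothing more).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Let the chosen group read and reset the passwords. Read and reset are
#    separate rights, so a help-desk group could get reset without read.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $group
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $group
```

Once this has run, remove yourself from Schema Admins again; nothing after the schema update needs it.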
We are nearly done with rolling LAPS out, but first we need to create a new file share to store the LAPS files on, which are both LAPS.x64 and LAPS.x86.
In this example, I've created a file share on the FILESERVER and given Domain Computers "Read" permission on it.
Here is the path to the share: \\FILESERVER\laps
Open Group Policy Management Console and create a new GPO. Link the GPO to the Workstations OU.
Edit the Group Policy, go to Software Settings and select Software installation. Create a new package and select LAPS.x64 & LAPS.x86, which are located on the FILESERVER; the exact path is \\FILESERVER\laps.
Now expand Administrative Templates and configure the LAPS settings. Yes, we're nearly done.
- Password Settings: Enabled
- Do not allow password expiration time longer than required by policy: Enabled
- Enable local admin password management: Enabled
It can take some time before the Group Policy has been processed, but after it has finished you can see that the password of the Built-in Administrator account has automatically been rotated.
There is also the LAPS UI, which you might prefer to use instead of the PowerShell cmdlets.
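To check the rollout from the PowerShell side rather than the UI, the following added example (not part of the original post) lists which computers in the OU have not yet had a password set by the CSE, reads one entry, and forces a rotation. It assumes the OU is named Workstations, that the caller is in the group delegated read/reset rights on it, and uses Client2 as a placeholder computer name.

```powershell
# Added example (not from the original post): verifying the LAPS rollout with the
# AdmPwd.PS cmdlets. Assumes the OU "Workstations" and that the caller holds the
# delegated read/reset rights. "Client2" is a placeholder computer name.

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ouDN = (Get-ADOrganizationalUnit -Filter "Name -eq 'Workstations'").DistinguishedName

# Which computers in the OU have not yet been processed by the CSE?
# ms-Mcs-AdmPwdExpirationTime (the full name of the expiration attribute) is not
# confidential, so this check works even for an account without password read rights.
$pending = Get-ADComputer -SearchBase $ouDN -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' }
if ($pending) {
    'GPO has not applied yet on:'
    $pending | Select-Object -ExpandProperty Name
}

# Retrieve the current entry for one computer. Reading it is an audited access
# to a confidential attribute, so only do this when the password is needed.
$entry = Get-AdmPwdPassword -ComputerName 'Client2'
'{0}: expires {1}' -f $entry.ComputerName, $entry.ExpirationTimestamp
# $entry.Password holds the plain-text value.

# Force a rotation: this only sets the expiration time to now. The CSE on the
# client generates the new password at its next Group Policy refresh
# (gpupdate /force on the client, or wait for the normal refresh interval).
Reset-AdmPwdPassword -ComputerName 'Client2'
```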
Keep LAPS secure:
The first thing you need to be aware of is which users and groups have access to the plain-text password.
Keep this in mind when you delegate permissions on the Workstations OU. In this example, I've decided to grant Alice "GenericAll" (Full control) permission on the Workstations OU. This means that Alice is able to query the ms-Mcs-AdmPwd attribute and obtain the plain-text passwords.
Now, when we're logged in as the user Alice, we are able to query the plain-text passwords.
Make sure that you don't randomly delegate permissions on the OUs that contain the LAPS passwords.
The second thing you need to be aware of is which users have been manually delegated permissions on individual computer accounts. People still do this for no good reason.
Users with AllExtendedRights or an equivalent right are able to retrieve the plain-text password as well, because AllExtendedRights covers the control-access right needed to read the confidential ms-Mcs-AdmPwd attribute.
In this example, Mario would be able to retrieve the plain-text password of the Client2 machine.
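Both exposure paths described above, a principal with full control on the OU (Alice) and extended rights granted on a single computer object (Mario on Client2), can be found with one audit. The following is an added example and not code from the original post; it assumes the OU is named Workstations and that the intended readers are Domain Admins plus a hypothetical group LAPS-Password-Readers in the current domain.

```powershell
# Added example (not from the original post): auditing who can read the LAPS
# password on the "Workstations" OU and on each computer object beneath it.
# Assumptions: the intended readers are SYSTEM, Domain Admins and a hypothetical
# group "LAPS-Password-Readers"; $env:USERDOMAIN is the NetBIOS name of the domain.

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ouDN = (Get-ADOrganizationalUnit -Filter "Name -eq 'Workstations'").DistinguishedName

# 1. Every holder of extended rights on the OU and on each computer object.
#    Find-AdmPwdExtendedRights reports holders as "DOMAIN\Name" strings; anything
#    outside the expected list is a finding (this is how Mario on Client2 shows up).
$expected = @(
    'NT AUTHORITY\SYSTEM',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\LAPS-Password-Readers"
)
$findings = Find-AdmPwdExtendedRights -Identity $ouDN -IncludeComputers | ForEach-Object {
    $obj = $_.ObjectDN
    foreach ($holder in $_.ExtendedRightHolders) {
        if ($holder -notin $expected) {
            [pscustomobject]@{ Object = $obj; UnexpectedReader = $holder }
        }
    }
}
$findings | Format-Table -AutoSize

# 2. ACEs set directly on the OU that grant GenericAll (full control), which
#    implies the extended right above (this is the Alice case). Inherited ACEs
#    are skipped; those should be reviewed where they were set.
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

Running this on a schedule and diffing the output against the previous run turns the "monitor the groups with read access" recommendation into something concrete: a new name in either list is a change that someone should be able to explain.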
- Deploy LAPS, don’t do it for me. Do it for yourself!
- Monitor all the AD groups that have read access to the LAPS passwords.
- Do not use the Account Operators group, because users in this group have wide permissions and can grant themselves access to the LAPS passwords.
- Don’t delegate permissions on the OU that stores the LAPS passwords.