Cyber Advisors Blog

LAPS – A Simple, Must-Have Solution

Posted by Terence Kolstad on Sep 14, 2016 9:00:00 AM
Security is a big topic these days in businesses big and small. With ransomware and cyber-attacks proliferating, IT's job of securing the internal infrastructure is becoming paramount. As with most areas, there are simple solutions that can be implemented to help mitigate some of the risk posed to your network.
 
Consider this: in many corporate environments the local administrator password is either set identically (every system has the same password) or not managed at all (anything goes!). If the local administrator account has the same password on all machines and that password is compromised, an attacker can move laterally throughout the network, hopping from system to system. We've also seen the local administrator password set via GPO, but that password is then stored within SYSVOL. Though not in clear text, it is discoverable by every member of the Authenticated Users group. Neither of these is a secure situation.
 
Microsoft developed the Local Administrator Password Solution (LAPS) to help address these scenarios. LAPS sets the local administrator password for each domain-joined workstation with a different random, complex password and stores this password in an attribute within the computer account inside Active Directory.
 
In the setup of this solution, the Active Directory schema is extended with the attributes the solution needs in order to function. A LAPS agent (a Group Policy client-side extension) is deployed to each end user's machine, and during every GPO update it performs the following actions:

• Checks whether the password of the local Administrator account has expired.
• Generates a new password when the old password is either expired or is required to be changed prior to expiration.
• Validates the new password against the password policy.
• Reports the password to Active Directory, storing it in a confidential attribute of the computer account.
• Reports the next expiration time for the password to Active Directory, storing it in an attribute of the computer account.
• Changes the password of the Administrator account.

(Source: microsoft.com)

The password can be read from Active Directory by members of a group that is set up during the deployment process. Eligible users can also request a password reset for their computer.
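As an added example that is not part of the original post, the deployment steps above (schema extension, delegating write rights to the computers themselves, delegating read and reset rights to a group) and a permission audit can be scripted with the AdmPwd.PS module that ships with the LAPS management tools. The OU path, group name and computer name are placeholders; run it as a schema/domain administrator on a host where the LAPS management tools are installed.

```powershell
# Added example (not from the original post): LAPS deployment and verification
# with the AdmPwd.PS module. OU, group and computer names below are constructed
# placeholders; replace them with values from your own environment.
Import-Module AdmPwd.PS

$TargetOU    = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$ReaderGroup = 'LAPS-Password-Readers'                 # placeholder group
$Computer    = 'WKS-001'                               # placeholder computer

# 1. Extend the AD schema with ms-Mcs-AdmPwd (the confidential password
#    attribute) and ms-Mcs-AdmPwdExpirationTime. One-time, forest-wide.
Update-AdmPwdADSchema

# 2. Allow each computer in the OU to write its own password and expiration
#    time (the agent writes these during the GPO refresh described above).
Set-AdmPwdComputerSelfPermission -OrgUnit $TargetOU

# 3. Delegate read access to the password attribute to the reader group ...
Set-AdmPwdReadPasswordPermission -OrgUnit $TargetOU -AllowedPrincipals $ReaderGroup
# ... and the right to request a reset (clears the expiration so the agent
#     rotates the password on the next GPO refresh).
Set-AdmPwdResetPasswordPermission -OrgUnit $TargetOU -AllowedPrincipals $ReaderGroup

# 4. Audit: "All extended rights" on the OU also exposes the confidential
#    attribute, so list every holder and remove anything beyond the intended
#    group and the built-in administrative groups.
Find-AdmPwdExtendedRights -Identity $TargetOU |
    Select-Object -ExpandProperty ExtendedRightHolders

# 5. Retrieve the current password and its expiration for one machine
#    (this is the read path the reader group is granted in step 3).
Get-AdmPwdPassword -ComputerName $Computer |
    Select-Object ComputerName, Password, ExpirationTimestamp

# 6. Request a rotation: sets ms-Mcs-AdmPwdExpirationTime to now so the
#    next GPO refresh on that machine generates a new password.
Reset-AdmPwdPassword -ComputerName $Computer
```

Steps 1 to 3 are one-time setup per OU; step 4 is worth re-running periodically, since any later delegation that grants "All extended rights" silently widens who can read the passwords.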

This solution helps address one of the many security risks that are posed to admins today and is definitely worth deploying in your environment. 

If you'd like to have a further discussion on how we can help implement this or other solutions to address your growing security needs, feel free to reach out! 

Here is the download link for LAPS as well as the LAPS blog if you are interested.
