Deploy and Configure Microsoft LAPS Step by step guide and useful tips

Post on 11-Apr-2020

Page 1: Deploy and Configure Microsoft LAPS...Deploy Now that we prepared and have all requirements we can continue to next step and to prepare the Active Directory, configure policies, deploy

Deploy and Configure

Microsoft LAPS

Step by step guide and useful tips


Table of Contents

Challenges today ... 3
What is LAPS ... 4
Emphasis and Tips ... 5
How LAPS Works ... 6
    Components ... 6
Prepare, Deploy and Configure LAPS ... 8
    Requirements ... 8
        Active Directory ... 8
        Windows OS Support (Client and Managed PC) ... 8
        Management tools ... 8
        Membership ... 8
Deploy ... 9
Install on Managed Server and Client ... 9
Configure LAPS settings in Active Directory ... 10
    Update Active Directory Schema ... 10
    Configure Group Policy to enable and set the relevant policies ... 13
    Check Active Directory Schema and Extended Rights ... 15


Challenges today

Credential theft is a major problem in today's security landscape, and identical local administrator passwords across an environment contribute to it: they are a popular target for attackers. Far more than zero-days or malware, credentials are what allow attackers to succeed in your network.

Attackers, incident responders and penetration testers all know that reuse of valid credentials is one of the most common real-world weaknesses in today's networks; it dominates as the top finding.

Because Pass-the-Hash is such an integral part of attacker campaigns, internal penetration tests and real-world incidents, this guide looks first at how this security advisory, LAPS, addresses the underlying issue with Pass-the-Hash and how that affects attackers of all sorts, both good and evil.

LAPS takes a different approach. It does not eliminate the ability to pass the hash; rather, it reduces the impact of Pass-the-Hash by making each local administrator password unique. This limits the attack after a single machine is compromised: once an attacker gains access to a client workstation, they can no longer reach every other workstation in the environment through a shared local admin account.

LAPS is designed to run in a least privilege model. There is no need to put a service account into Domain Admins to manage passwords; password resets are done in the context of the computer account itself.

There is no additional server to install, and the passwords are stored in Active Directory. This has led to some interesting discussion on the Internet, with some saying that this makes AD a clear target. Active Directory has always been a clear target for attackers and has always held the "golden keys" that allow an attacker to take complete control of an infrastructure: Domain Admin level compromise, the Golden Ticket post-exploitation technique, and so on.

LAPS, like many other security controls, should be part of a holistic solution. Taking care of local administrator passwords is a great step and a massive reduction in overall attack surface, but without the other mitigating controls in an environment, attackers will still be able to gain a foothold and compromise your entire network. Randomizing local passwords is just one step in a security strategy, but it is a necessary step which is now easy and free with LAPS.


What is LAPS

The Local Administrator Password Solution (LAPS) provides centralized storage of local administrator passwords in Active Directory, with no additional servers. Domain administrators determine which users, such as helpdesk admins, are authorized to read the passwords.

For occasions when a login is required without domain credentials, password management can become complex. LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. It mitigates the risk of lateral movement that results when customers have the same local administrative account and password combination on many computers.

A lot of organizations use the same local administrator password across all machines, which is a bad idea for many reasons. At a basic level, if this password is learnt it allows anyone to install software as an administrator; at a higher level it facilitates Pass-the-Hash, Mimikatz and general reconnaissance against your machines (usually with the goal of elevating to Domain Admin).

If you currently set your local administrator password via Group Policy Preferences, this makes it even easier for an attacker to obtain the shared password. The cpassword value is easily searchable in SYSVOL, and Microsoft published the 32-byte AES key that decrypts it, so any domain user who can read SYSVOL can recover the password. Microsoft removed the ability to set new passwords this way with MS14-025, but existing cpassword entries stay in SYSVOL until the preference items are deleted.

So, what can we do?

Local Administrator Password Solution! This is Microsoft's solution for managing local administrator account passwords across an organization. LAPS features include:

• Sets a unique, randomly generated password per machine

• Automatically changes the local administrator password

• Stores local administrator passwords as an attribute of the computer object in Active Directory

• Password is protected in AD as a confidential attribute, readable only by delegated principals

• A granular security model can easily be implemented

• Password is protected in transport via Kerberos encryption

Why use LAPS instead of other password managers or vaults?

Other password managers typically require additional hardware, trusting a third party, or ad hoc practices. LAPS provides a streamlined approach to:

• Periodically randomizing local administrator passwords

• Ensuring the password update to AD succeeds before changing the password locally

• Centrally storing secrets in the existing Active Directory infrastructure

• Controlling access via AD ACL permissions

• Transmitting encrypted passwords from client to AD
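Before rolling out LAPS it is worth confirming that no Group Policy Preference item in SYSVOL still carries a cpassword, since that is the shared password an attacker would go for first. The script below is an added example, not part of the guide: it walks the domain's SYSVOL Policies share and reports every GPP XML file with a non-empty cpassword value, together with the GPO GUID it lives in. It assumes a domain-joined machine whose current user can read SYSVOL (the domain name is taken from the environment); the file-name list is the standard set of GPP files that can hold credentials.

```powershell
# Added example (not from the guide): find Group Policy Preference XML files in SYSVOL
# that still carry a cpassword value. Assumes a domain-joined machine and a user that
# can read SYSVOL; the domain name comes from the environment.
$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw 'Run this from a domain-joined machine.' }
$sysvol = "\\$domain\SYSVOL\$domain\Policies"

# GPP item types that can embed a password; any of these files may carry cpassword.
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

Get-ChildItem -Path $sysvol -Recurse -File -Include $gppFiles -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword="([^"]*)"' |
    # cpassword="" is an item with no password set; only a non-empty value is a finding
    Where-Object { $_.Matches[0].Groups[1].Value -ne '' } |
    ForEach-Object {
        [pscustomobject]@{
            GpoGuid = ($_.Path -split '\\' | Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' })[0]
            File    = $_.Path
            Line    = $_.LineNumber
        }
    } | Format-Table -AutoSize
```

Any hit should be removed from the GPO (deleting the preference item rewrites the XML); just setting a new password through LAPS does not remove the old value from SYSVOL.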


Emphasis and Tips

During the implementation it is important to pay attention to the following points.

• Delegation model and a workflow for using the passwords

If your OU structure is not laid out along policy boundaries, or if you do not already have a well-defined RBAC model, this will be a challenge. Your workflow for accessing the passwords will dictate a lot of how you design the access. Do you plan to use the passwords regularly, or mainly to block attackers?

• LAPS only randomizes one local account password

By default it randomizes the built-in administrator account (the one with RID 500) and discovers it by its well-known SID. A different local account can be specified via GPO, but remember that such an account is discovered by name.

• Embrace the RID 500 account

The RID 500 account is always there, is always an admin, and can be renamed without consequence: LAPS will always find it by SID and manage it.

• Local accounts are tricky to manage, so manage them with a one-local-account principle. The strategy is to have one local administrator account, the built-in one.

• Make LAPS part of your larger credential theft mitigation strategy

Implement the best practice steps in the Pass-the-Hash documentation, use Restricted Groups to be authoritative about who is a local admin, deny local accounts access over the network (the well-known groups "Local account", S-1-5-113, and "Local account and member of Administrators group", S-1-5-114, exist for exactly this purpose in the "Deny access to this computer from the network" user right), and manage machines in a secure way.

• Monitor local account creation

New local accounts are indicators of compromise, and a successful logon of the local administrator account is a far more accurate metric of danger than auditing access to the password in many organizations.

• Monitor for lateral movement

Stopping lateral movement with stolen credentials and preventing the attacker from wandering unfettered around your network is the thing that would have made the incident responses I've been to this year less of an incident.

• Password reset and the technician side

Since ms-Mcs-AdmPwd only stores one password, some customers have expressed concerns about what this means for a system restored from backup: AD holds the current password, not the one inside the backup image. The supported scenario is to reset the local password with a supported tool such as DaRT (Microsoft Diagnostics and Recovery Toolset), then force a rotation by resetting the expiration time (Reset-AdmPwdPassword) so that the machine and AD are in sync again.

• LAPS and password expiration

If ms-Mcs-AdmPwdExpirationTime is set further in the future than the password age allowed by policy, LAPS treats this as a conflict: with "Do not allow password expiration time longer than required by policy" enabled, the client changes the password immediately and sets the expiration according to policy.

• Auditing

Reading the password is logged on the domain controller as event 4662 (an operation was performed on an object) once Directory Service Access auditing is enabled for the attribute; the module's Set-AdmPwdAuditing cmdlet configures the SACL for an OU. Collecting these centrally means Windows Event Forwarding, and be aware that 4662 is a high-volume event.

• Access to LAPS and its settings

Access to the password is controlled by a control access right on the attribute. Control access is an extended right in Active Directory, which means anyone granted "All extended rights" on the computer objects (or on an OU above them) can read every password. LAPS therefore includes the Find-AdmPwdExtendedRights cmdlet to report who holds those permissions.

• LAPS and plain text

The password is stored in clear text in ms-Mcs-AdmPwd; its confidentiality rests entirely on the attribute's confidential flag and on the ACLs, so restrict read access to the admins who actually need it.
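The two monitoring tips above (local account creation, and use of the managed administrator account) can be checked directly against a machine's Security log. The script below is an added example, not part of the guide: it reads events 4720 (a user account was created) and 4624 (successful logon) from the last N hours and emits one record per indicator. Field access is by name from the event XML rather than by position, so it is not tied to a particular property order. It assumes it runs elevated on the managed machine; the time window is my choice.

```powershell
# Added example (not from the guide): local-account indicators from the Security log.
# Assumes an elevated session on the managed machine; $Hours is an assumed default.
param([int]$Hours = 24)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Turn the EventData section into a name -> value table so fields are read by name.
function Get-EventData($e) {
    $h = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

foreach ($e in $events) {
    $d = Get-EventData $e
    switch ($e.Id) {
        4720 {
            # Any new local account is a compromise indicator on a LAPS-managed box:
            # the policy in this guide is exactly one local admin, the built-in one.
            [pscustomobject]@{
                Time = $e.TimeCreated; Indicator = 'LocalAccountCreated'
                Account = $d.TargetUserName; By = $d.SubjectUserName
            }
        }
        4624 {
            # RID 500 in the *local* machine domain is the account LAPS manages
            # (the domain Administrator also ends in -500, hence the domain check).
            # Logon type 3 (network) or 10 (RDP) means the LAPS password was used from off-box.
            if ($d.TargetUserSid -like '*-500' -and
                $d.TargetDomainName -eq $env:COMPUTERNAME -and
                $d.LogonType -in '3', '10') {
                [pscustomobject]@{
                    Time = $e.TimeCreated; Indicator = 'Rid500NetworkLogon'
                    Account = $d.TargetUserName; From = $d.IpAddress; LogonType = $d.LogonType
                }
            }
        }
    }
}
```

If local accounts are denied network access as the tip recommends, the second indicator should never fire; when it does, either the deny right is not applied or the logon came through a path that right does not cover, and both are worth a look.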

How LAPS Works

The LAPS process:

1. The machine with LAPS installed queries Group Policy and receives the LAPS policy settings defined above.

2. The machine queries ms-Mcs-AdmPwdExpirationTime on its own computer object; if it is not set or has expired, it generates a new password, writes it to the ms-Mcs-AdmPwd attribute in Active Directory and, once that write succeeds, sets it locally.

3. The password is now set locally, stored in Active Directory and ready for use.

4. The LAPS CSE checks this value on each Group Policy update; when ms-Mcs-AdmPwdExpirationTime is reached, or the attribute is not set, it generates a new password again.

5. If the machine cannot contact Active Directory, no changes are made.

Components

• Agent: a Group Policy Client-Side Extension installed via MSI

o Event logging

o Random password generation, written from the client computer to its AD computer object

• PowerShell module

o Solution configuration

• Active Directory: centralized control

o Auditing in the security log of the domain controller

o Computer object and confidential attribute

The solution automatically manages the password of the built-in administrator account (RID 500) on domain-joined computers, so the password must be:

• Unique on each managed computer

• Randomly generated

• Stored in the existing AD infrastructure

The solution is built upon the AD infrastructure, so there is no need to install and support other technologies.

The solution itself is a Group Policy Client-Side Extension that is installed on managed machines and performs all management tasks. Management tools delivered with the solution allow easy configuration and administration.

The core of the solution is the GPO Client-Side Extension, which performs the following tasks during a GPO update:

• Checks whether the password of the local Administrator account has expired

• Generates a new password when the old one has expired or is required to be changed

• Changes the password of the Administrator account

• Reports the password to Active Directory, storing it in a confidential attribute on the computer account

• The password can then be read from AD by users authorized to do so

• The password can be forced to change by eligible users


Prepare, Deploy and Configure LAPS

The first step is to check whether the environment is compatible with LAPS; the requirements are at Active Directory level and at client level.

Requirements

Active Directory

• Forest functional level Windows Server 2003 or higher

• Domain functional level Windows Server 2003 or higher

• FSMO role holders on Windows Server 2003 SP1 or higher

• Domain controllers on Windows Server 2003 SP1 or higher

• If an RODC in the environment must hold the value of ms-Mcs-AdmPwd, the RODC Filtered Attribute Set must be adjusted (the attribute is not replicated to RODCs by default)

*Itanium-based machines are not supported

Windows OS Support (Client and Managed PC)

• Windows Server 2016

• Windows Server 2012 R2 (Datacenter, Standard, Essentials, Foundation)

• Windows 8.1 (Enterprise, Pro)

• Windows Server 2012 (Datacenter, Standard, Essentials, Foundation)

• Windows 8 (Enterprise, Pro)

• Windows Server 2008 R2 Service Pack 1

• Windows 7 Service Pack 1

• Windows Server 2008 Service Pack 2

• Windows Vista Service Pack 2

• Microsoft Windows Server 2003 Service Pack 2

*Itanium is NOT supported

Management tools

• .NET Framework 4.0

• PowerShell 2.0 or above

Membership

• The admin who runs the schema update must be a member of Schema Admins


Deploy

Now that we have prepared and have all requirements, we can continue to the next step: prepare Active Directory, configure policies, deploy the client and configure all other settings.

LAPS deployment can be divided into a few steps:

1. Install LAPS on the management machine

2. Configure LAPS settings in Active Directory

3. Deploy the LAPS client to the machines you wish to manage

4. Configure Group Policy to enable and set the relevant policies

5. Configure post-deployment settings

6. Perform a simulated attack on a client PC

Install on Managed Server and Client

First, download and install LAPS, which includes the PowerShell module and the Group Policy templates, on the management PC or server. Download both the 64-bit and 32-bit versions from the official Microsoft site, Local Administrator Password Solution (LAPS). The same MSI carries the client-side extension that goes onto managed machines.


Configure LAPS settings in Active Directory

Update Active Directory Schema

LAPS PowerShell commands

Now that we have the relevant PowerShell commands, we can update the Active Directory schema from the AdmPwd module. First check that the commands are available:

Get-Command *admpwd*

And:

Get-Command *admpwd* | Get-Member

Now that we know what commands are available, we update the schema so that our computer account objects have the required attributes.

Import the AdmPwd module with the following command:

Import-Module AdmPwd.PS

Update Active Directory Schema

Update the Active Directory schema with the following command:

Update-AdmPwdADSchema -Verbose

The schema extension involves a few points:

• The admin account that runs it must be a member of the Schema Admins Active Directory group

• The computer class is extended by two new attributes

o ms-Mcs-AdmPwd, which stores the password in clear text (as a confidential attribute)

o ms-Mcs-AdmPwdExpirationTime, which stores the time at which the password is to be reset

Grant Permission to Objects

Grant computers the ability to update their own password attributes using the Set-AdmPwdComputerSelfPermission command below:

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=AllComputers,DC=LAB,DC=Local"

Note: Set-AdmPwdComputerSelfPermission delegates rights that allow the computer object (SELF) to write to the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.


Removing the extended rights

You must restrict the ability to view the password: remove "All extended rights" on the OU from users and groups that are not allowed to read the value of ms-Mcs-AdmPwd (in Active Directory Users and Computers, Advanced Security Settings on the OU). Find-AdmPwdExtendedRights lists who currently holds that right.

Grant Permissions to a Specific Admin Group

To grant users the right to retrieve a computer's password, and the right to force a password reset, run the commands below:

Set-AdmPwdReadPasswordPermission -OrgUnit "OU=AllComputers,DC=LAB,DC=Local" -AllowedPrincipals "Domain Admins"

Set-AdmPwdResetPasswordPermission -OrgUnit "OU=AllComputers,DC=LAB,DC=Local" -AllowedPrincipals "Domain Admins"
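The schema update, the SELF permission and the read/reset delegation above are one procedure; the script below runs it end to end and finishes with the extended-rights check. It is an added example, not the guide's or Microsoft's own code. It uses the guide's OU, OU=AllComputers,DC=LAB,DC=Local, and the guide's grant to Domain Admins, and additionally delegates to a helpdesk group named LAPS-Helpdesk, which is my assumption and stands in for whatever group your delegation model uses. It assumes the AdmPwd.PS and RSAT ActiveDirectory modules are installed on the management host, and that the account running it is in Schema Admins (for the schema step) and can modify the OU's ACL.

```powershell
# Added example (not from the guide): Active Directory preparation for LAPS in one run.
# Assumptions: AdmPwd.PS and ActiveDirectory modules present; caller is in Schema Admins
# and can edit the OU ACL; LAB\LAPS-Helpdesk is an assumed delegated group.
#Requires -Modules ActiveDirectory
Import-Module AdmPwd.PS -ErrorAction Stop

$ManagedOU  = 'OU=AllComputers,DC=LAB,DC=Local'        # from the guide
$Readers    = 'Domain Admins', 'LAPS-Helpdesk'          # may read ms-Mcs-AdmPwd
$Resetters  = 'Domain Admins', 'LAPS-Helpdesk'          # may clear the expiration time to force a rotation

# 1. Extend the schema once per forest; skip if the attribute is already there.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
if (-not (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)')) {
    Update-AdmPwdADSchema -Verbose
}

# 2. Let each computer under the OU write its own password and expiration time (SELF write).
Set-AdmPwdComputerSelfPermission -OrgUnit $ManagedOU | Out-Null

# 3. Delegate read and reset. Reset only clears ms-Mcs-AdmPwdExpirationTime; the client
#    then generates the new password itself at the next policy refresh.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ManagedOU -AllowedPrincipals $Readers   | Out-Null
Set-AdmPwdResetPasswordPermission -OrgUnit $ManagedOU -AllowedPrincipals $Resetters | Out-Null

# 4. Verify: who can read the password through "All extended rights"? Anything listed
#    beyond the intended principals needs that right removed on the OU's ACL.
Find-AdmPwdExtendedRights -Identity $ManagedOU |
    Select-Object -ExpandProperty ExtendedRightHolders |
    ForEach-Object { [pscustomobject]@{ OU = $ManagedOU; Holder = $_ } } |
    Format-Table -AutoSize
```

Run the script again after trimming the OU's ACL; the final table should shrink to the principals you delegated to, plus the built-in holders you have decided to accept.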


Configure Group Policy to enable and set the relevant policies

Once all configuration in Active Directory, objects and permissions is prepared, we need to create a LAPS policy with the specific settings in Group Policy. The settings live under Computer Configuration > Policies > Administrative Templates > LAPS, provided by the AdmPwd.admx template that the management tools install.

• Password Settings

This is where you choose your password policy: complexity, length and age. The default is complex passwords, 14 characters and a password age of 30 days; machines automatically change their password when the age is reached.

• Name of administrator account to manage

Leave this empty to manage the built-in RID 500 account, which LAPS finds by SID. Set it only for a custom local admin account, which is then found by name.

• Enable local admin password management

Enables management of the password for the local administrator account. Without this setting the client-side extension does nothing.

• Do not allow password expiration time longer than required by policy

A planned password expiration longer than the password age dictated by the "Password Settings" policy is NOT allowed. When such an expiration is detected, the password is changed immediately and the expiration is set according to policy.
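Steps 3 and 4 of the deployment (client on the managed machine, policy from Group Policy) can be verified on the endpoint itself. The script below is an added example, not part of the guide: it installs only the client-side extension feature from the LAPS MSI, confirms the CSE is registered with Winlogon, forces a policy refresh and reads back the registry values the LAPS ADMX writes, so you can see the effective policy before waiting for the first rotation. It assumes an elevated session and that the downloaded MSI sits at C:\Temp\LAPS.x64.msi (use the x86 MSI on 32-bit clients); the path is my assumption.

```powershell
# Added example (not from the guide): install the LAPS CSE on a managed machine and
# verify the policy reached it. Assumes an elevated session; the MSI path is assumed.
$Msi = 'C:\Temp\LAPS.x64.msi'

# 1. Install only the CSE (AdmPwd.dll); the management tools stay off managed endpoints.
$p = Start-Process msiexec.exe -ArgumentList "/i `"$Msi`" ADDLOCAL=CSE /qn" -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "msiexec exit code $($p.ExitCode)" }

# 2. The CSE registers under Winlogon\GPExtensions; this GUID is the LAPS extension.
$cse = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
if (-not (Test-Path $cse)) { throw 'LAPS CSE is not registered' }
"CSE DLL: $((Get-ItemProperty $cse).DllName)"

# 3. Pull policy and read the values the GPO writes (value names from AdmPwd.admx).
gpupdate /target:computer /force | Out-Null
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction Stop

# Empty AdminAccountName means the built-in RID 500 account is managed (found by SID).
$managed = if ($pol.AdminAccountName) { $pol.AdminAccountName } else { 'built-in (RID 500)' }

[pscustomobject]@{
    Enabled              = [bool]$pol.AdmPwdEnabled                  # "Enable local admin password management"
    Complexity           = $pol.PasswordComplexity                   # 4 = upper + lower + digits + specials
    Length               = $pol.PasswordLength                       # guide default: 14
    AgeDays              = $pol.PasswordAgeDays                      # guide default: 30
    ExpirationProtection = [bool]$pol.PwdExpirationProtectionEnabled # "Do not allow password expiration time longer than required by policy"
    ManagedAccount       = $managed
}
```

If Get-ItemProperty fails, the GPO has not applied to this computer: check the link and security filtering before looking at the client. Once the policy is present, the first rotation happens at that same refresh, and the result shows up in the computer object's ms-Mcs-AdmPwdExpirationTime attribute.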


Check Active Directory Schema and Extended Rights

A quick report to see all of the accounts and groups that hold extended rights, per OU:

Get-ADOrganizationalUnit -Filter * | Find-AdmPwdExtendedRights -PipelineVariable OU |
    ForEach-Object { $_.ExtendedRightHolders | ForEach-Object { [pscustomobject]@{ OU = $OU.ObjectDN; Holder = $_ } } }

Another way to look at the result, once a client has checked in, is to read its password with the following command:

Get-AdmPwdPassword -ComputerName ESLAB-CL01 | Format-List

From ADUC (Active Directory Users and Computers, Attribute Editor tab) we can check the computer object's ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.
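Reading one computer at a time with Get-AdmPwdPassword or ADUC does not tell you how far the rollout has got. The script below is an added example, not part of the guide: it applies the decision the client makes in the "How LAPS Works" section (attribute missing or expired means a rotation is due) to every computer under the managed OU, and classifies each as never managed, expired, or managed. It reads only ms-Mcs-AdmPwdExpirationTime, which is not confidential, so it can run as an account that is deliberately not allowed to see ms-Mcs-AdmPwd. It assumes the RSAT ActiveDirectory module and uses the guide's OU.

```powershell
# Added example (not from the guide): LAPS rollout state for every computer under the
# managed OU. Assumes the ActiveDirectory module; the OU is the one used in the guide.
Import-Module ActiveDirectory -ErrorAction Stop
$ManagedOU = 'OU=AllComputers,DC=LAB,DC=Local'
$Now = Get-Date

Get-ADComputer -SearchBase $ManagedOU -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime', 'lastLogonTimestamp' |
    ForEach-Object {
        # Both attributes are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC)
        # stored as Int64, which is why ADUC shows them as large integers.
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        $exp = if ($raw) { [DateTime]::FromFileTime([int64]$raw) } else { $null }
        $seen = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime([int64]$_.lastLogonTimestamp) } else { $null }

        # Same test the CSE applies: no value or a value in the past means a rotation is due.
        $state = if (-not $raw) {
            'NeverManaged'   # CSE never wrote: missing client, GPO not applied, or no SELF write permission
        } elseif ($exp -lt $Now) {
            'Expired'        # rotation due at next policy refresh; stale if it stays here for days
        } else {
            'Managed'
        }

        [pscustomobject]@{
            Computer  = $_.Name
            State     = $state
            Expires   = $exp
            LastLogon = $seen
        }
    } | Sort-Object State, Computer | Format-Table -AutoSize
```

A machine that is NeverManaged but has a recent LastLogon is the one to chase: it is online and talking to AD, so the gap is on the client (CSE or policy) or in the SELF permission on its OU. To force an immediate rotation on a managed machine, Reset-AdmPwdPassword -ComputerName <name> clears the expiration time and the CSE generates a new password at the next refresh.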