What is LAPS?
A lot of organisations will use the same local administrator password across all machines, which is a bad idea for a number of reasons. At a basic level, if this password is learnt, it allows anyone to install software as an administrator – at a higher level it facilitates things such as pass the hash, mimikatz and general reconnaissance against your machines (usually with the goal of elevating to Domain Admin).
If you currently deploy your Local Administrator account via Group Policy Preferences, it is even easier for an attacker to obtain the shared local administrator password. The CPASSWORD value is easily searchable in SYSVOL, and Microsoft publish the 32-byte AES key which can be used to decrypt it. Alan has a great post here on why you should stop using Group Policy Preferences for deploying Local Administrators.
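As an added example (not code from the original post), the script below scans SYSVOL for Group Policy Preferences items that still carry a cpassword attribute, so those GPOs can be retired before LAPS takes over. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and the caller can read SYSVOL; the list of GPP file names is the set of preference types that can embed a password. It only reports where a stored password exists, it does not decrypt anything.

```powershell
# Added example: find GPP XML files in SYSVOL that still contain a cpassword attribute.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to SYSVOL.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = (Get-ADDomain).DNSRoot
$policies = "\\$domain\SYSVOL\$domain\Policies"

# GPP XML files that are able to carry an embedded (AES-encrypted) password
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

$findings = foreach ($file in Get-ChildItem -Path $policies -Recurse -Include $gppFiles -ErrorAction SilentlyContinue) {
    [xml]$xml = Get-Content -Path $file.FullName -Raw

    # Any element that carries a non-empty cpassword attribute
    $nodes = $xml.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')
    if ($nodes.Count -eq 0) { continue }

    # The GPO GUID is the folder name directly under Policies, e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}
    $gpoGuid = $file.FullName -split '\\' | Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' } | Select-Object -First 1
    $gpoName = '<unresolved>'
    if ($gpoGuid) {
        $gpo = Get-GPO -Guid $gpoGuid.Trim('{}') -ErrorAction SilentlyContinue
        if ($gpo) { $gpoName = $gpo.DisplayName }
    }

    foreach ($node in $nodes) {
        [pscustomobject]@{
            GPO     = $gpoName
            File    = $file.FullName
            Element = $node.ParentNode.LocalName      # e.g. User, Service, Task
            Account = $node.GetAttribute('userName')  # populated for local user entries in Groups.xml
        }
    }
}

if ($findings) {
    Write-Warning "GPP items with a stored password found. Remove them; GPP cannot keep the password secret."
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No cpassword attributes found under $policies"
}
```

Run it from a machine with RSAT as a user who can read SYSVOL; any row in the output is a preference item that should be deleted (not just edited) once LAPS is managing the account.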
So what can we do?
LAPS – Local Administrator Password Solution! This is Microsoft’s solution to managing Local Administrator account passwords across an organisation. LAPS features include:
• Sets a unique, randomly generated password PER machine
• Automatically changes the Local Administrator password every x days
• Stores Local Administrator passwords as an attribute of the Computer object in Active Directory
• Passwords are protected in AD by the AD ACL, so a granular security model can be easily implemented
• Passwords are protected in transit by Kerberos encryption
This post will cover preparing Active Directory and deploying LAPS to the machines you wish to manage. Part 2 will cover enabling LAPS via Group Policy, and general usage.
Management Machine
First off, we’re going to install the management portion of LAPS. Download LAPS here and next, next through the installation. On the custom setting page choose all of the management tools. The AdmPwd GPO Extension is required if the machine you’re installing the management portion on will also be managed by LAPS.
Follow ‘Preparing Active Directory’ on the management machine.
Preparing Active Directory
1. Extending the Active Directory Schema
The Active Directory Schema needs to be extended to add two attributes to the computer class. These are ms-MCS-AdmPwd which stores the password in clear text, and ms-Mcs-AdmPwdExpirationTime which stores the password expiration time. You will need to be a member of the Schema Admins security group.
# The LAPS PowerShell module is named AdmPwd.PS
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
2. Adding Machine Rights
You need to delegate the right that allows each computer object to write to its own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=SA Computers,DC=thesysadmins,DC=co,DC=uk"
This sets the following permissions against all computer objects within the OU specified, including all child objects.
Behind the scenes, Set-AdmPwdComputerSelfPermission adds an access control entry on the OU, inherited by its computer objects, that grants NT AUTHORITY\SELF write access to the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes. Each computer can therefore update only its own password and expiry time.
3. Check ExtendedRights permissions on OU
To get information on the groups and users able to read the password (ms-MCS-AdmPwd) for a specific Organizational Unit (OU), run the following.
Find-AdmPwdExtendedRights -Identity "OU=SA Computers,DC=thesysadmins,DC=co,DC=uk" | Format-Table ExtendedRightHolders
4. Remove ExtendedRights permission on OU
If you need to remove the permission to view the password (ms-MCS-AdmPwd) for a group or user, carry out the following.
- Open ADSIEdit
- Right Click on the OU that contains the computer accounts that you are installing this solution on and select Properties
- Click the Security tab
- Click Advanced
- Select the Group(s) or User(s) that you don’t want to be able to read the password and then click Edit
- Uncheck All extended rights
5. Delegate a Security group the rights to view and reset LAPS
Here I’m delegating the Security Group ‘LAPS’ the right to view the LAPS Password and to have the ability to reset the password (more on that in part 2). I’ve re-run the ExtendedRights cmdlet, and you can now see that the LAPS group has been added.
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=SA Computers,DC=thesysadmins,DC=co,DC=uk" -AllowedPrincipals "LAPS"
Set-AdmPwdResetPasswordPermission -OrgUnit "OU=SA Computers,DC=thesysadmins,DC=co,DC=uk" -AllowedPrincipals "LAPS"
Behind the scenes, Set-AdmPwdReadPasswordPermission adds an ACE on the computer objects granting the delegated principal read access to ms-Mcs-AdmPwd (including the extended/control-access right, which is required because ms-Mcs-AdmPwd is a confidential attribute), and Set-AdmPwdResetPasswordPermission grants write access to ms-Mcs-AdmPwdExpirationTime, which is how a password reset is requested.
Active Directory is now prepared!
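Steps 2, 3 and 5 above all come down to ACEs on the OU. As an added example (not code from the original post or from the LAPS tooling), the script below reads the OU’s ACL directly with the RSAT ActiveDirectory module and lists every entry that targets the two LAPS attributes or grants “All extended rights”, so you can confirm what the cmdlets did and spot any unexpected principal. It assumes the OU distinguished name used in this post and that the schema has already been extended.

```powershell
# Added example: list the ACEs on an OU that affect the LAPS attributes.
# Assumes the RSAT ActiveDirectory module; the OU is the one used in this post.
Import-Module ActiveDirectory

$ou       = 'OU=SA Computers,DC=thesysadmins,DC=co,DC=uk'
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# ACEs identify an attribute by its schemaIDGUID, so resolve both LAPS attributes first
$lapsAttrs = @{}
foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $schemaObj) { throw "Schema attribute $name not found; run Update-AdmPwdADSchema first." }
    $lapsAttrs[[guid]$schemaObj.schemaIDGUID] = $name
}

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$acl = Get-Acl -Path "AD:\$ou"

$report = foreach ($ace in $acl.Access) {
    $onLapsAttr = $lapsAttrs.ContainsKey($ace.ObjectType)
    # An ObjectType of all zeros means "every property / every extended right";
    # combined with ExtendedRight (or GenericAll) it also covers the confidential ms-Mcs-AdmPwd attribute.
    $allExtended = ($ace.ObjectType -eq [guid]::Empty) -and (($ace.ActiveDirectoryRights -band $extendedRight) -ne 0)
    if (-not ($onLapsAttr -or $allExtended)) { continue }

    $scope = 'All extended rights'
    if ($onLapsAttr) { $scope = $lapsAttrs[$ace.ObjectType] }

    [pscustomobject]@{
        Principal = $ace.IdentityReference
        Scope     = $scope
        Rights    = $ace.ActiveDirectoryRights
        Type      = $ace.AccessControlType
        Inherited = $ace.IsInherited
    }
}

# Expected after steps 2 and 5: NT AUTHORITY\SELF with WriteProperty on both attributes,
# the LAPS group with ReadProperty/ExtendedRight on ms-Mcs-AdmPwd and WriteProperty on
# ms-Mcs-AdmPwdExpirationTime, plus whatever administrative groups hold "All extended rights".
$report | Sort-Object Principal | Format-Table -AutoSize
```

Any principal listed under “All extended rights” that is not an intended administrative group is a candidate for step 4: it can read every LAPS password under that OU even though it never appears in a LAPS-specific ACE.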
Deploying LAPS
Deploying LAPS is very straightforward, and can be done via Group Policy, SCCM, login script, manual install etc…
Examples:
Deploying LAPS to x64 machines (by default no management tools are installed, only the CSE required to manage the computer)
msiexec /q /i \\server\share\LAPS.x64.msi
Deploying LAPS to x86 machines
msiexec /q /i \\server\share\LAPS.x86.msi
Optional: Deploying LAPS to x64 machines and creating a custom admin account “LocalAdmin” during setup
msiexec /q /i \\server\share\LAPS.x64.msi CUSTOMADMINNAME=LocalAdmin
Group Policy
If you want to deploy a new custom Local Administrator account via Group Policy, due to the limitations of Group Policy software installation you will need to use Orca or InstEd to generate an MST to pass the CUSTOMADMINNAME value. Edit the Property table, and replace __null__ with the name of the Local Administrator you’d like to create.
SCCM
To confirm the installation has succeeded, check that C:\Program Files\LAPS\CSE\AdmPwd.dll is present.
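Checking one machine by hand does not scale, so here is an added example (not code from the original post) that walks every computer in the OU used in this post, checks the CSE DLL over the admin share, and reads back ms-Mcs-AdmPwdExpirationTime from AD. It assumes the RSAT ActiveDirectory module, admin share access to the targets, and that the expiration attribute will be empty until the Group Policy from part 2 switches LAPS on.

```powershell
# Added example: verify the LAPS CSE is installed on each computer in an OU and
# show whether AD already holds a password expiration time for it.
# Assumes the RSAT ActiveDirectory module and admin share (C$) access to each computer.
Import-Module ActiveDirectory

$ou     = 'OU=SA Computers,DC=thesysadmins,DC=co,DC=uk'
$cseDll = 'C$\Program Files\LAPS\CSE\AdmPwd.dll'

Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $name    = $_.Name
        $dllPath = "\\$name\$cseDll"

        $online    = Test-Connection -ComputerName $name -Count 1 -Quiet
        $installed = $false
        $version   = $null
        if ($online) {
            $installed = Test-Path -Path $dllPath
            if ($installed) { $version = (Get-Item -Path $dllPath).VersionInfo.ProductVersion }
        }

        # The attribute is a Windows FILETIME (100ns ticks since 1601-01-01 UTC);
        # it stays empty until the LAPS Group Policy has applied and the CSE has set a password.
        $expiry = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = $null
        if ($expiry) { $expires = [DateTime]::FromFileTimeUtc([int64]$expiry) }

        [pscustomobject]@{
            Computer        = $name
            Online          = $online
            CSEInstalled    = $installed
            CSEVersion      = $version
            PasswordExpires = $expires
        }
    } | Format-Table -AutoSize
```

A row with CSEInstalled true but no PasswordExpires is the expected state at the end of part 1; once the policy from part 2 is enabled, that column should fill in after the next Group Policy refresh on each machine.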
The bulk of the deployment has now been completed. In part 2 we will cover Group Policy which will essentially turn LAPS on, how to view passwords and some general discussion on the solution.
Microsoft Local Administrator Password Solution (LAPS) – Part 2 Coming soon
The post Deploying Microsoft LAPS – Part 1 appeared first on The Sysadmins.