Management of the Windows local Administrator account is notoriously difficult and fraught with security risks. Traditionally, organizations have had to balance speed or convenience against good security practice. We want to give IT staff and end users enough flexibility to move fast, but this often leaves the organization vulnerable.
You’re likely familiar with the common security concerns. For instance, if one end user is given the local administrator password they may share that password with other end users who can then install software applications of their choice, bypass security controls (like virus scans), reconfigure firewall settings, or even postpone vital security updates. Compromised identical local account credentials greatly increase the risk of a Pass-the-Hash (PtH) credential replay attack and lateral movement through the organization. Fortunately, Microsoft developed a solution for central management of our local Windows passwords. Read on to learn how it helps and how it can be implemented.
The “Local Administrator Password Solution” (LAPS) manages the local account passwords of domain-joined computers. Passwords are stored in Active Directory (AD) and protected by an Access Control List (ACL), so only eligible users can read them or request a reset.
LAPS is a great fit for any organization that faces the challenges below when it comes to local administrator password management:
- Do you need to manage local administrative passwords in Windows?
- Do you need to automate resetting local administrative passwords?
- Do you need the administrative passwords on each managed computer to be unique?
- Do you need to store and retrieve administrative passwords?
How does LAPS help?
- LAPS is built upon AD infrastructure, so there is no need to install and support other technologies (such as SQL).
- The LAPS agent is a Group Policy Client Side Extension that is installed on managed machines and performs all management tasks.
- The management tools included with the solution allow for easy configuration and administration.
Ready to test LAPS out? Here are the steps for getting started.
1. Download LAPS from Microsoft. You can use this link. Choose the architecture you need, and download the additional documentation for working with LAPS.
2. Install the LAPS fat client, PowerShell module, and Group Policy templates on a management computer.
3. Deploy LAPS to the client machines. You have some flexibility here: you can deploy the client manually, or use methods such as GPO Software Installation or SCCM deployment. When you are ready to roll the solution out broadly, you can include the LAPS agent in the Windows image when deploying Windows with WDS, MDT, or SCCM.
4. Extend the AD schema using PowerShell on the management computer.
5. Grant computers the ability to update their password attribute using PowerShell.
6. Grant rights to users to allow them to retrieve a computer’s password with PowerShell.
7. Configure Group Policy for LAPS. The “Name of administrator account” GPO setting can specify a non-built-in administrative account. LAPS monitors and changes only one account, but that account does not have to be the built-in Administrator. The built-in Administrator does not need to be named in this setting, even if it has been renamed, because LAPS identifies it by its well-known SID.
8. Once LAPS is in place, you can view the password settings of a managed computer using the PowerShell command below.
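The AD preparation in steps 4 through 8, as an added PowerShell example that is not part of the original post. It assumes the LAPS PowerShell module (AdmPwd.PS) is installed on the management computer and that the session holds Schema Admin rights for step 4 and Domain Admin rights for steps 5 and 6; the OU, group, and computer names are placeholders.

```powershell
# Added example: one-time AD setup for LAPS plus a post-deployment check.
# Run on the management computer with the LAPS PowerShell module installed.
# The OU, group and computer names below are placeholders; substitute your own.
Import-Module AdmPwd.PS

$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$HelpDeskGroup = 'CORP\LAPS-PasswordReaders'             # placeholder group
$Computer      = 'WS-001'                                # placeholder computer

# Step 4: extend the schema with the ms-Mcs-AdmPwd (password) and
# ms-Mcs-AdmPwdExpirationTime attributes on the computer class.
Update-AdmPwdADSchema

# Step 5: allow each computer in the OU to write its own password and expiry time.
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU

# Step 6: grant a group the right to read passwords and, separately, to
# request a reset. Keep the reset right to a smaller group if you can.
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationOU -AllowedPrincipals $HelpDeskGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals $HelpDeskGroup

# Check: principals that already hold "All extended rights" on the OU can read
# ms-Mcs-AdmPwd as well, so review this list before trusting the ACL.
Find-AdmPwdExtendedRights -Identity $WorkstationOU |
    Select-Object ObjectDN, ExtendedRightHolders

# Step 8: after the GPO has applied and the agent has run, read one machine's
# current password and its expiry timestamp.
Get-AdmPwdPassword -ComputerName $Computer |
    Select-Object ComputerName, Password, ExpirationTimestamp

# Optional: expire the password now so the agent rotates it at the next
# Group Policy refresh (useful after a help-desk user has used it).
Reset-AdmPwdPassword -ComputerName $Computer
```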
The Local Administrator Password Solution (LAPS) addresses the problem of using a common local account with an identical password on every computer in a domain. It retains flexibility and speed without compromising security, by setting a unique, random password for the local administrator account on every managed computer in the domain.