What is LAPS:
Local Administrator Password Solution (LAPS) is a free tool from Microsoft that sets a random, unique password for the local administrator account on every domain-joined endpoint and stores those passwords in Active Directory (AD). LAPS rotates the passwords automatically on a regular schedule, and administrators with the required privileges can retrieve them from Active Directory. In environments where users cannot log on to computers with domain credentials, managing local passwords is a colossal problem; LAPS solves it by generating and assigning a unique, random password to the local administrator account on each endpoint.
Note: You can download LAPS installation media from the link below:
https://www.microsoft.com/en-us/download/details.aspx?id=46899
Implementing LAPS:
Implementing the LAPS tool requires:
- An update in the Active Directory Schema
- Installing the Group Policy Client Side Extension (CSE) on the target endpoints (by selecting the AdmPwd GPO Extension option during installation)
- Creating a GPO to configure LAPS
- Installing the administrative template files (admx files)
- Configuring the LAPS settings exposed by the admx templates according to requirements
- Applying the GPO to the desired Organizational Unit (OU)
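The steps above, carried out from an administrative workstation with the LAPS management tools (the AdmPwd.PS module) and the GroupPolicy RSAT module installed. This is an added example, not code from the original article or from Microsoft; the OU, group and GPO names are placeholders for your own environment, and the policy registry values written by Set-GPRegistryValue are the ones the LAPS admx template maps to under HKLM\Software\Policies\Microsoft Services\AdmPwd.

```powershell
# Added example (not part of the original article): deploy LAPS end to end.
# Assumes AdmPwd.PS (from the LAPS installer) and the GroupPolicy RSAT module.
Import-Module AdmPwd.PS
Import-Module GroupPolicy

$targetOU    = 'OU=Workstations,DC=corp,DC=example'   # placeholder: OU holding member endpoints
$readerGroup = 'CORP\LAPS-Readers'                    # placeholder: group allowed to read passwords
$gpoName     = 'LAPS - Workstations'                  # placeholder: GPO name

# 1. Extend the AD schema (adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).
#    Needs Schema Admins membership and runs once per forest.
Update-AdmPwdADSchema

# 2. Let computers in the OU write their own password and expiration time.
Set-AdmPwdComputerSelfPermission -OrgUnit $targetOU

# 3. Grant the password read right only to the designated group.
Set-AdmPwdReadPasswordPermission -OrgUnit $targetOU -AllowedPrincipals $readerGroup

# 4. Create the GPO and set the values the admx template exposes.
$null = New-GPO -Name $gpoName
$policyKey = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'AdmPwdEnabled'      -Type DWord -Value 1   # enable management
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'PasswordComplexity' -Type DWord -Value 4   # upper, lower, digits, specials
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'PasswordLength'     -Type DWord -Value 20
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'PasswordAgeDays'    -Type DWord -Value 30
# "Do not allow password expiration time longer than required by policy"
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1

# 5. Link the GPO to the member-endpoint OU only (never to Domain Controllers).
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes

# 6. Verify which principals can now read the password attribute in that OU.
Find-AdmPwdExtendedRights -Identity $targetOU | Format-Table ObjectDN, ExtendedRightHolders -AutoSize
```

Step 6 is the check worth repeating after any ACL change: every holder listed by Find-AdmPwdExtendedRights can read the clear-text password, whether or not they were granted it through LAPS's own cmdlet.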
LAPS can manage only local administrator account passwords, so it must not be used directly on Domain Controllers, because DCs do not have a conventional local administrator account. It is therefore highly recommended that the LAPS CSE and LAPS GPO be deployed only on member endpoints.
LAPS vulnerability:
LAPS has some security gaps which need to be eliminated such as:
- Strong authentication and authorization are not supported by LAPS
- Administrator accounts remain exposed to attack because LAPS does not provide just-in-time (JIT) access
- Attackers can use stolen passwords because there is no forced password reset
- All users must know their account passwords, which introduces security issues
- If Active Directory is unavailable in a disaster recovery scenario, the passwords for local Administrator accounts cannot be retrieved and a local password reset is required using tools such as DaRT (Disaster and Recovery Toolset)
LAPS Security Recommendations:
There are some security recommendations that must be followed while using LAPS:
- LAPS policies must be assigned to users via Item-Level Targeting
- Organization must deny the ability to retrieve a password for the LAPS Readers Group
- While configuring LAPS, set “Do Not Allow Longer Expiration” to Enabled
- While configuring LAPS, configure a strong password length and complexity
- “All Extended Rights” permission must be removed for users and groups that are not allowed to retrieve passwords
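An audit script for the last two recommendations, added here as an example and not taken from the original article: it lists every principal holding extended rights on the containers under an OU, flags any that are not on an allow list, and confirms that the GPO sets the expiration-protection value. The OU, GPO name and allow-list entries are placeholders; remediation itself (removing “All Extended Rights” from an unexpected principal) is done in ADSI Edit or dsacls and is not automated here.

```powershell
# Added example (not part of the original article): audit LAPS read exposure.
# Assumes the AdmPwd.PS and GroupPolicy modules are available.
Import-Module AdmPwd.PS
Import-Module GroupPolicy

$scopeOU = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$gpoName = 'LAPS - Workstations'                  # placeholder GPO name
# Principals that are expected to be able to read LAPS passwords (placeholders).
$allowed = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', 'CORP\LAPS-Readers')

function Get-UnexpectedLapsReaders {
    param([string]$OrgUnit, [string[]]$AllowList)
    # Find-AdmPwdExtendedRights returns one object per container; ExtendedRightHolders
    # is the list of accounts holding extended rights there (and so able to read ms-Mcs-AdmPwd).
    Find-AdmPwdExtendedRights -Identity $OrgUnit | ForEach-Object {
        $dn = $_.ObjectDN
        $_.ExtendedRightHolders |
            Where-Object { $AllowList -notcontains $_ } |
            ForEach-Object { [pscustomobject]@{ Container = $dn; UnexpectedHolder = $_ } }
    }
}

function Test-LapsExpirationProtection {
    param([string]$Gpo)
    $v = Get-GPRegistryValue -Name $Gpo -Key 'HKLM\Software\Policies\Microsoft Services\AdmPwd' `
                             -ValueName 'PwdExpirationProtectionEnabled' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Value -eq 1)
}

$findings = Get-UnexpectedLapsReaders -OrgUnit $scopeOU -AllowList $allowed
if ($findings) {
    Write-Warning "Principals with extended rights that are not on the allow list (remove 'All extended rights' for them):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No unexpected extended-rights holders under $scopeOU"
}

if (Test-LapsExpirationProtection -Gpo $gpoName) {
    Write-Host "'Do not allow password expiration time longer than required by policy' is enabled in $gpoName"
} else {
    Write-Warning "Expiration protection is not enabled in $gpoName"
}
```

Run the audit on a schedule: a new delegation on a parent OU, or a helpdesk group added to an existing ACL, silently widens who can read every local administrator password beneath it.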
Policy Path:
If LAPS is installed, the “AdmPwd.dll” file is present at the following path:
C:\Program Files\LAPS\CSE\AdmPwd.dll
Registry Settings:
If the following registry value is present, the LAPS GPO/CSE extension is installed:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}:DllName
Default Value:
By default, LAPS is not installed
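A local check that combines the file path and the registry value from the two sections above, added here as an example and not taken from the original article. It runs on the endpoint itself, reports whether the CSE DLL is present and registered with Winlogon, and, if the LAPS policy key exists, shows the settings the GPO delivered; the function name and output fields are my own.

```powershell
# Added example (not part of the original article): detect the LAPS CSE on this machine.
# Uses only the DLL path and GPExtensions registry value listed in the article.
$dllPath = 'C:\Program Files\LAPS\CSE\AdmPwd.dll'
$cseKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
$policyKey = 'HKLM:\Software\Policies\Microsoft Services\AdmPwd'

function Test-LapsCseInstalled {
    # The DLL on disk and the Winlogon registration are both required for the CSE to run.
    $dllPresent = Test-Path -LiteralPath $dllPath
    $reg = Get-ItemProperty -LiteralPath $cseKey -Name DllName -ErrorAction SilentlyContinue
    $registeredDll = if ($reg) { $reg.DllName } else { $null }
    [pscustomobject]@{
        DllPresent    = $dllPresent
        CseRegistered = [bool]$registeredDll
        RegisteredDll = $registeredDll
        Installed     = ($dllPresent -and [bool]$registeredDll)
    }
}

function Get-LapsAppliedPolicy {
    # Values under the policy key are written by the GPO; absence means no LAPS GPO applies here.
    if (-not (Test-Path -LiteralPath $policyKey)) { return $null }
    Get-ItemProperty -LiteralPath $policyKey |
        Select-Object AdmPwdEnabled, PasswordLength, PasswordComplexity, PasswordAgeDays, PwdExpirationProtectionEnabled
}

$status = Test-LapsCseInstalled
$status | Format-List

$policy = Get-LapsAppliedPolicy
if ($policy) {
    $policy | Format-List
} else {
    Write-Host "No LAPS policy registry key found; the LAPS GPO does not apply to this machine."
}
```

A machine where Installed is true but the policy key is missing has the extension but is not managed, which is the state the article's default describes; the inverse (policy present, DLL missing) means the GPO is linked but the CSE was never deployed to that endpoint.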