PowerShell: Local Administrator Password Solution (LAPS)

[German]Here is a tip for administrators in the corporate environment that I recently came across. It’s about the PowerShell script of the week, Local Administrator Password Solution (LAPS), which allows you to manage passwords for local accounts on domain computers.


Advertising

Passwords are stored in Active Directory (AD) and are protected by ACL (Access Control Lists) so that only authorized users can read them or request a reset. In a tweet, Windows IT Pro (from Microsoft) points to a PowerShell solution for managing local administrator passwords.

Local Administrator Password Solution (LAPS)

In environments where users must log on to computers without domain credentials, password management can become a complex issue. Such environments significantly increase the risk of a Pass-the-Hash (PtH) Credential Replay attack. The Local Administrator Password Solution (LAPS) provides a solution to the problem of using a shared local account with an identical password on each computer in a domain.

LAPS solves this problem by setting a different, random password for the shared local administrator account on each computer in the domain. Domain administrators using the solution can determine which users, such as help desk administrators, are authorized to read passwords.

LAPS simplifies password management and helps customers implement recommended defenses against cyber attacks. In particular, the solution reduces the risk of lateral escalation. This happens when customers use the same administrative local account and password combination on their computers.


Advertising

LAPS stores the password for the local administrator account of each computer in Active Directory, which is stored in a confidential attribute in the corresponding Active Directory object of the computer. The computer can update its own password information in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.

How does LAPS work?

The core of the LAPS solution is a GPO client-side extension (CSE) that performs the following tasks and can enforce the following actions during a GPO update:

 

  • Checks whether the password of the local Administrator account has expired.
  • Generates a new password when the old password is either expired or is required to be changed prior to expiration.
  • Validates the new password against the password policy.
  • Reports the password to Active Directory, storing it with a confidential attribute with the computer account in Active Directory.
  • Reports the next expiration time for the password to Active Directory, storing it with an attribute with the computer account in Active Directory.
  • Changes the password of the Administrator account.

The password then can be read from Active Directory by users who are allowed to do so. Eligible users can request a password change for a computer.

hat are the LAPS features?

The PowerShell LAPS solution includes the following features:

  • Security that provides the ability to
    • Randomly generate passwords that are automatically changed on managed machines.
    • Effectively mitigate PtH attacks that rely on identical local account passwords.
    • Enforced password protection during transport via encryption using the Kerberos version 5 protocol.
    • Use access control lists (ACLs) to protect passwords in Active Directory and easily implement a detailed security model.
  • Manageability that provides the ability to:
    • Configure password parameters, including age, complexity, and length.
    • Force password reset on a per-machine basis.
    • Use a security model that is integrated with ACLs in Active Directory.
    • Use any Active Directory management tool of choice; custom tools, such as Windows PowerShell, are provided.
    • Protect against computer account deletion.
    • Easily implement the solution with a minimal footprint.

he LAPS PowerShell script is available for the following versions of Windows:

  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Additionally required:

  • Active Directory: (requires a D schema extensi)
    • Windows 2003 SP1 or higher
  • Managed machines:
    • Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later. Itanium-based machines are not supported.
  • Management-Tools:
    • .NET Framework 4.0
    • PowerShell 2.0 or later

The PowerShell solution can be downloaded free of charge from this Microsoft site. You will also find instructions on how to install the package. Maybe it’s helpful.


Advertising
This entry was posted in Security, Software, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *