Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is Microsoft LAPS: Security, Installation, and FAQs

Microsoft LAPS

Microsoft Local Administrator Password Solution (LAPS) is a powerful tool for safeguarding administrator passwords and preventing unauthorized access to sensitive systems and information. It ensures security by randomizing administrator passwords within a domain, reducing the risk of all passwords being compromised if one is breached. This feature encourages administrators to use unique passwords that change regularly, eliminating the use of default or duplicate passwords within the system.

What is Microsoft LAPS

Microsoft Local Administrator Password Solution (LAPS) is a tool that handles the management of local administrator passwords and shared permissions by storing them in Active Directory. It ensures that passwords are regularly randomized and updated, minimizing the risk of hacking. This prevents system administrators from using the same password across the network or using predictable naming conventions, thus increasing overall system security.

LAPS Security Best Practices

To ensure the security of LAPS and prevent unauthorized access, you can employ the following best practices.

Use PowerShell permission scripts: To carefully manage access permissions to the attributes added by LAPS, you should verify and apply correct permissions using permission scripts. These scripts, which are readily available online, can check existing attribute access and automatically apply new permissions when necessary.

Remove ‘All Extended Rights’: It is advisable to remove the default “All Extended Rights” permission from users and groups that should not view local administrator account passwords. LAPS stores each password as a clear-text attribute in Active Directory, and removing this permission ensures that the attribute cannot be accidentally discovered through extended permissions.

Restrict password reset permissions: In LAPS, password reset capabilities should be restricted solely to the local administrator. As a rule of thumb, it is important to establish strict limitations on password resets, and this holds true for LAPS as well.

Conduct security awareness training for administrators: To promote secure installation, configuration, and utilization of LAPS, it is crucial to conduct training sessions for administrators. Administrators should be educated about potential vulnerabilities in LAPS and instructed on how to prevent unauthorized users from accessing passwords or unintentionally modifying settings.

Use a threat detection and response solution: Beyond implementing proper configurations, it is advisable to incorporate threat detection and response software into your data protection strategy. This software can alert you to any unauthorized access or users, serving as an additional defense layer for LAPS and your overall IT ecosystem.
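The permission check described under "Use PowerShell permission scripts" and "Remove 'All Extended Rights'", as an added example that is not Lepide's or Microsoft's code: it classifies access control entries by whether they expose the ms-Mcs-AdmPwd attribute. The function name, the sample principals and both GUIDs are constructed placeholders; the commented lines at the end show how real ACEs would be fed in, assuming the RSAT ActiveDirectory module.

```powershell
# ms-Mcs-AdmPwd is a confidential attribute: reading it needs the ExtendedRight
# (control access) bit, granted for all rights or for this attribute specifically.
# Inheritance scope is not evaluated, so treat every hit as a candidate to review.
function Find-LapsPasswordExposure {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Ace,
        [Parameter(Mandatory)] [guid] $AdmPwdGuid,  # schemaIDGUID of ms-Mcs-AdmPwd
        [string[]] $Approved = @()                  # principals meant to read passwords
    )
    process {
        if ("$($Ace.AccessControlType)" -ne 'Allow') { return }
        $rights = "$($Ace.ActiveDirectoryRights)"
        $type   = [guid]$Ace.ObjectType
        $reason = if ($rights -match 'GenericAll') { 'Full control (includes All Extended Rights)' }
                  elseif ($rights -notmatch 'ExtendedRight') { $null }
                  elseif ($type -eq [guid]::Empty) { 'All Extended Rights' }
                  elseif ($type -eq $AdmPwdGuid)   { 'Control access on ms-Mcs-AdmPwd' }
        if ($reason) {
            [pscustomobject]@{
                Principal = "$($Ace.IdentityReference)"
                Reason    = $reason
                Approved  = $Approved -contains "$($Ace.IdentityReference)"
            }
        }
    }
}

# Constructed sample ACEs; the GUIDs and names are placeholders, not real values.
$pwdGuid = [guid]'11111111-2222-3333-4444-555555555555'
$other   = [guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
$sample  = @(
    @('EXAMPLE\LAPS-Readers', 'ReadProperty, ExtendedRight', $pwdGuid),
    @('EXAMPLE\Helpdesk',     'ExtendedRight',               [guid]::Empty),
    @('EXAMPLE\OU-Admins',    'GenericAll',                  [guid]::Empty),
    @('EXAMPLE\Pwd-Reset',    'ExtendedRight',               $other),
    @('EXAMPLE\Auditors',     'ReadProperty',                [guid]::Empty)
) | ForEach-Object {
    [pscustomobject]@{ IdentityReference = $_[0]; AccessControlType = 'Allow'
                       ActiveDirectoryRights = $_[1]; ObjectType = $_[2] }
}
$sample | Find-LapsPasswordExposure -AdmPwdGuid $pwdGuid -Approved 'EXAMPLE\LAPS-Readers' |
    Format-Table -AutoSize

# Against a live domain, feed real ACEs instead of the sample:
#   $schema = (Get-ADRootDSE).schemaNamingContext
#   $attr   = Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
#   (Get-Acl 'AD:\OU=Workstations,DC=example,DC=com').Access |
#       Find-LapsPasswordExposure -AdmPwdGuid ([guid]$attr.schemaIDGUID)
```

Rows with `Approved` set to `False` are the ones to remove or justify; entries that grant only `ReadProperty`, or an extended right for an unrelated GUID, are not reported because they do not expose the password.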

Installing and Setting Up LAPS

To install Microsoft LAPS, you need to meet several technical requirements. You must have the .NET Framework 4.0 and PowerShell 2.0 installed. Additionally, you need to be running at least Windows Server 2003 SP1 or higher for managing the local administrator password. On desktop systems, Windows Vista SP2 or higher is necessary. In your Active Directory environment, you also need to be running Windows Server 2003 SP1 or higher. LAPS requires a schema update to support certain attributes for storing the local administrator password and its expiration time. Provided that your Microsoft technology stack is up to date, you should not face significant issues in meeting these requirements. Once LAPS is installed, you will need to complete the following steps:

  1. Check for required components: Ensure that you have all required LAPS components such as the Fat Client UI, PowerShell module, Group Policy templates, and AdmPwd GPO Extension.
  2. Extend the Active Directory schema: Use a PowerShell module to add the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes to the AD schema, which store the administrator password and expiry time.
  3. Configure password settings: Set password complexity, length, and expiration date in the LAPS Password Settings to generate strong passwords that change regularly.
  4. Grant access to the administrator: Name the administrator managing the account, enter their details, and grant them access. Alternatively, use the default administrator account provided with LAPS.
  5. Configure LAPS via Group Policy: Create a group policy in the Group Policy Management Editor to configure the LAPS client component.

After completing these steps, LAPS will generate/change passwords according to the specified complexity and time intervals, accessible only by designated administrators.
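The steps above as they would be typed on a management host, given here as an added example rather than Lepide's or Microsoft's own script. It assumes the AdmPwd.PS module installed with the LAPS management tools and the RSAT ActiveDirectory module; the OU, group and computer names are placeholders.

```powershell
# Placeholders (assumptions): replace with values from your own domain.
$ou       = 'Workstations'            # OU holding the managed computers
$readers  = 'EXAMPLE\LAPS-Readers'    # group allowed to read passwords
$reset    = 'EXAMPLE\LAPS-Resetters'  # group allowed to force a password reset
$computer = 'WS-0001'                 # one managed machine used for the final check

# Step 1: confirm the management components are present before changing anything.
Import-Module AdmPwd.PS     -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# Step 2: add ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime to the schema.
# Run this once, from an account that is a member of Schema Admins.
Update-AdmPwdADSchema

# Let each computer in the OU write its own password and expiry attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Step 4: delegate read and reset rights to named groups, not to individuals.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $reset

# Steps 3 and 5 (password settings and the client-side GPO) are configured in the
# Group Policy Management Editor and have no cmdlet in AdmPwd.PS.

# After the GPO has applied, verify that the machine has stored a password expiry.
# The attribute holds a Windows FILETIME value (100 ns ticks since 1601, UTC).
$c   = Get-ADComputer $computer -Properties 'ms-Mcs-AdmPwdExpirationTime'
$raw = $c.'ms-Mcs-AdmPwdExpirationTime'
if ($null -eq $raw) {
    Write-Warning "$computer has no LAPS expiry set; check GPO scope and the client extension."
} else {
    $expires = [datetime]::FromFileTimeUtc($raw)
    if ($expires -lt [datetime]::UtcNow) {
        Write-Warning "$computer password expired $expires (UTC) and has not been rotated."
    } else {
        Write-Output "$computer password is managed; next rotation due $expires (UTC)."
    }
}
```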

Microsoft LAPS FAQs

Is Microsoft LAPS secure?

Yes, Microsoft LAPS is secure as long as proper permissions are set in Active Directory.

What is the purpose of LAPS?

LAPS is used to prevent weak passwords and potential data breaches by ensuring that passwords are sufficiently complex and change regularly.

How does LAPS work?

LAPS works by using a GPO client-side extension to perform tasks such as checking and generating a new password for the local Administrator account, validating the password against the policy, and storing it in Active Directory. The password can then be accessed by eligible users for password changes.

What are the core features of LAPS?

LAPS allows you to:

  • Generate passwords at random and automatically update them on managed machines.
  • Prevent Pass-the-Hash attacks by eliminating identical local account passwords.
  • Ensure secure password transmission through encryption using the Kerberos version 5 protocol.
  • Protect passwords in Active Directory through access control lists (ACLs) and a flexible security model.
  • Configure options for password parameters like lifespan, complexity, and length.
  • Force password resets on individual machines.
  • Safeguard against accidental computer account deletion.

How much does LAPS cost?

LAPS is a free tool provided by Microsoft, with installation and management being the only cost.

Where can I download LAPS?

You can download LAPS from Microsoft’s website.

How can Lepide help to secure LAPS?

Lepide can help secure Local Administrator Password Solution (LAPS) by providing a comprehensive set of security features. Here are some ways Lepide can help:

Centralized management: Lepide provides a single console to view and manage all the LAPS configurations, policies, and events.

Password rotation: Lepide can automatically rotate the passwords of local administrator accounts on managed endpoints.

Real-time monitoring: Lepide records all LAPS related activities and provides real-time alerts for any suspicious or unauthorized access attempts.

Privileged account management: Lepide makes it easier to define roles and assign permissions to different users within your organization, ensuring that only authorized personnel can view or modify LAPS configurations and passwords.

Integration with Active Directory: Lepide seamlessly integrates with Active Directory, ensuring that the LAPS implementation is synchronized with your existing directory service.

If you’d like to see how the Lepide Data Security Platform can improve the security of LAPS, schedule a demo with one of our engineers.