Securing Local Administrator Passwords

Published by Mike Dent on

In today’s rapidly evolving digital landscape, maintaining a robust security posture is imperative for businesses and organizations of all sizes. One essential aspect of this security posture is effective password management, which can often be overlooked.

Read more: Securing Local Administrator Passwords

A question I ask my customers quite often scares me with the response.

Me: How are you managing the local administrator passwords within your environment?

Response::

  • Option 1: We use a consistent local admin password across all of our servers for easy access.
    – Option 1a: We use a consistent local admin password and keep that in a password vault.
  • Option 2: We use a unique password, but it’s different and difficult to keep track of across the deployments.

Windows Laps

Let’s just say both of those answers leave a lot to be desired, not only from a security standpoint but also from a manageability standpoint.

In this blog post, we will delve into why Windows LAPS should be an essential part of a comprehensive security strategy. Let’s look at 4 reasons why password management, and by extension, Windows LAPS, is an essential part of a comprehensive security strategy for password management.

Windows LAPS (Local Administrator Password Solution) is a valuable tool that is pivotal in bolstering an organization’s cybersecurity….

Mitigating Credential-Based Attacks

Credential-based attacks, such as brute force attacks and credential stuffing, are among the most common threats faced by organizations. These attacks can lead to unauthorized access to sensitive systems, data breaches, and extensive damage. Windows LAPS addresses this concern by regularly rotating and securing local administrator account passwords on Windows machines. This frequent password rotation reduces the window of opportunity for attackers, making it significantly more challenging for them to compromise your systems.

Eliminating Shared and Stale Credentials

One prevalent issue in many organizations is the use of shared or unchanged default local administrator passwords across multiple machines. This practice creates a massive security vulnerability since a single compromised machine can potentially grant access to an entire network. Windows LAPS ensures that each machine has a unique, strong password for its local administrator account. It also ensures that stale passwords are promptly updated, minimizing the risk associated with static credentials.

Protecting Against Insider Threats

Insider threats pose a significant risk to organizations, as they can come from trusted employees or contractors with legitimate access to systems. Windows LAPS helps mitigate this risk by regularly changing local administrator passwords without the need for human intervention. Even if a malicious insider attempts to misuse these credentials, the frequent password changes will limit the duration of their access and increase the likelihood of detection.

Simplifying Password Management

Manual password management is prone to human error and often results in weak or shared passwords. Windows LAPS automates the process, reducing the burden on IT staff and ensuring that passwords are consistently strong and regularly rotated. This streamlines password management tasks and helps maintain a more secure environment.

Password Management Recommendation

In almost every environment I either deploy or work within, I stress the use of Windows LAPS to regularly rotate and manage local administrator account passwords and get these benefits:

  • Protection against pass-the-hash and lateral-traversal attacks.
  • Improved security for remote help desk scenarios.
  • Ability to sign in to and recover devices that are otherwise inaccessible.
  • A fine-grained security model (access control lists and optional password encryption) for securing passwords that are stored in Windows Server Active Directory.
  • New for Windows LAPS: Support for the Entra role-based access control model for securing passwords stored in Microsoft Entra ID.

So let’s take a quick look at LAPS and see why it can be valuable. Yes, you should be deploying it!

LAPS Options

There are 2 versions of LAPS out there, I’ll briefly touch on each.

  1. Microsoft LAPS (Legacy)
  2. Windows LAPS (New Goodness!)

Microsoft LAPS

Microsoft developed LAPS (“(Local Administrator Password Solution”) – will be referred to as Legacy LAPS vs the newer Windows LAPS from here on out – to provide a solution to help with password management, specifically a local administrator password, either the well-known SID of the Built-In Administrator or another local administrator created in Windows.

While this tool worked well, it could be confusing and cumbersome to deploy, let’s see why:

  1. A Local Agent must be installed on any workstation/server to be managed.
    1. While this could be handled thru a master image deployment or something like Intune/SCCM, it was manual and hard to track compliance.
  2. Passwords were saved in plain text within Active Directory.

To get started, one would extend the AD Schema to support LAPS, set permissions on what OU(s) would be targeted, added permissions to who could retrieve and expire passwords, deployed the GPO .adml and .admx files to DC’s, created the GPO to set the password policies, and then finally needed to install the agent on any machine to be managed.

You also needed to install a GUI tool to retrieve the password, which could be a security risk as it was difficult to track where that tool was deployed.

Windows LAPS

Due to these limitations and a more security-based focus, Microsoft builds the LAPS tools directly into Windows, and is now available on the following OS platforms with the specified update or later installed:

  • Windows 11 22H2 – April 11 2023 Update
  • Windows 11 21H2 – April 11 2023 Update
  • Windows 10 – April 11 2023 Update
  • Windows Server 2022 – April 11 2023 Update
  • Windows Server 2019 – April 11 2023 Update

One of the benefits of Windows LAPS is that it’s now built into the OS, and no additional agent is needed, which helps with initial deployment and ongoing lifecycle management – no agents to update! Additionally, with Windows LAPS we no longer need to install a tool to retrieve the local admin password, as it’s now built into the Computer object in Active Directory Users and Computers.

So let’s do a quick feature set of why Windows LAPS is much more valuable than Legacy LAPS:

  1. No Agent installation required, built into Windows.
  2. Passwords can be stored in Active Directory or Azure Active Directory.
  3. Password Encryption when being stored in Active Directory.
  4. DSRM Administrator account password managed and backed up by Active Directory.
    -I’ve been lucky on this one in the past, but I’ve also heard horror stories, this one is a nice one to have!

One area that I will not be going into in this article is using Windows LAPS with Entra ID, which is a function that is still in Preview. By default Microsoft Entra ID doesn’t allow managed devices to post new Windows LAPS passwords to Microsoft Entra ID. You MUST first have your IT admin enable the feature at the Microsoft Entra tenant level. If your devices are hybrid-joined to on-premises Windows Server Active Directory, you can deploy policy by using Windows LAPS Group Policy.

So let’s see why the new Windows LAPS is a better option and a brief walk-through of the deployment.

Windows LAPS Review

As I’ve mentioned, Windows LAPS in more recent released of Windows Desktop and Server Operating Systems now include LAPS as a built in function, rather than the installed agent. This makes getting LAPS deployed, configured and under management much easier.

AD Scheme Extension

With both LAPS options, we needed to extend the AD schema to support the local password management. First off, make sure all the domain controllers (either Server 2019 or 2022+) are at or above the minimum version of April 2023 update to use Windows LAPS.

Our first step is to extend the AD schema to support this. To do so, run the powershell commands:

Import-Module LAPSUpdate-LapsAdSchema -Verbose

The first command will import the LAPS module, and the 2nd command will extend the AD schema to support the management of passwords.

In my case, I’ve already done this, but showing the results anyway.

Once this is complete, if you open a Computer object in Active Directory Users and Computers, you’ll now see the LAPS tab attached to the object. The password isn’t managed just yet, but we’re getting there.

Set AD Computer Object Permissions

Once we’ve extended the AD Schema, we need to enable the managed devices to update their passwords. This is done on an Organizational Unit (“OU”) basis, so we can target any OU (and Nested OU) that will contain Computer objects that we want to leverage with LAPS.

In my case, I only a single OU (Named Servers) that contains Servers that I want to have LAPS managing the passwords for. To enable this, staying in Powershell run the following command, with your OU or OU(s) that you will have enabled for LAPS:

Set-LapsADComputerSelfPermission -Identity "OU=Servers,OU=Lab,DC=etherbacon,DC=net"

If you need to add more, just rerun the Powershell command for each targeted OU.

LAPS Group Policy Object

The final step is to enable the GPO for LAPS. In my case, I have a GPO that’s applied to my Servers OU, which already has other settings in there, such as RDP, Restricted Groups, etc. With Windows LAPS, all of the policy settings are found under Computer Configuration > Policies > Administrative Templates > System > LAPS.

I won’t go through each Policy Settings, as your mileage and requirements will vary, but in my case I enabled the following:

  • Password Backup Directory = Active Directory
  • Password Encryption = Enabled
  • Password Settings = Default of Large letters + small letters + numbers + specials
    – Password Length = 14– Password Age = 30 (days)

In my case, I’m not targeting my Domain Controllers with this policy, so enabling the password backups for DSRM accounts won’t provide any value, as enabling this setting has no effect unless the managed device is a domain controller and password encryption is also enabled.

If you wanted to enable extra security on who has the ability to see the passwords on the Computer Object, you could also enable the option to Configure Authorized Password decryptor option, which enables the feature of “Configure this setting to control the specific user or group who is authorized to decrypt encrypted passwords.”. If you don’t configure or keep this disabled, the password is decryptable by the Domain Admins group.

Once you have your settings set, don’t forget to apply the GPO and update the policy on those machines!

Validating LAPS is working

With the AD Schema extended and the GPO applied, we can validate that LAPS is correctly managing the local administrator password from the ADUC Computer Object, specifically the LAPS tab.

Summary

Windows LAPS is the preferred choice for managing local administrator passwords on Windows machines due to its official support, security enhancements, integration with Microsoft tools, and automation capabilities. Legacy LAPS, while still an option, may not provide the same level of security and ease of management.

In conclusion, Windows LAPS is an indispensable component of a robust security posture for any organization that relies on Windows-based systems. By addressing common password-related vulnerabilities, mitigating threats, and simplifying compliance, Windows LAPS significantly enhances your organization’s overall security. Implementing this solution not only protects your systems and data but also reinforces your commitment to cybersecurity best practices in an ever-evolving threat landscape.

Categories: Uncategorized
Tags:

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

Zero Day Threat – Cisco Remote Access on ASA/FTD

Cisco recently patched two critical vulnerabilities in their firewall products, discovered after probable nation-state actors targeted them in a campaign dubbed “Arcane Door”. These zero-day vulnerabilities, found in devices running ASA and FTD software, were Read more…

Mastering Maintenance Mode Operations in Nutanix: A Guide for AHV and ESXi: Part 2

Welcome back to my series on maintenance operations with Nutanix! In Part 1, I reviewed some scenarios on using maintenance mode with Nutanix AHV, using both Maintenance Mode functions within Prism Element and the CLI. Read more…

Mastering Maintenance Mode Operations in Nutanix: A Guide for AHV and ESXi

As with years past, as we come to a close on year’s end, I take some time to clean up the As-Built documentation templates I maintain for deployments; as part of this activity, I always Read more…