Microsoft Local Administrator Password Solution (LAPS) is just one part of a larger credential theft mitigation and monitoring strategy, but it is an important pillar of that strategy. LAPS provides centralized storage of local admin account passwords in Active Directory without any additional servers. This post covers LAPS for Windows 10 devices.
Need for LAPS in Windows 10 Management?
Microsoft LAPS is a stepping stone towards securing Windows 10 devices, and it should be part of a Privileged Access Management architecture. The LAPS tool gives you the opportunity to automate local admin password management for all Windows 10 devices.
Is there a solution similar to LAPS for Azure AD joined Windows 10 devices? Continue reading; I discuss this in a bit more detail in the section below on LAPS for Windows 10 AAD joined devices.
The purpose of LAPS is to secure the environment by ensuring that all domain-joined Windows 10 devices have different local administrator passwords that comply with the enterprise password policy. Domain administrators determine which users, such as help-desk administrators, are authorized to read the passwords.
Microsoft LAPS Use-Case?
The diagram below illustrates an attack use-case in an environment with a standardized (shared) local admin password; a LAPS implementation can prevent this kind of attack. LAPS for Windows 10 devices will help you here, and there are other mitigation options as well, such as Defender ATP.
- Local user account profile is infected with malware
- End user approaches the help-desk for remote assistance
- Help-desk agent logs in using the local administrator account
- Malware obtains the credentials of the local administrator
- Malware starts spreading to other devices using the same local account details
- Further malware distribution occurs with varying elevated accounts
How LAPS Helps to Rectify Windows 10 Security Challenges
In today’s IT security landscape, credential theft is a major problem. A compromised local admin password in an environment is often the trigger for attackers to target it. Re-use of valid credentials is one of the most common vulnerabilities in today’s networks, and attacker campaigns show Pass-the-Hash as an integral part.
Once a password is key logged or password hash is harvested, there is very little to stop an attack spreading across your entire network unabated in a scenario where passwords are common across the environment. With ransomware and malware threats, this offers the potential for a huge exposure.
LAPS (LAPS for Windows 10) takes a different approach: it does not eradicate the ability to Pass-the-Hash, rather it reduces the impact of Pass-the-Hash by making each local administrator password unique. This effectively limits the attack after a single machine is compromised. Once the attacker gains access to a client workstation, they can no longer access every other workstation in the environment through the shared local admin account.
LAPS is designed to run in a least privilege model. There is no need to put a service account into Domain Admins to manage the passwords; the password resets are done in the security context of the computer itself. No additional server is required to install, and the passwords are stored in Active Directory.
LAPS, like many other security controls, should be part of an overall solution. Just taking care of local administrator passwords is a great step to control and reduce the overall attack surface.
Architecture – LAPS for Windows 10 Devices
The following diagram is a simplified view of the Microsoft LAPS architecture. Your IT admins can centrally manage the local admin passwords of all your Windows 10 devices. This implementation takes care of most of the challenges explained in the section above, and LAPS for Windows 10 devices will give you a more secure environment. Active Directory stores the admin password and the password expiration time.
LAPS architecture mainly includes two core design elements:
- LAPS Components
- AD Infra Considerations
The following list specifies all components of the solution and their responsibilities:
- LAPS Client (Client Side Extension, CSE) is installed on all domain-joined computers. The CSE is responsible for the following tasks:
  - Management of the Administrator password
  - Logging activity to the Application event log
- IT Staff tools: the solution contains the following UI tools for IT staff to retrieve passwords:
  - Simple fat client UI
  - PowerShell module
Both types of UI offer the following functionality:
- Allow the user to enter a computer name
- Contact the AD infrastructure in the security context of the user who runs the tool
- Show the computer name and password to the user
- Provide the user with a UI to force expiration of the password for the computer (immediately or planned for a certain time)
AD Infra considerations
- Active Directory infrastructure is responsible for the following tasks:
  - Used as the password repository
  - Enforces the security and auditing model upon passwords
- GPO policy is responsible for the following tasks:
  - Triggering the execution of the CSE on the managed computer. The CSE is triggered every time a GPO refresh event occurs on the computer
  - LAPS ADMX templates (AdmPwd.admx and en-US\AdmPwd.adml) are used to define the configuration options
  - ADMX templates are copied to the AD centralized GPO store
- AD Schema Extension: the AD schema must be extended to store the password of the managed local Administrator account for each workstation and the timestamp of the password expiration. The schema extension is performed with the following PowerShell commands provided by the LAPS solution (run as a member of Schema Admins):
  - Import-Module AdmPwd.PS
  - Update-AdmPwdADSchema
- AD Attributes: the following two attributes are added to the computer class as part of the AD schema extension:
  - ms-Mcs-AdmPwd (stores the local administrator password)
  - ms-Mcs-AdmPwdExpirationTime (stores the password expiration timestamp)
- AD Delegation and Permission: permissions must be delegated to the Desktop admins to read and reset the computer password. Desktop admins here refers to the members of a security group that holds the extended rights permission at the level of the OU where the computers reside.
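As an added example (not part of the original post), the following PowerShell delegates the LAPS permissions described above with the AdmPwd.PS cmdlets and then audits which principals hold "All extended rights" on the OU tree; the OU path and group name are assumed placeholders.

```powershell
# Added example (not from the original post): delegate LAPS permissions on a computer OU
# with the AdmPwd.PS cmdlets, then audit who holds "All extended rights" and can therefore
# read the clear-text ms-Mcs-AdmPwd attribute. OU path and group name are assumed placeholders.
Import-Module AdmPwd.PS

$computerOU  = 'OU=Workstations,DC=corp,DC=example'   # assumed: OU holding the Windows 10 devices
$desktopAdms = 'CORP\LAPS-Desktop-Admins'             # assumed: group allowed to read/reset passwords

# 1. Allow each computer object to write its own password and expiration time (SELF permission).
Set-AdmPwdComputerSelfPermission -OrgUnit $computerOU

# 2. Grant the desktop admin group the right to read the password ...
Set-AdmPwdReadPasswordPermission -OrgUnit $computerOU -AllowedPrincipals $desktopAdms

# 3. ... and to force an expiration so the CSE rotates the password on the next GPO refresh.
Set-AdmPwdResetPasswordPermission -OrgUnit $computerOU -AllowedPrincipals $desktopAdms

# 4. Audit: list every principal with "All extended rights" on objects under the OU.
#    Anything not on the approved list can read the password attribute and should have
#    that right removed (see the Information Security section of this post).
$approved = @($desktopAdms)   # extend with any other groups you deliberately allow
Find-AdmPwdExtendedRights -Identity $computerOU |
    ForEach-Object {
        $unexpected = $_.ExtendedRightHolders | Where-Object { $approved -notcontains $_ }
        if ($unexpected) {
            [pscustomobject]@{
                ObjectDN          = $_.ObjectDN
                UnexpectedHolders = ($unexpected -join '; ')
            }
        }
    } | Format-Table -AutoSize
```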
LAPS Information Security
LAPS requires the AD attributes (mentioned above in the Architecture section) for the managed custom local Administrator account in Active Directory.
- By default, Domain Administrators have full control on computer objects in AD and can read and write the local admin password. To prevent domain administrators from reading the LAPS password, the “All extended rights” permission must be removed.
- Computers are joined to the domain using a service account configured in the SCCM task sequence, hence standard users will not have the ‘All Extended Rights’ permission
- When transferred over the network, both password and timestamp are encrypted by Kerberos encryption
- When stored in AD, both password and timestamp are stored in clear text.
LAPS Process Flow
- The Windows 10 machine with the LAPS client queries Group Policy and receives the LAPS policy settings defined
- The machine queries “AdmPwdExpirationTime”. If it is not set or has expired, it generates a new password and securely writes this value to the “AdmPwd” attribute in Active Directory
- The password is now stored in Active Directory and is ready for use
- The LAPS CSE queries this password expiration time value on each Group Policy update. When AdmPwdExpirationTime is met, or the attribute is not set, it re-generates a new password
- If the machine cannot contact Active Directory, no changes are made
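As an added example (not from the original post), this PowerShell audits the rotation state implied by the process flow above, flagging computers whose expiration attribute is missing or overdue, and shows the help-desk read and force-expire path with the AdmPwd.PS cmdlets. The OU path and computer name are assumed placeholders; the ActiveDirectory and AdmPwd.PS modules are assumed to be installed.

```powershell
# Added example (not from the original post): audit LAPS rotation state for the computers
# in an OU, then read and force-expire the password of one device. OU path and computer
# name are assumed placeholders; requires the ActiveDirectory and AdmPwd.PS modules.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

function Get-LapsRotationState {
    param([Parameter(Mandatory)][string]$SearchBase)

    # ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100 ns ticks since 1601, UTC).
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime', LastLogonDate |
        ForEach-Object {
            $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
            $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }

            $state = 'OK'
            if (-not $raw) {
                $state = 'NotManaged'   # CSE has never written the attribute: policy not applied?
            }
            elseif ($expires -lt [DateTime]::UtcNow) {
                $state = 'Overdue'      # expired but not rotated yet, e.g. device cannot reach AD
            }

            [pscustomobject]@{
                Name       = $_.Name
                ExpiresUtc = $expires
                State      = $state
                LastLogon  = $_.LastLogonDate
            }
        }
}

# Report machines that are not rotating; these are the ones worth investigating.
Get-LapsRotationState -SearchBase 'OU=Workstations,DC=corp,DC=example' |
    Where-Object State -ne 'OK' | Sort-Object State, Name | Format-Table -AutoSize

# Help-desk path: read the current entry for one device (runs in the caller's security
# context, so only principals delegated the read permission succeed), then force expiry so
# the CSE generates a new password on the next Group Policy refresh. The Password property
# is deliberately not displayed here.
$pc = 'WS-0001'   # assumed placeholder
Get-AdmPwdPassword -ComputerName $pc | Select-Object ComputerName, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName $pc -WhenEffective (Get-Date)
```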
Azure AD Joined Windows 10 LAPS?
There is no solution from Microsoft for privileged access management of Azure AD joined Windows 10 devices. I don’t know whether Azure AD will have some LAPS components in future or not.
There are some scripted solutions available for Windows 10 LAPS on Azure AD devices. More details are in the following discussion.