One of the best ways to protect your network is to accept that you won’t actually be able to fully protect it and that at some point it will be breached by attackers: the “assume breach” approach forces you to protect the assets on your network, especially high-value targets such as domain servers.
In an ideal world, you would always use domain accounts to log into servers when you need to run administrative tasks that require elevated privileges, because then you can manage them with password rules. But this doesn’t work for troubleshooting machines that have lost their connection to the network or the domain, and in practice even domain-joined computers often have a local administrator account. To make life simple for busy IT teams, the password for those accounts is often the same on all of those machines, and it’s usually a weak password that’s easy to remember and never changes.
That’s because changing those passwords has to be done manually, machine by machine, and you then have to find a way to keep everyone updated on the latest strong, unique password for each server without storing those passwords somewhere an attacker can find them, such as a passwords.xls spreadsheet.
Local Administrator Password Solution (LAPS) is a tool Microsoft has offered since 2015 that addresses exactly that problem. It generates a unique, strong password for the local administrator account on every computer in your domain according to your password complexity policy, stores it in Active Directory, and automatically replaces it with a new password according to your password aging policy. The default is a 14-character password that changes every 30 days, but you can choose longer passwords with specific rules (numbers, uppercase letters and special characters), different change schedules, and forced changes for individual systems without requiring a logon.
As long as they are members of the correct security group in AD, IT staff can use PowerShell commands or the LAPS GUI tool to retrieve the password they need to run administrative tasks, but because the passwords are protected by per-attribute access control lists, ordinary users cannot see them. Even if an attacker manages to get into a server protected by LAPS, they cannot retrieve its administrator password from AD, even by running the LAPS tools or remote server administration tools, let alone read the passwords for other systems.
LAPS is now built in
As useful as LAPS is, it has always had to be installed on each computer, with the client-side extension for Group Policy and the PowerShell module, plus you need to add an ADMX template and extend your AD schema with new attributes that store the password and password expiration timestamp for each computer. This can leave inexperienced administrators thinking they have LAPS deployed on all machines when in truth they are only protecting the administrator account.
Now Microsoft is finally integrating LAPS into the next version of Windows 11 and Windows Server: the preview is part of Windows 11 Insider Preview Build 25145 and Windows Server Preview Build 25151.
You no longer see the LAPS app on managed PCs: you now work with it through PowerShell (and the Group Policy Editor). This is probably a good thing, as the font in the rather old app could make it hard to distinguish an uppercase I from a lowercase l, and many administrators routinely pasted passwords into Notepad to check them. If you are already used to managing LAPS with PowerShell, note that some of the commands have new names.
You still need to update your AD schema, but you now do so by running the Update-LapsADSchema cmdlet in the new LAPS PowerShell module (which replaces the legacy Update-AdmPwdADSchema cmdlet). You must also configure permissions on the new attributes: run the Set-LapsADComputerSelfPermission cmdlet against the OUs containing the computers you plan to manage so they can write their own passwords, give authorized users and groups access to view the stored passwords, and create a Group Policy with the settings you want for password management.
You’ll find all the settings in the Group Policy Editor under Computer Configuration > Administrative Templates > System > LAPS. Start by creating a new LAPS Group Policy object, configure the Password Backup Directory setting, and set the backup store to Active Directory.
If you don’t want to wait for the normal GPO refresh interval, you can run gpupdate /target:computer /force or use the Invoke-LapsPolicyProcessing PowerShell cmdlet to create and back up a new password, which you can then retrieve with the Get-LapsADPassword cmdlet.
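The rollout steps above, collected into one script as an added example (not code from the article or from Microsoft). It assumes a lab domain contoso.com, an OU OU=Workstations,DC=contoso,DC=com, a group CONTOSO\LAPS-Readers, a test computer LAB-PC01 and the LAPS policy registry key HKLM\Software\Microsoft\Policies\LAPS, all of which are constructed or assumed names.

```powershell
# Added example: scripted Windows LAPS rollout for a lab domain (not from the article).
# Constructed names: domain contoso.com, OU "Workstations", group CONTOSO\LAPS-Readers,
# test computer LAB-PC01. Run from an elevated session on a machine with the LAPS and
# GroupPolicy modules, as a user with Schema Admin and Domain Admin rights.

$ou      = "OU=Workstations,DC=contoso,DC=com"
$readers = "CONTOSO\LAPS-Readers"
$testPc  = "LAB-PC01"

# 1. Extend the AD schema (one-time, needs Schema Admin). Add -WhatIf to preview it.
Update-LapsADSchema -Verbose

# 2. Let computers in the OU write their own password and expiry attributes.
Set-LapsADComputerSelfPermission -Identity $ou

# 3. Grant read rights on the password attributes to the admin group only;
#    ordinary users get no access through the per-attribute ACL.
Set-LapsADReadPasswordPermission -Identity $ou -AllowedPrincipals $readers

# 4. Build the Group Policy. Assumed policy key: HKLM\Software\Microsoft\Policies\LAPS;
#    BackupDirectory 2 selects Active Directory as the backup store.
$gpo = New-GPO -Name "Windows LAPS - Workstations"
$key = "HKLM\Software\Microsoft\Policies\LAPS"
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName BackupDirectory -Type DWord -Value 2
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName PasswordLength  -Type DWord -Value 20
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName PasswordAgeDays -Type DWord -Value 30
New-GPLink -Name $gpo.DisplayName -Target $ou

# 5. Force policy processing on the test machine instead of waiting for the GPO refresh.
Invoke-Command -ComputerName $testPc -ScriptBlock { Invoke-LapsPolicyProcessing -Verbose }

# 6. Read the password back (only members of $readers can) and confirm the
#    expiry timestamp is in the future, i.e. a fresh password was backed up.
$entry = Get-LapsADPassword -Identity $testPc -AsPlainText
if ($entry.ExpirationTimestamp -gt (Get-Date)) {
    "LAPS backup OK for $testPc (expires $($entry.ExpirationTimestamp))"
} else {
    Write-Warning "No current LAPS password for $testPc; check policy processing and the OU link."
}
```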
You will see an entry in the event log when the password is stored. This new event logging is an improvement over the previous, rather noisy logging and auditing approach, which often required extra steps such as forwarding events to a separate store.
New LAPS functionality
LAPS has some useful new options, such as automatically resetting the administrator password, rebooting the computer or logging off the administrator account after an administrator has logged in and made changes, but not immediately. You don’t want to leave a computer running with elevated credentials in case it gets infected, so a post-authentication action policy automates the cleanup. You also don’t want the machine you’re working on to log you off or restart while you’re in the middle of troubleshooting, so you can set a grace period that delays the cleanup by a few hours.
Remote workers who regularly use the local administrator account don’t have to worry about losing access if they’re not connected when LAPS is due to cycle their password: the password only changes if the PC can reach a domain controller.
You can now also set the name of the local administrator account that you want LAPS to manage.
Originally, Microsoft decided not to encrypt the administrator passwords that LAPS stores in AD, because of the complexity for administrators of managing the encryption scheme and the perception that AD is generally well enough protected to safeguard the passwords. If you’re looking for defense in depth, you can now encrypt those passwords and choose which users and groups can decrypt them.
For this to work, your domain needs the Windows Server 2016 domain functional level to get the necessary privileged access management features (although the domain controllers themselves may be running a later version of Windows Server). If you enable the Password Encryption Group Policy setting against an older domain controller setup that cannot handle encryption, the passwords will not be saved.
With the added security of encryption, you can now use LAPS to handle other types of account passwords as well as local administrators, specifically the Directory Services Restore Mode (DSRM) administrator password that lets you boot a domain controller into a special mode where you can perform maintenance or restore Active Directory. You set a DSRM password when you first promote a server to a domain controller, and it’s both very powerful and rarely used, making it a credential you probably don’t think about unless you have an emergency.
Since Windows Server 2008, you’ve been able to synchronize the DSRM administrator password to a domain user account, but you have to do it manually with the NTDSUTIL command. LAPS can store the password and rotate it regularly when you enable the password backup for DSRM account Group Policy setting, but you need to enable encryption first.
Another useful new option that requires encryption lets you choose how many previous passwords are stored in AD for each computer. If you need to roll back a machine to a backup taken before LAPS rotated its password, you previously could not retrieve the old admin password from AD once it had been updated unless you also had an AD backup from the same period; in that case you needed a tool like the Microsoft Diagnostics and Recovery Toolset to recover the computer. Now you can set the encrypted password history size to match the number of old passwords covered by your backup retention policy: if you keep six months or a year of backups for computers, you can make sure you keep that many passwords as well.
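The encryption-dependent settings from the preceding paragraphs (encrypted storage, password history and DSRM backup), applied to a domain controller GPO and then audited, as an added example that is not code from the article or from Microsoft. It assumes a GPO named "Windows LAPS - Domain Controllers", the OU OU=Domain Controllers,DC=contoso,DC=com, a group CONTOSO\LAPS-Decryptors, a DC named LAB-DC01 and the LAPS policy registry key HKLM\Software\Microsoft\Policies\LAPS, all constructed or assumed names.

```powershell
# Added example (not from the article): enable encrypted LAPS storage, password
# history and DSRM backup on a DC-scoped GPO, then audit who can read the results.
# Constructed names: GPO "Windows LAPS - Domain Controllers", OU "Domain Controllers",
# group CONTOSO\LAPS-Decryptors, domain controller LAB-DC01.
# Assumed policy key: HKLM\Software\Microsoft\Policies\LAPS.

$gpoName = "Windows LAPS - Domain Controllers"
$ou      = "OU=Domain Controllers,DC=contoso,DC=com"
$key     = "HKLM\Software\Microsoft\Policies\LAPS"
$decrypt = "CONTOSO\LAPS-Decryptors"

# Encryption is the prerequisite for history and DSRM backup. It needs the Windows
# Server 2016 domain functional level; on an older domain the password is not backed up.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName ADPasswordEncryptionEnabled   -Type DWord  -Value 1
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName ADPasswordEncryptionPrincipal -Type String -Value $decrypt

# Keep as many old passwords as your backup retention covers (here: 12 monthly backups).
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName ADEncryptedPasswordHistorySize -Type DWord -Value 12

# On domain controllers, manage the DSRM account instead of a local administrator.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName ADBackupDSRMPassword -Type DWord -Value 1

# Audit: which principals hold extended rights (can read the password attributes) on the OU?
Find-LapsADExtendedRights -Identity $ou | Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# Pull the current password plus history for one DC. A DecryptionStatus other than
# Success means the caller is not a member of the configured decryptor group.
$entries = Get-LapsADPassword -Identity "LAB-DC01" -AsPlainText -IncludeHistory
$entries | Select-Object Account, PasswordUpdateTime, ExpirationTimestamp, DecryptionStatus, Source |
    Format-Table -AutoSize
if ($entries | Where-Object { $_.DecryptionStatus -ne 'Success' }) {
    Write-Warning "Some history entries could not be decrypted; check membership of $decrypt."
}
```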
But the biggest change in LAPS is that you are no longer restricted to using on-premises AD to store passwords. If you’re using Azure AD, you’ll be able to set it up as the backup store for passwords, although this is currently available only to a small number of organizations in the Windows Insider Program.