So local password management, thats a bit of a pain isn’t it…………., in a domain environment as we all know domain admin accounts can be easily managed via AD, but what about your local server admin accounts, these can become a major weak point within your network, if a hacker was to get local admin rights to your box they can cause all sorts of issues and headaches without your knowledge, you can also lose control of your server should they remove it from the domain all together. The main issue with local admin accounts is how do you manage them, do you just set a super complex password and disable them and hope for the best? These and many more are the questions i have been asking myself for a while following a recent penetration test, luckily the very cleaver gentleman who penetrated my network was a good guy and provided me with an insight into Microsoft LAPS.
Microsoft LAPS (Local Administrator Password Solutions) allows you to manage local account passwords of domain joined computers, when you have LAPS implemented passwords are stored in Active Directory and protected by ACL (Access Control Lists), so only eligible users can read or request them. This is Microsoft’s offical wording regarding LAPS
“For environments in which users are required to log on to computers without domain credentials, password management can become a complex issue. The Local Administrator Password Solution (LAPS) provides a solution to this issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as help desk administrators, are authorized to read passwords.
So LAPS basically changes the local admin password and stores it into AD for certain people to view, if you dont have permissions you basically cant view the details, so now we have covered the details of what it actually does, lets get installing and looking at the setup of this. You can download LAPS from the Microsoft direct from this link making sure you get the correct 32 or 64 bit version, once you have download the correct version its a very simple install on the machine, just follow the prompts which are pretty much next next finish. Should you require you can also install via a script with a silent install using the following “msiexec /i <file location>LAPS.x64.msi /quiet or msiexec /i <file location> LAPS.x86.msi /quiet” just making sure you have the correct file location path, the software can also be deployed via group policy using the software installation option to push out the package.
So now we have the software installed on the servers we require, lets move on to configuring Active Directory for LAPS, first thing we need to do is to extend the AD Schema, make sure that the user account that you use for this is a member of Schema Admins Active Directory group. The Active Directory Schema is extended by two new attributes that store the password of the managed local Administrator account for each computer and the timestamp of password expiration. Both attributes are added to the maycontain attribute set of the computer class.
ms-Mcs-AdmPwd – Stores the password in clear text
ms-Mcs-AdmPwdExpirationTime – Stores the time to reset the password
To update the Schema you first need to import the PowerShell module. Open up an Administrative PowerShell window and use the below command:
Update-AdmPwdADSchema (This command updates the schema)
Once you run the above commands, you will find the status of operation as Success.
In the next step we will grant computers the ability to update their password attribute using the Set-AdmPwdComputerSelfPermission command. In this example I have got the client computers in “Comps OU”. The Write permission on the ms-McsAdmPwdExpirationTime and ms-Mcs-AdmPwd attributes of all computer accounts has to be added to the SELF built-in account. This is required so the machine can update the password and expiration timestamp of its own managed local Administrator password. This is done using PowerShell. You may need to run Import-module AdmPwd.PS if this is a new window. Set-AdmPwdComputerSelfPermission -OrgUnit Repeat this procedure for any additional OUs that contain computer accounts.
Removing the extended rights – To restrict the ability to view the password to specific users
and groups you need to remove “All extended rights” from users and groups that are not
allowed to read the value of attribute ms-Mcs-AdmPwd. This is required because the All Extended rights/permissions permission also gives permission to read confidential attributes. If you want to do this for all computers you will need to repeat the next steps on each OU that contains those computers. You do not need to do this on subcontainers of already processed OUs unless you have disabled permission inheritance.
1. Open ADSIEdit
2. Right Click on the OU that contains the computer accounts that you are installing this
solution on and select Properties.
3. Click the Security tab.
4. Click Advanced.
5. Select the Group(s) or User(s) that you don’t want to be able to read the password and then
6. Uncheck All extended rights.
To quickly find which security principals have extended rights to the OU you can use
PowerShell cmdlet. You may need to run Import-module AdmPwd.PS if this is a new
Find-AdmPwdExtendedrights -identity “OU NAME”
In the next step we will grant rights to users to allow them to retrieve a computer’s password. We will use Set-AdmPwdReadPasswordPermission command to do this. Set-AdmPwdReadPasswordPermission -OrgUnit -AllowedPrincipals
Now onto the configuration of group policy, Launch the Group Policy Management console. I prefer to create a new policy to apply the password settings. Right click on the OU where your domain computers are present and click on Create a GPO in this domain and link it here. Specify a name to this GPO and click OK. Next, edit the GPO.
The settings are located under Computer Configuration > Administrative Templates > LAPS. You can see that there are 4 settings present. We will configure the ones that are required. Right click on the policy setting Enable local admin password management and click properties. As we want to manage the local administrator password, we will enable the policy setting. Click OK.
The second policy setting that we will be enabling will be password settings. By default this solution uses a password with maximum password complexity, 14 characters and changes the password every 30 days. You can change the values to suit your needs by editing a Group Policy. You can change the individual password settings to fit your needs. Click OK.
Administrator account name – If you have decided to manage custom local Administrator account, you must specify its name in Group Policy. I have not configured this policy setting. Protection against too long planned time for password reset – If you do not want to allow setting planning password expiration of admin account for longer time than maximum password age, you can do it in GPO.
If you want to view the password settings of a computer using the powershell, GetAdmPwdPassword
will help you.
Get-AdmPwdPassword -Computername “name of computer“
What happens if a user who hasn’t been granted rights to see the local Administrators
password tries to access it? If they were to gain access to the GUI interface the password
won’t be displayed.