With the revelation in May 2014 that the CPasswords used in Group Policy Preferences were easily decrypted, organizations have been without a way to manage the local Administrator passwords on client systems. The release of Microsoft’s Local Administrator Password Solution, or LAPS for short, now gives organizations a way to securely manage those local Administrator passwords. In this article, I’ll cover the CPassword vulnerability and give an overview of LAPS.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

Local Administrator accounts on workstations and servers are still a necessity in most enterprise environments today. These accounts are often needed for management purposes as an IT backdoor should the computer have network difficulties or issues contacting Active Directory. The problem with these accounts is that, most times, the passwords are set once at OS deployment time and they never change again. Even worse, the same password gets used over and over across hundreds or even thousands of computers. This opens up corporate networks to massive risk should an attacker get access to the local password database on one of these systems.

Managing administrator passwords with Group Policy Preferences

In the past, it was possible to use Group Policy Preferences to update local Administrator passwords for domain-joined computers. In the Group Policy Management Console (GPMC), right-click a Group Policy Object (GPO) and go to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups. Right-click in the open area on the right and choose New > Local User.

On the New Local User Properties window, you can change the User Name field to Administrator (built-in), but you’ll quickly notice that the Password and Confirm Password fields are grayed out and can’t be used on any management station that is fully patched.

Password field grayed out in New Local User Properties

In May 2014, Microsoft released a security advisory, MS14-025, for passwords stored in Group Policy Preferences. Passwords stored in the CPassword attribute are protected with easily reversible encryption. This means that any user with access to the Sysvol folder (which is everyone in AD) can pull any GPOs that contain CPasswords, reverse the encryption, and learn the passwords of local accounts (including Administrator accounts) that are modified using Group Policy Preferences. In addition, because the password change is pushed out to whole Organizational Units (OUs) of systems, the attacker instantly knows the password for every system receiving the setting from that GPO.

The MS14-025 security advisory includes an update that disables the ability to use Group Policy Preferences for updating local user account passwords as well as other uses of CPassword such as mapping drives, services, scheduled tasks, and ODBC data sources. In other words, don’t use Group Policy Preferences for managing passwords to local Administrator accounts.
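As an added example (my own code, not from the article and not Microsoft's), the PowerShell below scans a SYSVOL-style folder tree for Group Policy Preference XML files that still carry a cpassword attribute. The MS14-025 update only blocks creating new CPassword entries; entries that were already in SYSVOL stay there until an administrator removes them, so this is the check to run after applying the update. It reports only where the attribute sits and never decrypts the value. The function name, the demo folder and the sample Groups.xml are constructed for the example; point `-Path` at `\\<domain>\SYSVOL\<domain>\Policies` to scan a real domain.

```powershell
# Added example, not from the article: find GPP XML files that still contain a cpassword
# attribute. It reports locations only and never decrypts the value.
function Find-GppCPassword {
    param(
        # Folder to scan. For a real domain use \\<domain>\SYSVOL\<domain>\Policies
        [Parameter(Mandatory = $true)]
        [string] $Path
    )

    Get-ChildItem -Path $Path -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            $doc = New-Object System.Xml.XmlDocument
            try { $doc.Load($file.FullName) } catch { return }   # skip files that are not well-formed XML

            # Every preference type (Groups, Drives, Services, ScheduledTasks, DataSources)
            # puts cpassword on a <Properties> element, so match on the attribute, not the file name.
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                # The attribute that names the account differs per preference type.
                $account = $null
                foreach ($attr in 'userName', 'accountName', 'runAs', 'username') {
                    if ($node.HasAttribute($attr)) { $account = $node.GetAttribute($attr); break }
                }
                [pscustomobject]@{
                    File    = $file.FullName
                    Setting = $node.ParentNode.LocalName            # User, Drive, NTService, Task, ...
                    Account = $account
                    Changed = $node.ParentNode.GetAttribute('changed')
                }
            }
        }
}

# Constructed sample for an offline run: a Groups.xml shaped like the one GPP writes when a
# local user password is set. The cpassword value is a placeholder, not a real encrypted blob.
$root      = Join-Path ([System.IO.Path]::GetTempPath()) 'gpp-cpassword-demo'
$groupsDir = Join-Path $root 'Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $groupsDir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2014-01-15 10:22:31">
    <Properties action="U" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" userName="Administrator (built-in)" subAuthority="RID_ADMIN" />
  </User>
</Groups>
'@ | Set-Content -Path (Join-Path $groupsDir 'Groups.xml') -Encoding UTF8

Find-GppCPassword -Path $root | Format-Table -AutoSize
```

Each row names the GPO file, the preference item type, the account it sets, and the item's last-changed stamp, which is enough to find the GPO in GPMC and delete or re-create the setting without the password. Matching on the attribute rather than on file names catches the drive-map, service, scheduled-task and ODBC uses the advisory also covers.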

Introducing LAPS

The solution to this problem is the Microsoft Local Administrator Password Solution (LAPS for short) that was released on May 1, 2015. LAPS allows you to manage the local Administrator password (which is randomized, unique, and changed regularly) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorized users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.

The LAPS UI app

LAPS requirements

LAPS requires the .NET Framework 4.0 and PowerShell 2.0 or higher. On server systems where LAPS will manage the local Administrator password, you must be running Windows Server 2003 SP1 or higher; on desktop systems, you must be running Windows Vista SP2 or higher. (Sorry, but there’s no support for Windows XP.) For all the desktop and server client systems, an MSI file that includes a Group Policy client side extension (CSE) must be installed for the local Administrator password to be managed.

Your Active Directory environment will need to be running at least Windows Server 2003 SP1 and will require a schema update to support LAPS to add the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes. These attributes are used for storing the local Administrator password and the password’s expiration time.
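As an added example (my own code, not from the article or from the LAPS toolkit), the PowerShell below reads the ms-Mcs-AdmPwdExpirationTime attribute and reports which computers' stored passwords are current, freshly expired, or long overdue. The attribute is a 64-bit FILETIME value (100-nanosecond ticks since 1601-01-01 UTC), which `[DateTime]::FromFileTimeUtc` converts to a date. A computer whose expiration time is far in the past has not had its password rotated by the CSE, which usually means the machine is offline, the CSE is not installed, or the computer account cannot write the attribute. The sample computer objects, the fixed clock and the function names are constructed for the demo; with the Active Directory module loaded, `Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwdExpirationTime` supplies real input.

```powershell
# Added example, not from the article: classify LAPS-managed computers by the
# ms-Mcs-AdmPwdExpirationTime attribute (a FILETIME: 100-ns ticks since 1601-01-01 UTC).
function Get-LapsExpiryReport {
    param(
        # Objects with a Name property and an 'ms-Mcs-AdmPwdExpirationTime' property,
        # e.g. from Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwdExpirationTime
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Computer,

        # Reference time (UTC); overridable so the report is reproducible
        [datetime] $Now = (Get-Date).ToUniversalTime(),

        # Days past expiration before an entry counts as overdue rather than merely expired
        [int] $OverdueDays = 7
    )
    process {
        $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        if ($null -eq $raw -or $raw -eq 0) {
            # Never populated: the CSE has not run on this machine or is not installed
            $expires = $null
            $state   = 'NotManaged'
        }
        else {
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
            if ($expires -gt $Now)                            { $state = 'Current' }
            elseif ($expires -gt $Now.AddDays(-$OverdueDays)) { $state = 'Expired' }   # rotation due at next GP refresh
            else                                              { $state = 'Overdue' }   # CSE has not rotated; investigate
        }
        [pscustomobject]@{ Name = $Computer.Name; ExpiresUtc = $expires; State = $state }
    }
}

# Constructed sample so the report runs offline; the values are not from any real domain.
function ConvertTo-FileTimeUtc([string] $Date) {
    [DateTime]::SpecifyKind([datetime]$Date, [DateTimeKind]::Utc).ToFileTimeUtc()
}
$clock  = [DateTime]::SpecifyKind([datetime]'2017-06-01', [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'WS01';  'ms-Mcs-AdmPwdExpirationTime' = ConvertTo-FileTimeUtc '2017-06-20' }  # Current
    [pscustomobject]@{ Name = 'WS02';  'ms-Mcs-AdmPwdExpirationTime' = ConvertTo-FileTimeUtc '2017-05-29' }  # Expired
    [pscustomobject]@{ Name = 'WS03';  'ms-Mcs-AdmPwdExpirationTime' = ConvertTo-FileTimeUtc '2017-01-10' }  # Overdue
    [pscustomobject]@{ Name = 'SRV01'; 'ms-Mcs-AdmPwdExpirationTime' = $null }                               # NotManaged
)
$sample | Get-LapsExpiryReport -Now $clock | Format-Table -AutoSize
```

An Expired entry is normal between the expiration time and the next Group Policy refresh; an Overdue or NotManaged entry is the one to chase, because the password in AD may no longer match what is set on the machine.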

LAPS limitations

The biggest limitation of LAPS is the need to update the Active Directory schema. For some organizations, this isn’t an issue. But for other organizations, getting a schema change tested and approved through a change control process can be difficult.

LAPS can only manage the built-in local Administrator account on domain-joined machines, or a single custom local Administrator account that you create yourself. (Note: it can still manage the built-in Administrator account if you've chosen to rename it.) If the machine isn't domain-joined, you won't be able to use LAPS. LAPS also can't manage other local service accounts, such as those used for SQL or scheduled tasks.

If you’re just looking for a way to rotate passwords on the local Administrator accounts for your workstations and servers, the Microsoft Local Administrator Password Solution is a free, easy-to-use option for your organization. In the next part of this series, I’ll cover setting up your Active Directory environment for LAPS.

15 Comments
  1. SyP 2 years ago

    The dependence on .NET and Powershell is only for the "Fat" client UI, meant for admins. On most clients the solution only requires that you register its DLL. While XP is not supported in the latest version, an older and functional version with XP support can be downloaded from Microsoft.

    0

    • Author
      Kyle Beckman 2 years ago

      Yes, you're correct, but I wouldn't recommend registering the DLL file over running the installer. Using the installer makes checking compliance much easier and will make upgrading the client piece much easier in the future when updates are released.

      0

  2. Prince 2 years ago

    Nice read. Thanks for sharing! There's nothing like keeping up to date with security especially in today's easily hackable enterprise.

    I just hope Microsoft will take note and eliminate the drawbacks of LAPS. I mean, it is so important that all Windows professional machines should come with LAPS built-in. The fact that you would have to install an agent to get this working just spells ridiculous to me--except of course the agent can be distributed domain-wide with exceptional removal protection.

    Regards,
    Prince

    1+

    • Author
      Kyle Beckman 2 years ago

      I agree completely. In a perfect world, Microsoft would put the new Group Policy client side extensions in Windows 10 and the schema additions in the Server 2016 AD schema similar to how they handled BitLocker recovery key escrow. The biggest upside to having the client updating the password is that you don't have to worry about firewalls. Clients in AD always have to be able to talk to Domain Controllers. By making this a Group Policy client side extension, the client can update the password as part of a normal Group Policy refresh. With many of the 3rd party products, the server running the password vault has to have access to the client over the network and Administrator rights (usually via a service account) over the PC. The LAPS solution doesn't have that additional infrastructure overhead.

      0

  3. Mike 2 years ago

    Requiring an agent to be installed is a deal-breaker for us. Already too many agents! Any other solutions out there that can help?

    0

  4. Anthony 2 years ago

    I don't mean to be nit picky, but you did state:

    "For all the desktop and server client systems, a small agent must be installed for the local Administrator password to be managed."

    And now you say it isn't an agent?

    Regardless, thanks for the write up. I am appreciating it greatly, even if it is a bit confusing.

    0

    • Author
      Kyle Beckman 2 years ago

      Sorry about the confusion! You're correct... I updated the wording of the article to more accurately describe what has to be installed on LAPS-managed machines. The MSI installer does not include an agent; it has a Group Policy client side extension. Typically, an agent is a service that runs at startup as a service on a computer. The LAPS Group Policy CSE is only in use when a Group Policy refresh runs.

      1+

  5. Ken Duncan 2 years ago

    Question: the comment "If the machine isn’t domain-joined, you won’t be able to use LAPS."
    Does that mean you would not be able to use it on a machine that was on the domain but lost its trust? Basically, I'm wanting to use it to log in locally in order to re-join it back to the domain.

    0

    • Author
      Kyle Beckman 2 years ago

      You'll have to try the password that is stored in Active Directory and see if that's the current password on the system. If a machine has lost its connection to AD, it wouldn't be able to talk to a DC to update the stored password.

      0

  6. ken duncan 2 years ago

    Clarification question:

    If the password has been passed from AD to the computer at the last policy update and the computer then falls off the domain, which of these scenarios applies:

    1. After 30 days (or the setting period whatever it is) the password changes in AD. Resulting in a difference between what is cached on the computer and AD. End result NO ACCESS!

    2. If AD cannot talk to the computer (because it fell off the domain) the last cached password on the pc should still be in AD.

    0

    • Author
      Kyle Beckman 2 years ago

      Thanks for the question, Ken! I've been getting a lot of questions and I'm currently working on a follow-up article with the most common questions I've received and scenario questions like this. I'll replicate this scenario in my lab environment and include it in the next article.

      0

  7. Vyacheslav Semin 1 year ago

    Alternative for LAPS from TrustedSec, and it seems it works with XP

    https://www.trustedsec.com/ships/

    0

  8. Corné Beerse 4 months ago

    With the use of this tool to handle local administrator passwords, I have the next questions to make you think:

    When do you really need the local administrator password?

    As far as I know, only if the system has somehow lost connection with the AD. Typically after a restore from backup and/or revert to a snapshot.

    What was the local administrator password at the time of backup (and/or snapshot)?

    or has the password been changed since the backup/snapshot?

    In the end... the major advantage is the setting of a reasonable random password...

    To gain access to the restored/reverted system, use your local admin password reset tools....


    1+


© 4sysops 2006 - 2017