- What’s your ENow AppGov Score? Free Microsoft Entra ID app security assessment - Thu, Nov 30 2023
- Docker logs tail: Troubleshoot Docker containers with real-time logging - Wed, Sep 13 2023
- dsregcmd: Troubleshoot and manage Azure Active Directory (Microsoft Entra ID) joined devices - Thu, Aug 31 2023
Why LAPS is important
Admins commonly use the same local administrator password across Windows machines, which makes these accounts easy targets for an attacker. Microsoft LAPS automates configuring and rotating local administrator passwords, helping strengthen password security.
Built-in LAPS UI requires an admin workstation
The Microsoft LAPS solution has a built-in UI for retrieving local administrator accounts managed with LAPS. However, it is an installed application that requires an admin workstation. When you launch the LAPS installer, it allows you to install the management tools, including the fat client UI.
Once the LAPS UI is installed, you can query a specific workstation to view the current LAPS-controlled password.
LAPS WebUI
LAPS WebUI is an open source project that enables viewing LAPS passwords from a web interface. It can easily be provisioned using a Docker container.
Prerequisites
There are a few prerequisites for LAPS WebUI, including the following:
- Active Directory with Microsoft LAPS installed
- An operating system supporting .NET Core 6.0 (Ubuntu/Debian/CentOS/Alpine Linux/Windows/macOS) or a Docker host
Installing LAPS WebUI using Docker
The Docker host installation method is the easiest way to install LAPS WebUI quickly. You can configure and run the LAPS UI with a simple Docker run command. You will need to have the address of an Active Directory domain controller and use either LDAP port 389 for non-secure or 636 for SSL. If using the secure port 636, you will set UseSSL=true.
If you need to adjust the external port (on the left) if this conflicts with another container, you can configure any free port you want to use. Make sure you leave the internal port 8080 (on the right side).
docker run -d \ --name=lapswebui \ -e LDAP__Server=dctest1.neptune.local \ -e LDAP__Port=389 \ -e LDAP__UseSSL=false \ -e LDAP__SearchBase=DC=neptune,DC=local \ -p 8080:8080 \ --restart unless-stopped \ ghcr.io/seji64/laps-webui:1.4.1
After pulling the container, you can verify that it is running correctly using the docker ps command.
If you don't want to use a Docker container, you can perform a bare-metal setup on Linux, Windows, or macOS. Download the latest installation here.
LAPS WebUI interface
After you have installed LAPS WebUI, browse to the web URL of your Docker container or bare-metal installation. You will need to log in with an Active Directory user with permissions to view the extended properties for the OU object in which LAPS-controlled workstations are located.
To easily find these permissions, run these PowerShell cmdlets:
Import-Module AdminPwd.PS Find-AdmPwdExtendedRights -Identity "<your OU>" | ft
In this example, the Domain Admins group has permissions to view LAPS passwords for the OU.
Log in with a user with permissions to view the LAPS passwords. As a security note, the Docker implementation of LAPS WebUI does not configure the connection for HTTPS in the web browser. Therefore, you will want to place a reverse proxy like Traefik in front of the solution to ensure your browser traffic is encrypted, or your password will be sent in clear text.
For a classic installation, you can, of course, configure the web server to serve the app over HTTPS.
After logging in, you can search for the LAPS-controlled workstation and view the password.
Wrapping up
LAPS is a recommended tool for securing local passwords in a Windows environment. The LAPS WebUI project provides an easy way to access LAPS passwords using a web browser. Otherwise, they are accessible only using the legacy application packaged with LAPS.
Subscribe to 4sysops newsletter!
The free and open-source project LAPS WebUI allows quick installation of a web interface using either Docker or a bare-metal installation. As mentioned, admins must ensure that the browser connection is secured to the LAPS WebUI interface to avoid sending credentials in clear text.
Read the latest IT news and community updates!
Join our IT community and read articles without ads!
Do you want to write for 4sysops? We are looking for new authors.
Not super stoked that you chose to demonstrate the solution without using LDAP over TLS.
I know it’s not super simple, but you really should show how to add the AD PKI Certificate Authority certificates and connect to the DC in a more secure manner. You are accessing passwords after all…
Isn’t Windows LAPS replacing Microsoft LAPS? So won’t this be deprecated soon? Even Microsoft is recommending you migrate to Windows LAPS