{"id":994,"date":"2017-03-15T13:40:25","date_gmt":"2017-03-15T18:40:25","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=994"},"modified":"2017-03-15T16:42:43","modified_gmt":"2017-03-15T21:42:43","slug":"laps-for-local-computer-administrator-passwords","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=994","title":{"rendered":"LAPS For Local Computer Administrator Passwords"},"content":{"rendered":"

Overview<\/strong><\/p>\n

LAPS <\/a>is Microsoft’s solution to a long-existing problem within a corporation using Windows computers: when you image computers, all of the local administrator passwords are the same. Now some organizations implemented a process to routinely change that password, but someone who is able to compromise the local administrator password on one box basically owns all of the other imaged workstations until the next password change.<\/p>\n

Because\u00a0your<\/em> computer’s local administrator password is the same as everyone else’s, IT support cannot just give you a local password to access your box when it is malfunctioning. This\u00a0means remote employees with incorrect system settings end up driving into an office just to allow an IT person to log into the box.<\/p>\n

With LAPS, there is no longer one ring to rule them all \u2013 LAPS allows us to maintain unique local administrator passwords on domain member computers. A user can be provided their local administrator password without allowing access to all of the other domain-member PCs (or a compromised password one one box lets the attacker own only that box). A compromised box\u00a0is still a problem, but access to other boxes within the domain would only be possible by\u00a0retrieving other credentials stored on the device.<\/p>\n

Considerations<\/strong><\/p>\n

Security: The end user is prevented from accessing the password or interacting with the process. The computer account manages the password, not the user (per section 4 LAPS_TechnicalSpecification.docx from https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=46899<\/a>).<\/p>\n

Within the directory, read access is insufficient (per https:\/\/blogs.msdn.microsoft.com\/laps\/2015\/06\/01\/laps-and-password-storage-in-clear-text-in-ad\/<\/a>) to view the attribute values. In my proposed deployment, users (even those who will be retrieving the password legitimately) will use a web interface, so a single service acct will have read access\u00a0to the confidential ms-Mcs-AdmPwd attribute and write access to ms-Mcs-AdminPwdExpirationTime. There are already powershell scripts published to search an improperly secured directory and dump a list of computer names & local administrator passwords. You should run\u00a0Find-AdmPwdExtendedrights -identity :<OU FQDN><\/strong>\u00a0to determine who has the ability to read the password values to avoid this\u00a0really<\/em> embarrassing oversight.<\/p>\n

Should anyone have access to read the ms-Mcs-AdmPwd value beyond the service account? If the web interface goes down for some reason, is obtaining the local administrator password sufficiently important that, for example, help desk management should be able to see the password through the MS provided client? Depends on the use cases, but I’m guessing yes (if for no other reason than the top level AD admins\u00a0will<\/em> have access and will probably get rung up to find the password if the site goes down).<\/p>\n

In the AD permissions, watch who has write permission to ms-Mcs-AdminPwdExpirationTime as write access allows\u00a0someone to bump out the expiry date for the local admin password. Are we paranoid enough to run a filter for expiry > GPO interval? Or does setting “not not allow password expiration time longer than required by policy” to Enabled sufficently mitigate the issue? To me, it does … but the answer really depends on how confidential the data on these computers happens to be.<\/p>\n

With read access to ms-Mcs-AdmPwdExpirationTime, you can ascertain which computers are using LAPS to manage the local administrator password (a future value is set in the attribute) and which are not (a null or past value). Is that a significant enough security risk to worry about mitigating? An attacker may\u00a0try to limit their attacks to computers that do not use LAPS to manage the local admin password. They can also ascertain how\u00a0long the current password will be valid.<\/p>\n

How do you gain access to the box if the local admin password stored in AD does not work (for whatever reason)? I don\u2019t think you\u2019re worse off than you would be today \u2013 someone might give you the local desktop password, someone might make you drive into the office \u2026 but bears considering if we\u2019ve created a scenario where someone might have a bigger problem than under the current setup.<\/p>\n

Does this interact at all with workplace join computers? My guess is no, but haven\u2019t found anything specific about how workplace joined computers interact with corporate GPOs.<\/p>\n

Server Side<\/strong><\/p>\n

Potential AD load \u2013 depends on expiry interval. Not huge, but non-zero.<\/p>\n

Schema extension needs to be loaded. Remove extended rights from attribute for everyone who has it. Add computer self rights. Add control access for web service acct \u2013 some individuals too as backup in case web server is down??<\/p>\n

Does a report on almost expired passwords and notify someone have value?<\/p>\n

Client Side<\/strong><\/p>\n

Someone else figures this out, not my deal-e-o. Set GPO for test machines, make sure value populates, test logon to machine with password from AD. Provide mechanism to force update of local admin password on specific machine (i.e. if I ring in and get the local admin password today, it should get changed to a new password in some short delta time).<\/p>\n

Admin Interface<\/strong><\/p>\n

Web interface, provide computer name & get password. Log who made request & what computer name. If more than X requests made per user in a (delta time), send e-mail alert to admin user just in case it is suspicious activity. If more than Y requests made per user in a (longer delta time), send e-mail alert to admin user manager.<\/p>\n

Additionally we need a function to clear the password expiry (force the machine to set a new password) to be used after local password is given to an end user.<\/p>\n

User Interface<\/strong><\/p>\n

Can we map user to computer name and give the user a process to recover password without calling HD? Or have the manager log in & be able to pull local administrator for their directs? Or some other way to go about actually reducing call volume.<\/p>\n

Future Considerations<\/strong><\/p>\n

Excluding ms-Mcs-AdmPwd\u00a0 from repl to RODC \u2013 really no point to it being there.<\/p>\n

Do we get this hooked up for acquired company domains too, or do they wait until they get in the WIN domain?<\/p>\n

Does this facilitate new machine deployment to remote users? If you get a newly imaged machine & know its name, get the local admin password, log in, VPN in \u2026 can you do a run-as to get your<\/em> creds cached? Or do a change user and still have the VPN session running so you can change to a domain user account?<\/p>\n

LAPS For Servers<\/strong>: Should this be done on servers too? Web site could restrict who could view desktops v\/s who could view servers \u2026 but it would save time\/effort when someone leaves the group\/company there too. Could even have non-TSG folks who would be able to get access to specific boxes \u2013 no idea if that\u2019s something Michael would want, but same idea as the desktop side where now<\/em> I wouldn\u2019t give someone the password \u2018cause it\u2019s the password for thousands of other computers \u2026 may be people they wouldn\u2019t want having local admin on any<\/em> WIN box they maintain \u2026 but having local admin on the four boxes that run their app \u2026 maybe that\u2019s a bonus. If it is deployed to servers, make sure they don’t put it on DCs (unless you want to use LAPS to manage the domain administrator password … which is an interesting consideration but has so many potential problems I don’t want to think about it right now especially since you\u2019d have to find which<\/em> DC updated the password most recently).<\/p>\n

LAPS For VDI:<\/strong> Should this be done on VDI workstations? Even though it’s a easier to set the password on VDI the base VDI images than each individual workstation, it’s still manual effort & provides an attack vector for all of the *other* VDI sessions. Persistent sessions are OK without any thought because functionally no different than workstations. Non-persistent with new name each time are OK too – although I suspect you end up with a BUNCH of machine objects in AD that need to be cleaned up as new machine names come online. Maybe VDI sorts this … but the LAPS ‘stuff’ is functionally no different than bringing a whole bunch of new workstations online all the time.<\/p>\n

Non-persistent sessions with same computer name … since the password update interval probably won’t have elapsed, the in-image password will be used. Can implement an on-boot script that clears AdmPwdExpirationTime to force change. Or a script to clear value on system shutdown (but that would need to handle non-clean shutdowns). That would require some testing.<\/p>\n

 <\/p>\n

Testing Process<\/strong><\/p>\n

We can<\/em> have a full proof of concept type test by loading schema into test active directory (verify no adverse impact is seen) and having a workstation joined to the test domain. We could<\/em> provide a quick web site where you input a computer name & get back a password (basically lacking the security-related controls where # of requests generate some action). This would allow testing of the password on the local machine. Would also allow testing of force-updating the local admin password.<\/p>\n

Once we determine that this is worth the effort, web site would need to be flushed out (DB created for audit tracking). Schema and rights would need to be set up in AD. Then it\u2019s pretty much on the desktop \/ GPO side. I\u2019d recommend setting the GPO for a small number of test workstations first \u2026 but that\u2019s what they do for pretty much any GPO change so not exactly ground breaking.<\/p>\n","protected":false},"excerpt":{"rendered":"

Overview LAPS is Microsoft’s solution to a long-existing problem within a corporation using Windows computers: when you image computers, all of the local administrator passwords are the same. Now some organizations implemented a process to routinely change that password, but someone who is able to compromise the local administrator password on one box basically owns …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[68,135,136],"class_list":["post-994","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-active-directory","tag-laps","tag-windows"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/994","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=994"}],"version-history":[{"count":5,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/994\/revisions"}],"predecessor-version":[{"id":1001,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/994\/revisions\/1001"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=994"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=994"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}