What is Microsoft Local Administrator Password Solution (LAPS)?

Share on facebook
Share on twitter
Share on linkedin
Share on email
microsoft laps

Over time, we have seen passwords being leaked regularly. The majority of these passwords are common words or words with a simple combination of numbers and special characters, which makes the hashes of such passwords easier to crack.

Cybersecurity firm SplashData comes up with the top 25 most commonly used passwords each year. That list comprises passwords made using simple and common words and numbers, like ‘qwerty123’, ‘iloveyou’, ‘password123’, and so on.

top 25 most commonly used passwords by splashdata

Hash/password cracking is a reasonably straightforward process; it requires a good, lengthy and relevant wordlist. The more complex and long your password is, the more time it takes to crack the hash and get the plaintext password.

But then, remembering passwords is also an issue, and if people keep long and complex passwords, they will start forgetting passwords more frequently. Hence, here the role of Password Managers comes into play.

Password managers are solutions that generate a long and random password for your online/offline accounts and store them within themselves. Hence, people neither have to worry about creating long and complex passwords nor do they have to worry about forgetting passwords.

What is Microsoft’s local administrator password solution?

Microsoft Local Administration Password Solutions is a password manager that manages and rotates passwords for Windows local administrators across each Windows end-points in an AD environment.

LAPS Microsoft ensures that the passwords of your local administrators across each of your Windows end-points are randomised, which in turn prevents password brute-forcing (and hash cracking) and lateral movement in the domain-joined environment.

Features of Microsoft LAPS

Security features

Random passwords:

Randomly generate unique and complex passwords automatically updated on machines managed by a local administrator password solution.

Protection against lateral movement:

Protects Pass the Hash and other lateral movement attacks that require local admin credentials.

Traffic encryption:

Encrypts password 

Uses ACLs:

Uses ACLs to protect passwords in AD.

Manageability features

Set password parameters:

Set password length, complexity and age.

Enforce password reset:

Has the ability to force a password reset.

Integration with AD security model:

It uses a security model that is integrated with the AD.

Account deletion protection:

Protects against computer account deletion.

How does Microsoft LAPS work?

LAPS solutions perform the following tasks and then take the following actions as a GPO update:

  1. Check whether the local admin password has expired or not by looking at the ms-Mcs-AdmPwdExpirationTime AD attribute.
  2. Generates a new password if the password has expired or is required to be changed before the expiry date and time.
  3. Validates the newly generated randomised password against the AD password policy.
  4. Reports the new password to AD and makes changes in the ms-Mcs-AdmPwd attribute.
  5. Reports the new expiration date and time to AD and updates it in the ms-Mcs-AdmPwdExpirationTime attribute.
  6. Finally, it changes the password of the local admin account.

Setting up Microsoft LAPS

Setting up LAPS in your environment requires a few steps, and the entire process is well-documented in the guide that comes when you download LAPS M Microsoft. However, in this article, we’ll explain the necessary steps to configure and set up Microsoft LAPS for a domain-joined environment.

LAPS requirements

Before we dive into setting up and configuring LAPS, first, we need to know its prerequisites:

AD domain: An Active Directory domain-joined environment.

Windows remote server administration tools: A computer running Windows 10 or Windows Server 2012 (or upwards) with the Remote Server Administrative Tools (RSAT) installed.

Membership of Domain Admins and Schema Admins groups: An account in the domain is a member of both Domain Admins and Schema Admins groups.

Locked-down AD attributes: LAPS stores passwords for each local administrator in the domain environment in the AD attribute called the ms-Mcs-AdmPwd. LAPS also needs to know when the passwords expire, so it stores the password expiry time in another AD attribute, called the ms-Mcs-AdmPwdExpirationTime.’

GPO settings: LAPS Microsoft also requires some GPO settings so that it may successfully change the password of a computer in the domain. If the GPO setting is linked to more than one computer, then LAPS settings also get distributed to each of the computers.

How do you use Microsoft LAPS?

Once LAPS has been installed and configured in an AD environment, there are several ways an authorised user can use LAPS and view local administrator passwords:

Powershell: Powershell AD Module enables users to access LAPS and view local admin passwords using the following command:

Get-AdmPwdPassword -ComputerName 

Active Directory users and computers: User and computer accounts who are authorised to access LAPS in the domain network can view the passwords by considering the value of the ms-Mcs-AdmPwd computer attribute.

LAPS Client: LAPS fat client offers a GUI interface to access LAPS and view the local admin passwords.

Pros and cons of using Microsoft LAPS

Using Microsoft LAPS has its perks and limitations, with some of the critical ones discussed below:

LAPS advantages

Installation & configuration

Installation and configuration do not take a lot of time.

Increased security

Increased device and network security.

Unique passwords

Unique and randomised local admin passwords on each computer.

No additional servers

Does not need any other servers.

Encrypted traffic

Password update traffic is encrypted and uses Kerberos version 5 protocol.

Automated and scheduled

Fully automated and password update change happens on a schedule.

Easily manageable

Managed easily via GPO.

Restricted to self-account

Through access control, computer accounts can only read/write/update their local admin password (ms-Mcs-AdmPwd).

LAPS limitations or disadvantages

Cleartext passwords

Passwords are stored in cleartext and may be exposed if the permissions are improperly configured.

The current password is present.

Only the current password is stored and available for retrieval.

LAPS security depends on DC security

If the domain controller is compromised, then all the local admin passwords in the domain will be compromised.

Accessed any time

Passwords can be accessed and viewed at any time by those who have the correct permissions to view them.

Insecure extended rights

Extended rights may configure LAPS in the domain, which could allow unauthorised users to access and view the passwords in LAPS.

No support for non-Windows OS

It can only be used on Windows operating systems.

LAPS security

Since LAPS is used for password management and stores passwords in cleartext, it becomes a crucial target for attackers.

LAPS offers protection against password brute-force and dictionary attacks and also prevents lateral movement attacks to some extent; however, there are some security concerns when using Microsoft LAPS. 

This section will discuss some of the security issues concerning a Microsoft LAPS deployment in an Active Directory environment and see how much data about the entire domain itself can an attacker gather from a LAPS installation.

Password storage and transmission

Passwords of the local administrators in the AD are stored in cleartext in LAPS. The ms-Mcs-AdmPwd attribute of the Computer Object stores these passwords. By default, this attribute is only accessible and viewable by some authorised users and groups. However, these rights can be delegated to other users if the group policies are misconfigured.

However, a particular security concern here is that the user who joins a Windows system to the domain is added, by default, as the owner in the Computer object and has full permissions on the same, and can read the cleartext passwords stored in the ms-Mcs-AdmPwd attribute.

Client-Server communication

If LDAP Signing is not enabled, then there is a possibility of a Man-In-The-Middle (MITM) Attack, where the attacker can set up a rogue server and redirect LDAP traffic to their rogue server. This attack is called LDAP-Relaying Attack.

rogue ldap server

Client components

If the AdmPwd.dll is not installed by MSI but is installed manually, it should be placed in a directory where users do not have to write permissions. Otherwise, this DLL can be overwritten by a malic ous DLL. An attacker, who has managed to gain administrative access in the domain, can use this technique to make his session persistent. The malicious DLL may be used to intercept cleartext passwords.

Attacker drops malicious AdmPwd.dll on the server

LAPS configuration recon

LAPS configuration recon

When the schema extension is performed, and LAPS is deployed, two new attributes are created for the computer objects in the Active Directory environment:

  • ms-mcs-AdmPwd: A confidential attribute that stores cleartext credentials for local administrators in the domain. Only the domain admins are allowed to view the attribute.
  • ms-mcs-AdmPwdExpirationTime: This stores the expiration date/time of the local admin password. This attribute is left blank until a password is changed.

Identifying if LAPS is installed on a computer

When Microsoft LAPS is installed on a computer, the Group Policy Client Side Extension (CSE) is configured on the system, which basically is a DLL file (AdmPwd.dll) located in the following directory:

C:\Program Files\LAPS\CSE

And configured as the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions

Discovering LAPS in an active directory domain

When LAPS is installed in an AD environment, it requires the ‘ms-mcs-admpwd’ computer object to be present in the domain.

The PowerShell command for this is:

PS> Get-ADObject ‘CN=ms-mcs-admpwd,CN=schema,CN=Configuration,DC=,DC=,DC=’

Discovering LAPS in an active directory domain

Identifying LAPS password view access

AD objects and their attributes are usually accessible and viewable by Authenticated Users, including ACLs (Access Control Lists). Therefore, an attacker can enumerate permissions and delegated rights (if any) to view the passwords stored in Microsoft LAPS.

This can be done using PowerView by the following command:

PS> Get-NetOU -FullData | Get-ObjectACL -ResolveGUIDs | WhereObject {($_.ObjectType -Like ‘ms-Mcs-AdmPwd’) -And ($_.ActiveDirectoryRights -Match ‘ReadProperty’)} | ForEach-Object { $_ | Add-Member NoteProperty ‘IdentitySID’ $(Convert-NameToSid $_.IdentityReference).SID; $_ }

Identifying LAPS password view access

This gives us the name of the groups that have read access to the ‘ms-mcs-admpwd’ attribute in the AD and can view the cleartext local admin passwords stored in LAPS.

We can, then, get the list of user accounts from these groups that have permission to view the passwords in LAPS.

Discuss your concerns today

Permissions to view LAPS password data

Suppose a group in the AD is delegated ‘All Extended Rights’ to an Organisational Unite (OU) on a computer managed by LAPS. In that case, that group can view the confidential AD attributes, including the ‘ms-mcs-admpwd’ attribute, which contains cleartext local admin passwords.

This can be enumerated using the LAPS Powershell Module, using the following command:

PS> Import-Module admpwd.PS
PS> Get-AdmPwdExtendedRights -Identity Workstations

Permissions to view LAPS password data

Discovering LAPS password data

If we have the required rights, we can pull the cleartext passwords from LAPS with the following command:

PS> Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like ‘*’} -properties ‘ms-mcs-admpwd’,’ms-mcs-admpwdexpirationtime’

Discovering LAPS password data

Identifying LAPS computer management

When LAPS is installed in the domain, it creates two new computer object attributes, i.e. the ‘ms-mcs-admpwd’ and ‘ms-mcs-admpwdexpirationtime’, which can be used to enumerate systems managed by Microsoft LAPS and those which are not.

The PowerShell command for enumerating the above is:

PS> Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like ‘*’} -properties 'ms-mcs-admpwdexpirationtime'

Identifying LAPS computer management

FAQs – Microsoft LAPS

Does the Microsoft Local Administrator Password Solution (LAPS) require n agent? I don’t want to install yet another agent on my computers.

Microsoft LAPS doesn’t require n agent, and it only requires a Group Policy Client Side Extension (CSE), which is not n agent. It runs at Group Policy refresh cycles.

What is Group Policy Client Side Extension (CSE) if it’s not an agent?

An agent is a service or application that runs on system startup and continues to run in the background, and is installed as a separate entity or as an extension to the service to send and receive data. The CSE is not an agent; it is a CSE that only runs when the Group Policy refreshes or is updated.

Can I use LAPS without installing the Active Directory schema changes?

No, one cannot use LAPS without installing AD schema changes. Upon installation and configuration, LAPS creates two new computer object attributes, i.e. Ms-Mcs-AdmPwd and Ms-Mcs-AdmPwdExprirationTime.

Does LAPS require additional infrastructure such as other application servers or SQL?

No, LAPS only requires an update in the AD schema, where it adds two new computer object attributes and a Group Policy Client Side Extension to be installed.

Is storing the Administrator password in AD in plain text secure?

The Ms-Mcs-AdmPwd attribute is a confidential attribute protected by ACLs. Users and groups with unique permissions and privileges only can access this attribute and view the passwords held by it.

If the passwords are stored in AD, can’t anyone with AD access view them?

No, only users and groups with unique permissions and privileges can view the p passwords. The ‘Find-AdmPwdExtendedRights’ cmdlet can view groups and users with reading permissions on the Ms-Mcs-AdmPwd a tribute. The ‘Set-AdmPwdReadPasswordPermission’ can be used to grant permissions to specific user objects.

Can I require two-factor authentication (2FA) to view the passwords LAPS has stored in AD? 

Access to LAPS passwords requires the AD user’s credentials; if 2FA is implemented on the AD logon, then 2FA will be required to access LAPS; however, implementing 2FA just for LAPS is not possible.

What happens if an admin’s account is compromised? Wouldn’t the compromised account have access to the stored passwords? 

If an admin account is compromised, then all the passwords in LAPS might be compromised. However, an attacker in the domain with administrative privileges might already have the required privileges to access the user’s passwords and change them. A benefit of having a LAPS installation is that you can force reset a compromised admin’s password and track if they have changed it.

Can LAPS manage the password of the local Administrator account and a custom local administrator account with a different name simultaneously? 

No, only a single admin account can be managed with LAPS.

What happens if the computer loses its connection/trust with Active D rectory? Will LAPS change the local Administrator password on the computer but fail to update t in AD? If this happens, I won’t know the local Administrator’s password.

It would help if you connected the computer back to the AD domain for the password change update to work because the Group Policy CSE runs in sync with the AD.

Can LAPS manage the local Administrator passwords on non–domain-joined machines?

No, only domain-joined computers can be managed by Microsoft LAPS.

Can LAPS change the stored password for a service if it is using the local Administrator account?

No, LAPS can only update the local admin account passwords.

Aren’t there elaborate solutions that can do more than randomising the local Administrator password? What if I need to rotate passwords for service accounts or do something more advanced? 

Microsoft LAPS enables you to randomise local or custom admin passwords without implementing any additional infrastructure and cost. But, if the requirement is not met by what LAPS already offers, then there are paid solutions that can be implemented at the additional cost of implementing the necessary infrastructure.

Is there a log on the client I can use to audit password changes or troubleshoot LAPS?

By default, LAPS only log errors. You can enable additional logging by making the following change in the registry:

1. Create a new REG_DWORD value named ExtensionDebugLevel in:

HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}\ .

2.Set it to 0 (default value), 1 (to log errors) and 2 (for verbose logging).

Is there a log in Active Directory for LAPS?

By default, there are no logs for LAPS in Active Directory, but you can enable logging for changes made to the LAPS attributes if you enable logging in AD. Event ID 4662 can be used to track these changes, but it is extremely noisy.

Can I audit who accesses the passwords in AD?

Yes, you can enable auditing to assess who accesses the passwords in AD. The following PowerShell command can be used to do so:

PS> Import-Module AdmPwd.PS
PS> Set-AdmPwdAuditing -OrgUnit $OU-of-Computers-to-Audit -AuditedPrincipals:$Group-to-Audit

I’m currently using Group Policy Preferences (insecure CPasswords) to change the passwords, and I need to migrate to LAPS. What do I need to do to stop the Group Policy Preference from overwriting the password that LAPS now manages? 

You need to remove the Group Policy Preferences for modifying the local admin account before you can transition to Microsoft LAPS.

How quickly after a password expires does the client change the local Administrator password? 

As soon as the group policy refresh is run, the password will be updated.

Can I specify the password that LAPS uses on the client?

No, LAPS randomises all passwords and forcing a particular password may void one or more reasons to use LAPS. Password randomisation protects against dictionary attacks and Pass-the-Hash attacks.

Does LAPS detect if someone changes the local Administrator password?

No, the Group Policy CSE only checks for the password expiration time and updates the password accordingly. It doesn’t check if the password stored in the AD is actually the same as the local admin password.

Can LAPS re-apply the password that is stored in active directory AD if a user with local Admin rights changes it? 

No, the Group Policy CSE only checks the password expiration date and updates the local admin password accordingly. It doesn’t check if the password has changed from what was stored in the AD.

How do I manage the local Administrator password with LAPS if a user with local Admin rights can change it? 

LAPS doesn’t provide the solution to this problem. However, you can create a secondary admin user that LAPS manages. If the primary admin user changes the password, you still have access to the system via the secondary user.

Discuss your concerns today

My Security/Information Security/CyberSecurity Department is concerned that, if our AD schema database (NTDS.dit) gets stolen, the attacker will have access to all of the local Administrator passwords on our network stored in pl in text. With that information, an attacker could easily take control of computers on our network. How do I address that concern?

The NTDS.dit file is a gold mine of the entire Active Directory environment; if an attacker gets hold of that file, they can do whatever they want in the domain. Having a LAPS installation or not cannot prevent anything if an attacker gets hold of the NTDS.dit file.

We believe that the local Administrator password on several machines has been com romised. How do we force all of these systems to update the local Admin password? 

The Reset-AdmPwdPassword cmdlet can be used to force a password change of local administrators in the AD domain. The PowerShell command is:

Get-ADComputer -Filter * -SearchBase “OU=Computers_OU,DC=corp,DC=yourdomain,DC=ext” | Reset-AdmPwdPassword -ComputerName {$_.Name}

The password for the local Administrator account has been changed, and/or the password stored in Active Directory s wrong. How do I access the admin local account on the computer? 

If you’re connected to the domain, you can do a forced password reset of all the local admin accounts and then force a group policy refresh to update the passwords.

How can I dump the passwords for several computers at once?

The Get-AdmPwdPassword cmdlet can be used to view all the passwords stored in LAPS. The PowerShell command for this is:

Get-ADComputer -Filter * -SearchBase “OU=Computers_OU,DC=corp,DC=yourdomain,DC=ext” | Get-AdmPwdPassword -ComputerName {$_.Name}

I have a management requirement that the local Administrator passwords cannot be too complex. How do I implement LAPS?

You can set a relaxed password policy for LAPS.

BOOK A CALL