Security Thoughts: Microsoft Local Administrator Password Solution (LAPS, KB3062591)

As you might recall, Microsoft offered a solution to systems administrators to set the local administrator password on domain-joined devices using Group Policy Preferences, but ended the solution, almost a year ago, when the encoding mechanism was decoded and an attack was created towards this vulnerability (CVE-2014-1812).

 

Introducing LAPS

Yesterday, Microsoft introduced version 6 of their solution to set passwords for local administrators: Local Administrator Password Solution (LAPS).

Note:
Previously, this solution was only available to Microsoft Services customers and known as AdmPwd. This abbreviation is found throughout the solution, still.

LAPS provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, randomly generated password for the common local administrator account on every device joined to the Active Directory domain. Domain administrators who use this solution can determine which users, such as helpdesk administrators, are authorized to read passwords.

The local passwords can be configured with a maximum age, complexity and length. They can be server-based reset on a per-machine basis, if need be.

 

Implementing LAPS

To implement Microsofts Local Administrator Password Solution, you must first download it. It can be found in the Microsoft Download Center here.

Install the LAPS.msi corresponding with the architecture of the Operating System you’re using to extend the schema and manage the solution (either LAPS.x64.msi or LAPS.x86.msi). These packages include:

  • The Local Administrator Password Solution Group Policy Client Side Extensions
  • The Local Administrator Password Solution Management Tools
    • Fat Client User Interface (UI)
    • PowerShell Module
    • Group Policy Editor templates

Default Installation Options for the Local Administrator Password Solution (click for original screenshot)

Meeting the Requirements

Your Active Directory Domain Controllers need to run at least Windows Server 2003 with Service Pack 1.

Devices managed with the Local Administrator Password Solution (LAPS) need to run at least Windows Vista with Service Pack 2 (on client devices) or at least Windows Server 2003 with Service Pack 2 (on server devices). Both x64 and x86 versions of the above Operating Systems are supported, but Itanium-based devices are not supported.

To manage the Local Administrator Password Solution (LAPS), you will need to run .NET Framework 4.0 (or up) and PowerShell 2.0 (or up).

1. Extending the Active Directory schema

Because the Local Administrator Password Solution (LAPS) stores the local administrator password values in Active Directory, the schema needs to be extended by two new attributes:

  1. The first atrtibute is used to store the password of the built-in Administrator account for each device (ms-Mcs-AdmPwd)
  2. The second attribute is used to store the timestamp of password expiration (ms-Mcs-AdmPwdExpirationTime).

Both attributes are added to the may-contain attribute set of the computer class.

Extending the schema is done using a device that is equipped with the Local Administrator Password Solution (LAPS) Management PowerShell module. On this system use the following two PowerShell commands:

Import-Module AdmPwd.PS

Update-AdmPwdADSchema

In environments with Read-only Domain Controllers where you need to replicate the value of the ms-MCS-AdmPwd attribute, you will, additionally, need to change the 10th bit of the searchFlags attribute value for ms-Mcs-AdmPwd schema object to 0 (substract 512 from the current value of the searchFlags attribute) to add it to the Filtered Attribute Set.

2. Allowing devices to write passwords

The Write permission on the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes of all computer accounts has to be added to the SELF built-in account. This is also done using PowerShell, per Organizational Unit (OU):

Set-AdmPwdComputerSelfPermission -OrgUnit OU ShortName

Update-AdmPwdADSchema en Set-AdmPwdComputerSelfPermission in PowerShell (click for original screenshot)

You do not have to run this command for Organizational Units (OUs) that are subcontainers of configured Organizational Units (OUs).

3. Installing the Client Side Extensions (CSE) on devices

Since the Local Administrator Password Solution already comes as an *.msi file, it’s easy to distribute it using Active Directory Software Installation. The *.msi package contains a lot more tools that you don’t need or want on all devices, but its default installation procedure is to install the AdmPwd Client Side Extensions only.

Tip!
When you deploy the Local Administrator Password Solution (LAPS) through MSI, you can modify the installation on management workstations afterwards, using the Programs and Features Control Panel applet (appwiz.cpl). LAPS will be listed as Local Administrator Password Solution from Microsoft Corporation.

To create a Group Policy object (GPO) to assign the Local Administrator Password Solution (LAPS) to domain-joined devices from a shared folder, perform these steps:

  • Log on with an account with sufficient privileges to create and/or modify group policy to a Domain Controller or a management workstation equipped with the Group Policy Management Console (GPMC).
  • In the Start Menu of Start Screen, search for Group Policy and then select the Group Policy Management Console from the search results. Alternatively run or search for gpmc.msc.
  • In the left pane, navigate to Group Policy objects. Right-click the container and select New from the context menu. Give the new object a meaningful name. Alternatively, edit an existing Group Policy object (GPO) that contains other software you assign.
  • Now, expand the Group Policy Objects node and select your newly created Group Policy Object. Right-click it and select Edit from the context menu.
  • In the left pane of the Group Policy Management Editor window, navigate to Computer Configuration \ Policies \ Software Settings \ Software Installation.
  • Right-click Software Installation and select New from the context menu and then click on Package… in the second context menu.
  • In the Open dialog window, type the full UNC path of the shared LAPS package you want to assign.
  • Click on the Open button.

Assign a software package for Active Directory Software Installation (click for original screenshot)

  • Click on Assigned and then click OK.
  • Close the Group Policy Editor to save your changes.

Now in the Group Policy Management Console, right-click every Organizational Unit (OU) containing computer objects, where you want to assign the Local Administrator Password Solution (LAPS) to, and Link an Existing GPO… to link the newly created Group Policy object (GPO).

Afterwards, close the Group Policy Management Console (gpmc.msc).

4. Delegating access

After we enable the Local Administrator Password Solution (LAPS), the passwords for the local administrator accounts on domain-joined devices will be stored in Active Directory. Every admin will have access to read this information. This might not be something you or your organization wants.

By default, members of the Enterprise Admins and Domain Admins groups have access to the attributes. Fortunately, you can granularly delegate access to the password values. You can even remove the Enterprise Admins and Domain Admins groups, although Microsoft didn’t test this scenario.

Again, you can use PowerShell to delegate read access to the password information:

Set-AdmPwdReadPasswordPermission -OrgUnit "OU ShortName" -AllowedPrincipals "users or groups shortname"

Tip!
You can specify multiple groups and users in this PowerShell oneliner by separating them with commas.

To get information on the groups and users able to read password information for a specific Organizational Unit (OU), use the following PowerShell oneliner:

Find-AdmPwdExtendedRights -identity:"OU Shortname" | Format-Table

Set-AdmReadPasswordPermission and Find-AdmPwdExtendedRights in PowerShell (click for original screenshot)

Managing LAPS

With all the components in place, managing local passwords set by the Local Administrator Password Solution (LAPS) is pretty straight-forward.

Managing password settings

To manage the password settings for the Local Administrator Password Solution (LAPS), edit the settings in an appropriate Group Policy object (GPO). To manage these settings, LAPS need to be installed with the LAPS Group Policy Editor templates, or the LAPS Group Policy Editor templates need to be copied to a Central Policy Store.

GPMCLAPSSettings

There are four Group Policy settings located in Computer Configuration, Policies, Administrative Templates and then LAPS:

  • Password Settings
  • Name of the administrator account to manage
  • Do not allow password expiration time longer than required by policy
  • Enable local admin password management

To manage password settings, first, enable the Enable local admin password management Group Policy setting. Its default setting is Not Configured.

Then, open the Password Settings Group Policy setting and select appropriate settings for the local administrator passwords. Options include password complexity, password length and password age (in days).

The Do not allow password expiration time longer than required by policy Group Policy setting, when enabled, will make the Local Administrator Password Solution (LAPS) change passwords before they expire (as configured in the previous Password Settings Group Policy setting).

The Name of the administrator account to manage Group Policy setting allows you to manage custom local administrator accounts. You do not need to use this setting when you have renamed the local administrator account (LAPS detects the local administrator account using its RID). Instead, you can use this setting for any of your own local administrator account when you’ve opted for one and kept the local administrator accounts on devices disabled.

Reading passwords

Once everything is configured, and Group Policy has refreshed on targeted devices, (delegated) admins can look at the properties of computer objects and see the new settings.

The password is stored in plain text. The Expiration date is stored as the number of 100-nanosecond intervals that have elapsed since the 0 hour on January 1, 1601 untill the date/time that is being stored. The time is always stored in Greenwich Mean Time (GMT) in the Active Directory

Now, of course, using the Attribute Editor in Active Directory USers and Computers (dsa.msc) or Active Directory Administrative Center (dsac.exe) is not the most useful way to read the passwords.

On management workstations equipped with the LAPS Fat Client User Interface (UI), a program is available labeled LAPS UI. Through this Graphical User Interface, a domain-joined device can be searched, after which its password information is presented in human-readable formatting:

The LAPS User Interface displaying the password information for PC1 (click for original screenshot)

Alternatively, you can use the Get-AdmPwdPassword PowerShell Cmdlet.

Resetting passwords

To manually reset the password click the Set button in the LAPS UI or use the Reset-AdmPwdPassword PowerShell Cmdlet.

Auditing read permission usage

The Local Administrator Password Solution (LAPS) also has granular accounting as a feature. Using PowerShell, you can enable auditing on principals when reading password information. Use the following PowerShell oneliner to this purpose:

Set-AdmPwdAuditing -OrgUnit "OU ShortName" -AuditedPrincipals "users or groups shortname"

When a password is successfully read, an event with Event-ID 4662 and source Microsoft Windows security is logged in the Security log of the Domain Controller.

 

Concluding

With Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) attacks being used to breach even the most secure networking environments, preventing lateral movement between domain-joined devices is welcome. Microsofts Local Administrator Password Solution (LAPS) presents a solution. It’s not perfect, but it’s something.

Further reading

Download Local Administrator Password Solution (LAPS)
Local Administrator Password Solution (LAPS) Now Available
Solution for management of built-in Administrator account's password via GPO
Local Administrator Password Solution (LAPS) from Microsoft
Microsoft makes Local Administrator Password Solution official
Microsoft Local Administrator Password Solution

29 Responses to Security Thoughts: Microsoft Local Administrator Password Solution (LAPS, KB3062591)

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.