7MS #523: Local Administrator Password Solution - RELOADED!
SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!
Well friends, it has been a while since we talked about Microsoft's awesome Local Administrator Password Solution - specifically, the last time was way back in 2017!
Lately I've been training some companies on how to install it by giving them a live walkthrough in our Light Pentest LITE lab, so I thought it would be a good time to write up a refreshed, down and dirty install guide. Here we go!
- Download LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899
- On a management workstation, log in as a Domain Admin, then run LAPS.x64.msi or LAPS.x32.msi as appropriate. When prompted, choose to install all elements to the local hard drive under AdmPwd GPO Extension and Management Tools.
- From an elevated PowerShell prompt, extend the schema
Import-module admpwd.ps
Update-admpwdadschema
- Make a list of OUs you want to apply LAPS to (do not apply LAPS to domain controllers!). Then check to see the permissions of who can read LAPS passwords on those OUs:
Find-AdmPwdExtendedRights -Identity "Workstations" | ft
Find-AdmPwdExtendedRights -Identity "Servers" | ft
...
By default only NT AUTHORITY\SYSTEM
and YOURDOMAIN\Domain Admins
should be in the list.
- To give another security group access to the
All extended rights
right so they can read confidential attributes, open Active Directory Users and Computers, and click View > Advanced Options*.* Then right-click an OU, click Properties*,* click the Security tab, and add the security group if it is not already listed. - Once the group is added, click it and then click the Advanced button. Find the group name again, click it and click Edit. In the permissions list that pops up, tick the box for All extended rights*.* Then click OK to any open windows.
- Make sure the new permissions were added properly:
Find-AdmPwdExtendedRights -Identity "Workstations" | ft -AutoSize
Find-AdmPwdExtendedRights -Identity "Servers" | ft -Autosize
...
- To give those security groups access to read LAPS passwords, add permissions like so:
Set-AdmPwdReadPasswordPermission –Identity "Workstations" –AllowedPrincipals "HelpDeskAdmins"
Set-AdmPwdReadPasswordPermission –Identity "Servers" –AllowedPrincipals "HelpDeskAdmins"
- Last, give computers inside these OUs to reset their own passwords:
Set-AdmPwdComputerSelfPermission –Identity "Workstations"
Set-AdmPwdComputerSelfPermission –Identity "Servers"
- In your domain's NETLOGON share (or create a new share all users can "read"), create a folder called LAPS and copy LAPS.x64.msi or LAPS.x32.msi to it.
- Open gpmc.msc, right-click Group Policy Objects and click New. Give it a name (like LAPS) and click OK. Right-click the new policy and click Edit. Under Computer Configuration > Policies > Administrative Templates > LAPS configure the following:
- Password settings: select Enabled and then tweak settings to your liking. Personally, I like my password policies how I like my mint hot cocoas. Strong.
- Name of administrator account to manage: careful here! If you're just going to use built in Administrator account, do not enable this setting. Otherwise do enable it and type in the account you want to manage (like localadmin or helpdesk or whatever you call your account that's deployed across your servers and workstations)
- Do not allow password expiration time longer than required by policy: set to Enabled.
- Enable local admin password management: set to Enabled.
In the same group policy, head under Computer Configuration > Policies > Software Settings > Software Installation. In the window on the right, right-click the mouse and select New > Package. Do this for both the x32 and x64 install as follows:
- For the x86 package, add it as Assigned. Once the package appears, right click it and click Properties. Then under Deployment > Advanced, untick the box that says Make this 32-bit x86 application available to Win64 machines.
- For the x64 package, add it as Assigned.
- Back at the gpmc.msc console, right-click the OUs that you want LAPS installed on, choose Link an Existing GPO and select the LAPS policy.
- Run a gpupdate.msc /force (or wait for GPO cycle, or run gpupdate and reboot systems and log into them so the GPO takes effect).
- To see where LAPS is installed, run the following PowerShell snippet:
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -Properties 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime' | select dnshostname,ms-mcs-admpwd
To see where LAPS is not installed, run the following PowerShell snippet:
Get-ADComputer -filter {ms-mcs-admpwd -notlike "*"} | select dnshostname