Microsoft, building on decision to remove local administrator account password control from Group Policies and enhance overall security for Operating Systems, has released a new LAPS tool to randomize and manage local administrator accounts on domain computers within organizations.
“Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.
Compromised identical local account credentials could allow elevation of privilege if an attacker uses them to elevate from a local user/administrator to a domain/enterprise administrator. Local administrator credentials are needed for occasions when logon is required without domain access. In large environments, password management can become complex, leading to poor security practices, and such environments greatly increase the risk of a Pass-the-Hash (PtH) credential replay attack.
LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers.
Recommendation. Install LAPS to automatically manage local administrator account passwords on domain-joined computers so that passwords are unique on each managed computer, randomly generated, and centrally stored in Active Directory infrastructure.
LAPS stores the password for each computer’s local administrator account in Active Directory, in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.
The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution’s management tools provide easy configuration and administration.
For more information, see:
What is the scope of the advisory?
For computers joined to an Active Directory domain. Each organization’s domain administrators determine which users, such as helpdesk administrators, are authorized to read and reset the passwords.
Why use LAPS instead of other password managers?
Other password managers typically require either additional hardware, trusting a third-party product, or using other unsecure practices, such as managing Excel spreadsheets of passwords.
Can LAPS manage a local administrator account not named “administrator”?
What are the advantages of using LAPS to store and manage passwords?
LAPS provides a streamlined approach to:
- Periodically randomize local administrator passwords to ensure that password updates to Active Directory succeed before modifying local secrets and passwords.
- Centrally store secrets in the existing Active Directory infrastructure.
- Control access through Active Directory access control list (ACL) permissions.
- Transmit encrypted passwords from computers to Active Directory via encryption using the Kerberos version 5 protocol and the Advanced Encryption Standard (AES) cypher by default.
LAPS customer support is available through Microsoft Premier Support Services.
How does LAPS work?
The core of the LAPS solution is a GPO client-side extension (CSE) that performs the following tasks and can enforce the following actions during a GPO update:
- Checks whether the password of the local Administrator account has expired.
- Generates a new password when the old password is either expired or is required to be changed prior to expiration.
- Validates the new password against the password policy.
- Reports the password to Active Directory, storing it with a confidential attribute with the computer account in Active Directory.
- Reports the next expiration time for the password to Active Directory, storing it with an attribute with the computer account in Active Directory.
- Changes the password of the Administrator account.
The password then can be read from Active Directory by users who are allowed to do so. Eligible users can request a password change for a computer.
What are the features of LAPS?
LAPS includes the following features.
Security that provides the ability to:
- Randomly generate passwords that are automatically changed on managed machines.
- Effectively mitigate PtH attacks that rely on identical local account passwords.
- Enforced password protection during transport via encryption using the Kerberos version 5 protocol.
- Use access control lists (ACLs) to protect passwords in Active Directory and easily implement a detailed security model.
Manageability that provides the ability to:
- Configure password parameters, including age, complexity, and length.
- Force password reset on a per-machine basis.
- Use a security model that is integrated with ACLs in Active Directory.
- Use any Active Directory management tool of choice; custom tools, such as Windows PowerShell, are provided.
- Protect against computer account deletion.
- Easily implement the solution with a minimal footprint.
What are the solution requirements?
LAPS includes the following requirements.
- Windows Server 2003 Service Pack 1 (SP1) or later.
- Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later.
Note Itanium-based machines are not supported.
- .NET Framework 4.0
- Windows PowerShell 2.0 or later
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
- Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
The information provided in this advisory is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.”