Security: Getting to Know Windows LAPS for Active Directory - First Look (2023)

In October 2022, I published a blog post titled The 10 most important details about the upcoming Windows LAPS solution, which revealed that Microsoft was developing a new LAPS solution called Windows LAPS. This solution addresses the long-awaited support for cloud-only devices. As of April 11, 2023, Windows LAPS for Windows Server Active Directory is publicly available. Previously, Windows LAPS was only accessible via private preview. Unfortunately, Windows LAPS for Azure Active Directory remains in private preview and is not open to new customers. However, the Azure Active Directory LAPS scenario is expected to enter public preview in the second quarter of 2023. In this blog post, I share my initial impressions from testing Windows LAPS in the Windows Server Active Directory (on-premises) scenario.

  1. Supported platforms
  2. The advantages of Windows LAPS over Legacy Microsoft LAPS
    1. Seamless integration
    2. Encryption with password
    3. More new features
  3. Windows LAPS for Windows Server Active Directory – Configuration
    1. Windows LAPS Requirements
    2. Prepare Windows LAPS ADMX templates
    3. Update the Windows Server Active Directory schema
    4. Give the managed device permission to update its password
    5. Windows LAPS permission delegation
    6. Configure policy settings for Windows LAPS
  4. Windows LAPS for Windows Server Active Directory – Admin Experience
    1. Read Windows LAPS password
    2. Windows LAPS password rotation
    3. Get Windows LAPS password history
    4. Password backup for DSRM accounts
  5. Conclusion

Supported platforms

When Microsoft first announced the new LAPS solution, it was not yet known which operating systems would be supported by Windows LAPS besides Windows 11. The supported platforms have now been definitively announced:

  • Windows 11 Pro, EDU and Enterprise
  • Windows 10 Pro, EDU and Enterprise
  • Windows Server 2022 and Windows Server Core 2022
  • Windows Server 2019

The Local Administrator Password Solution (LAPS) released in 2015 will remain available and supported. Microsoft now calls the previous solution Legacy Microsoft LAPS.

The advantages of Windows LAPS over Legacy Microsoft LAPS

Seamless integration

Without a doubt, the most important advantage of Windows LAPS is its seamless integration with Windows. This eliminates the need for any additional installation steps and therefore no longer requires the LAPS MSI package to be distributed.

Encryption with password

One of the drawbacks of the previous version of LAPS was that passwords were stored in plain text in Active Directory. Although read access to the LAPS password attributes could be restricted, a residual risk remained. With Windows LAPS it is now possible to encrypt passwords (AES-256). The only requirement is that the domain functional level is raised to Windows Server 2016.

More new features

Windows LAPS also offers many new features. The full overview:

Windows LAPS for Azure Active Directory capabilities:
  • Store passwords in Microsoft Azure (on an Azure device object)
  • Cloud-based management experience
    – Passwords retrieved via Microsoft Graph
    – Configure settings via Microsoft Intune
    – Change password on demand via Microsoft Intune
  • Automatic password reset after use (customer driven)

Windows LAPS for Windows Server Active Directory capabilities:
  • New Group Policy object and AD schema attributes
  • The account name is stored side by side with the password
  • Automatic password reset after use (customer driven)
  • Support for password encryption (WS2016 DFL required)
  • Password history support for encrypted passwords
  • Support for managing DSRM account passwords on domain controllers
  • New PowerShell module
  • New LAPS property page in the AD Users & Computers snap-in

Windows LAPS for Windows Server Active Directory – Configuration

That is enough introduction. It's time to evaluate Windows LAPS and its new features! 🙂 My test environment consists of two Windows Server 2022 machines: one domain controller and one member server.

Windows LAPS Requirements

First of all, the Cumulative Update from April 11, 2023 (KB5025230) must be installed. This latest update integrates the Windows LAPS solution as a built-in Windows feature.

Be careful with this update if legacy LAPS is already in use:

The April 11, 2023 update has two potential regressions related to interoperability with legacy LAPS scripts. Read the following to understand the scenario parameters as well as the possible solutions.

Issue #1: If you install the legacy LAPS CSE on a device updated with the April 11, 2023 security update and a legacy LAPS policy is applied, both Windows LAPS and legacy LAPS will enter a broken state where neither feature will update the password for the managed account. Symptoms include Windows LAPS event log IDs 10031 and 10033, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue.

There are two main solutions to the above issue:

  1. Uninstall the legacy LAPS CSE (result: Windows LAPS will take over the managed account)
  2. Disable legacy LAPS emulation mode (result: legacy LAPS will take over the managed account)

Issue #2: If you apply a legacy LAPS policy to a device patched with the April 11, 2023 update, Windows LAPS will immediately enforce the legacy LAPS policy, which can be annoying (for example, if done against the operating system development workflow). Disabling legacy LAPS emulation mode can also be used to prevent these problems.

https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status
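As an added example (not part of the original post or of Microsoft's documentation), the following PowerShell function checks a patched device for the co-existence problem described above: it tests whether the legacy CSE DLL is present, counts Windows LAPS events 10031 and 10033 in the operational log, and reports whether an old AdmPwd policy is still present (which is what legacy emulation mode acts on). The log name Microsoft-Windows-LAPS/Operational, the legacy CSE path and the legacy policy registry key are assumptions based on the products' default install locations, not values taken from this page.

```powershell
# Added example (not from the original post): detect the legacy LAPS / Windows LAPS
# co-existence problem on a device that has the April 2023 CU installed.
# Assumptions: the Windows LAPS operational log is 'Microsoft-Windows-LAPS/Operational',
# the legacy CSE installs 'C:\Program Files\LAPS\CSE\Admpwd.dll', and the legacy GPO
# policy lands under 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'.
function Test-LapsLegacyCoexistence {
    [CmdletBinding()]
    param(
        # How far back to look for the conflict events
        [int]$LookbackHours = 24
    )

    $legacyCsePath      = 'C:\Program Files\LAPS\CSE\Admpwd.dll'
    $legacyCseInstalled = Test-Path -Path $legacyCsePath

    # Event IDs 10031 and 10033 are the symptoms Microsoft lists for the broken state
    $filter = @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Id        = 10031, 10033
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $conflictEvents = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # A legacy AdmPwd policy still being delivered means emulation mode has something to act on
    $legacyPolicyPresent = Test-Path -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'

    $broken = $legacyCseInstalled -and ($conflictEvents.Count -gt 0)
    if ($broken) {
        $recommendation = 'Issue #1: uninstall the legacy LAPS CSE, or disable legacy LAPS emulation mode'
    } elseif ($legacyPolicyPresent -and -not $legacyCseInstalled) {
        $recommendation = 'Issue #2: Windows LAPS is emulating the legacy policy; migrate to the LAPS.admx policy or disable emulation mode'
    } else {
        $recommendation = 'No co-existence problem detected'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        LegacyCseInstalled  = $legacyCseInstalled
        LegacyPolicyPresent = $legacyPolicyPresent
        ConflictEventCount  = $conflictEvents.Count
        LastConflictEvent   = ($conflictEvents | Select-Object -First 1).TimeCreated
        BrokenState         = $broken
        Recommendation      = $recommendation
    }
}

Test-LapsLegacyCoexistence | Format-List
```

Run it elevated on the device; the function only reads the event log, the file system and the registry, so it is safe to include in a pre-rollout inventory script and to compare the BrokenState column across a fleet.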

Prepare Windows LAPS ADMX templates

After successfully installing the April 2023 CU, the new LAPS ADMX/ADML templates are now available:

  • C:\Windows\PolicyDefinitions\LAPS.admx
  • C:\Windows\PolicyDefinitions\en-US\LAPS.adml

Now they only need to be copied to the Active Directory Central Store:

  • Source: C:\Windows\PolicyDefinitions\LAPS.admx
    Target: \\%domainname%\SYSVOL\%domainname%\Policies\PolicyDefinitions
  • Source: C:\Windows\PolicyDefinitions\en-US\LAPS.adml
    Target: \\%domainname%\SYSVOL\%domainname%\Policies\PolicyDefinitions\en-US

Update the Windows Server Active Directory schema

As with the previous LAPS version, we first need to extend the Active Directory schema with the following PowerShell cmdlet.

Update-LapsADSchema

The schema update adds six new Windows LAPS attributes to Active Directory.

Give the managed device permission to update its password

Now we need to give our devices permission to write to their own (SELF) Windows LAPS password attributes. These permissions are set with the Set-LapsADComputerSelfPermission PowerShell cmdlet, which configures inheritable permissions on the organizational unit (OU) containing our devices.

Set-LapsADComputerSelfPermission -Identity "Your Active Directory Device OU"

The identity can be specified by the distinguished name as well as the simple OU name. If the specified OU name is not unique, the distinguished name must be used.


Windows LAPS permission delegation

By default, only domain administrators and NT AUTHORITY\SYSTEM have read and write permissions on all msLAPS attributes. This can be checked with the Find-LapsADExtendedRights PowerShell cmdlet.

To assign permissions to administrator groups, the following two PowerShell cmdlets can be used:

  • Set-LapsADReadPasswordPermission: grants read permission to the Windows LAPS password. Attributes: msLAPS-EncryptedPassword (read), msLAPS-EncryptedPasswordHistory (read), msLAPS-Password (read), msLAPS-PasswordExpirationTime (read)
  • Set-LapsADResetPasswordPermission: grants permission to trigger a Windows LAPS password reset. Attribute: msLAPS-PasswordExpirationTime (read and write)

To allow flexible rights management through the domain's global role groups, I created two domain local security groups.

Permissions can then be assigned using the corresponding PowerShell cmdlets:

Set-LapsADReadPasswordPermission -Identity "Your Active Directory Device OU" -AllowedPrincipals "Your Active Directory Group"
Set-LapsADResetPasswordPermission -Identity "Your Active Directory Device OU" -AllowedPrincipals "Your Active Directory Group"
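The preparation steps of this section (central store, schema, SELF permission, delegation groups, read and reset rights, verification) as one script, added here as an example and not taken from the original post. The OU, group and domain names are placeholders; it assumes the LAPS and ActiveDirectory modules are available on the domain controller where it runs and that the caller is a Schema Admin for the schema step.

```powershell
# Added example (not from the original post): the whole preparation and delegation
# procedure from this section as one script, run on a domain controller that already
# has the April 2023 CU installed. All names below are placeholders.
Import-Module LAPS
Import-Module ActiveDirectory

$domainDns  = $env:USERDNSDOMAIN                    # DNS name of the current domain
$deviceOu   = 'OU=Devices,DC=corp,DC=example'       # placeholder: OU containing the managed devices
$groupOu    = 'OU=Groups,DC=corp,DC=example'        # placeholder: OU for the delegation groups
$readGroup  = 'LAPS-PasswordReaders'                # placeholder: domain local group that may read passwords
$resetGroup = 'LAPS-PasswordResetters'              # placeholder: domain local group that may trigger resets

# 1. Copy the ADMX/ADML templates into the SYSVOL central store (paths as on this page)
$centralStore = "\\$domainDns\SYSVOL\$domainDns\Policies\PolicyDefinitions"
New-Item -ItemType Directory -Path "$centralStore\en-US" -Force | Out-Null
Copy-Item -Path 'C:\Windows\PolicyDefinitions\LAPS.admx'       -Destination $centralStore -Force
Copy-Item -Path 'C:\Windows\PolicyDefinitions\en-US\LAPS.adml' -Destination "$centralStore\en-US" -Force

# 2. Extend the schema with the msLAPS-* attributes (requires Schema Admins)
Update-LapsADSchema

# 3. Let each computer in the OU write its own LAPS attributes (SELF, inheritable)
Set-LapsADComputerSelfPermission -Identity $deviceOu

# 4. Create the two domain local delegation groups if they do not exist yet
foreach ($name in $readGroup, $resetGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $groupOu
    }
}

# 5. Delegate read (password attributes) and reset (expiration time read/write) rights
Set-LapsADReadPasswordPermission  -Identity $deviceOu -AllowedPrincipals $readGroup
Set-LapsADResetPasswordPermission -Identity $deviceOu -AllowedPrincipals $resetGroup

# 6. Verify who now holds extended rights on the OU; anything beyond Domain Admins,
#    SYSTEM and the two groups above deserves a second look
Find-LapsADExtendedRights -Identity $deviceOu | Format-Table -AutoSize
```

Keeping the read and reset rights on two separate groups, as the post does, lets a help desk role rotate a password without ever being able to read it, which is the least-privilege split you want for the reset path.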

Configure policy settings for Windows LAPS

In the last step, we configure the Windows LAPS group policy and link it to our device's OU: Computer Configuration > Administrative Templates > System > LAPS.

To enable Windows LAPS, you basically only need to configure the Password backup directory setting.

The password is encrypted by default, since the domain functional level has already been raised to 2016. Because we want to test all the new features, we of course enable several settings such as Enable password backup for DSRM accounts, Configure the size of the encrypted password history and Password settings.

  • Enable password backup for DSRM accounts: Use this setting to enable Directory Services Restore Mode (DSRM) account password backup on Windows Server Active Directory domain controllers.
  • Configure the size of the encrypted password history: Use this setting to configure how many previous encrypted passwords are remembered in Active Directory. Supported values are 0-12.
  • Enable password encryption: Use this setting to enable password encryption in Active Directory. Enabling this setting requires that the Active Directory domain is running at domain functional level 2016 or later.
  • Configure authorized password decryptors: Use this setting to configure the name or security identifier (SID) of a user or group that can decrypt the password stored in Active Directory. This setting is ignored if the password is currently stored in Azure. If not specified, only members of the Domain Admins group in the device's domain can decrypt the password. If specified, the specified user or group can decrypt the password stored in Active Directory.
  • Administrator account name to manage: Do not specify this setting unless you want to manage an account other than the built-in local Administrator account. The built-in account is identified automatically by its well-known relative identifier (RID). If you prefer to use a different account, make sure it exists on all clients in advance, as Windows LAPS does not create the local administrator account for you.
  • Configure password backup directory: Use this setting to control the directory to which the password of the managed account is backed up.
  • Do not allow the password to expire longer than required: When you enable this setting, scheduled password expirations later than the password age dictated by the Password settings policy are NOT allowed. When such an expiration is detected, the password is changed immediately and the expiration is set according to the policy.
  • Password settings: Use this setting to specify password settings such as PasswordAgeDays, PasswordLength, and PasswordComplexity.
  • Post-authentication actions (automatic password reset after use): Perform predefined actions (reset password; reset password and log off the managed account; reset password and reboot the device) after a configurable delay (grace period) following a successful logon to a Windows LAPS-managed device.

After the GPO has reached our devices, we can verify the status in the event log:
Applications and Services Logs > Microsoft > Windows > LAPS > Operational.
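To check on a device that the policy from the table above actually arrived with the hardened values, here is an added PowerShell audit function (example code, not from the original post). It assumes that GPO-delivered Windows LAPS settings land under HKLM:\SOFTWARE\Microsoft\Policies\LAPS with the documented value names (BackupDirectory, ADPasswordEncryptionEnabled, ADEncryptedPasswordHistorySize, PasswordLength, PasswordAgeDays, PasswordExpirationProtectionEnabled, ADPasswordEncryptionPrincipal) and that the operational log is named Microsoft-Windows-LAPS/Operational; the thresholds are my own choices.

```powershell
# Added example (not from the original post): audit the Windows LAPS policy that Group
# Policy delivered to this device and flag weak or missing settings.
# Assumptions: policy registry path and value names as documented for Windows LAPS;
# BackupDirectory 0 = disabled, 1 = Azure AD, 2 = Windows Server AD.
function Test-LapsPolicyHardening {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',
        [int]$MinPasswordLength = 14,   # threshold chosen for this example
        [int]$MaxPasswordAgeDays = 30   # threshold chosen for this example
    )

    if (-not (Test-Path -Path $PolicyKey)) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Compliant    = $false
            Findings     = @('No Windows LAPS policy key present; the GPO has not reached this device')
        }
    }

    $p        = Get-ItemProperty -Path $PolicyKey
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($p.BackupDirectory -ne 2) {
        $findings.Add("BackupDirectory is '$($p.BackupDirectory)', expected 2 (Windows Server Active Directory)")
    }
    # Encryption keeps the password out of the clear-text msLAPS-Password attribute
    if ($p.BackupDirectory -eq 2 -and $p.ADPasswordEncryptionEnabled -ne 1) {
        $findings.Add('ADPasswordEncryptionEnabled is not 1; the password will be stored in clear text')
    }
    # History is only kept for encrypted passwords; 0 or unset means none is kept
    if (-not $p.ADEncryptedPasswordHistorySize -or $p.ADEncryptedPasswordHistorySize -lt 1) {
        $findings.Add('ADEncryptedPasswordHistorySize is 0 or unset; previous passwords will not be recoverable')
    }
    # Unset values fall back to the built-in defaults, so only explicit weak values are flagged
    if ($p.PasswordLength -and $p.PasswordLength -lt $MinPasswordLength) {
        $findings.Add("PasswordLength $($p.PasswordLength) is below $MinPasswordLength")
    }
    if ($p.PasswordAgeDays -and $p.PasswordAgeDays -gt $MaxPasswordAgeDays) {
        $findings.Add("PasswordAgeDays $($p.PasswordAgeDays) exceeds $MaxPasswordAgeDays")
    }
    if ($p.PasswordExpirationProtectionEnabled -ne 1) {
        $findings.Add('PasswordExpirationProtectionEnabled is not 1; an expiry beyond the policy age would be accepted')
    }
    # Without an explicit decryptor only Domain Admins can read the password (see the table above)
    if ($p.ADPasswordEncryptionEnabled -eq 1 -and [string]::IsNullOrEmpty($p.ADPasswordEncryptionPrincipal)) {
        $findings.Add('ADPasswordEncryptionPrincipal is not set; only Domain Admins can decrypt the password')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

Test-LapsPolicyHardening | Format-List

# Cross-check with the most recent entries of the operational log mentioned above
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
```

The last finding is informational rather than a defect: it is exactly the situation the post runs into in the "Read Windows LAPS password" section, where the delegated readers can see the encrypted blob but cannot decrypt it until a decryptor group is configured.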

Windows LAPS for Windows Server Active Directory – Admin Experience

Read Windows LAPS password

In our first attempt we try to read the LAPS password via PowerShell and via dsa.msc with a user who is not a member of our delegation groups.

Get-LapsADPassword -Identity "Your Device"
Get-LapsADPassword -Identity "Your Device" -AsPlainText

As expected, the Windows LAPS password cannot be read.

Now we add our test user to the read password assignment group and repeat the same test. Having done this, we can read several attributes and also see that the password was stored encrypted. However, we do not yet have permission to read/decrypt the password. By default, this is only possible for domain administrators.

To decrypt the password, we first need to add the delegation group we created to the LAPS Group Policy. The setting Configure authorized password decryptors must be enabled and configured. The group can be specified either as a SID or in the format domain\groupname. I was unable to add multiple password decryption groups. Therefore, you need to make sure that the Domain Admins group is added to the read-password delegation group, otherwise domain administrators will no longer be able to decrypt the password.

Okay, time to repeat the test.

Windows LAPS password rotation

The password can be changed either locally on the device via Reset-LapsPassword, or the expiration time can be adjusted via Set-LapsADPasswordExpirationTime.

Now we first try this again without the required permissions.

Local administrator rights are sufficient to run the Reset-LapsPassword PowerShell cmdlet; the user running it does not need any special Active Directory permissions on the LAPS attributes.

A locally created admin user (non-domain user) can trigger a password change.

We are now trying to adjust the expiration time with our domain test user.

Set-LapsADPasswordExpirationTime -Identity "Your device"

As expected, this doesn't work, because our test user doesn't yet have write access to the ExpirationTime attribute. So we add the test user to the ExpirationTime delegation group and repeat the test.

The next time Windows LAPS wakes up to process the current policy, it sees the modified password expiration time and rotates the password. If you don't want to wait, you can run the Invoke-LapsPolicyProcessing cmdlet on the device.
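The rotation workflow just described (expire in AD, trigger policy processing on the device, confirm the rotation) as one function, added here as an example that is not part of the original post. It assumes the caller holds the delegated reset and read rights, that PowerShell Remoting to the device is permitted, and that the objects returned by Get-LapsADPassword expose the PasswordUpdateTime and ExpirationTimestamp properties, as the LAPS module documents.

```powershell
# Added example (not from the original post): force a rotation from the admin side and
# verify that it happened, using the cmdlets discussed in this section.
# Assumptions: delegated reset + read rights, PowerShell Remoting to the device, and
# Get-LapsADPassword output with PasswordUpdateTime / ExpirationTimestamp properties.
function Invoke-LapsRotationAndVerify {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$TimeoutSeconds = 120
    )
    Import-Module LAPS

    # Snapshot before the change; the password itself is not touched or returned
    $before = Get-LapsADPassword -Identity $ComputerName

    # Mark the password as expired in AD (default: effective now)
    Set-LapsADPasswordExpirationTime -Identity $ComputerName

    # Ask the device to process policy immediately instead of waiting for the next cycle
    Invoke-Command -ComputerName $ComputerName -ScriptBlock { Invoke-LapsPolicyProcessing }

    # Poll AD until the update time moves past the old one (replication can add a few seconds)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $after = Get-LapsADPassword -Identity $ComputerName
    } until ($after.PasswordUpdateTime -gt $before.PasswordUpdateTime -or (Get-Date) -gt $deadline)

    [pscustomobject]@{
        ComputerName       = $ComputerName
        Rotated            = ($after.PasswordUpdateTime -gt $before.PasswordUpdateTime)
        OldExpiration      = $before.ExpirationTimestamp
        NewExpiration      = $after.ExpirationTimestamp
        PasswordUpdateTime = $after.PasswordUpdateTime
    }
}

Invoke-LapsRotationAndVerify -ComputerName 'Your Device'
```

Because the function never adds -AsPlainText, a rotation can be run and confirmed by someone who holds only the reset right; reading the new password remains a separate, deliberately invoked step.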

Get Windows LAPS password history

The password history can be read with the same Get-LapsADPassword cmdlet; only the -IncludeHistory parameter must be added.

Get-LapsADPassword -Identity "Your Device" -AsPlainText -IncludeHistory

Password backup for DSRM accounts

For this feature to work, domain functional level 2016 is required and encryption must be enabled. In addition, this password can only be read and decrypted by Domain Admins; the principals configured under Configure authorized password decryptors are ignored. In this scenario, the setting always defaults to the Domain Admins group of the domain controller's domain.

I only had to link the LAPS Group Policy to the Domain Controllers OU. Set-LapsADComputerSelfPermission did not need to be run on the Domain Controllers OU.

Run Get-LapsADPassword with domain admin rights:

Get-LapsADPassword -Identity "Your DC" -AsPlainText -IncludeHistory

Conclusion

The previous solution, Legacy Microsoft LAPS, was already quite simple to set up and manage. However, with the integration of Windows LAPS into the operating system and the introduction of the new PowerShell module, implementation and management have become even simpler. Additionally, security has been improved through password encryption, password history, automatic password reset after use, and DSRM account management. We can only hope that the rollout of Windows LAPS for Azure Active Directory goes just as smoothly as the on-premises scenario and that we don't have to wait as long for the public release.

Article information

Author: Twana Towne Ret

Last Updated: 06/16/2023
