Monday, 11 May 2015

Microsoft LAPS... yes LAPS not LABS

Microsoft recently published a new tool called LAPS (Local Administrator Password Solution).

https://technet.microsoft.com/en-us/library/security/3062591.aspx

When I talk to customers about local administrator accounts, most of the time I get the same answers.


  • We use the same password on every client machine that we roll out.
  • Our standard local admin password is integrated into our VM deployment. Therefore every new server has got the same local admin password.
  • Our standard local admin password on the clients is well known. Every user knows it in case of "emergency".
I bet there are a lot of other insecure practices for handling local admin passwords.

In the "good old days" we used Group Policy Preferences to manage local accounts and local admin passwords. We were able to set the password of the local admin via GPP.
Last year Microsoft removed this functionality from GPP because the password was stored insecurely and allowed for privilege elevation.


We need to find a more secure and manageable solution for local administrator passwords and that is where Microsoft LAPS comes into the game.

Microsoft LAPS is a solution to automatically change the password of the local administrator account (well known SID -500) on all machines joined to our Active Directory domain to a unique and random value which is regularly changed automatically.
Using LAPS you can make sure that all computers in the AD environment have different and complex local admin passwords. LAPS requires an AD schema extension and adds a new attribute (ms-Mcs-AdmPwd) to the computer class which stores the current admin password. Permissions to read this attribute must be explicitly granted to your users, your helpdesk or your admins. The entire process relies only on Active Directory functionality.

The following steps will show you how to install LAPS. For the demo I used a build of Windows Server vNext (2016) and Windows 10.
The lab (yes, this time with a "b") consists of two machines.
  • DCvNext (Windows Server vNext Domain Controller and LAPS Management Server)
  • W10 (Windows 10 Client joined to the AD Domain corp.insidecloud.de working as the LAPS client)
The LAPS client machine can be any Windows OS (from 2003/Vista...no we don't want to use 2003 anymore!). The client MSI package is available in a 32-bit and a 64-bit version. Both packages can be downloaded from TechNet (see link at the top of this article).

Now let's start with the installation.

Software Installation

We're logged in to our Domain Controller and double click the "LAPS.x64.msi" file.


Click the "I accept the terms in the license Agreement" (I once met a guy who told me that he knows a guy who knows a guy who has heard of a guy who claims to have ever read the Software License Terms. :-))

Select every available component on the custom setup page.

Click "Next" and click "Install" to install the components.

Finally, close the installer with the "Finish" button.

That's it. Fairly simple. Now let's move on to the client installation.

In order for a client machine (could be a Windows client or Windows Server OS) to have its password changed automatically, the client component of LAPS must be installed on the machine.
The installation can be done either using the MSI package from above or by extracting a DLL from it and registering the DLL manually. I prefer to register the DLL on my Windows 10 client. Just keep in mind that if you do not install the MSI package and just register the DLL, you will not see the component in the "Programs and Features" control panel on the client. On the other hand integrating the DLL silently into your OS deployment.
You can extract the MSI package using the following command:

"msiexec /a <path to LAPS.x64.msi> /qb TARGETDIR=<target folder>"


After extracting the file you'll find several folders containing the GPO templates and the PowerShell module, as well as a folder CSE which contains the required DLL.


We now copy the DLL to "C:\Windows\System32" and register it using "regsvr32.exe AdmPwd.dll". (Please excuse the German in the screenshot; I used a German Windows 10 image.)


Active Directory preparation

Now that we have installed the management and client components, we need to prepare Active Directory to store the password against a computer object. Two attributes will be added to the Active Directory computer class.

  • ms-Mcs-AdmPwd - the attribute that holds the password
  • ms-Mcs-AdmPwdExpirationTime - this attribute stores the time after which the computer's password should be changed
We again log on to the Domain Controller where we previously installed the management software. Make sure to be logged on as a member of the "Schema Admins" group and open an elevated Windows PowerShell prompt.
Using the command "Get-Command -Module AdmPwd.ps" we can check the available Cmdlets from the PowerShell module. (If you use Windows Server 2008 R2 you might need to import the module first.)

Now we can run "Update-AdmPwdADSchema" Cmdlet to update the schema.


We need to grant the computers the ability to update their password attribute using the Cmdlet "Set-AdmPwdComputerSelfPermission".


Next we need to grant rights to users to allow them to retrieve a computer's password.


We could also use the "Identity" parameter to grant the permissions to a single computer object.
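
As an added example (not the author's own commands), the sequence below runs the preparation steps of this section and then lists every principal that can read the stored passwords, so that unexpected readers stand out. The OU distinguished name, the CORP NetBIOS name, the LAPS-Helpdesk group and the expected-holder baseline are assumptions; Set-AdmPwdReadPasswordPermission and Find-AdmPwdExtendedRights are cmdlets of the AdmPwd.PS module that the post does not name.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# prompt on the management machine, as a member of "Schema Admins".
Import-Module AdmPwd.PS

# Assumptions: DN of the "Clients OU", NetBIOS domain name and reader group.
$ou      = 'OU=Clients,DC=corp,DC=insidecloud,DC=de'
$readers = 'CORP\LAPS-Helpdesk'   # hypothetical helpdesk group

# 1. Add ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

# 2. Allow computer accounts in the OU to write their own password attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Allow the reader group to retrieve the stored passwords.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# 4. Audit: anyone holding extended rights on the OU can read the password
#    attribute. Flag holders that are not in the baseline we expect.
$expected = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', $readers)  # assumed baseline

Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
    $dn = $_.ObjectDN
    foreach ($holder in $_.ExtendedRightHolders) {
        [pscustomobject]@{
            ObjectDN = $dn
            Holder   = $holder
            Expected = $expected -contains $holder
        }
    }
} | Sort-Object Expected, Holder | Format-Table -AutoSize
```

Rows with Expected set to False sort to the top; each of them is a principal whose rights on the OU should be reviewed before LAPS is rolled out.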


Group Policy configuration

The client and management components are installed and permissions are set. All that's left is to turn on the password synchronization.
We open GPMC on our Domain Controller and create a new policy "LAPS Clients" that we can link to our "Clients OU" in AD.


These settings are really straightforward, you can configure them how you like. I used the following settings:

  • Enable local admin password management: Enabled
  • Password Settings: Enabled
    • Complexity: Large letters, small letters, numbers, specials
    • Length: 14 characters
    • Age: 30 days
  • Name of administrator account to manage: Not Configured (this will use the default SID -500 account)
  • Do not allow password expiration time longer than required by policy: Enabled

How to use LAPS

Now that we have everything installed and configured we can start using LAPS for our daily work and read the passwords from the attribute.

There are different ways to get the password.

You can use "Active Directory Users and Computers" snap-in and the integrated attribute editor to view the password.

Instead of using this simple way you can use the LAPS UI that we installed on the management machine to read the password.


The automated way would be to use PowerShell and the Get-ADComputer Cmdlet.
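
One way to do this, as an added example that is not the author's own command: the first query reads the password and its expiration time for the lab client, the second reports machines in the OU that have no LAPS-managed password yet or whose password is overdue, requesting only the expiration attribute. The OU distinguished name and the helper function name are assumptions.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module (RSAT) and, for the first query, read permission on ms-Mcs-AdmPwd.
Import-Module ActiveDirectory

$ou = 'OU=Clients,DC=corp,DC=insidecloud,DC=de'   # assumed DN of the "Clients OU"

# Hypothetical helper: the expiration time is stored as a Windows FILETIME
# (64-bit integer); an empty attribute means LAPS never set a password.
function ConvertFrom-LapsFileTime($Value) {
    if ($Value) { [datetime]::FromFileTime($Value) } else { $null }
}

# Password and expiration time of a single machine (W10 is the lab client).
Get-ADComputer -Identity 'W10' -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' |
    Select-Object Name,
        @{ Name = 'Password'; Expression = { $_.'ms-Mcs-AdmPwd' } },
        @{ Name = 'Expires';  Expression = { ConvertFrom-LapsFileTime $_.'ms-Mcs-AdmPwdExpirationTime' } }

# Coverage report for the whole OU. Only the expiration attribute is requested,
# so no password leaves the directory.
$now = Get-Date
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $expires = ConvertFrom-LapsFileTime $_.'ms-Mcs-AdmPwdExpirationTime'
        $status  = if (-not $expires)      { 'NoLapsPassword' }
                   elseif ($expires -lt $now) { 'Overdue' }
                   else                       { 'OK' }
        [pscustomobject]@{ Name = $_.Name; Expires = $expires; Status = $status }
    } |
    Where-Object Status -ne 'OK' |
    Sort-Object Status, Name
```

An empty Password column for an account that should have access usually points to missing read permission on the attribute rather than a missing password.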


That's it. Next step: Integrate LAPS into your clients and client operations procedures. LAPS could be integrated into your ticket system to allow users to request the admin password and have it automatically reset to a different value afterwards. Make sure that users have not created an additional admin account. You could do so using GPP to keep the local admins group clean.
Ideas, ideas, ideas...
Have fun and have a nice week.
Chris