Adding a new door to LAPS

As most of you are probably aware, Microsoft has a free software kit called LAPS. LAPS is an acronym for “Local Administrator Password Solution”.

LAPS randomises the password of the local administrator account on a windows 7+ device, according to rules set up with group policy.

Hopefully you already have LAPS implemented in your organization, because it adds a great layer of security to your Windows endpoints.

If you use something completely different to handle this scenario, well then, uhm… yeah, this might be of very little interest to you. Unless you are interested in saving a few bucks by reading on?

So what is this about a new door? And what hardware store do I go to?

An old solution with limitations

Historically there is the issue of who can view the passwords that the LAPS agent sends to your Active Directory. And separating access – making sure that access is only available while it’s required, and to the right person. A tedious task (to say the least).

This would usually lead to less elegant solutions, like installing the GUI on a DC and using a domain admin account to access the password. The more security concerned companies, would perhaps spend the time dividing access with DCALCS.exe on Organisation Unit’s – and deal with the whole hassle of having to revise and follow up on access.

Either you do too little, or you have to do too much… It’s not very elegant either way!

A modern approach

A solution that I have recently come to appreciate, is the “LAPS Web App” solution from lithnet. It’s an elegant and lightweight solution to some of the woes of LAPS administration. AND IT’S FREE!

In short, you don’t have to go to the hardware store to get this door. The LAPS Web App is free, and will give you web-based access to reveal passwords set by LAPS in your AD based on your query (no wildcards allowed).

It runs off a simple Internet Information Server that you can host in your own datacenter, in Azure IaaS, or on Azure App Services. The most important thing is that it needs line of sight to a Domain Controller with a Global Catalog replica.

Now, you might say that this is just a web version of the GUI that follows the LAPS installer…

Nope, it’s better! Because it can do many things, like multiple authentication providers and expiration of the passwords. Oh! and lets not forget that it’s web based, which makes deployment much less of a hassle.

Authentication Providers in LAPS Web App:

Let’s just take a short look at the list of auth providers that the LAPS Web App supports!

• Windows Integrated
• Basic (euws!)
• AD FS
• Azure AD
• Okta
• Or another OpenID compatible provider!

Service account as a proxy

The way this all works is that you run the IIS Application Pool, as a trusted service account, which acts as a security proxy between the user and the Active Directory.

This service account would preferably be a Managed Service Account, which Ned Pyle wrote about aloooong time ago, so you should be familiar with this! (If not, go read now!)

This account would ideally, be the ONLY account with access to read the ms-Mcs-AdmPwd attributes of the Computer Object in Active Directory, and read/set the ms-Mcs-AdmPwdExpirationTime attribute, to control expiration of the password after it has been viewed.

Access granting

In the LAPS Web App web.config, you can define security groups or users in your domain, that should have access to the device passwords. The service account will then proxy the request, and afterwards set the expiration to a desired value. For example, you can set the expiration to one hour, so the password changes relatively soon after being used, which is a slight improvement to the security of the service.

With all the authentication providers at our disposal, you no longer have to mess around with DCACLS in the domain. As an added bonus, you also have access to Multi Factor-Authentication and Conditional Access (Yay!)

Initially, anyone can potentially access the LAPS Web App, but the query will be denied if you are not authenticated as a user with permission to the computer object you have queried.
The access is granted through the <Readers> attribute in the web.config.

Auditing

Another added bonus of using the LAPS Web App, is that you get advanced auditing capabilities.

You can setup email notifications for success/failures, and capture all events in the event log of the server running the LAPS Web App. This will allow easy integration into your SIEM or other similar tools.

Installation of LAPS Web App

The installation is well documented on GitHub, so I won’t plagiarize Lithnet’s excellent work. Instead, I give you the link to the install Wiki, and bid you a safe journey into webifying your LAPS implementation!

https://github.com/lithnet/laps-web/wiki/Installing-the-app

READ THE PREREQUISITES (TWICE!) This will give you less of a headache when things don’t work, especially if you are not familiar with the installation of an MVC style Web App.

Thanks for reading

Any feedback/follows/likes are much appreciated, and keeps me motivated – @michael_mardahl on Twitter.