Installing and Configuring Microsoft LAPS: A Complete Guide – Part 2

Introduction

In our last article we showed how carry out a fresh install and configuration Microsoft’s Local Administrator Password Solution (LAPS) in your Active Directory environment. If you haven’t read that already, start by following this link.

LAPS is an incredibly useful free tool provided by Microsoft to automatically manage the Local Administrator account password for your domain joined Windows computers, and is a security tool that any organisation with an Active Directory domain should have.

However, the client user interface it provides leave a lot to be desired as it only works on Windows computers and is very simple in design. So today we’re going to take that one step further by installing and configuring OverLAPS.

OverLAPS is a third party add-on for LAPS which provides a web interface, so you can now access LAPS managed passwords from any device, including mobile phones, while on the move.

OverLAPS for Microsoft LAPS Managed Environments

System Requirements

We’re going to be installing OverLAPS on a Windows Server 2016 box with nothing else on it, but it can be installed on any Windows device after Server 2012 R2 or Windows 10.

OverLAPS a really light-weight application, so we’ve just setup a single core, 512Mb RAM virtual machine in Hyper-V for this demonstration, and it really doesn’t need more than that.

In the real world, we’d probably recommend installing it on an existing host so you’re not paying for another Window licence. The only gotcha to watch out for is if another internet service is already using ports 80 or 443, but we’ll cover that later.

When it comes to actually using OverLAPS, the web interface requires any modern web browser with JavaScript enabled.

Installation and Initial Configuration

Running the Bundle Installer

OverLAPS Bundle Installer

Double click the OverLAPS bundle installer to start the installation process.

End User Licence Agreement

The End User Licence Agreement will display, which you should read even though nobody ever does. There aren’t any surprises in there though, so once you’re happy check the “I agree…” button and click Install.

Once the installation process has completed, you’ll be shown a success message.

Installation Completed Successfully

If everything went to plan, you should now see the OverLAPS service installed and running. You can check this by running the Services system tool (Start -> Run -> services.msc).

The OverLAPS web service running

Configuring the Server Port

If you notice the service isn’t running, check the log file in “C:\ProgramData\Int64 Software Ltd\OverLAPS” for problems. The most common cause for failure is because another process is already serving HTTP content on port 80.

If this happens, or if you want to change the port for another reason, you can do so by editing the OverLAPS configuration file at:

C:\ProgramData\Int64 Software Ltd\OverLAPS\config.xml

Default Configuration File

By default, the OverLAPS is configured to use port 80 for unencrypted (HTTP) traffic and port 443 for encrypted (HTTPS) traffic. Note that HTTPS is not enabled by default as you first need to install a certificate, but more on that later.

The ports can be changed to any valid port number (1–65535), but remember to check a list of known ports (such as this handy one on Wikipedia, or this list of default ports used by Windows) to make sure you don’t conflict with anything.

Any changes to the configuration file require the OverLAPS service to be restarted. You can do this by right clicking the service and selecting Restart (or just Start if the service is already stopped).

Configuring Kerberos for Added Login Security

By default, the OverLAPS web server will use the NT LAN Manager (NTLM) to handle Integrated Authentication requests (as opposed to the form login method). While this is fine for most cases, NTLM has been shown to be vulnerable to certain Man-In-The-Middle attacks, so it is recommended that you configure it to use Kerberos instead.

In order to do this, some additional configuration of your domain is required. Specifically you need to define a Service Principal Name (SPN) for the server you’ve installed OverLAPS on. You can do this with the setspn.exe command line tool.

Setspn.exe –a HTTP(S)/<servername> <machineaccount>$

Where “<servername>” is the name of the server OverLAPS is installed on how a user would connect to it, and “<machineaccount>$” is the system account name of that device.

So, for example, if our server was called “overlaps” (accessed as “http://overlaps”), and we wanted to configure both HTTP and HTTPS to support Kerberos, we’d use the command lines:

Setspn.exe –a HTTP/OVERLAPS OVERLAPS$

Setspn.exe –a HTTPS/OVERLAPS OVERLAPS$

If, however, the server is accessed as “http://overlaps.contoso.com”, then we’d use:

Setspn.exe –a HTTP/OVERLAPS.CONTOSO.COM OVERLAPS$

For more information on configuring Service Principal Names, please refer to Microsoft’s documentation on the subject.

Encrypted Web Traffic with HTTPS

To further increase security to OverLAPS, we recommend that you install an SSL certificate so that your client <-> server traffic is encrypted.

You’ll need to purchase or generate a certificate for this purpose, which is beyond the scope of this guide (but there are plenty around explaining how). But once you have your certificate file (.pfx or .p12), install it to the Personal folder of the Current Computer certificate store).

Installing your HTTPS Certificate

1. Run mmc.exe

2. Go to File -> Add/Remove Snap-in

3. Select “Certificates” and click Add

Adding the Certificates Snap-in

4. Select “Computer account” when prompted

Select “Computer account”

5. Select “Local computer: (the computer this console is running on)”

6. Click Finish

7. Click OK to close the snap-in dialog

8. Navigate to Certificates -> Personal

9. Right click and select All Tasks -> Import

10. When prompted for a file to import, click Browse

11. Next to filename, where it says “X.509 Certificate (*.cer, *.crt)”, change this to “Personal Information Exchange (*.pfx, *.p12)

Personal Information Exchange

12. Select your certificate’s private key file

13. When prompted, enter the certificate’s password and check the box to “Mark this key as exportable”

14. Follow the rest of the dialog to complete the import.

15. Once imported, right click the certificate and click “Open”

16. Navigate to the Details tab, and scroll down to “Thumbprint”, copy this value for use in the next step.

Link your Certificate to OverLAPS

To link your certificate to OverLAPS you need to use the “netsh” command from the command prompt.

The command to add the certificate is:

Netsh http add sslcert hostnameport=<servername>:443 certhash=<thumbprint of your certificate> appid={7c492133–379e-4918–82c3–1d8d2f9bee3a}

Where “<servername>” is the fully qualified name of your OverLAPS server as a client would access it (e.g. overlaps.contoso.com), and “<thumbprint of your certificate>” is the value you copied at step 16 of the last section.

Be careful to make sure you copy the “appid” exactly as this identifies the OverLAPS executable is what you want to attach the certificate to.

You should receive the message “SSL Certificate successfully added”. If, however, you receive the message “A specified logon session does not exist”, then the certificate is probably not installed in the correct store, check again that it is in the Personal folder of the Current Computer store (I’ve made this mistake more times that I care to count!)

Once that is complete, you can now enable HTTP in the OverLAPS configuration file.

Enable HTTPS in OverLAPS

Remembering to restart the OverLAPS service to register the change.

After testing that this has worked, it is recommended that you then disable unencrypted HTTP traffic, which can also be done through the configuration file.

Adding the First Administrators

Before you can login for the first time, you must first add yourself as an Administrator user. OverLAPS includes a command line tool for adding the initial administrators called “lapsuser.exe”, all subsequent users and groups can be added from within OverLAPS itself.

OverLAPS User Manager Utility

To add yourself, use the command line:

lapsuser.exe /adduser [myusername] /admin

If everything works then you should receive a success message.

User Added Successfully

Users are stored in a configuration file, so adding users from the command line requires the OverLAPS service be restarted for the change to register. Adding or modifying users within OverLAPS does not require this step.

Additional Configuration Options

The Configuration File

As mentioned previously, OverLAPS stored all of its configuration options in an XML file at:

C:\ProgramData\Int64 Software Ltd\OverLAPS\config.xml

You must have Administrator rights on the server to modify this file and any changes require the OverLAPS service to be restarted.

Specific Settings

HTTPEnabled/HTTPSEnabled

If “true”, enables the respective type of traffic (unencrypted HTTP or encrypted HTTPS).

HTTPPort/HTTPSPort

The port that will be opened for HTTP or HTTPS traffic respectively (default 80 and 443).

ThreadLimit

The maximum number of concurrent requests that the web host can handle. If you have a large user base and start noticing the website becoming sluggish, then you may wish to increase this value.

EnforceWIA

If set to “true”, the user login page will be disabled and OverLAPS will only accept Windows Integrated Authentication logins.

HistoryFileMaxAgeDays

The maximum number of days that historical logs are kept.

HistoryPath

The path where historical records are stored. Provided in case the system drive has limited disk space.

PageSubTitle

Allows you to apply simple branding to OverLAPS. For example, if this value was set to “@MyCompany”, the title on the OverLAPS web page would read “OverLAPS@MyCompany”.

UpdateFrequencyInSeconds

Specifies how frequently the Active Directory organizational unit structure cache is refreshed. Defaults to 21600 seconds (6 hours). If your AD structure changes frequently then you may want to reduce this.

Managing Users

User Management within OverLAPS

Users are managed through the “Users” page available to administrators.

Add a New User or Group

To add a user, click the “Add a New User” button on the sidebar to ensure the current user is cleared. Then enter the user or group name and configure the other options before clicking “Save Changes”. If everything worked correctly, then the user will be added.

Note that changes made to existing users will require them to log out and log back in to take effect.

User Options

View History

If checked, the user will be able to view the audit data regarding users viewing the passwords of computers.

Administrator

If checked, the user will be able to add, remove and modify other users. Administrators also have unrestricted access to all Active Directory containers and computers (with regards to view and resetting administrator passwords).

Allowed Organizational Units

Use the tree navigation to select the Organizational Units that the user will be able to view and reset the computer Local Administrator passwords for.

Note that a complete path must be checked, so if a container is not checked, then its child containers will be unavailable to the user regardless of their checked state. Think of it as requiring that the user should be able to navigate through the tree one level at a time until their reach their desired computer.

User Interface

Navigating an Active Directory domain

From the “Home” section, users can navigate the containers available to them and click on computers to show and reset the current LAPS managed Local Administrator password.

Viewing the LAPS Password of a Client

Since releasing the “Professional Edition” of OverLAPS as a free upgrade, computers now also show their LAPS status as one of three states:

  1. Normal
A Normal Client

Computers with no additional decoration have a non-expired, LAPS managed Local Administrator password which can be viewed by clicking it.

2. Un-Set

A Computer Without a LAPS Managed Password

Computers which appear crossed out do not have a Microsoft LAPS managed Local Administrator password set. This usually indicates that they are either new, or are not receiving the LAPS client.

3. Expired

An Expired Client

Red computers have an expired LAPS managed Local Administrator password, which should renew automatically. If this does not happen, the device may have once had its password set by LAPS, but is no longer running it.

History

Navigating to the History section allows users to view historical data from users viewing computer Local Administrator passwords.

History View

Clicking the “Selected Date” button allows you to change to a different date.

Conclusion

Congratulations! You now have an incredible simple yet powerful interface to the wonderful security benefits offered by Microsoft LAPS.

Like the article? Share with your friends: