Installing and Configuring Microsoft LAPS: A Complete Guide – Part 2

Introduction

In our last article we showed how to carry out a fresh install and configuration of Microsoft’s Local Administrator Password Solution (LAPS) in your Active Directory environment. If you haven’t read that already, start by following this link.

LAPS is an incredibly useful free tool provided by Microsoft to automatically manage the Local Administrator account password for your domain joined Windows computers, and is a security tool that any organisation with an Active Directory domain should have.

However, the client user interface it provides leaves a lot to be desired: it only runs on Windows and is very basic in design. So today we’re going to take that one step further by installing and configuring OVERLAPS.

OVERLAPS is a third party add-on for LAPS which provides a web interface, so you can now access LAPS managed passwords from any device, including mobile phones, while on the move.

Browsing for a computer and viewing its password in OVERLAPS for Microsoft LAPS.

This Guide

This guide will take you through the setup and configuration of OVERLAPS. However, we recommend downloading the PDF available here for the very latest information.

System Requirements

We’re going to be installing OVERLAPS on a Windows Server 2016 box with nothing else on it, but it can be installed on any Windows device running Server 2012 R2 or later, or Windows 10 or later.

OVERLAPS is a really light-weight application, so we’ve just set up a single core, 512 MB RAM virtual machine in Hyper-V for this demonstration, and it really doesn’t need more than that.

In the real world, we’d probably recommend installing it on an existing host so you’re not paying for another Windows licence. The only gotcha to watch out for is if another web service is already using ports 80 or 443, but we’ll cover that later. Bear in mind that whichever host you choose will be able to read every LAPS password it is granted access to, so treat it with the same care as a domain controller and keep it off the public internet.

When it comes to actually using OVERLAPS, the web interface requires any modern web browser with JavaScript enabled.

Installation and Initial Configuration

Running the Bundle Installer

The OVERLAPS Pro 1.2 Installation Bundle

Double click the OVERLAPS bundle installer to start the installation process (version may vary).

OVERLAPS Pro 1.2 EULA

The End User Licence Agreement will display, which you should read even though nobody ever does. There aren’t any surprises in there though, so once you’re happy check the “I agree…” button and click Install.

Once the installation process has completed, you’ll be shown a success message.

OVERLAPS Pro 1.2 Installation Completed

If everything went to plan, you should now see the OVERLAPS service installed and running. You can check this by running the Services system tool (Start -> Run -> services.msc).

The OVERLAPS web service running

Configuring the Server Port

If you notice the service isn’t running, check the log file in “C:\ProgramData\Int64 Software Ltd\OVERLAPS” for problems. The most common cause for failure is because another process is already serving HTTP content on port 80.

If this happens, or if you want to change the port for another reason, you can do so by editing the OVERLAPS configuration file at:

C:\ProgramData\Int64 Software Ltd\OVERLAPS\config.xml

Default Configuration File

By default, OVERLAPS is configured to use port 80 for unencrypted (HTTP) traffic and port 443 for encrypted (HTTPS) traffic. Note that HTTPS is not enabled by default as you first need to install a certificate, which is covered below.

The ports can be changed to any valid port number (1–65535), but remember to check a list of known ports (such as this handy one on Wikipedia, or this list of default ports used by Windows) to make sure you don’t conflict with anything.

Any changes to the configuration file require the OVERLAPS service to be restarted. You can do this by right clicking the service and selecting Restart (or just Start if the service is already stopped).

Configuring Kerberos for Added Login Security

By default, the OVERLAPS web server will use NT LAN Manager (NTLM) to handle Integrated Authentication requests (as opposed to the form login method). While this works in most cases, NTLM is vulnerable to relay (man-in-the-middle) attacks and never proves the server’s identity to the client, so it is recommended that you configure it to use Kerberos instead.

In order to do this, some additional configuration of your domain is required. Specifically you need to define a Service Principal Name (SPN) for the server you’ve installed OVERLAPS on. You can do this with the setspn.exe command line tool.

setspn.exe -a HTTP(S)/<servername> <machineaccount>$

Where “<servername>” is the name of the server OVERLAPS is installed on, written as a user would type it to connect, and “<machineaccount>$” is the computer account of that device (OVERLAPS runs as Local System, so the computer account is the identity that needs the SPN).

So, for example, if our server was called “overlaps” (accessed as “http://overlaps”), and we wanted to configure both HTTP and HTTPS to support Kerberos, we’d use the command lines:

setspn.exe -a HTTP/OVERLAPS OVERLAPS$

setspn.exe -a HTTPS/OVERLAPS OVERLAPS$

Note that browsers request a Kerberos ticket for the HTTP/ service class whether the URL is http:// or https://, so the HTTP/ SPN is the one that matters; the HTTPS/ entry is harmless but not required.

If, however, the server is accessed as “http://overlaps.contoso.com”, then we’d use:

setspn.exe -a HTTP/OVERLAPS.CONTOSO.COM OVERLAPS$

In practice, register both the short name and the fully qualified name so that Kerberos works however users type the address. Use -s instead of -a if you want setspn to refuse to create a duplicate: an SPN registered on two accounts breaks Kerberos for that name, and clients silently fall back to NTLM.

For more information on configuring Service Principal Names, please refer to Microsoft’s documentation on the subject.
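The same registration done from PowerShell, as an added example that is not part of the OVERLAPS documentation. It registers the HTTP/ SPN for both the short name and the FQDN, checks for a duplicate anywhere in the domain before adding (the failure mode described above), and returns the final SPN list so you can verify it. It assumes the RSAT ActiveDirectory module is installed and that the OVERLAPS service runs as Local System, so the computer account owns the SPNs; the computer name "OVERLAPS" is the example from the text.

```powershell
# Added example, not from the OVERLAPS or Microsoft documentation.
# Assumes: RSAT ActiveDirectory module; OVERLAPS runs as Local System.
Import-Module ActiveDirectory

function Register-OverlapsSpn {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # e.g. 'OVERLAPS'
        # Default: short name plus FQDN of the domain the server is joined to
        [string[]] $HostNames = @($ComputerName, "$ComputerName.$((Get-ADDomain).DNSRoot)")
    )
    $computer = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName

    foreach ($name in $HostNames) {
        $spn = "HTTP/$name"

        # A duplicate SPN on any other account breaks Kerberos for this name
        # (clients fall back to NTLM), so look for one before adding.
        $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
        $others = @($owners | Where-Object { $_.DistinguishedName -ne $computer.DistinguishedName })
        if ($others.Count -gt 0) {
            throw "SPN $spn is already registered on: $($others.DistinguishedName -join ', ')"
        }

        if (@($computer.servicePrincipalName) -contains $spn) {
            Write-Host "SPN $spn already present on $($computer.SamAccountName)"
            continue
        }

        Set-ADComputer -Identity $computer -ServicePrincipalNames @{ Add = $spn }
        Write-Host "Added $spn to $($computer.SamAccountName)"
    }

    # Return the resulting SPN list so the caller can eyeball it.
    (Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName).servicePrincipalName
}

# Usage: register HTTP/OVERLAPS and HTTP/overlaps.<domain> on the OVERLAPS$ account.
Register-OverlapsSpn -ComputerName 'OVERLAPS'
```

After running it, sign out and back in on a client (so a fresh TGT is issued), browse to the site, and confirm with `klist` that a ticket for HTTP/overlaps… was obtained; if you only see NTLM in the OVERLAPS log, the browser is not treating the site as an intranet zone or the SPN name does not match the URL exactly.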

Encrypted Web Traffic with HTTPS

To further increase the security of OVERLAPS, we recommend that you install a TLS certificate so that your client <-> server traffic is encrypted. Remember that every password displayed by OVERLAPS is a local administrator credential, so plain HTTP should only ever be used during initial setup on a trusted network.

You’ll need to purchase or generate a certificate for this purpose, which is beyond the scope of this guide (but there are plenty of guides around explaining how). Once you have your certificate file with its private key (.pfx or .p12), install it to the Personal folder of the Local Computer certificate store.

Installing your HTTPS Certificate

1. Run mmc.exe

2. Go to File -> Add/Remove Snap-in

3. Select “Certificates” and click Add

Adding the Certificates Snap-in

4. Select “Computer account” when prompted

Select “Computer account”

5. Select “Local computer: (the computer this console is running on)”

6. Click Finish

7. Click OK to close the snap-in dialog

8. Navigate to Certificates -> Personal

9. Right click and select All Tasks -> Import

10. When prompted for a file to import, click Browse

11. Next to filename, where it says “X.509 Certificate (*.cer, *.crt)”, change this to “Personal Information Exchange (*.pfx, *.p12)

Personal Information Exchange

12. Select your certificate’s private key file

13. When prompted, enter the certificate’s password. Only check “Mark this key as exportable” if you will need to move the certificate later; OVERLAPS does not require it, and a non-exportable key is much harder for an attacker who compromises the server to steal.

14. Follow the rest of the dialog to complete the import.

15. Once imported, right click the certificate and click “Open”

16. Navigate to the Details tab, and scroll down to “Thumbprint”, copy this value for use in the next step.

Link your Certificate to OVERLAPS

To link your certificate to OVERLAPS you need to use the “netsh” command from the command prompt.

The command to add the certificate is:

netsh http add sslcert hostnameport=<servername>:443 certhash=<thumbprint of your certificate> appid={7c492133-379e-4918-82c3-1d8d2f9bee3a}

Where “<servername>” is the fully qualified name of your OVERLAPS server as a client would access it (e.g. overlaps.contoso.com), and “<thumbprint of your certificate>” is the value you copied at step 16 of the last section.

Be careful to copy the “appid” exactly, as this identifies OVERLAPS as the application the certificate is attached to.

You should receive the message “SSL Certificate successfully added”. If, however, you receive the message “A specified logon session does not exist”, then the certificate is probably not installed in the correct store, or was imported without its private key: check again that it is in the Personal folder of the Local Computer store and shows the key icon (I’ve made this mistake more times than I care to count!). Host name (SNI) bindings like the one above also need certstorename=MY on the command line; if netsh reports “The parameter is incorrect”, add it.

Once that is complete, you can now enable HTTPS in the OVERLAPS configuration file.

Enable HTTPS in OVERLAPS

Remember to restart the OVERLAPS service to register the change.

After testing that this has worked, it is recommended that you then disable unencrypted HTTP traffic, which can also be done through the configuration file.
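The certificate binding and configuration change from the last two sections, scripted end to end as an added example (not code from the OVERLAPS distribution). It finds a usable certificate in the Local Computer Personal store by host name, binds it with netsh using the appid from the guide, enables HTTPS, restarts the service, checks that port 443 answers, and only then turns plain HTTP off, following the same order the text recommends. Assumptions: the service display name starts with "OVERLAPS", and config.xml contains the HTTPEnabled and HTTPSEnabled elements listed under "Specific Settings" later in this guide (the surrounding XML layout is not shown here, so the script locates them by name rather than by path).

```powershell
# Added example, not part of OVERLAPS. Run in an elevated PowerShell on the OVERLAPS host.
$HostName   = 'overlaps.contoso.com'                    # FQDN users browse to (also on the certificate)
$AppId      = '{7c492133-379e-4918-82c3-1d8d2f9bee3a}'   # OVERLAPS appid from the guide
$ConfigPath = 'C:\ProgramData\Int64 Software Ltd\OVERLAPS\config.xml'

# 1. Pick the newest non-expired certificate for the host name that actually has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "*CN=$HostName*" -or (@($_.DnsNameList.Unicode) -contains $HostName))
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $HostName in Cert:\LocalMachine\My" }

# 2. Bind it to <host>:443. Replace any stale binding first. certstorename=MY is
#    required for hostnameport (SNI) bindings; a cert in the wrong store or without
#    its private key is what produces "A specified logon session does not exist".
$binding = "${HostName}:443"
if ((netsh http show sslcert hostnameport=$binding) -match 'Certificate Hash') {
    netsh http delete sslcert hostnameport=$binding | Out-Null
}
$out = netsh http add sslcert hostnameport=$binding certhash=$($cert.Thumbprint) appid=$AppId certstorename=MY
if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed: $out" }

# Helper: set one named setting in config.xml (assumed element names from the guide).
function Set-OverlapsSetting([string] $Name, [string] $Value) {
    $xml  = [xml](Get-Content -LiteralPath $ConfigPath -Raw)
    $node = $xml.SelectSingleNode("//$Name")
    if (-not $node) { throw "Setting <$Name> not found in $ConfigPath" }
    $node.InnerText = $Value
    $xml.Save($ConfigPath)
}

$svc = Get-Service -DisplayName 'OVERLAPS*' | Select-Object -First 1
if (-not $svc) { throw 'OVERLAPS service not found' }

# 3. Turn HTTPS on and restart so the service re-reads config.xml.
Set-OverlapsSetting -Name 'HTTPSEnabled' -Value 'true'
Restart-Service -Name $svc.Name
Start-Sleep -Seconds 5

# 4. Prove 443 is listening before removing the plain-HTTP fallback.
$probe = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    Set-OverlapsSetting -Name 'HTTPEnabled' -Value 'false'
    Restart-Service -Name $svc.Name
    Write-Host "HTTPS enabled on $binding with $($cert.Thumbprint); HTTP disabled."
} else {
    Write-Warning "HTTPS did not come up on $binding; HTTP left enabled. Check the OVERLAPS log."
}
```

If you later renew the certificate, only step 2 needs repeating with the new thumbprint; the configuration does not reference the certificate at all, only the port.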

Adding the First Administrators

Before you can login for the first time, you must first add yourself as an Administrator user. OVERLAPS includes a command line tool for adding the initial administrators called “lapsuser.exe”, all subsequent users and groups can be added from within OVERLAPS itself.

OVERLAPS User Manager Utility

To add yourself, use the command line:

lapsuser.exe /adduser [myusername] /admin

If everything works then you should receive a success message.

User Added Successfully

Users are stored in a configuration file, so adding users from the command line requires the OVERLAPS service be restarted for the change to register. Adding or modifying users within OVERLAPS does not require this step.

Active Directory

Multiple Domain Forest Support

From version 1.3.4 OVERLAPS now supports multiple domain environments with a properly configured trust relationship.

Navigation
By default, when populating Organizational Units, OVERLAPS will look to the root domain of the forest and from there discover any accessible child domains. However this can be modified from the configuration file by changing the “MultipleDomainPreference” value to the following:

“RootFirst” (Default)
Seeks the root domain in the current Forest and then attempts to include child domains.

“MemberFirst”
Selects the domain that the OVERLAPS server is a member of first, and then attempts to include any other domains in the current Forest (including the root if it is not the same).

“SingleDomainOnly”
Limits OVERLAPS to the domain that its server is in. No attempt will be made to read any other domains in the Forest.

Authentication
In this latter mode, user authentication is also limited to the current domain. Otherwise in a multi-domain environment, users will be prompted for their domain prior to logging in (or have to supply it in the form “domain\username” in the case of Windows Integrated Authentication).

Universal Groups are supported for user login, as are per-domain groups. When adding a user or group in a multi-domain environment, you will be prompted for the domain that the user belongs to.

Note that currently, the “lapsuser.exe” program only supports local domain users.

Permissions

In order to view and (in the case of OVERLAPS Pro) modify the Microsoft LAPS managed Local Administrator passwords, OVERLAPS requires the following Active Directory permissions on the Organizational Units in which the managed computers reside:

  • Read ms-Mcs-AdmPwd
  • Read ms-Mcs-AdmPwdExpirationTime
  • Write ms-Mcs-AdmPwdExpirationTime

Setting just these attribute permissions by hand is error-prone (ms-Mcs-AdmPwd is a confidential attribute and needs the Control Access right as well as Read), so it is recommended to use the PowerShell cmdlets that come with Microsoft LAPS to set them.

As OVERLAPS runs as Local System on the host server, you will need the server’s computer account name to proceed. This is the name of the server followed by a dollar sign ($), so if the server is called “myoverlaps” for example, the computer account name would be “myoverlaps$”. Note that this grants the whole server, not just OVERLAPS, the right to read every password in the OUs you choose, so grant it only on the OUs you actually need.

  1. Launch PowerShell using an account which has the necessary Active Directory modification permissions.
  2. Load the LAPS module by typing:
    Import-Module AdmPwd.PS
  3. Grant read permission to the Local Administrator password property with the command:
    Set-AdmPwdReadPasswordPermission -OrgUnit <OU distinguished name> -AllowedPrincipals <computeraccount>$
  4. If using OVERLAPS Pro, also grant write permission so that you can reset the password expiry time, forcing a reset when LAPS next runs on the client:
    Set-AdmPwdResetPasswordPermission -OrgUnit <OU distinguished name> -AllowedPrincipals <computeraccount>$
  5. Restart the OVERLAPS service to make sure it picks up the new permissions.

If everything went to plan, OVERLAPS will now be able to view and, in Professional, trigger a reset of the Local Administrator passwords.
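The permission steps above as one script, added here as an example (not from the OVERLAPS or Microsoft LAPS documentation). It grants the read right, and optionally the reset right, to the OVERLAPS computer account on each OU holding managed computers, then uses Find-AdmPwdExtendedRights from the LAPS module to list every principal that can now read passwords under those OUs, which is the check worth running whether or not you use OVERLAPS. It assumes the AdmPwd.PS module from the LAPS installer and the RSAT ActiveDirectory module are installed; the OU distinguished names are placeholders to replace with your own, and "myoverlaps$" is the example account from the text.

```powershell
# Added example, not part of OVERLAPS or Microsoft LAPS.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ServerAccount = 'myoverlaps$'                      # computer account of the OVERLAPS host (runs as Local System)
$ManagedOUs    = @(                                 # placeholder OUs; replace with your own
    'OU=Workstations,DC=contoso,DC=com',
    'OU=Servers,DC=contoso,DC=com'
)
$GrantReset = $true                                 # OVERLAPS Pro only: needed for "Expire Password"

foreach ($ou in $ManagedOUs) {
    if (-not (Get-ADOrganizationalUnit -Identity $ou -ErrorAction SilentlyContinue)) {
        Write-Warning "OU not found, skipping: $ou"
        continue
    }
    # Read ms-Mcs-AdmPwd (+ the Control Access right the confidential attribute needs)
    Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $ServerAccount | Out-Null
    if ($GrantReset) {
        # Write ms-Mcs-AdmPwdExpirationTime so OVERLAPS Pro can force a rotation
        Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $ServerAccount | Out-Null
    }
    Write-Host "Granted LAPS rights on $ou to $ServerAccount"
}

# Verification: who can read plaintext local admin passwords under each OU?
# Anything unexpected here (a broad helpdesk group, Authenticated Users) is a finding.
$report = foreach ($ou in $ManagedOUs) {
    Find-AdmPwdExtendedRights -Identity $ou |
        Select-Object ObjectDN,
                      @{ n = 'ReadPasswordHolders'; e = { $_.ExtendedRightHolders -join '; ' } }
}
$report | Format-Table -AutoSize

# OVERLAPS caches its view of AD, so restart it to pick up the new ACLs.
Get-Service -DisplayName 'OVERLAPS*' | Restart-Service
```

In a multi-domain forest the AdmPwd cmdlets act on the domain the OU belongs to, so run the script once per domain with an account that is privileged there; that is the "manually applied to each domain" step mentioned below.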

Multi-Domain Permissions
In multi-domain environments, these permissions may need to be manually applied to each domain.

Additional Configuration Options

The Configuration File

As mentioned previously, OVERLAPS stores all of its configuration options in an XML file at:

C:\ProgramData\Int64 Software Ltd\OVERLAPS\config.xml

You must have Administrator rights on the server to modify this file and any changes require the OVERLAPS service to be restarted.

Specific Settings

HTTPEnabled/HTTPSEnabled

If “true”, enables the respective type of traffic (unencrypted HTTP or encrypted HTTPS).

HTTPPort/HTTPSPort

The port that will be opened for HTTP or HTTPS traffic respectively (default 80 and 443).

ThreadLimit

The maximum number of concurrent requests that the web host can handle. If you have a large user base and start noticing the website becoming sluggish, then you may wish to increase this value.

MaxInputStreamSizeBytes and MaxInputVarsPerRequest

These values control the limits on data posted to the server during a web request. They are designed to limit the threat of a denial of service attack or flooding the server. The only time these values may need to be modified is if you operate a particularly large number of Organizational Units in your domain.

EnforceWIA

If set to “true”, the user login page will be disabled and OVERLAPS will only accept Windows Integrated Authentication logins.

HistoryFileMaxAgeDays

The maximum number of days that historical logs are kept.

HistoryPath

The path where historical records are stored. Provided in case the system drive has limited disk space.

PageSubTitle

Allows you to apply simple branding to OVERLAPS. For example, if this value was set to “@MyCompany”, the title on the OVERLAPS web page would read “OVERLAPS@MyCompany”.

UpdateFrequencyInSeconds

Specifies how frequently the Active Directory organizational unit structure cache is refreshed. Defaults to 21600 seconds (6 hours). If your AD structure changes frequently then you may want to reduce this.

User Interface

The OVERLAPS Main Menu

The main menu provides access to all of the main areas of OVERLAPS.

Browser

Browsing Active Directory in OVERLAPS 1.2

The Active Directory Browser window allows you to quickly navigate your Active Directory structure to a particular Organizational Unit. Click a container to select it, then click again to open its page.

Computer List

An Active Directory container with Computers

When a valid container with computers is selected, you will see the computers in a list. From here you can click on a computer to display its LAPS managed Local Administrator password.

Viewing a single computer's password in OVERLAPS.

From this window you can click the “Copy to Clipboard” button to have the password copied to your system clipboard.

You can also click “Expire Password” to trigger a password reset on the computer. Note that this will happen when the computer next performs a Group Policy update.

Batch Password Retrieval

Clicking the “Display Passwords for Selected Computers” button will retrieve the current password information for all of the selected computers. When retrieved, passwords are blurred for security reasons and can be displayed by hovering over the password or toggled between blurred and displayed by clicking.

Batch Password Retrieval in OVERLAPS

Computer Status Alerts

Each computer may show an alert icon on the right side of its entry. This indicates the state of that computer’s LAPS managed password:

The “expired” symbol indicates that the LAPS password has expired and is due to be refreshed by the system. If a computer remains in this state for a long time, it may indicate that the computer is not processing its LAPS policy correctly (for example, the client-side extension is not installed or Group Policy is not applying).

The “no data” alert indicates that the computer does not have any LAPS password data in Active Directory. If your LAPS installation is new, or the computer has only recently been added, then this may be normal.

History

Navigating to the History section allows you to view historical data from users viewing computer local administrator passwords.

Viewing Event History in OVERLAPS

Entries will either be listed as “READ” (a computer’s password has been viewed), or “RESET” (a computer’s password has been expired).

Clicking the “History for yy-mm-dd” button allows you to change to an alternate day.

Search

Initiating a Computer Search

Clicking the Search menu item will present you with a dialog to find computers by their hostname. Search results are grouped by Active Directory container, and function just like a normal computer list.

Clicking your search term at the top of the results allows you to refine your search or to include the computer’s description in the search.

Refining a Computer Search

Configuration

Users and Groups

Managing Users and Groups in OVERLAPS

Users are managed through the Config section’s Users and Groups page available to administrators.

Add a New User or Group

To add a user, click the “New User/Group” button; a window will appear allowing you to enter the user or group’s account name.

Add a New User or Group to OVERLAPS

Here you may also select whether the user should be granted Administrator privileges and whether they should be able to view the event history or not.

Edit a User

Select one or more users or groups by checking their entry in the user list, then click the Edit User button to see the options available.

Active Directory Permissions

Managing user Active Directory permissions

Use this window to select which Active Directory containers the users will have access to browse, search, and view and reset Local Administrator passwords in.

To allow access to a container, simply expand the tree to that container and check its box. Checking a sub-container will automatically check all of its parent containers and all of its child containers.

To check the list of users you are currently editing, expand the “Selected Users” box by clicking on it.

List of Users/Groups currently selected for edit

Clicking a user will deselect them, and any changes made when clicking “Save Changes” will not apply to them. Clicking the user again will re-select them.

Rate Limits

OVERLAPS User Rate Limits

You can set a configurable limit on users and groups which controls how many: a) Password Requests, and b) Password Resets, those users can perform in a given time period.

This can be useful to prevent over-exposure of your Local Administrator passwords, and to prevent a user from mass-exporting them.

Password Request limits and Password Reset limits can be controlled independently. To set a limit:

  1. Click the checkbox to Enable the limit you want to impose,
  2. Specify a maximum number of requests (Maximum Requests/Resets) that can be performed in a specific time frame,
  3. Specify the time span and period that this will be monitored over,
  4. If the user(s) attempt more than the maximum requests in the given time period, they will be blocked.

For example, for a normal user you may want them to stay under 25 requests per day, so you would set it to – Maximum: 25, Every: 1, Period: Day.

A warning note on group memberships
In order to handle multi-group membership in an efficient and minimally complex way, there is an important point to remember. Where a user is a member of multiple groups, each with its own rate limit, OVERLAPS takes the shortest time period from all of the applicable limits AND the smallest number of requests, and combines the two.

This means if you have a group with a limit of 5 requests every day, and another with a limit of 25 requests every 10 minutes, a member of both groups will end up with the limit of 5 requests every 10 minutes.

This is done to be in line with least privilege best practices. Be aware, though, that the combined limit is not always the strictest of the originals: 5 requests every 10 minutes allows up to 720 requests a day, far more than the 5-per-day group permitted, so check the effective limit a user ends up with rather than assuming it. If the need arises to override the rate limit a user is experiencing because of their group memberships, the correct way is to add the user explicitly to OVERLAPS, as explicit users always take priority over group memberships.

User Access Level

Editing a User's Access Level

This window allows you to change the overall access that the user(s) have to the OVERLAPS website.

Administrators have full access to every Active Directory container, and the ability to modify users and site settings. This should be limited to only a few trusted users.

People with “View Historical Password Access” permission have the ability to view a history of when Local Administrator passwords were read and reset.

Setting an option to “No Change” means that no changes to each users’ current access will be made. Setting it to “Remove” disables the selected access for all selected users, and “Enable” will grant the selected access.

Remove a User

Removing a User/Group from OVERLAPS

Selecting one or more users and clicking the “Remove” button will prompt you to confirm that you want to remove the user completely from OVERLAPS.

Settings

The settings section provide access to basic OVERLAPS configuration options.

Security

Checking the “Enforce Windows Integrated Authentication” box removes the option for logging in via the form. Instead, users are logged in using NTLM or Kerberos, meaning that user passwords are never transmitted to the website and cannot be captured from it.

Logging and History allow you to specify what level of information is saved to the log file, and how long history (computer password read/reset events) is kept for before being purged.

The Active Directory option allows you to specify how frequently Active Directory is scanned for structural (OU, not computer object) changes.

Host

The Host options are more core to OVERLAPS function and require a service restart to take effect.

You can use these settings to configure web access to OVERLAPS (HTTP/HTTPS), and to tweak its performance.

Conclusion

Congratulations! You now have an incredibly simple yet powerful interface to the security benefits offered by Microsoft LAPS.
