{"id":316,"date":"2018-12-03T13:36:08","date_gmt":"2018-12-03T13:36:08","guid":{"rendered":"https:\/\/int64software.com\/blog\/?p=316"},"modified":"2019-03-08T10:44:03","modified_gmt":"2019-03-08T10:44:03","slug":"why-arent-you-using-microsofts-local-administrator-password-solution-laps-yet","status":"publish","type":"post","link":"https:\/\/int64software.com\/blog\/2018\/12\/03\/why-arent-you-using-microsofts-local-administrator-password-solution-laps-yet\/","title":{"rendered":"Why aren’t you using Microsoft’s Local Administrator Password Solution (LAPS) yet?"},"content":{"rendered":"\n

We sysadmins have many concerns over security. Whether you manage 100 or 10,000 devices, effectively securing your devices will lead you down the same routes of discussion. You\u2019ve deployed a respected antivirus solution, locked down Group Policy, and monitor for the slightest indication that you may be under attack. However, breaches still occur. Today we’re going to look at one of the frequent targets of these attacks: the Windows Local Administrator account. <\/p>\n\n\n\n

Standard Operating Procedure is to disable the account, but they find ways to re-enable it<\/a>, so you need to make sure it has a secure, non-recurring and frequently updated password. So what options do you have?<\/p>\n\n\n\n

Options for Securing the Local Administrator Account
<\/h3>\n\n\n\n

The first option is one you should never adopt: setting the admin password to the same thing on all devices. This turns every device into a possible attack vector, and opens your network up to lateral attacks. The attacker can now gain admin rights to every Windows device.
<\/p>\n\n\n\n

The second option to avoid is one I\u2019ve seen (and been forced to implement) in multiple places: the formulaic approach. By taking some value unique to each device and combining or encoding it with date values and nonce data to produce a different, but predictable password for each device. What\u2019s wrong with this approach? <\/p>\n\n\n\n

  1. Your formula must be simple enough to calculate by hand, because your Service Desk team are going to need to use it in the field.<\/li>
  2. People who know the formula may leave your company, and take the knowledge with them.<\/li>
  3. If just one password on one device is brute-forced, it would an easy process to reverse engineer its formula.<\/li><\/ol>\n\n\n\n

    One way or another someone undesirable could learn the formula, and that\u2019s a bad thing, because now they have Administrator access to all of your devices.<\/p>\n\n\n\n

    The third, and final option provides a solid solution to all of the problems with the previous options: Microsoft LAPS (Local Administrator Password Solution) [download version 6.2 here<\/a>].<\/p>\n\n\n\n

    The Microsoft LAPS Solution
    <\/h3>\n\n\n\n

    Microsoft LAPS deploys a tiny DLL to each device which is launched each time a Group Policy refresh occurs (so not a client as such, and it won\u2019t impact on your device performance). When it detects that a password refresh is due (based on the last time the password was set and how often you specify it should occur in Group Policy), it generates a cryptographically secure random password of a defined length and complexity, applies this to the Local Administrator account and records the password in a secure field in your Active Directory schema.<\/p>\n\n\n\n

    You then control, through AD permissions, who can read this password value for each and every Windows device (hint: it is not recommended to use this on domain controllers of course!). This takes the onus of updating passwords regularly off of you and your Service Desk staff, guarantees a secure and completely unique password for each device.<\/p>\n\n\n\n

    Microsoft LAPS Pros and Cons<\/h2>\n\n\n\n
    \n
    \n

    Pros<\/h3>\n\n\n\n