“Systems that are not on the domain miss scheduled password changes”<\/em><\/p><\/blockquote>\n\n\n\n
If a system isn’t “on the domain” (which I take to meaning devices off-network, in the field, or taken travelling) then it won’t be updated by LAPS, this is true. But it also won’t be contactable by Group Policy, SCCM, WSUS, Remote Desktop, PowerShell, Overcee<\/a>, or any other management tools. Devices used off-site are a long discussed problem for sysadmins, and subject to a more in-depth discussion that can be had here. <\/p>\n\n\n\n
However, at least if you use LAPS you know that the device’s password was securely randomised before going off-site, and it will catch up with a fresh password at the earliest opportunity when reconnected.<\/p>\n\n\n\n
2. Cyber-Attack Vulnerability<\/h3>\n\n\n\n
“Systems that don’t receive regular Administrator password changes are at risk from pass-the-hash attacks.”<\/em><\/p><\/blockquote>\n\n\n\n
This is just plain wrong. <\/p>\n\n\n\n
If someone has physical access to a computer then they can, in principal, access the password hashes stored in the SAM database, this is nothing new. While it isn’t possible to fully prevent this from happening, it can be mitigated with a good security policy (full disk encryption, etc.). <\/p>\n\n\n\n
However, the hash of the Local Administrator account on a Microsoft LAPS managed device is not going to help anyone in performing a pass-the-hash attack<\/strong> because this is one of the vulnerabilities LAPS is designed to mitigate<\/a>.<\/p>\n\n\n\n
A pass-the-hash attack is when someone uses a user account and its hashed password to move laterally through a network by passing this hash as proof of authentication instead of a password. As each device has its own unique Local Administrator password, this is not possible in a LAPS managed environment<\/strong>.<\/p>\n\n\n\n
3. A Target for Hackers<\/h3>\n\n\n\n
“LAPS stores passwords in clear text, making it an easy target for hackers.”<\/em><\/p><\/blockquote>\n\n\n\n
Does LAPS store passwords in clear text? Yes. Is this a target for hackers? Almost certainly. Does it mean it’s vulnerable? Not so much. An important step of the proper deployment of Microsoft LAPS<\/a> includes locking down the permissions on the LAPS attributes in Active Directory so that only those users deemed trustworthy can view it.<\/p>\n\n\n\n
Claiming this is a target for attackers is like saying that your Domain Administrator accounts are a target for hackers: of course they are! But does that fact make them more vulnerable? No.<\/p>\n\n\n\n
4. Risk to Active Directory<\/h3>\n\n\n\n
“Updating the AD Schema when installing LAPS could crash Active Directory.”<\/em><\/p><\/blockquote>\n\n\n\n
If this happens then you have bigger problems with your Active Directory infrastructure! To quote a slightly dated, but still relevant article:<\/p>\n\n\n\n
When needed to meet your needs, extending the \u2026 Active Directory Schema is encouraged as long as you follow normal planning and test criteria.<\/p> Extending the Active Directory Schema – Microsoft Docs<\/a> <\/cite><\/blockquote>\n\n\n\n
5. Time Requirements and Complexity<\/h3>\n\n\n\n
“It’s really hard to install LAPS and it takes a lot of time.”<\/em> <\/p><\/blockquote>\n\n\n\n
While developing OverLAPS<\/a>, our web front-end for retrieving LAPS managed passwords, we had cause to install LAPS over 50 times on different domain configurations for testing purposes. By the end we had this process down to just a few minutes from starting the install to finishing deploying the group policy changes.<\/p>\n\n\n\n
Microsoft kindly provide a collection of very simple to use LAPS PowerShell commands and Group Policy ADMX templates. These make its installation and configuration quick and painless.<\/p>\n\n\n\n
If you’d like to know more about the process, check out my article “Installing and Configuring Microsoft LAPS – A Complete Guide<\/a>“.<\/p>\n\n\n\n
6. LAPS Management<\/h2>\n\n\n\n
“The LAPS Management Tools are too simple\/hard to use”<\/em><\/p><\/blockquote>\n\n\n\n
Microsoft released LAPS with a PowerShell module for managing it through scripts, and a basic Windows GUI for retrieving and expiring passwords.<\/p>\n\n\n\n
If you don’t have much experience with PowerShell, then the scripts may be confusing at first. On the other hand, the GUI is fairly limited in its functionality.<\/p>\n\n\n\n
Fortunately, you don’t need to stick with just those tools though. Consider a third party UI such as my own OVERLAPS<\/a>. This provides a web-based user interface with all the power of the default tools, but the added advantages that it is: easy and quick to use, and can be accessed from any device capable of browsing a website.<\/p>\n\n\n\n
![\"Browsing](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2019\/02\/anim-browse-and-view-pwd.gif\")
<\/a>