The "Local Administrator Password Solution" (LAPS) provides a centralized storage of secrets/passwords in Active Directory (AD)... LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. In particular, it mitigates the risk of lateral escalation that results when customers have the same administrative local account and password combination on many computers.
The Microsoft Local Administrator Password Solution (LAPS) is a free tool for securing the Windows computers in your Active Directory environment.
By performing scheduled resets on the Local Administrator accounts on your domain-joined computers, LAPS helps to mitigate the threat of "Pass-the-Hash" type attacks against your network. It generates new passwords completely randomly, bypassing the need for shared or formulaic passwords, and stores them securely in Active Directory for the use of your Service Desk teams.
LAPS is a Client Side Extension (CSE) to Group Policy released for free by Microsoft. It creates two new protected attributes in your Active Directory schema for computer objects which are used to store the computer's Local Admin password and expiry information. Then a small client DLL is deployed to your managed Windows computers and sits unused until a Group Policy refresh operation occurs. At that point it performs its work:
Not really. Think of the term "client" in its loosest sense, it is just a small 146kb file on each computer which does literally nothing until a Group Policy refresh asks it to carry out its work. So most of the time it isn't using any resources at all (apart from a tiny bit of disk space).
Windows accounts are stored hashed (one-way encrypted) and are, in principal, accessible to anyone with access to that computer. A pass-the-hash attack uses this hash in place of the actual password to access resources on other computers on your network with the same account/password.
LAPS mitigates the threat of pass-the-hash attacks by ensuring each computer has a different password (and therefore different hash) for their Local Administrator account.
Microsoft released LAPS completely free. You can download it along with its technical documentation from here: https://www.microsoft.com/en-us/download/details.aspx?id=46899
LAPS is packaged with a PowerShell module and a basic Windows client UI for retrieving and manually expiring passwords.
For more information on Microsoft LAPS, please see the links below.
Why aren't you using Microsoft LAPS yet?
Improve your user experience with LAPS by partnering it with OVERLAPS, which provides an alternative to the basic tools provided by LAPS to make retrieving and expiring passwords much easier and more accessible.
Your Service Desk teams will still need access to the passwords generated by LAPS, and with OVERLAPS they can do that and more from anywhere and from any device with network access.
OVERLAPS works alongside Microsoft LAPS to provide quick, intelligent access to the managed device passwords through a fully responsive browser-based interface.
OVERLAPS is a self-hosted Microsoft LAPS alternative UI (user interface), a way of retrieving and expiring LAPS managed passwords through any modern browser on any network attached device. More than this, it removes the hassle of managing and maintaining Active Directory permissions for LAPS attributes by allowing you to specify which users or groups have access per-OU.
There aren't any. We don't specify a time limit, user limit or device limit. Once you've purchased OVERLAPS once it is yours forever, no matter how your service grows. We'll only ever require payment again if there is a major update version released, in which case we'll make a significantly reduced upgrade price available to existing customers.
OVERLAPS is priced at $173.15 (USD) per licence. Bulk discounts are available for customers who require multiple installs.
Click here to go to the store page and follow the on-screen instructions.
Self-hosted and featuring full SSL/TLS encryption, Kerberos authentication and Multi Factor Authentication capabilities, OVERLAPS has your network security at the forefront of its design.
Easier to manage than Active Directory permissions, OVERLAPS allows you granular control over who can access passwords down to the Organisational Unit.
OVERLAPS leaves the password management to LAPS. It doesn't store, transmit or share any confidential information with third parties. It only allows access to existing data by the users that you authorise.
Whether its a full certificate chain or self-signed certificate for intranet usage, OVERLAPS wants to make sure your communications are secure so supports full SSL/TLS (HTTPS) encryption.
OVERLAPS now makes use of Google Authenticator to provide Multi-Factor Authentication. When this option is enabled on a user's profile, they will now have to provide an additional One-Time Password code from the Authenticator app on their smartphone before they will be able to login to OVERLAPS.
Active Directory permissions are notoriously difficult to interpret and manage, so OVERLAPS simplifies this by implementing a easy-to-manage user/group management system and per-OU permissions to make controlling who has access to the LAPS managed passwords much easier.
OVERLAPS simply acts as the intermediary between your users and the LAPS managed passwords in Active Directory. In order to guarantee your service security, it will never record or store any of the passwords.
It requires absolutely no connection to the internet as it doesn't transmit or receive anything either to/from our servers or to those of third parties. This allows you to setup the OVERLAPS computer/server in any security configuration you want, be that completely locked down behind your firewall, or in a DMZ.
With the new Self Service features, you can now empower your users more than ever before by granting them the ability to retrieve the Local Administrator password for a select device or devices on their own.
Help to reduce the amount of minor jobs your Service Desk need to carry out by appointing local "Power Users" who can take over these SLA impacting tasks.
Users with designated "Self Service" computers are able to access their passwords without needing to be granted access to a whole Organizational Unit. They simply login as normal, but instead of browsing or searching for a computer they get presented with a list of these computers only.
With full support for managing Multiple Active Directory domains within the same forest, OVERLAPS scales from small offices to major international enterprises effortlessly.
If you're an independent IT Support or Service Desk company, we can offer you generous discounts for you to supply OVERLAPS to your clients.
Make it easier to gain access to managed Administrator passwords. Users can navigate your existing domain and simply click computers to view their current L.A.P.S. managed administrator password.
Reduce the overheads of deploying tools or teaching PowerShell to your users by unifying access under one simple web interface.
Control exactly who can view managed Administrator passwords at the Organizational Unit level. Add users or groups and select which Organizational Units in your Active Directory domain that they'll have access to.
OVERLAPS supports full granular access control, and makes sure that your systems are kept secure.
OVERLAPS maintains a record of each user request to view a computer password. This makes auditing the use of LAPS controlled passwords a cinch, and helps to improve the overall security of your network.
Only those users to specifically select can view this audit trail, so that responsibility can easily be delegated to an internal security or monitoring team without compromising log security.
Not monthly, not annually, that's the only price you'll ever pay!
If you would like to be notified about news, have a question, or a suggestion, we'd love to hear from you. Just fill out the form to the right and we'll get back to you as soon as humanly possible.
43 Durham Avenue
|0900 - 1700 GMT, Monday - Friday|