OVERLAPS for Microsoft LAPS

OVERLAPS is an inexpensive, self-hosted, and easy-to-set-up web-based user interface for Microsoft's Local Administrator Password Solution (LAPS).


The "Local Administrator Password Solution" (LAPS) provides a centralized storage of secrets/passwords in Active Directory (AD)... LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. In particular, it mitigates the risk of lateral escalation that results when customers have the same administrative local account and password combination on many computers.

What is Microsoft® LAPS?

The Microsoft Local Administrator Password Solution (LAPS) is a free tool for securing the Windows computers in your Active Directory environment.

By performing scheduled resets on the Local Administrator accounts on your domain-joined computers, LAPS helps to mitigate the threat of "Pass-the-Hash" type attacks against your network. It generates new passwords completely randomly, bypassing the need for shared or formulaic passwords, and stores them securely in Active Directory for the use of your Service Desk teams.

How does LAPS work?

LAPS is a Client Side Extension (CSE) to Group Policy released for free by Microsoft. It creates two new protected attributes in your Active Directory schema for computer objects which are used to store the computer's Local Admin password and expiry information. Then a small client DLL is deployed to your managed Windows computers and sits unused until a Group Policy refresh operation occurs. At that point it performs its work:

  1. LAPS retrieves the current expiry date and time for the Local Administrator password on the current computer from Active Directory.
  2. If the expiry is not blank and is still in the future, nothing happens.
  3. Otherwise a new password is required, so LAPS generates one completely randomly according to your specifications (set in Group Policy).
  4. LAPS now attempts to record the new password in Active Directory, along with when the password will next expire.
  5. If that was successful, it will only then actually change the password of the Local Administrator account.
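
The five-step refresh cycle above, modelled as an added example (not Microsoft's code and not part of the original page). `FakeDirectory`, `laps_cycle`, the 14-character length and the 30-day maximum age are assumptions standing in for Active Directory and your Group Policy settings. It shows why step 4 comes before step 5: if the directory write fails, the local password is left alone and still matches the stored one.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone


class DirectoryUnavailable(Exception):
    """Raised by the stand-in directory when the write in step 4 fails."""


class FakeDirectory:
    """Constructed stand-in for the two protected attributes on one computer object."""

    def __init__(self, writable=True):
        self.password = None
        self.expiry = None
        self.writable = writable

    def write(self, password, expiry):
        if not self.writable:
            raise DirectoryUnavailable("could not update computer object")
        self.password, self.expiry = password, expiry


def generate_password(length=14):
    # Length and character set are assumed policy values, not LAPS defaults.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def laps_cycle(directory, local_account, now, max_age_days=30):
    """Run one policy-refresh cycle; returns 'unchanged', 'rotated' or 'deferred'."""
    expiry = directory.expiry                          # step 1: read stored expiry
    if expiry is not None and expiry > now:            # step 2: still valid, do nothing
        return "unchanged"
    new_password = generate_password()                 # step 3: random password
    try:
        # step 4: record password and next expiry in the directory first
        directory.write(new_password, now + timedelta(days=max_age_days))
    except DirectoryUnavailable:
        return "deferred"  # local password untouched, so it still matches the directory
    local_account["password"] = new_password           # step 5: only now change it locally
    return "rotated"
```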

Another client service on my devices?

Not really. Think of the term "client" in its loosest sense: it is just a small 146 KB file on each computer which does literally nothing until a Group Policy refresh asks it to carry out its work. So most of the time it isn't using any resources at all (apart from a tiny bit of disk space).

What is a Pass-the-Hash attack?

Windows account passwords are stored as hashes (the output of a one-way function) and are, in principle, accessible to anyone with access to that computer. A pass-the-hash attack uses this hash in place of the actual password to access resources on other computers on your network with the same account/password.

LAPS mitigates the threat of pass-the-hash attacks by ensuring each computer has a different password (and therefore a different hash) for its Local Administrator account.

What does LAPS cost?

Microsoft released LAPS completely free. You can download it along with its technical documentation from here: https://www.microsoft.com/en-us/download/details.aspx?id=46899

What management tools come with LAPS?

LAPS is packaged with a PowerShell module and a basic Windows client UI for retrieving and manually expiring passwords.

Further Reading

For more information on Microsoft LAPS, please see the links below.

Why aren't you using Microsoft LAPS yet?

Dispelling Common Myths about Microsoft LAPS

LAPS Alternative User Interface

Improve your user experience with LAPS by partnering it with OVERLAPS, which provides an alternative to the basic tools provided by LAPS to make retrieving and expiring passwords much easier and more accessible.

Your Service Desk teams will still need access to the passwords generated by LAPS, and with OVERLAPS they can do that and more from anywhere and from any device that they have network access from.

OVERLAPS works alongside Microsoft LAPS to provide quick, intelligent access to the managed device passwords through a fully responsive browser-based interface.

What is OVERLAPS?

OVERLAPS is a self-hosted Microsoft LAPS alternative UI (user interface), a way of retrieving and expiring LAPS managed passwords through any modern browser on any network-attached device. More than this, it removes the hassle of managing and maintaining Active Directory permissions for LAPS attributes by allowing you to specify which users or groups have access per-OU.

How does OVERLAPS work?

  1. You install it on a computer or server which will act as the web server for OVERLAPS.
  2. Configure your Active Directory permissions to allow that computer the appropriate access to the LAPS password and expiry attributes.
  3. Set up SSL/TLS encryption to make sure everything is secure.
  4. Add users and/or groups, and specify which Organizational Units or containers they are allowed to access.
  5. Users can now log in to OVERLAPS and access the LAPS managed passwords as needed.

What are the limits/restrictions on OVERLAPS?

There aren't any. We don't specify a time limit, user limit or device limit. Once you've purchased OVERLAPS it is yours forever, no matter how your service grows. We'll only ever require payment again if there is a major update version released, in which case we'll make a significantly reduced upgrade price available to existing customers.

What are the differences between OVERLAPS and OVERLAPS Pro?

When we introduced some additional powerful functionality to OVERLAPS we released it as a "pro" version simply to distinguish it from the "classic" version. The update was released free for all existing customers, and the "classic" version is no longer available for purchase or download.

How much does OVERLAPS cost?

OVERLAPS is currently on sale for the reduced price of £49.99. This is sort of an introductory price, and may increase to a more permanent price without warning.

Where can I purchase OVERLAPS?

Click here to go to the store page and follow the on-screen instructions.

Security First Approach

Self-hosted and featuring full SSL/TLS encryption and Kerberos authentication capabilities, OVERLAPS has your network security at the forefront of its design.

Easier to manage than Active Directory permissions, OVERLAPS allows you granular control over who can access passwords down to the Organisational Unit.

OVERLAPS leaves the password management to LAPS. It doesn't store, transmit or share any confidential information with third parties. It only allows access to existing data by the users that you authorise.

End-to-end Encryption over SSL/TLS

Whether it's a full certificate chain or a self-signed certificate for intranet usage, OVERLAPS wants to make sure your communications are secure, so it supports full SSL/TLS (HTTPS) encryption.

Simpler Permissions

Active Directory permissions are notoriously difficult to interpret and manage, so OVERLAPS simplifies this by implementing an easy-to-manage user/group management system and per-OU permissions to make controlling who has access to the LAPS managed passwords much easier.

Internal Security

OVERLAPS simply acts as the intermediary between your users and the LAPS managed passwords in Active Directory. In order to guarantee your service security, it will never record or store any of the passwords.

It requires absolutely no connection to the internet as it doesn't transmit or receive anything either to/from our servers or to those of third parties. This allows you to set up the OVERLAPS computer/server in any security configuration you want, be that completely locked down behind your firewall, or in a DMZ.

Easier to Use

Make it easier to gain access to managed Administrator passwords. Users can navigate your existing domain and simply click computers to view their current LAPS managed administrator password.

Reduce the overheads of deploying tools or teaching PowerShell to your users by unifying access under one simple web interface.

Control Access

Control exactly who can view managed Administrator passwords at the Organizational Unit level. Add users or groups and select which Organizational Units in your Active Directory domain they'll have access to.

OVERLAPS supports full granular access control, and makes sure that your systems are kept secure.

Monitor Usage

OVERLAPS maintains a record of each user request to view a computer password. This makes auditing the use of LAPS controlled passwords a cinch, and helps to improve the overall security of your network.

Only those users you specifically select can view this audit trail, so that responsibility can easily be delegated to an internal security or monitoring team without compromising log security.
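
A sketch of the per-OU access check and request audit described under "Control Access" and "Monitor Usage", as an added example (not OVERLAPS's own code). The function names, the `GRANTS` table and the fictional `example.test` domain are constructed, and it assumes that a grant on an OU also covers OUs beneath it and that denied requests are recorded too.

```python
import re
from datetime import datetime, timezone


def dn_components(dn):
    """Split a distinguished name on unescaped commas, normalising case and spacing."""
    # A comma preceded by a backslash is part of a name, not a separator.
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]


def is_under(computer_dn, ou_dn):
    """True when the computer object sits in ou_dn or in any OU beneath it."""
    comp, ou = dn_components(computer_dn), dn_components(ou_dn)
    # Compare whole components from the right rather than raw substrings, so case,
    # spacing and escaped commas cannot produce a false match.
    return len(comp) > len(ou) and comp[-len(ou):] == ou


def request_password(user, groups, computer_dn, grants, audit_log, now=None):
    """Decide one view request and record it; returns True if access is allowed."""
    principals = {user.lower()} | {g.lower() for g in groups}
    allowed = any(
        principal.lower() in principals and is_under(computer_dn, ou)
        for principal, ou in grants
    )
    # Every request is written to the audit trail, whether or not it was allowed.
    audit_log.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "computer": computer_dn,
        "allowed": allowed,
    })
    return allowed


# Constructed sample grants: (user or group, OU the principal may read passwords in).
GRANTS = [
    ("ServiceDesk", "OU=Workstations,DC=example,DC=test"),
    ("alice", "OU=Servers,DC=example,DC=test"),
]
```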

Only £49.99

Not monthly, not annually, that's the only price you'll ever pay!


Contact Us

If you would like to be notified about news, have a question, or a suggestion, we'd love to hear from you. Just fill out the form to the right and we'll get back to you as soon as humanly possible.

Registered Office Address:

43 Durham Avenue
Plymouth
United Kingdom
PL4 8SP

support+web@int64software.com
@Int64Software

Int64 Software Ltd agrees to only store your contact details for as long as they remain relevant with regards to your query. By using this form we promise not to add you to any mailing lists, or to pass your details on to any third party companies. For more information, please see our Privacy Policy.
