OVERLAPS is an inexpensive, self-hosted, and easy to set-up web-based user interface for the Windows Local Administrator Password Solution (LAPS).
Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it.
What is Microsoft® LAPS?
The Microsoft Local Administrator Password Solution (LAPS) is a free tool for securing the Windows computers in your Active Directory environment.
By performing scheduled resets on the Local Administrator accounts on your domain-joined computers, LAPS helps to mitigate the threat of "Pass-the-Hash" type attacks against your network. It generates new passwords completely randomly, bypassing the need for shared or formulaic passwords, and stores them securely in Active Directory for the use of your Service Desk teams.
How does LAPS work?
LAPS is a Client Side Extension (CSE) to Group Policy released for free by Microsoft. It creates two new protected attributes in your Active Directory schema for computer objects which are used to store the computer's Local Admin password and expiry information. Then a small client DLL is deployed to your managed Windows computers and sits unused until a Group Policy refresh operation occurs. At that point it performs its work:
- LAPS retrieves the current expiry date and time for the Local Administrator password on the current computer from Active Directory.
- If the expiry is not blank and is still in the future, nothing happens.
- Otherwise a new password is required, so LAPS generates one completely randomly according to your specifications (set in Group Policy).
- LAPS now attempts to record the new password in Active Directory, along with when the password will next expire.
- If that was successful, it will only then actually change the password of the Local Administrator account.
Another client service on my devices?
Not really. Think of the term "client" in its loosest sense, it is just a small 146kb file on each computer which does literally nothing until a Group Policy refresh asks it to carry out its work. So most of the time it isn't using any resources at all (apart from a tiny bit of disk space).
What is a Pass-the-Hash attack?
Windows accounts are stored hashed (one-way encrypted) and are, in principal, accessible to anyone with access to that computer. A pass-the-hash attack uses this hash in place of the actual password to access resources on other computers on your network with the same account/password.
LAPS mitigates the threat of pass-the-hash attacks by ensuring each computer has a different password (and therefore different hash) for their Local Administrator account.
What does LAPS cost?
Microsoft released LAPS completely free. You can download it along with its technical documentation from here: https://www.microsoft.com/en-us/download/details.aspx?id=46899
What management tools come with LAPS?
LAPS is packaged with a PowerShell module and a basic Windows client UI for retrieving and manually expiring passwords.
Further Reading
For more information on Microsoft LAPS, please see the links below.
LAPS Alternative User Interface
Improve your user experience with LAPS by partnering it with OVERLAPS, which provides an alternative to the basic tools provided by LAPS to make retrieving and expiring passwords much easier and more accessible.
Your Service Desk teams will still need access to the passwords generated by LAPS, and with OVERLAPS they can do that and more from anywhere and from any device with network access.
OVERLAPS works alongside Microsoft LAPS to provide quick, intelligent access to the managed device passwords through a fully responsive browser-based interface.
What is OVERLAPS?
OVERLAPS is a self-hosted Microsoft LAPS alternative UI (user interface), a way of retrieving and expiring LAPS managed passwords through any modern browser on any network attached device. More than this, it removes the hassle of managing and maintaining Active Directory permissions for LAPS attributes by allowing you to specify which users or groups have access per-OU.
How does OVERLAPS work?
- You install it on a computer or server which will act as the web server for OVERLAPS.
- Configure your Active Directory permissions to allow that computer the appropriate access to the LAPS password and expiry attributes.
- Setup SSL/TLS encryption to make sure everything is secure.
- Add users and/or groups, and specify what Organizational Units or containers that they are allows to access.
- Users can now login to OVERLAPS and access the LAPS managed passwords as needed.
What are the limits/restrictions on OVERLAPS?
There aren't any. We don't specify a time limit, user limit or device limit. Once you've purchased OVERLAPS once it is yours forever, no matter how your service grows. We'll only ever require payment again if there is a major update version released, in which case we'll make a significantly reduced upgrade price available to existing customers.
How much does OVERLAPS cost?
OVERLAPS is priced at ₴7 314,02 (UAH) per licence. Bulk discounts are available for customers who require multiple installs.
Where can I purchase OVERLAPS?
Click here to go to the store page and follow the on-screen instructions.
Security First Approach
Self-hosted and featuring full SSL/TLS encryption, Kerberos authentication and Multi Factor Authentication capabilities, OVERLAPS has your network security at the forefront of its design.
Easier to manage than Active Directory permissions, OVERLAPS allows you granular control over who can access passwords down to the Organisational Unit.
OVERLAPS leaves the password management to LAPS. It doesn't store, transmit or share any confidential information with third parties. It only allows access to existing data by the users that you authorise.
End-to-end Encryption over SSL/TLS
Whether its a full certificate chain or self-signed certificate for intranet usage, OVERLAPS wants to make sure your communications are secure so supports full SSL/TLS (HTTPS) encryption.
Multi-Factor Authentication
OVERLAPS now makes use of Google Authenticator to provide Multi-Factor Authentication. When this option is enabled on a user's profile, they will now have to provide an additional One-Time Password code from the Authenticator app on their smartphone before they will be able to login to OVERLAPS.
Simpler Permissions
Active Directory permissions are notoriously difficult to interpret and manage, so OVERLAPS simplifies this by implementing a easy-to-manage user/group management system and per-OU permissions to make controlling who has access to the LAPS managed passwords much easier.
Internal Security
OVERLAPS simply acts as the intermediary between your users and the LAPS managed passwords in Active Directory. In order to guarantee your service security, it will never record or store any of the passwords.
It requires absolutely no connection to the internet as it doesn't transmit or receive anything either to/from our servers or to those of third parties. This allows you to setup the OVERLAPS computer/server in any security configuration you want, be that completely locked down behind your firewall, or in a DMZ.
Delegate Control to Your Users
With the new Self Service features, you can now empower your users more than ever before by granting them the ability to retrieve the Local Administrator password for a select device or devices on their own.
Help to reduce the amount of minor jobs your Service Desk need to carry out by appointing local "Power Users" who can take over these SLA impacting tasks.
Self Service
Users with designated "Self Service" computers are able to access their passwords without needing to be granted access to a whole Organizational Unit. They simply login as normal, but instead of browsing or searching for a computer they get presented with a list of these computers only.
Multiple Domain Support
With full support for managing Multiple Active Directory domains within the same forest, OVERLAPS scales from small offices to major international enterprises effortlessly.
If you're an independent IT Support or Service Desk company, we can offer you generous discounts for you to supply OVERLAPS to your clients.
Easier to Use
Make it easier to gain access to managed Administrator passwords. Users can navigate your existing domain and simply click computers to view their current L.A.P.S. managed administrator password.
Reduce the overheads of deploying tools or teaching PowerShell to your users by unifying access under one simple web interface.
Control Access
Control exactly who can view managed Administrator passwords at the Organizational Unit level. Add users or groups and select which Organizational Units in your Active Directory domain that they'll have access to.
OVERLAPS supports full granular access control, and makes sure that your systems are kept secure.
Monitor Usage
OVERLAPS maintains a record of each user request to view a computer password. This makes auditing the use of LAPS controlled passwords a cinch, and helps to improve the overall security of your network.
Only those users to specifically select can view this audit trail, so that responsibility can easily be delegated to an internal security or monitoring team without compromising log security.
Only ₴7 314,02
Not monthly, not annually, that's the only price you'll ever pay!
Contact Us
If you would like to be notified about news, have a question, or a suggestion, we'd love to hear from you. Just fill out the form to the right and we'll get back to you as soon as humanly possible.
Registered Office Address:
43 Durham Avenue
Plymouth
United Kingdom
PL4 8SP
| support@int64software.com | |
| @Int64Software | |
| 0900 - 1700 GMT, Monday - Friday |