The Microsoft Local Administrator Password Solution (LAPS) is a free tool for securing the Windows computers in your Active Directory environment.
By performing scheduled resets on the Local Administrator accounts on your domain-joined computers, LAPS helps to mitigate the threat of "Pass-the-Hash" type attacks against your network. It generates new passwords completely randomly, bypassing the need for shared or formulaic passwords, and stores them securely in Active Directory for the use of your Service Desk teams.
LAPS is a Client Side Extension (CSE) to Group Policy released for free by Microsoft. It creates two new protected attributes in your Active Directory schema for computer objects which are used to store the computer's Local Admin password and expiry information. Then a small client DLL is deployed to your managed Windows computers and sits unused until a Group Policy refresh operation occurs. At that point it performs its work:
- LAPS retrieves the current expiry date and time for the Local Administrator password on the current computer from Active Directory.
- If the expiry is not blank and is still in the future, nothing happens.
- Otherwise a new password is required, so LAPS generates one completely randomly according to your specifications (set in Group Policy).
- LAPS now attempts to record the new password in Active Directory, along with when the password will next expire.
- If that was successful, it will only then actually change the password of the Local Administrator account.
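The refresh-time decision in the list above, as an added example in Python (not code from Microsoft LAPS or OVERLAPS): a stand-in directory replaces Active Directory, the two attribute names are the real legacy LAPS schema attributes, and the classes and sample values are constructed here.

```python
"""Model of the LAPS client-side rotation decision (added example, not the product's code)."""
import secrets
import string
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC, which is how the
# expiry attribute (ms-Mcs-AdmPwdExpirationTime) is stored on the computer object.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt: datetime) -> int:
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10

def from_filetime(ft: int) -> datetime:
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)

def generate_password(length: int = 14) -> str:
    # Random draw from the full character set, standing in for the policy-driven generator.
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

class FakeDirectory:
    """Constructed stand-in for the LAPS attributes on one computer object."""
    def __init__(self, expiry_ft=None, fail_writes=False):
        self.attrs = {"ms-Mcs-AdmPwdExpirationTime": expiry_ft, "ms-Mcs-AdmPwd": None}
        self.fail_writes = fail_writes  # simulate missing write permission on the attributes

    def write(self, password: str, expiry_ft: int) -> None:
        if self.fail_writes:
            raise PermissionError("insufficient rights on LAPS attributes")
        self.attrs.update({"ms-Mcs-AdmPwd": password, "ms-Mcs-AdmPwdExpirationTime": expiry_ft})

def gpo_refresh(directory: FakeDirectory, local_password: str, now: datetime,
                max_age_days: int = 30) -> str:
    """Return the local Administrator password after one Group Policy refresh."""
    expiry = directory.attrs["ms-Mcs-AdmPwdExpirationTime"]
    if expiry is not None and from_filetime(expiry) > now:
        return local_password                        # expiry set and in the future: nothing to do
    new_password = generate_password()
    next_expiry = to_filetime(now + timedelta(days=max_age_days))
    try:
        directory.write(new_password, next_expiry)   # record in the directory first...
    except PermissionError:
        return local_password                        # ...keep the old password if that fails...
    return new_password                              # ...and only then change it locally
```

The ordering matters for the failure path: a password that never reached the directory is never applied locally, so the Service Desk copy and the machine never diverge.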
Windows account passwords are stored hashed (one-way encrypted) and are, in principle, accessible to anyone with access to that computer. A pass-the-hash attack uses this hash in place of the actual password to access resources on other computers on your network that share the same account and password.
LAPS mitigates the threat of pass-the-hash attacks by ensuring each computer has a different password (and therefore different hash) for their Local Administrator account.
For more information on Microsoft LAPS, please see the links below.
OVERLAPS is a self-hosted Microsoft LAPS alternative UI (user interface), a way of retrieving and expiring LAPS managed passwords through any modern browser on any network attached device. More than this, it removes the hassle of managing and maintaining Active Directory permissions for LAPS attributes by allowing you to specify which users or groups have access per-OU.
Network Environment Requirements
A non-Cloud (not Azure) Active Directory domain is required, with Microsoft’s Local Administrator Password Solution (LAPS) installed and already configured.
Operating System: Windows 8.1 Pro or higher, Windows Server 2012 R2 or higher.
By default OVERLAPS runs as the system account on the server (NT AUTHORITY\SYSTEM), and permission must be given to this account to read and write the LAPS properties (see Active Directory Permissions for OVERLAPS). Alternatively, if you are planning to use a Service Account to allow OVERLAPS to access Active Directory (see Active Directory), then that account must have the relevant LAPS permissions.