Florian Posted November 13, 2022

Hi Choombas

This post is probably a bit longer. If you want to skip the bla bla context, jump beneath the line 😉

I had the idea for this post after I followed the following post, which mentioned LAPS and "some" of its problems: Any Legacy AD Security Admins? - Defensive Security - UpdatedSecurity

But first, what is LAPS?

LAPS (or Local Administrator Password Solution) is a "tool" Microsoft offers to improve the local administrator situation in Active Directory environments. Normally there are 2 possible ways to manage clients:

1. You have one local administrator with a specified password which is in an image or GPO script or wherever, and you deploy this on every client in your org.
2. You already use LAPS and have a different password which changes every few days, and the password can be gotten from Active Directory.

Some more infos and docs are linked here:
Windows LAPS overview | Microsoft Learn
Download Local Administrator Password Solution (LAPS) from Official Microsoft Download Center

But what is then the problem?

First, you can only retrieve the password directly from Active Directory Users and Computers, or you have to use the LAPS GUI which is installed somewhere (management server or admin notebook or whatever).
Second, you can't track the password history of the LAPS password ---> This one is important in the case you also want to stop lateral movement between servers!
Third, access management on the passwords through LAPS is so terrible.
Fourth, it's hard to get the acceptance within the operations team.

-----------------------------------------------------------------------------------

And now, how can you get rid of the problems? The solution is called OVERLAPS. (Not from me and I am not sponsored 😛)

A powerful web interface for Microsoft LAPS | OVERLAPS (int64software.com)
Docs: Documentation | OVERLAPS (int64software.com)

Is it free? No! BUT the price is so cheap that EVERY company can afford it. It's ~160 €/$ (one time).

What is OVERLAPS?

OVERLAPS is a software which can be installed on a server to extend the functionality. OVERLAPS is a software which scans your AD, gathers all the LAPS passwords and saves them in an internal database. You can configure the access to the passwords within the tool. OVERLAPS provides a web service where you can view the passwords; you can configure how many old passwords should be kept in the history. So you can access the passwords over the web browser. It has an MFA component within, supports integrated Windows authentication, etc. Access can be configured on OU level. This even supports a tiering model within the tool. There is also a BitLocker feature, so that you can view the current BitLocker password if needed. You can set the access granularly. You can set the password in the web interface as expired -> LAPS will reset the password on the next check.

How does it work?

Step 1 - Deploy a domain-joined server
Step 2 - Install software
Step 3 - Configure software -> you add the permissions for a service account or the OVERLAPS computer account
Step 3b - Configure history etc.
Step 4 - Add groups to OVERLAPS and set permissions in OVERLAPS
(Step 5 - Publish OVERLAPS if needed)

Credits to Matt, @matt_is_ready, he is the creator of the tool. He provides support pretty fast!
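Added example, not part of Florian's post and not OVERLAPS or Microsoft LAPS code: the three LAPS operations the post revolves around, done against the directory attributes directly with the RSAT ActiveDirectory module. It assumes the legacy LAPS schema extension (the ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime attributes the post's download link refers to), a caller with the CONTROL_ACCESS (extended) right on ms-Mcs-AdmPwd, and placeholder names (`WS-0042`, the OU distinguished name) that you would replace with your own. The first function reads the password and decodes the expiry, the second expires the password so the LAPS client rotates it at its next policy refresh (the "set as expired" action the post describes in the web interface), and the third lists which principals hold the extended right that actually allows reading the confidential attribute on an OU, which is the "access management" question the post raises.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory
# module and the legacy LAPS schema (ms-Mcs-AdmPwd attributes).
# Computer and OU names below are placeholders.
Import-Module ActiveDirectory

# Read the current LAPS password and when the client will rotate it.
function Get-LapsPasswordInfo {
    param([Parameter(Mandatory)][string]$ComputerName)

    $c = Get-ADComputer -Identity $ComputerName `
        -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

    # Expiration is stored as a Windows FILETIME (100 ns ticks since 1601) in a string.
    $expires = $null
    if ($c.'ms-Mcs-AdmPwdExpirationTime') {
        $expires = [DateTime]::FromFileTimeUtc([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
    }

    [pscustomobject]@{
        ComputerName = $c.Name
        # $null when the caller lacks the extended right: the attribute is
        # marked confidential, so a plain read-property ACE does not return it.
        Password     = $c.'ms-Mcs-AdmPwd'
        ExpiresUtc   = $expires
    }
}

# Force a rotation: an expiration time of 0 is already in the past, so the
# LAPS client-side extension resets the local admin password on its next
# Group Policy refresh and writes the new value back to AD.
function Reset-LapsPasswordOnNextRefresh {
    param([Parameter(Mandatory)][string]$ComputerName)

    Set-ADComputer -Identity $ComputerName -Replace @{ 'ms-Mcs-AdmPwdExpirationTime' = '0' }
}

# Enumerate who can read ms-Mcs-AdmPwd below an OU. Reading a confidential
# attribute needs the CONTROL_ACCESS (ExtendedRight) bit either scoped to the
# attribute's schema GUID or granted for all objects (empty GUID, e.g. GenericAll).
function Get-LapsPasswordReaders {
    param([Parameter(Mandatory)][string]$OUDistinguishedName)

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    $pwdGuid = [guid]$attr.schemaIDGUID

    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $pwdGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Usage (placeholder names):
Get-LapsPasswordInfo -ComputerName 'WS-0042'
Get-LapsPasswordReaders -OUDistinguishedName 'OU=Workstations,DC=corp,DC=example'
Reset-LapsPasswordOnNextRefresh -ComputerName 'WS-0042'
```

The reader enumeration deliberately matches the all-objects GUID as well as the attribute GUID: a group holding GenericAll or FullControl on the OU can read the password without ever appearing in an attribute-specific ACE, and that is exactly the kind of grant that slips past a review limited to "who was delegated LAPS read". Run the same check against every OU that a tool such as OVERLAPS is going to front, since the web interface only adds a layer on top of whatever the directory ACL already allows.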