Wanna get rid of the Problems LAPS brings with it?

[Florian]

Hi Choombas

This post is propably a bit longer if you want to skip the bla bla context -> jump beneath the line 😉

i had the idea for this post after i followed the following post which mentioned laps and "some" of their problem:

Any Legacy AD Security Admins? - Defensive Security - UpdatedSecurity

But first what is LAPS?

Laps (or Local Administrator Password Solution) is a "tool" Microsoft offer to improve the local administrator situation in Active Directory Environments.

Normaly there are 2 possible ways to manage Clients:

1. you have one local administrator with a specified password which is in a Image or GPO Script or where ever and you deploy this on every client in your org
2. you already use laps and have different password which changes every few days and the password can be gotten from the Active Directory.

Some more infos and docs are linked here

Windows LAPS overview | Microsoft Learn

Download Local Administrator Password Solution (LAPS) from Official Microsoft Download Center

But what is then the Problem?

First, you can only retrive the Password directly from the AD User and Computer or you have to use the LAPS GUI which is installed somewhere (management server oder admin notebook or whatever.) 

Second, you can't track the password history of the LAPS Password
---> This one is important in the case you also want to stop lateral movement between servers!

Third, Access Management on the passwords through LAPS is so terrible.

Fourth, it's hard to get the acceptance within the operations tea.

-----------------------------------------------------------------------------------

And now, how you can get rid of the problems?

the solution is called OVERLAPS. (nor from me and i am not sponsored 😛)

A powerful web interface for Microsoft LAPS | OVERLAPS (int64software.com)

Docs:

Documentation | OVERLAPS (int64software.com)

Is it free?

No!, BUT the price is so cheap that EVERY company can afford it. 

it's ~160 €/$ (One Time)

What is OVERLAPS?

Overlaps is a software which can be installed on a server to extense the functionality. 

Overlaps is a software which scan your AD and gather all the LAPS Passwords and saves it in a internal database.

You can configure the access to the passwords within the tool. Overlaps provide a webservice where you can view the passwords, you can configure how much old password should kept in the history.

So you can access the passwords over the web browser. it has a MFA component withing, supports integrated windows authentication, etc. 

Access can configured on OU Level. This supports even tiering model within the tool.

there is also a Bitlocker feature, that you can watch the current bitlocker password if needed.

you can set the access granularly. you can set the password in the webinterface as expired -> laps will reset the password on next check

how does it works?

Step 1 - Deploy a domain joined server 

Step 2 - Install Software

Step 3 - configure software -> you add the permissions for a service account or the Overlaps computer account 
Step 3b - configure History etc.

Step 4 - add groups to overlaps and set permissions in overlaps

(Step 5 - Publish Overlaps if needed)

 

Credits to Matt. @matt_is_ready

he is the creator of the tool. he provides supports pretty fast! 

[Nathan McNulty]

Ryan Newington (@RyanLNewington) has a similar solution, and V2 coming soon will support Azure AD native, macOS, and Linux as well 🙂

https://github.com/lithnet/access-manager

https://docs.lithnet.io/ams/v/2.0/whats-new

I hooked it into Azure AD to provide Conditional Access, and it also supports putting Azure App Proxy in front of it. I really wish more people used LAPS.

Edited November 16, 2022 by Nathan McNulty

[Accidental CISO]

Good info, thanks Florian and Nathan!

Question: are the problems that this solves related directly to shortcomings of LAPS, or are they related to lack of other tools in the environment resulting in a need to regularly access local admin passwords for individual machines?

-AC

[Florian]

I would say, it's somehow the lack of mobility

E.g.

Think about a front line supporter who walks through the company. He would need to connect to a Jumphost or his computer rather than connect to a website with his phone ti get the needed Phone. 

And the default laps configuration options are not that user friendly.

Permission on OU have to been set with powershell and checking this current permissions are an even bigger pain point i think (wild guess, not many sys admin know how these permissions are set in their environment)

[b1sh0p]

Just want to thank all involved in this thread, I've been looking to implement LAPS in our environment for some time now. The pushback has been pretty heavy with the people in charge of these decisions. This might help sell them on it.