Florian Posted November 13, 2022

Hi Choombas

This post is probably a bit longer. If you want to skip the bla bla context -> jump beneath the line 😉

I had the idea for this post after I followed the following post, which mentioned LAPS and "some" of its problems: Any Legacy AD Security Admins? - Defensive Security - UpdatedSecurity

But first, what is LAPS?

LAPS (or Local Administrator Password Solution) is a "tool" Microsoft offers to improve the local administrator situation in Active Directory environments. Normally there are 2 possible ways to manage clients:

1. You have one local administrator with a specified password which is in an image or GPO script or wherever, and you deploy this on every client in your org.
2. You already use LAPS and have a different password which changes every few days, and the password can be retrieved from Active Directory.

Some more infos and docs are linked here:
Windows LAPS overview | Microsoft Learn
Download Local Administrator Password Solution (LAPS) from Official Microsoft Download Center

But what is then the problem?

First, you can only retrieve the password directly from Active Directory Users and Computers, or you have to use the LAPS GUI which is installed somewhere (management server or admin notebook or whatever).
Second, you can't track the password history of the LAPS password ---> This one is important in the case you also want to stop lateral movement between servers!
Third, access management on the passwords through LAPS is so terrible.
Fourth, it's hard to get the acceptance within the operations team.

-----------------------------------------------------------------------------------

And now, how can you get rid of the problems? The solution is called OVERLAPS. (Not from me and I am not sponsored 😛)

A powerful web interface for Microsoft LAPS | OVERLAPS (int64software.com)
Docs: Documentation | OVERLAPS (int64software.com)

Is it free? No! BUT the price is so cheap that EVERY company can afford it. It's ~160 €/$ (one time).

What is OVERLAPS?

OVERLAPS is a software which can be installed on a server to extend the functionality. OVERLAPS is a software which scans your AD, gathers all the LAPS passwords and saves them in an internal database. You can configure the access to the passwords within the tool. OVERLAPS provides a web service where you can view the passwords; you can configure how many old passwords should be kept in the history. So you can access the passwords over the web browser. It has an MFA component within, supports integrated Windows authentication, etc. Access can be configured on OU level. This even supports a tiering model within the tool. There is also a BitLocker feature, so that you can view the current BitLocker password if needed. You can set the access granularly. You can set the password in the web interface as expired -> LAPS will reset the password on the next check.

How does it work?

Step 1 - Deploy a domain joined server
Step 2 - Install software
Step 3 - Configure software -> you add the permissions for a service account or the OVERLAPS computer account
Step 3b - Configure history etc.
Step 4 - Add groups to OVERLAPS and set permissions in OVERLAPS
(Step 5 - Publish OVERLAPS if needed)

Credits to Matt. @matt_is_ready he is the creator of the tool. He provides support pretty fast!
Nathan McNulty Posted November 16, 2022 (edited)

Ryan Newington (@RyanLNewington) has a similar solution, and V2 coming soon will support Azure AD native, macOS, and Linux as well 🙂

https://github.com/lithnet/access-manager
https://docs.lithnet.io/ams/v/2.0/whats-new

I hooked it into Azure AD to provide Conditional Access, and it also supports putting Azure App Proxy in front of it. I really wish more people used LAPS.

Edited November 16, 2022 by Nathan McNulty
Accidental CISO Posted November 19, 2022

Good info, thanks Florian and Nathan!

Question: are the problems that this solves related directly to shortcomings of LAPS, or are they related to a lack of other tools in the environment resulting in a need to regularly access local admin passwords for individual machines?

-AC
Florian Posted November 19, 2022 (Author)

I would say it's somehow the lack of mobility. E.g. think about a front line supporter who walks through the company. He would need to connect to a jumphost or his computer rather than connect to a website with his phone to get the needed Phone.

And the default LAPS configuration options are not that user friendly. Permissions on OUs have to be set with PowerShell, and checking the current permissions is an even bigger pain point I think (wild guess: not many sysadmins know how these permissions are set in their environment).
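The pain point above (nobody knows who can read LAPS passwords on which OU) can be audited with the cmdlets the legacy LAPS module already ships. The script below is an added example for this thread, not code from Florian, OVERLAPS or Microsoft. It assumes the legacy LAPS PowerShell module (AdmPwd.PS) and the ActiveDirectory RSAT module are installed, that it runs as an account allowed to read OU ACLs, and that the group names in $expected are placeholders you replace with your own tier groups. For Windows LAPS the equivalent cmdlet is Find-LapsADExtendedRights with the same -Identity parameter.

```powershell
# Added example: report every principal that holds the "read LAPS password"
# extended right (ms-Mcs-AdmPwd) on any OU in the domain, and flag holders
# that are not on an expected allow-list. Assumes AdmPwd.PS + ActiveDirectory modules.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

# Walk the whole domain; Find-AdmPwdExtendedRights reports every OU under
# the given identity together with the principals holding the extended right.
# Add -IncludeComputers to also list rights granted directly on computer objects.
$domainDn = (Get-ADDomain).DistinguishedName
$rights   = Find-AdmPwdExtendedRights -Identity $domainDn

# Flatten to one row per (OU, holder) so it can be filtered and exported.
$report = foreach ($entry in $rights) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        [pscustomobject]@{
            OU     = $entry.ObjectDN
            Holder = $holder
        }
    }
}

# Placeholder allow-list: the principals that are *supposed* to read LAPS passwords.
# Replace the domain prefix and group names with your own before running.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'CONTOSO\Domain Admins',
    'CONTOSO\LAPS-Tier1-Readers'
)

# Anything not on the allow-list is a candidate for review (stale delegations,
# helpdesk groups that were granted rights "temporarily", etc.).
$unexpected = $report | Where-Object { $_.Holder -notin $expected }

"Total OU/holder pairs: $($report.Count)"
"Unexpected holders:    $($unexpected.Count)"
$unexpected | Sort-Object OU, Holder | Format-Table -AutoSize

# Keep a dated copy so changes can be diffed between audits.
$stamp = Get-Date -Format 'yyyyMMdd'
$report | Export-Csv -NoTypeInformation -Path ".\laps-read-rights-$stamp.csv"
```

Running this on a schedule and diffing the CSV between runs gives a cheap change log of LAPS read delegations, which covers part of what Florian describes as missing from plain LAPS. It does not solve the password-history gap: the legacy ms-Mcs-AdmPwd attribute stores only the current value, so history still needs a tool such as OVERLAPS or Lithnet Access Manager sitting in front of AD.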
b1sh0p Posted November 20, 2022

Just want to thank all involved in this thread. I've been looking to implement LAPS in our environment for some time now. The pushback has been pretty heavy with the people in charge of these decisions. This might help sell them on it.