Deploying: Microsoft’s Local Administrator Password Solution (LAPS)

A common and critical vulnerability exploited during penetration tests is that of reused Local Administrator passwords. This issue is a common one it allows an attacker to find a vulnerable machine on a network, pull the administrative hash out of that machine and then log-in to a more interesting machine or ultimately privilege escalate.

A concern I’ve heard raised a few times about LAPS though, is that it does not encrypt passwords in storage. The LAPS solution by Microsoft does offer password protection, although not necassarily encryption the password storage and transmission is hardened.

LAPS passwords that are retrieved from AD using the default tools (both the PowerShell and LAPS UI tool) are encrypted in transit, so that’s not a concern unless you utilise third party tools.

The password is not encrypted in storage within AD however it is stored in a hardened location, protected by the operating system. An attacker would be able to retrieve this password if they had a highly privileged account such as a Domain Administrator account – but with this level of privilege they would be able to retrieve them anyway.

So this ultimately leaves the physical theft of the domain controller, its hard disks or the AD backups. These can be protected through strong physical security and the encryption of backup media. Ultimately the thing to remember is not to let perfect get in the way of better. LAPS is a much better solution that a reused local administrator password, so I highly recommend you consider deploying it across your estate!

Installing LAPS into the domain:

Step 1 – The LAPS installation file is available here. The recommended thing to do is distribute this file via Group Policy so that it’s installed on all clients. Remember to run the msi file on a management machine too and select the “Management Tools” option in the installed

Step 2 – The Active Directory Schema must be updated to allow for LAPs, so as a Scheme Admin or equivalent, on the management machine run the following two commands:

Import-Module AdmPwd.PS

Step 3 – You need to give the computers themselves permissions to update the password in active directory, which can be done by adding the Active Directory OU into the following command:

Set-AdmPwdComputerSelfPermissions -OrgUnit 'Domain Computers'

Step 4 – You’ll need to give read permissions to an OU so that they can extract the passwords when required – this is as simple as:

Set-AdmPwdReadPasswordPermissions -Orgunit 'Domain Computers' -AllowedPrinciples\HelpDesk

Step 5 – Finally all you need to do is create a Group Policy Object to enable LAPS, this is as simple as:

Computer Configuration > Policies > Administrative Templates > LAPS
"Enable Local Admin Password Management": Enabled

Now the issue of reused passwords and the pass-the-hash attack is fixed and you can extract the passwords using the supplied management tool! Alternatively there’s a Powershell version available thanks to kfosaaen!