Sunday, August 20, 2017

Tips&Tricks – Protect Domain Joined Machines w/ Random Local Administrator Passwords and LAPS

It is fairly common in any mid-sized or large enterprise for the IT department to create a local administrator account on its domain-joined machines. This makes it possible, for example, to recover a machine that has fallen out of the domain, or to log in to a machine that has been disconnected from the network because of suspicious activity such as a virus infection.

There is a clear problem with this: without proper tooling, the local administrator password will almost certainly be the same on every machine, which is an obvious security issue, since one compromised machine hands an attacker local admin on all of them.

With this in mind, Microsoft created a tool called “Local Administrator Password Solution” or…LAPS.

This effective and very useful tool provides centralized storage of the passwords in Active Directory (AD).
You don’t need any additional machines, and domain admins decide which users can read the passwords.

So, the main advantages of using LAPS are:

  • Periodically randomizing local administrator passwords (each machine gets its own)
  • Centrally storing the passwords in AD, in an attribute on the computer object
  • Controlling access to these passwords with AD ACL permissions; note that the stored password itself is not encrypted at rest, so the ACL on the attribute is the actual control over who can read it
  • Transmitting passwords from clients to AD over an encrypted channel (Kerberos encryption, AES cipher by default)
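
The following is an added example, not code from the original post or from Microsoft: the one-time AD-side setup that gives LAPS the properties listed above, using the AdmPwd.PS module that ships with the LAPS installer. The OU path and group names are assumptions for illustration. The last step is the check a practitioner wants after delegating read access: anyone who already holds "All extended rights" on the OU can read the confidential password attribute regardless of the delegation you just made.

```powershell
# Added example (not from the original post): AD-side setup of legacy Microsoft
# LAPS with the AdmPwd.PS module. Run the schema step as a Schema Admin; the
# permission steps need rights on the target OU. The OU and group names below
# are assumptions for illustration, not values from the original post.

Import-Module AdmPwd.PS

$Ou         = 'OU=Workstations,DC=corp,DC=example'   # assumed OU holding managed machines
$ReadGroup  = 'CORP\Helpdesk-Tier2'                   # assumed group allowed to read passwords
$ResetGroup = 'CORP\Helpdesk-Tier2'                   # assumed group allowed to force a reset

# 1. Extend the schema once per forest. This adds ms-Mcs-AdmPwd (the password)
#    and ms-Mcs-AdmPwdExpirationTime to the computer class. ms-Mcs-AdmPwd is
#    marked confidential, so ordinary read access on the computer object is
#    not enough to read it; an explicit extended right is required.
Update-AdmPwdADSchema

# 2. Allow each computer (SELF only) to write its own password and expiration
#    time. No user or group gets write access to the password attribute.
Set-AdmPwdComputerSelfPermission -OrgUnit $Ou

# 3. Delegate read and reset rights to the support group, scoped to this OU.
Set-AdmPwdReadPasswordPermission  -OrgUnit $Ou -AllowedPrincipals $ReadGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $Ou -AllowedPrincipals $ResetGroup

# 4. Check who else can read the passwords: any principal holding
#    "All extended rights" on the OU or on individual computer objects can read
#    the confidential attribute without appearing in step 3. Review the list
#    and remove delegations that are broader than intended.
Find-AdmPwdExtendedRights -Identity $Ou -IncludeComputers |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-Table -AutoSize
```

The client side is separate: the LAPS MSI installs the Group Policy client-side extension (AdmPwd.dll) on each machine, and a GPO linked to the same OU enables password management and sets the complexity, length and age under Computer Configuration > Policies > Administrative Templates > LAPS.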

[Diagram of the LAPS solution: not reproduced here]

Once LAPS is deployed in your environment, you retrieve a machine’s password either with the LAPS UI client or with the AdmPwd.PS PowerShell module (Get-AdmPwdPassword to read it, Reset-AdmPwdPassword to force a rotation).
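
The following is an added example, not code from the original post or from Microsoft: reading and rotating one machine’s password with the AdmPwd.PS cmdlets, followed by a coverage report over an OU that flags machines whose password has expired or was never written, which is the usual symptom of the client-side extension or GPO not being applied. The OU and computer name are assumptions for illustration.

```powershell
# Added example (not from the original post): retrieve and rotate a
# LAPS-managed password, then audit which machines in an OU are actually
# being managed. The OU and computer name are assumptions for illustration.

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$Ou       = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$Computer = 'WKS-0042'                              # assumed computer name

# Read the current password and the time at which the client will rotate it.
# This requires the read delegation on the OU (or "All extended rights").
$entry = Get-AdmPwdPassword -ComputerName $Computer
'{0}: password valid until {1:u}' -f $entry.ComputerName, $entry.ExpirationTimestamp
$entry.Password   # hand to the technician; treat console output and transcripts as sensitive

# After the password has been used on the machine, force a rotation. This only
# sets the expiration attribute to "now"; the new password is generated and
# written by the client at its next Group Policy refresh, so the old password
# remains valid until that refresh happens.
Reset-AdmPwdPassword -ComputerName $Computer -WhenEffective (Get-Date)

# Coverage check. ms-Mcs-AdmPwdExpirationTime is stored as a Windows FILETIME
# (int64). A missing value means the machine never wrote a password; a value in
# the past means the client missed its rotation (machine offline, CSE not
# installed, or GPO not applied). Both cases mean the machine may still be
# running the old shared password.
function Get-LapsCoverage {
    param([string]$SearchBase)
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            $exp = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
            [pscustomobject]@{
                ComputerName = $_.Name
                ExpiresUtc   = $exp
                Status       = if (-not $exp) { 'NeverSet' }
                               elseif ($exp -lt (Get-Date).ToUniversalTime()) { 'Expired' }
                               else { 'OK' }
            }
        }
}

# List only the machines that need attention.
Get-LapsCoverage -SearchBase $Ou | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

The coverage function reads only the expiration attribute, which is not confidential, so it can be run by an operator who has no right to read the passwords themselves.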

You can learn more about Microsoft LAPS on Technet:
Microsoft TechNet - Local Administrator Password Solution
