Automating the Management of Local Admin Passwords with Microsoft LAPS

Chris Williams Security, SMB, SME

Effectively managing local admin passwords across hosts is a common challenge for IT departments. That difficulty drives the reuse of passwords across hosts and makes local admin passwords a highly valued target for attackers to use in attacks like Pass-the-Hash (PtH). A single reused password can lead to privilege escalation and access to higher-value assets in the domain.

The good news is that Microsoft offers a free, easy-to-deploy solution that simplifies the management of local admin passwords across domain-joined computers.

LAPS is built on Active Directory infrastructure so there’s no need for third-party applications. The agent is a Group Policy Client Side Extension (CSE) that gets installed on managed hosts via MSI using Group Policy.

LAPS simplifies the management of local admin passwords by automating the process of randomly generating passwords for each host. The passwords are then centrally stored in Active Directory in the host's corresponding AD object. Domain Admins are able to grant read access to authorized users.
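The delegation and a coverage check described above, as an added example that is not part of the original post. It assumes the AdmPwd.PS module that ships with the LAPS management tools and the RSAT ActiveDirectory module; the OU and group names are placeholders.

```powershell
# Added example: the OU and group names below are placeholders (assumptions).
Import-Module AdmPwd.PS          # installed with the LAPS management tools
Import-Module ActiveDirectory    # RSAT module, used for the coverage check

$OU      = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$Readers = 'EXAMPLE\LAPS-Password-Readers'       # placeholder group

# One-time step: add the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
# attributes to the schema (requires Schema Admins membership).
Update-AdmPwdADSchema

# Allow computers in the OU to write their own password attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $OU

# Audit who can already read stored passwords before delegating further.
Find-AdmPwdExtendedRights -Identity $OU |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# Grant password read access to the authorized group only.
Set-AdmPwdReadPasswordPermission -OrgUnit $OU -AllowedPrincipals $Readers

# Coverage check: list hosts that have never stored a password, or whose
# password is past its expiration time (the agent is missing or not applying policy).
$now = (Get-Date).ToUniversalTime()
Get-ADComputer -SearchBase $OU -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'   # FILETIME value, empty if never set
        $status = if (-not $raw) {
            'NoPasswordStored'
        } elseif ([datetime]::FromFileTimeUtc($raw) -lt $now) {
            'Overdue'
        } else { 'OK' }
        [pscustomobject]@{ Computer = $_.Name; Status = $status }
    } |
    Where-Object Status -ne 'OK' |
    Sort-Object Status, Computer
```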

InfoSec is an iterative process with no silver bullets. Don’t neglect the small, meaningful wins.

Microsoft LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899

Chris Williams
Managing Partner at Perpetually Geek, LLC