Using LAPS

In the past, a company-specific standard was usually used for the local administrator passwords. But what do you do if an employee who knows the standard password leaves the company?

Right, it should be changed. In the past, group policies (GPO) were used for this, even though the password was stored in clear text in SYSVOL, where any domain user could read it. Fortunately, Microsoft put a stop to this. What other solutions are there? In practice, VBS or PowerShell scripts are used: the good ones set random passwords, the bad ones just a standard one.

But isn’t there a well thought-out solution from Microsoft? Yes, there is: the Local Administrator Password Solution (LAPS).

What is LAPS?

Microsoft LAPS is a password manager that uses Active Directory to manage and rotate the passwords of local Administrator accounts across all of your Windows endpoints. By ensuring that every local Administrator account has a unique, complex password, LAPS helps mitigate the risk of lateral movement and privilege escalation: an attacker who compromises one local Administrator account can’t move laterally to other endpoints simply by reusing the same password.

A benefit over other password managers is that LAPS does not require additional computers to manage these passwords; it’s done entirely through Active Directory components. Plus, you can download and use LAPS for free.

Why use LAPS?

LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same local administrative account and password combination on their computers. LAPS stores the password for each computer’s local administrator account in Active Directory, secured in a confidential attribute of the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.

What LAPS is used for in Detail

One of the most detrimental misconfigurations on a Windows network is setting the same password for all local administrator accounts. It happens everywhere. Even if you’ve streamlined your endpoint rollouts with imaging software, it’s just easier to make that admin login the same across the organization. Support staff and management software can use it without needing to remember a password scheme. Who else benefits from this ease of configuration? Malicious actors, worms, viruses and ransomware, just to name a few.

Once a password hash has been stolen, it can be used over and over again on any computer that has the same local user/password. A common tool for this credential theft is Mimikatz, which can dump passwords and other authentication material such as Kerberos tickets out of memory and use them to escalate from a normal, under-privileged account to an administrator account.

The primary defense against Mimikatz (and other privilege escalation) is limiting administrative privileges to only those users who need them. That’s definitely easier said than done, especially in an enterprise environment that has been around for a long time. It’s common to start at a company and find a network that was built without design or security in mind. Many times least privilege wasn’t a consideration when a piece of software or business function just needed to work.

Luckily, in 2015 Microsoft came up with an integrated solution for this. LAPS enables admins to manage the local account passwords of domain-joined computers.

LAPS protects these passwords by storing them in a confidential attribute within AD (Active Directory) that is guarded by an access-control list (ACL), so only users with the corresponding access rights can read a password or request a password reset.
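The delegation model described above (computers write their own password, only chosen groups may read it) can be configured and, more importantly, audited with the AdmPwd.PS PowerShell module that ships with the LAPS management tools. The script below is an added example and not part of the original article; it assumes the LAPS schema extension is already in place, and the OU distinguished name and helpdesk group name are placeholders to replace for your domain.

```powershell
# Added example (not from the original article): delegate and audit LAPS
# password permissions with the AdmPwd.PS module from the LAPS management
# tools. Run on a management host with the module installed, as a user
# allowed to change permissions on the target OU.
Import-Module AdmPwd.PS

$workstationOU = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$helpdeskGroup = 'EXAMPLE\Helpdesk-Admins'             # placeholder group

# 1. Let every computer in the OU write its own password and expiry
#    timestamp into its AD object (the computer's SELF permission).
Set-AdmPwdComputerSelfPermission -OrgUnit $workstationOU

# 2. Allow only the helpdesk group to read the confidential attribute.
Set-AdmPwdReadPasswordPermission -OrgUnit $workstationOU `
                                 -AllowedPrincipals $helpdeskGroup

# 3. Audit: list every principal holding "All extended rights" on the OU,
#    because that right implicitly grants read access to the confidential
#    password attribute. Anything not on the expected list is flagged for
#    review (privileged built-in groups will normally appear here too and
#    should be confirmed against your own policy).
$expected = @($helpdeskGroup)

Find-AdmPwdExtendedRights -Identity $workstationOU |
    ForEach-Object {
        $dn = $_.ObjectDN
        foreach ($principal in $_.ExtendedRightHolders) {
            [pscustomobject]@{
                ObjectDN  = $dn
                Principal = $principal
                Status    = if ($expected -contains $principal) { 'expected' } else { 'REVIEW' }
            }
        }
    } | Format-Table -AutoSize
```

Re-run step 3 periodically: permissions on OUs drift over time, and every unexpected holder of that right can read the local administrator password of every computer in the OU.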

How to implement LAPS with XEOX

If you are a XEOX user, we have provided a guide to implementing LAPS for your business. Alternatively, read this blog article.
