19 July, 2015

LAPS - Local Administrator Password Management

Microsoft new initiative "Local Administrator Password Management" or also known as "LAPS" clearly shows how serious they are about the "Security" domain that they have launched a new tool to enhance the security on the client machines (They could have incorporated this in the next version of their Operating System but it seems that they didn't wanted to waste any time waiting for the release of the newer version)

With LAPS, there are few points to be noted:-

- Administrator Account (And keep this in mind, I did not said "The Administrator Account" which the the default administrator account) will get a "RANDOM" Password

- The Password on all the machines will be DIFFERENT

- These Passwords will be STORED in Active Directory under the Machine Account

Lets see how this so called LAPS works !!!!

For the lab purpose, I have a domain "ADShotGyan", Domain Controller (DC1 - Windows 2012 R2) and Client Machine (Win7 - Windows 7)


You can download LAPS from the following location:

https://www.microsoft.com/en-us/download/details.aspx?id=46899

Currently, I am on a Windows 2012 R2 Domain Controller


The "Welcome" Page


"I Agree"... As if you had any other option...


There are two main components of LAPS:

- AdmPwd GPO Extension

- Management Tools
   - Fat Client UI
   - PowerShell Module
   - GPO Editor Template

The GPO Extensions are the CSE`s (Client Side Extensions) for LAPS and need to be installed on all the client machines which you as an administrators wants to manage

Rest of the management tools are optional on client machines but you will need them on the domain controller from where you want to manage LAPS


Click on Install....



At this point, If I look at the properties of any computer object, I wont be able to see any new attributes populated.


We need to install the same tool on the client machines as well on which we want to configure the local administrators password


An important thing to note is that we DON'T have to install all the components. We just need to install the "GPO Extensions"


Install...


Once the installation is completed, browse through the "Programs and Features" on the client machine and you will find the "Local Administrator Password Solution"


This will install the required dll (AdmPwd.dll) on the following location:
C:\Program Files\LAPS\CSE


Do Register this dll (AdmPwd.dll)


Lets come back on to the server


We first need to import the following module using PowerShell

Import-Module AdmPwd.PS


Then, Update the Schema....

Update-AdmPwdADSchema

The Schema Update will Add the following Attributes:

- ms-Mcs-AdmPwdExpireationTime
- ms-Mcs-AdmPwd


And you should be then able to view these attributes on any machine account



Permissions

Now lets see which all permissions do we have on these machines w.r.t LAPS

Understand this... With LAPS, Administrator Account on every machine will have a random password and this password will be stored in the machine account in active directory. So the machine need to have rights on the attributes where the password will be stored

Lets have a look on these permissions on a machine account

We need to look for the permission for the SELF account on the machine account




hmm... That`s strange.. So the SELF account do not have any rights on the attributes which will store the password... Which simply means that this wont work..

Read ms-Mcs-AdmPwd
Write ms-Mcs-AdmPwd
Read ms-Mcs-AdmPwdExpirationTime
Write ms-Mcs-AdmPwdExpirationTime 



So now lets give those permissions

Set-AdmPwdComputerSelfPermission -OrgUnit <OU where the Client Machines are Stored>

Example:

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=LAPS Lab,DC=ADShotGyan,DC=com"


Delegated...


Now lets have a look on the permissions again



Now SELF has rights on the attributes

Write ms-Mcs-AdmPwd
Read ms-Mcs-AdmPwdExpirationTime
Write ms-Mcs-AdmPwdExpirationTime 

Note that it still does not have rights on the attribute "Read ms-Mcs-AdmPwd"


The above permission which we gave was for the machine account. But what if an administrator wants to READ the administrator password stored on the machine account. Even though the password which will be generated will be a random password but then the domain administrator should be able to read the password else how would they be able to use that password on the machine for which the password has been generated

Currently, we have two administrator accounts in ADSHOTGYAN.COM domain

- Sumit Sethi
- Administrator
 
And they both don't have any rights/permissions on this computer account



So lets give them the permissions

Set-AdmPwdReadPasswordPermission -OrgUnit "OU=LAPS Lab,DC=ADShotGyan,DC=com" -AllowedPricipals "ADShotGyan\Sumit Sethi","ADShotGyan\Administrator"


Delegated...


Now "Sumit Sethi" has been added in this computer account ACLs



And "Sumit Sethi" has Full Control


Similarly, We have created another account named "Reset" who will have the delegated permission on the computer account to reset the password of the administrator account


Notice the difference in the two commands...

We gave "Sumit Sethi" and "Administrator" accounts "READ" Permissions and "Reset" account "RESET" Permission

Set-AdmPwdResetPasswordPermission -OrgUnit "OU=LAPS Lab,DC=ADShotGyan,DC=com" -AllowedPricipals "ADShotGyan\Reset"


Delegated ....


Read & Reset....


Lets verify the permissions "Reset" account has now got on this computer account



Note that the "Reset" account has not got Full Control...




Now lets explore the Group Policies associated with LAPS


Location:

Computer Configuration -> Administrative Templates -> LAPS

Settings:

- Password Settings
- Name of administrator account to manage
- Do not allow password expiration time longer than required by policy
- Enable local admin password management


Password Settings

It defines the password complexity settings


Name of administrator account to manage

If you are a good admin, then you will always rename your default built in admin account or you keep your built in administrator account disabled and will create a secondary administrator account with some other name as the default admin account "administrator" can be easily hack-able

So, if you have a second administrator account on client machines then you can specify that account name here in the group policy setting


Do not allow password expiration time longer than required by policy



Enable local admin password management

When enabled, local administrator password is managed


Now we have rebooted a client machine and a password got generated which is stored in the attribute on the client machine account


On the client machine, lets enable the default administrator account





Note: We reset the default administrator account on the client machine but the password on the client machine account in active directory remained unchanged. So the password which is stored in active directory is only the password which has been generated by LAPS and not the one which you as an administrator will reset on the account on the client machine manually


On the domain controller, lets open the LAPS Management UI



Enter the Client Machine Name


And it will display the Password and the Expiration Time


Click on Set and it will Reset the Password. Note that the expiration date has now changed


To confirm, the new password has now been populated in active directory in that machine account


Lets do some testing with the custom "Admin" account present on the client machine


Lets configure the policy "Name of administrator account to manage" and add "Admin" account name in that setting



Note that the password is still the old one which was associated with the default "Administrator" account


Even if we disable the administrator account, the same password cannot be used



We have to generate a new password which would then be assigned to the new custom administrator account "Admin"

Also an important point to note here is that if we have the built in administrator account and a custom account with no setting for the custom account defined then the generated password will be assigned to the default administrator account. Howe ever, if we have a custom admin account and the same account is mentioned in the group policy setting as well, then that account will get the generated password even if the default administrator account is enabled on the client machine



Earlier we had created a "Reset" account which had the permission to reset the password

Now we have created another account "NoReset" which doesn't have the reset permission


Lets logon to the client machine as the "NoReset" account and try to reset the password


"Failed to Request Password Reset"


Lets logon to the client machine as the "Reset" account and try to reset the password

"Password Reset Request was Successful"


But did you notice something in the above window. Even though the Reset account was able to reset the password, however the account was unable to read the password. the password attribute in the Management UI was empty. This is because the Reset account only had the Reset permission and not the Read permission

Now lets give Read permission to the Reset Account

Set-AdmPwdReadPasswordPermission -OrgUnit "OU=LAPS Lab,DC=ADShotGyan,DC=com" -AllowedPricipals "ADShotGyan\Reset"



Now the Reset Account is able to Reset and Read Password