What is LAPS - Local Administrator Password Solution?
Local administrator accounts can log on to computers in the network without domain credentials. This makes password management tricky and greatly increases the risk of a Pass-the-Hash credential replay attack. Microsoft aims to tackle this problem with the Local Administrator Password Solution (LAPS).
At its core, LAPS is a password manager that rotates the passwords of privileged accounts, such as the built-in local administrator, and forces every local Administrator account to have a unique password. An attacker who obtains one compromised credential therefore cannot reuse it to move laterally and take over other machines.
Since its announcement, Microsoft LAPS has mitigated the risk of lateral movement and escalation attacks and has simplified password management, helping customers implement recommended defenses against cyberattacks.
LAPS stores the password for each computer's local administrator account securely in Active Directory, where access is restricted to authorized users by ACLs. Domain administrators can therefore grant helpdesk administrators read access to these passwords, making password management both more secure and easier.
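The delegation model described above, as an added example that is not from the original article: it uses the cmdlets of the AdmPwd.PS module that ships with Microsoft LAPS, and the OU distinguished name, group name and computer name are assumed placeholders.

```powershell
# Added example (not from the original article). Uses the AdmPwd.PS module
# that ships with Microsoft LAPS; OU, group and computer names are placeholders.
Import-Module AdmPwd.PS

# Assumed values: adjust to your directory.
$ou       = "OU=Workstations,DC=example,DC=com"
$helpdesk = "EXAMPLE\Helpdesk-Tier1"

# 1. Allow the computers in the OU to write their own rotated password and
#    expiration time into ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Delegate read access to the stored passwords to the helpdesk group only.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $helpdesk

# 3. Audit: list every principal holding "All extended rights" on the OU.
#    Such principals can read the confidential password attribute regardless
#    of the explicit delegation above, so unexpected entries are a finding.
Find-AdmPwdExtendedRights -Identity $ou |
    ForEach-Object {
        [PSCustomObject]@{
            ObjectDN = $_.ObjectDN
            Holders  = ($_.ExtendedRightHolders -join ', ')
        }
    } | Format-Table -AutoSize

# 4. Retrieve a password as an authorized helpdesk user, then mark it expired
#    so it is rotated on the next Group Policy refresh and stays short-lived.
$entry = Get-AdmPwdPassword -ComputerName "WS-0001"
"Password for $($entry.ComputerName) expires $($entry.ExpirationTimestamp)"
Reset-AdmPwdPassword -ComputerName "WS-0001"
```

Run step 3 periodically: the list of extended-rights holders is what actually bounds who can read local administrator passwords, not the helpdesk delegation alone.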
Shortcomings of Microsoft Local Administrator Password Solution
The major pitfall of LAPS is the need to update the AD schema. Organizations are generally reluctant to modify their schema unless it is necessary. Besides this, the main drawbacks of LAPS are the following:
- Supports only the local administrator account on domain-joined machines; no support for local service accounts.
- Works only on Windows machines; no support for UNIX, Linux, or macOS accounts.
- No provision for workflow management and reporting.
- Requires an agent extension to be installed on all managed systems.
Organizations should use LAPS when the threat of lateral movement and pass-the-hash attacks is very high. LAPS is a good starting point for administrators looking for a way to rotate the passwords of local Administrator accounts.