Microsoft LAPS - Local Administrator Password Solution | An Introduction

What is LAPS - Local Administrator Password Solution?

Domain-joined computers are usually built from the same image, so the local Administrator account carries the same password on every machine. Managing that password is awkward, and worse, a single compromised password, or just its NTLM hash, lets an attacker authenticate to every other machine through a Pass-the-Hash credential replay attack. Microsoft's Local Administrator Password Solution (LAPS) was designed to address this problem.
 
At its core, LAPS is a password manager for the local Administrator account: it gives every managed computer a unique, randomly generated password, rotates it on a schedule, and stores it in Active Directory. Because no two machines share a password, a credential stolen from one machine cannot be replayed to take over the others.
 
Since its release, LAPS has reduced the risk of lateral movement and simplified local account password management, and it is one of Microsoft's recommended defenses against Pass-the-Hash and related credential-theft attacks.
 
LAPS stores each computer's current local administrator password on the computer object in Active Directory (in the confidential attribute ms-Mcs-AdmPwd, with the next rotation time in ms-Mcs-AdmPwdExpirationTime), and access to it is controlled by the ACL on that attribute. Domain administrators can delegate read (and reset) rights to specific groups such as helpdesk staff, which keeps password handling both secure and simple. The practical caveat is that any principal already holding "All extended rights" on an OU can read the passwords stored there even though it was never granted LAPS access explicitly, so delegations should be audited after deployment.
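The delegation and audit steps described above, as an added example that is not code from the original article or from Microsoft's LAPS documentation. It assumes the legacy LAPS management tools (the AdmPwd.PS module) and the ActiveDirectory RSAT module are installed and that you run it as a domain administrator; the OU path, group name, computer name and allow-list of expected right holders are placeholders.

```powershell
# Added example: delegate LAPS read/reset rights to one group, then audit who can
# actually read the passwords under the OU. Names below are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou       = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$helpdesk = 'CORP\Helpdesk-LAPS-Readers'           # placeholder group

# 1. Allow the computers in this OU to write their own password and expiration time.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Grant read and reset rights on the OU to the helpdesk group only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $helpdesk
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $helpdesk

# 3. The check: list every principal that holds extended rights (and so can read
#    ms-Mcs-AdmPwd) on the OU and on each computer object, and flag the ones that
#    are not on the expected list. Legacy "All extended rights" delegations to
#    helpdesk or server-team groups are the usual surprise here.
$expected = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', $helpdesk)   # placeholder allow-list
Find-AdmPwdExtendedRights -OrgUnit $ou -IncludeComputers | ForEach-Object {
    $dn = $_.ObjectDN
    foreach ($holder in $_.ExtendedRightHolders) {
        if ($expected -notcontains $holder) {
            [pscustomobject]@{ ObjectDN = $dn; UnexpectedHolder = $holder }
        }
    }
}

# 4. Retrieve one machine's password the way a delegated helpdesk user would.
Get-AdmPwdPassword -ComputerName 'WKS-0001' |            # placeholder computer
    Select-Object ComputerName, Password, ExpirationTimestamp
```

Step 3 is the one to repeat after every change to OU delegation: anything it reports should either be removed with the Active Directory delegation tools or consciously added to the allow-list, because every holder it lists can read every LAPS password under that OU.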

Shortcomings of Microsoft Local Administrator Password Solution 

The major pitfall of LAPS is that it requires extending the AD schema. Organizations are generally reluctant to change their schema unless it is strictly necessary. Beyond that, the main drawbacks of LAPS are: 
  1. It manages a single local account per machine (the built-in Administrator account, or one other local account named in policy) on domain-joined Windows machines. It does not manage local service accounts.
  2. It works only on Windows. There is no support for UNIX, Linux or macOS accounts.
  3. It provides no workflow management or reporting; answering "which machines are covered, and which have stale passwords" takes custom queries against Active Directory.
  4. It requires the LAPS Group Policy client-side extension (a DLL) to be installed on every managed system. 
Organizations that face a high risk of lateral movement and Pass-the-Hash attacks should deploy LAPS. It is a good starting point for administrators who need a way to rotate the local Administrator password on every domain-joined machine. 
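Drawback 3 above (no built-in reporting) is usually worked around with a query like the following. It is an added example, not code from the original article or from Microsoft; it assumes the ActiveDirectory RSAT module and a placeholder search base. It reads only ms-Mcs-AdmPwdExpirationTime, which is not a confidential attribute, so it needs no right to read the passwords themselves.

```powershell
# Added example: LAPS coverage and rotation report for one OU.
# Classifies every enabled computer as NotManaged (no expiration time written yet,
# so the LAPS client-side extension has never run), Overdue (expiration time in the
# past, so the client has not rotated on schedule) or Current.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$now = [DateTime]::UtcNow

# Convert a Windows FILETIME stored in AD (100 ns ticks since 1601, UTC) to a DateTime.
function ConvertFrom-AdFileTime([int64]$Ticks) {
    if ($Ticks -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($Ticks)
}

$report = Get-ADComputer -SearchBase $searchBase -Filter 'enabled -eq $true' `
              -Properties 'ms-Mcs-AdmPwdExpirationTime', lastLogonTimestamp |
    ForEach-Object {
        $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'   # $null when LAPS has never run here
        $expires = if ($raw) { ConvertFrom-AdFileTime $raw } else { $null }
        $state   = if (-not $expires)        { 'NotManaged' }
                   elseif ($expires -lt $now) { 'Overdue' }
                   else                       { 'Current' }
        [pscustomobject]@{
            Computer  = $_.Name
            State     = $state
            Expires   = $expires
            LastLogon = if ($_.lastLogonTimestamp) { ConvertFrom-AdFileTime $_.lastLogonTimestamp } else { $null }
        }
    }

# Summary, then the machines that need attention.
$report | Group-Object State | Select-Object Name, Count
$report | Where-Object State -ne 'Current' |
    Sort-Object State, Computer | Format-Table -AutoSize
```

Read Overdue together with LastLogon: a machine that has not logged on to the domain for weeks is simply offline and will rotate the next time Group Policy runs, whereas a recently active machine that is overdue points at a client-side extension or permission problem (see Set-AdmPwdComputerSelfPermission). Note that because the expiration attribute is readable by any authenticated user, an attacker can run the same query to find the NotManaged machines, which is one more reason to drive that count to zero.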