What is Microsoft LAPS?

The Microsoft “Local Administrator Password Solution” (LAPS for short) was released on May 1, 2015. Microsoft LAPS provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. These passwords are centrally stored in Active Directory and restricted to authorized users (such as helpdesk administrators) using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.

If the local administrator account on a single computer is compromised, it can be used to gain administrative access to all computers on the domain, exposing an effective attack vector. In large environments, the complexity of managing passwords can lead to poor security practices and increase the risk of a Pass-the-Hash (PtH) credential replay attack.

LAPS simplifies password management while helping customers implement recommended defenses against cyber attacks. The solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers.

References:

The problem between Microsoft LAPS and Remote IT Support Solutions

Remote IT Management and IT Remote Access Software require privileged access on remote computers to perform their tasks. This can become an issue within an environment under Microsoft LAPS policy since the local administrator’s password of remote systems is not predefined.

To gain elevated access to a remote computer, the Microsoft LAPS UI tool must be used to query the temporary password for that system. Once the password is known, it must be configured within the IT Remote Support tool to continue. This must be done each time, as passwords are unique per computer and expire on a regular basis, making remote support very tedious.

The issue gets worst when global IT management tasks need to be performed, i.e., deploying software or patches to large groups of machines. The principal of global IT process automation is to configure once and execute multiple times. However, since no centralized authority can be used to gain elevated access on multiple endpoints, a global action cannot be performed unless the solution is Microsoft LAPS aware.

Goverlan Reach (v9.01.20 and later) introduces full support of Microsoft LAPS environments. Once LAPS support is enabled, Goverlan Reach transparently queries LAPS passwords in Active Directory when elevated access is required. Goverlan Reach also keeps track of password expiration dates and updates them accordingly. Goverlan Reach with LAPS support can also be used to perform global IT process automation on LAPS endpoints.

Using Goverlan Reach, preserve the convenience of an IT remote management and support solution while keeping your security compliance tight with MS-LAPS.

Goverlan Reach – LAPS Configuration

Enabling Microsoft LAPS Support

Before you can use Microsoft LAPS in Goverlan Reach, you must enable it. You can do this in Goverlan Settings:

Click on the Application button on the top right corner of the application and select General Settings
Select the Alternate Credentials category
Check the Enable Microsoft LAPS Support option and click on OK or Apply

Enable Microsoft LAPS in Goverlan Reach Settings

Once you have enabled Microsoft LAPS support in Goverlan Reach, you will be able to configure LAPS authentication for all machines that belong to an Active Directory domain, or use LAPS passwords on a per-machine basis. You will also be able to inject a LAPS password within a remote-control session to login to the system.

Configuring Microsoft LAPS Authentication at the AD Domain Level

This Set-and-Forget method allows you to specify Microsoft LAPS enablement for an entire Active Directory domain. Once you have done so, Goverlan Reach automatically uses the LAPS system to query and apply the local administrator’s password to authenticate against all remote machines that belong to that domain.

Domain-wide LAPS authentication is required if you plan on using the Goverlan Reach IT Global Automation features. For instance, if you need to deploy software on your LAPS enabled machines.

To configure domain-wide LAPS authentication:

Click on the Application button on the top left corner and select Credentials Manager
Click on the Add button, and select the Active Directory target type.
Specify the domain FQDN in the Target Name field (or click on the search button to manually select it), then click on Next

Microsoft LAPS Domain — Select the AD Domain with LAPS enabled endpoints.

The following options allow you to configure the authentication type to connect to Active Directory itself (Domain Account Management) and to connect to the machines that belong to that domain.Below are different LAPS configurations that are available:

Use the Goverlan operator’s account to query Active Directory and perform account management. Use Microsoft LAPS to authenticate against computers that belong to the domain	Use the specified account to query Active Directory and perform account management. Use Microsoft LAPS to authenticate against computers that belong to the domain
Reach Operator account for AD management. Microsoft LAPS for Local Machine management.	Use a specified account for AD Management and use Microsoft LAPS for machine management.

If appropriate, modify the local administrator’s account name to use with LAPS, then click on OK.
NOTE: It is not possible to configure more than one local administrator’s account name per domain. Different local admin account names or multi-lingual machines are not supported.

Credential Manager with Microsoft LAPS — Microsoft LAPS configured credential in Goverlan Reach Credential Manager

Once configured, Goverlan automatically queries the LAPS password of a domain machine in AD and uses it with the specified local administrator’s account to authenticate on the remote systems.

What if my LAPS Policy is not configured Domain-Wide?

The Microsoft LAPS policy may be assigned to specific OUs versus the domain level. In such cases, a LAPS authentication may fail for systems that are not under the LAPS policy.

Goverlan does not allow the configuration of LAPS based credentials on a per-OU basis, however, if a LAPS password cannot be queried for a computer object, or if the LAPS password is empty, Goverlan automatically falls back to standard authentication methods (either configured in the Credentials Manager or the operator’s credentials).

Consequently, the process of authenticating to a non-LAPS system within a LAPS enabled Active Directory domain will be transparent, except for a warning message in the Goverlan Console window:

Microsoft LAPS warnings in Goverlan Reach Console

If Goverlan keeps on prompting credentials for non-LAPS computers instead of falling back on standard authentication, make sure that the ms-Mcs-AdmPwd AD attribute for these computers is empty. If not, Goverlan will attempt to use that password and will fail.

Configuring Microsoft LAPS Authentication on a Per-System basis

You can also use Microsoft LAPS passwords on a per-system basis. When Goverlan prompts for the credentials of a domain joined computer, the password field will include a [use LAPS] button that queries the LAPS password in AD and populates the password field.

Use Microsoft LAPS Button — Use Microsoft LAPS button to query password.

This method populates the password field with the local administrator’s password value as defined in Active Directory. You must provide the correct value for the local administrator’s user ID in the user name field.

If you do not see the [use LAPS] button, make sure that:

Microsoft LAPS is enabled in your settings
The machine name for which credentials are prompted have a format from which domain information can be queried. For instance, an FQDN or UNC format (i.e.: DOMAIN\MachineName). If the machine name is a NetBIOS name or an IP address, Goverlan will not be able to determine the Active Directory domain for that machine and will not display the LAPS option.

Once LAPS based credentials are configured for a computer, they are remembered by Goverlan (unless you unchecked Save Credentials). Saved computer Microsoft LAPS credentials can be viewed in the Credential Manager:

Per Machine Microsoft LAPS credential entry — An Microsoft LAPS entry can be configured on a per machine basis.

What happens when a LAPS password expires?

Goverlan automatically manages LAPS password expiration events. When a computer LAPS password is saved in the credential manager, the current value of the password is reused as needed until its expiration date, at which time Active Directory is automatically queried for the updated value of the password.

If you manually reset the LAPS password or password expiration time stamp of your systems, the saved credentials in Goverlan may be out-of-sync. This will not be a problem, Goverlan will prompt you to update the credentials of any system for which it failed to authenticate. Simply update the password using LAPS.

LAPS support during a Remote-Control Session

During a remote-control session to a MS-LAPS enabled computer, you may need to login to the remote system using the local administrator’s account. Since Windows doesn’t allow clipboard operation in its password field, Goverlan allows you to inject the LAPS password as if you typed it physically.

To do so, set the cursor focus to the password field of the local administrator’s login on the remote machine, then click on the (Inject LAPS Password) control located at the top right corner of the viewing area:

Inject Microsoft LAPS password — Inject an Microsoft LAPS password into a remote control session.

NOTE: This option is only available if you open a remote-control session using credentials that are MS-LAPS based.

Goverlan Reach Introduces Microsoft LAPS Support