What is Microsoft LAPS?
The Microsoft "Local Administrator Password Solution" (LAPS for short) was released on May 1, 2015. Microsoft LAPS provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. These passwords are centrally stored in Active Directory and restricted to authorized users (such as helpdesk administrators) using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.
If the local administrator account on a single computer is compromised, it can be used to gain administrative access to all computers on the domain, exposing an effective attack vector. In large environments, the complexity of managing passwords can lead to poor security practices and increase the risk of a Pass-the-Hash (PtH) credential replay attack.
LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. The solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers.
Problems between MS LAPS and IT Remote Support Solutions
IT Remote Management and IT Remote Support solutions require privileged access on remote computers to perform their tasks. This can become an issue in an environment under MS LAPS policy since the local administrator’s password of remote systems is not predefined.
To gain elevated access to a remote computer, the MS LAPS UI tool must be used to query the temporary password for that system. Once the password is known, it must be configured within the IT Remote Support tool to continue. This must be done each time as passwords are unique per computer and expire on a regular basis, making remote support very tedious.
The issue worsens when global IT management tasks need to be performed, i.e., deploying software or patch to large groups of machines. The principal of global IT process automation is to configure once and execute multiple times. However, since no centralized authority can be used to gain elevated access on multiple endpoints, a global action cannot be performed unless the solution is MS LAPS aware.
Goverlan Reach fully supports Microsoft LAPS
Goverlan Reach fully supports MS LAPS environments allowing you the convenience of a powerful IT remote management solution, while preserving security compliance with MS-LAPS.
Once LAPS support is enabled in Goverlan Reach, LAPS related queries are transparently executed by Goverlan when elevated system access is required. The helpdesk engineer or system administrator no longer needs to manually query a computer password using the Microsoft Logon UI tool, resulting in a fluid and more productive remote management flow.
Using Goverlan Reach in a LAPS enabled environment, you will be able to: