Last week, I mentioned the need to rotate local administrator passwords and for each of them to be unique. I realize that’s a whole lot of work to do manually, so don’t. I’m not saying don’t manage them — I’m saying don’t do it manually. This week, we’re going to take a look at local administrator accounts and how we can manage them in a simple, automated way. Let’s take a look at Microsoft Local Administrator Password Solution (MS LAPS).
Security is hard. We’ve all heard it, but that’s no excuse not to try! You may feel like you’re never going to make it to shore and that you’re simply treading water for eternity, trying not to drown. I’ve been there many times, and I found automation and tools to be my life preserver, helping me float instead of tread water. Automation and tools freed up some of my time, allowing me to make progress on other fronts and eventually make it to shore.
Managing local administrator accounts
Before we dive into MS LAPS, let’s discuss the dangers of local administrator passwords. Keep in mind that by default, the local administrator accounts do not lock out after any number of failed login attempts. This leaves them susceptible to brute force password attacks, and — believe me — they are prime targets! Think about all the servers on which you run publicly accessible services, such as websites, webmail, Citrix, and who knows what else. Local administrator account passwords need to be unique, and they need to be on some sort of rotation.
Reader meet MS LAPS, MS LAPS meet reader
MS LAPS takes care of this by providing management of local account passwords for domain-joined computers. MS LAPS allows for the computers themselves to generate their password and store it in Active Directory. This means if your password policy says passwords must be rotated every three months, this will be taken care of in an automated fashion by the computers themselves. No additional work on your part. Now, doesn’t that sound nice?
“Hold on,” you may be thinking, “this MS LAPS you speak of must be a beast to set up and get working, and I just don’t have time for that.”
Well, MS LAPS can be deployed in 15 minutes or less of actual work. There are three steps to deploying MS LAPS:
- Create a GPO to deploy the LAPS agent .msi package.
- Extend the Active Directory schema to support LAPS.
- Create a GPO with the LAPS settings.
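The three steps above as a PowerShell run-through, added here as an example and not taken from the post or its video. It uses the AdmPwd.PS module that ships with the LAPS installer and the GroupPolicy module from RSAT; the OU, group names, share path and GPO names are assumptions, as is the 90-day age that stands in for the "every three months" policy mentioned earlier.

```powershell
# Added example (not from the original post): the three LAPS deployment steps
# as PowerShell, using the AdmPwd.PS module (from the LAPS installer) and the
# GroupPolicy module (RSAT). Run on a domain-joined admin host as a Schema
# Admin (step 2) and as a user allowed to create and link GPOs (steps 1 and 3).
# Assumed values: the OU, group names, share path and GPO names below.

$Ou         = "OU=Workstations,DC=corp,DC=example"      # assumption
$ReadersGrp = "CORP\LAPS-Password-Readers"               # assumption
$ResetGrp   = "CORP\LAPS-Password-Resetters"             # assumption
$MsiShare   = "\\fileserver\software\LAPS\LAPS.x64.msi"  # assumption

Import-Module AdmPwd.PS
Import-Module GroupPolicy

# --- Step 1: GPO to deploy the LAPS agent (.msi) ---------------------------
# Software Installation has no cmdlet, so create the GPO here and then add the
# package under Computer Configuration > Policies > Software Settings in GPMC.
# The same package installs silently on a single test machine with:
#   msiexec.exe /i $MsiShare /quiet
$agentGpo = New-GPO -Name "LAPS - Deploy Agent" -Comment "Installs the LAPS client-side extension"
New-GPLink -Name $agentGpo.DisplayName -Target $Ou -LinkEnabled Yes | Out-Null

# --- Step 2: Extend the AD schema -----------------------------------------
# Adds ms-Mcs-AdmPwd (the password) and ms-Mcs-AdmPwdExpirationTime.
Update-AdmPwdADSchema

# Let computers in the OU write their own password and expiry attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $Ou

# Grant read (and, separately, reset) of stored passwords to specific groups
# only; Domain Admins can read regardless, everyone else is denied by default.
Set-AdmPwdReadPasswordPermission  -OrgUnit $Ou -AllowedPrincipals $ReadersGrp
Set-AdmPwdResetPasswordPermission -OrgUnit $Ou -AllowedPrincipals $ResetGrp

# --- Step 3: GPO with the LAPS settings -----------------------------------
$Key = "HKLM\Software\Policies\Microsoft Services\AdmPwd"
$settingsGpo = New-GPO -Name "LAPS - Settings" -Comment "Local admin password policy"
$g = @{ Name = $settingsGpo.DisplayName; Key = $Key }
Set-GPRegistryValue @g -ValueName "AdmPwdEnabled"      -Type DWord -Value 1  | Out-Null  # turn LAPS on
Set-GPRegistryValue @g -ValueName "PasswordComplexity" -Type DWord -Value 4  | Out-Null  # upper, lower, digits, specials
Set-GPRegistryValue @g -ValueName "PasswordLength"     -Type DWord -Value 20 | Out-Null
Set-GPRegistryValue @g -ValueName "PasswordAgeDays"    -Type DWord -Value 90 | Out-Null  # rotate every three months (assumption)
Set-GPRegistryValue @g -ValueName "PwdExpirationProtectionEnabled" -Type DWord -Value 1 | Out-Null
# AdminAccountName is left unset so the built-in administrator (RID 500) is
# managed; set it only if you manage a differently named local admin account.
New-GPLink -Name $settingsGpo.DisplayName -Target $Ou -LinkEnabled Yes | Out-Null

Write-Host "Deployment GPOs linked to $Ou. Clients apply them at the next Group Policy refresh."
```

Order matters: the self-permission and read permission (step 2) must exist before the settings GPO (step 3) applies, otherwise the client-side extension cannot write its first password into AD and logs an error until the ACL is in place.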
It’s that easy. Yes, you’ll need to wait for computers to update their GPOs and install the LAPS agent before they update their local administrator passwords, but that’s simply waiting time — not time you’re actually working on it. Once LAPS is deployed, you can retrieve the local administrator passwords via PowerShell or a nice little GUI app that Microsoft provides in the LAPS agent installer package. I’ve created a video showing you how to deploy MS LAPS from start to finish and how to retrieve the passwords; watch how to set up MS LAPS here.
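Retrieving a password is one line, but the checks a defender wants after rollout are which machines have not reported a password yet, which have gone stale, and who is actually allowed to read them. The following is an added example (not from the post) using the AdmPwd.PS and ActiveDirectory modules; the OU and computer name are assumptions.

```powershell
# Added example (not from the original post): retrieve a LAPS-managed password,
# force a rotation, check rollout coverage, and audit read rights for an OU.
# Assumed values: the OU and computer name below.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$Ou       = "OU=Workstations,DC=corp,DC=example"   # assumption
$Computer = "WS01"                                  # assumption

# 1. Retrieve one computer's current local administrator password. The value
#    is only returned to principals holding the read permission on the OU.
$entry = Get-AdmPwdPassword -ComputerName $Computer
"{0}: password expires {1:u}" -f $entry.ComputerName, $entry.ExpirationTimestamp
# $entry.Password holds the clear-text value: use it, never write it to a log.

# 2. After the password has been used (a support session, for instance),
#    expire it now instead of waiting for PasswordAgeDays to elapse. The
#    client rotates it on its next Group Policy refresh.
Reset-AdmPwdPassword -ComputerName $Computer

# 3. Rollout coverage: computers with no expiration time have never run the
#    LAPS client-side extension (GPO not applied yet, or agent not installed).
$pending = Get-ADComputer -Filter * -SearchBase $Ou -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
    Select-Object -ExpandProperty Name
"Computers without a LAPS password yet: $(@($pending).Count)"
$pending

# 4. Stale entries: an expiry in the past means the machine has not checked
#    in (offline, or the extension stopped running). The attribute is a
#    Windows FILETIME, so convert it before comparing.
Get-ADComputer -Filter * -SearchBase $Ou -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' } |
    ForEach-Object {
        $exp = [DateTime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
        if ($exp -lt (Get-Date).ToUniversalTime()) { "{0} overdue since {1:u}" -f $_.Name, $exp }
    }

# 5. Audit: which principals hold the extended right that exposes ms-Mcs-AdmPwd?
#    Anything beyond the groups you deliberately granted is a finding; old
#    "All extended rights" delegations on an OU quietly include this attribute.
Find-AdmPwdExtendedRights -Identity $Ou |
    ForEach-Object { "{0}: {1}" -f $_.ObjectDN, ($_.ExtendedRightHolders -join ', ') }
```

Step 5 is worth running before the first password ever lands in AD: the password attribute is protected by the "All extended rights" permission, so any group that was delegated broad rights on the OU years ago can read every local administrator password the moment LAPS starts writing them.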
Work smarter, not harder
In the last few articles, we’ve talked about using vulnerability scanning to find the vulnerabilities in your infrastructure (which most of the time leads directly to patching), then dove into the importance of data backups, and then covered passwords and policies such as using MFA and proactively identifying compromised passwords to help secure your infrastructure.
One of my main goals of this year-long roadmap project is to make your life easier by showing you some tips and tricks to automate where possible so that you can float instead of continuously treading water. I hope you found this to be useful and would love to hear about your questions and successes, so please comment below and let us know what’s going on in your world!