Deploying Microsoft LAPS – Part 2

We recently covered preparing Active Directory and deploying the LAPS CSE/Client to the machines you wish to manage in part 1 of deploying Microsoft LAPS. Part 2 covers “Turning on” LAPS via Group Policy, the LAPS process and how it works once deployed.

Group Policy

On your LAPS management machine head to C:\Windows\PolicyDefinitions, where you will find AdmPwd.admx and AdmPwd.adml (under en-US). Copy these files into your Group Policy Central Store. If you do not have a Central Store (and do not wish to create one), you can launch the Group Policy Management Console directly from your management machine, or copy the ADMX/ADML to the Domain Controller where you will be editing the policy.

LAPS2-1

Create a new GPO and navigate to Computer configuration -> Policies -> Administrative Templates -> LAPS

LAPS2-2

Password Settings
This is where you’ll choose your password policy. The default is complex passwords, 14 chars and a password age of 30 days (machines will automatically change their password when this is met).

LAPSGPO-1


Name of administrator account to manage
In part 1 we deployed a custom local administrator account named LocalAdmin; this is the account I wish to manage. Leave this setting Not Configured to manage the default Administrator account instead (the account whose SID ends in -500).

LAPSGPO-2

Enable local admin password management
Enable this setting to turn LAPS on.

LAPSGPO-3

Do not allow password expiration time longer than required by policy
When you enable this setting, a planned password expiration longer than the password age dictated by the “Password Settings” policy is NOT allowed. When such an expiration is detected, the password is changed immediately and the password expiration is set according to policy.

LAPSGPO-4

Link the GPO to the OU with the computer objects you wish to manage with LAPS (and that you have deployed the LAPS client to).
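The same four settings can be applied and reviewed from PowerShell rather than the Group Policy editor. The script below is an added example, not part of the original post; it assumes the GroupPolicy RSAT module is present on the management machine, that the GPO name is a placeholder, and it writes the registry policy values that AdmPwd.admx defines (AdmPwdEnabled, PasswordComplexity, PasswordLength, PasswordAgeDays, AdminAccountName, PwdExpirationProtectionEnabled).

```powershell
# Added example (not from the original post): create and configure the LAPS GPO with the
# GroupPolicy module, link it to the managed OU, then read the values back for review.
# Assumptions: GroupPolicy RSAT module installed; GPO name is a placeholder; the OU is the
# one used in the post; the registry path/value names are those defined by AdmPwd.admx.
Import-Module GroupPolicy

$GpoName   = 'LAPS - Client Policy'                          # placeholder name
$TargetOu  = 'OU=SA Computers,DC=thesysadmins,DC=co,DC=uk'   # OU from the post
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'

# Create the GPO if it does not already exist
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Policy values, mirroring the four settings described above:
#  - Enable local admin password management        -> AdmPwdEnabled = 1
#  - Password Settings (complexity / length / age)  -> PasswordComplexity / PasswordLength / PasswordAgeDays
#  - Name of administrator account to manage        -> AdminAccountName (omit it to manage the -500 account)
#  - Do not allow expiration longer than policy     -> PwdExpirationProtectionEnabled = 1
$settings = @(
    @{ ValueName = 'AdmPwdEnabled';                  Type = 'DWord';  Value = 1 }
    @{ ValueName = 'PasswordComplexity';             Type = 'DWord';  Value = 4 }    # upper + lower + digits + specials
    @{ ValueName = 'PasswordLength';                 Type = 'DWord';  Value = 14 }
    @{ ValueName = 'PasswordAgeDays';                Type = 'DWord';  Value = 30 }
    @{ ValueName = 'AdminAccountName';               Type = 'String'; Value = 'LocalAdmin' }
    @{ ValueName = 'PwdExpirationProtectionEnabled'; Type = 'DWord';  Value = 1 }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $s.ValueName `
                        -Type $s.Type -Value $s.Value | Out-Null
}

# Link the GPO to the OU holding the computers the CSE was deployed to
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Read the settings back so the change can be reviewed before clients pick it up
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey |
    Select-Object ValueName, Type, Value |
    Format-Table -AutoSize
```

The read-back at the end is the useful part for change control: it shows exactly what a client will receive on its next gpupdate, and the same Get-GPRegistryValue call can be re-run later to detect drift in the policy.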

The LAPS process

  1. The machine with the LAPS CSE queries Group Policy and receives the LAPS policy settings defined above
  2. The machine reads ms-Mcs-AdmPwdExpirationTime; if it is not set, or has expired, it generates a new password, sets it locally and securely writes the value to the ms-Mcs-AdmPwd attribute in Active Directory
  3. The password is now set locally, stored in Active Directory and ready for use
  4. The LAPS CSE checks this value on each Group Policy update; when ms-Mcs-AdmPwdExpirationTime is reached, or the attribute is not set, it generates a new password again
  5. If the machine cannot contact Active Directory, no changes are made

Using LAPS

If you’ve followed all of the steps so far, the solution will now be fully deployed. There are various ways you can view the password set by LAPS. The most obvious choice, and probably what most people will default to using, is the LAPS UI, which is installed as part of the LAPS management tools.

1. LAPS UI – Simply run the UI, type the computer name and click search.

LAPS2-3

Note the Reset button. This allows you to manually manage when the password is re-generated for a given machine. If you want to expire the password immediately, click reset with the current date and time set. The next time the computer performs a gpupdate, it will check the ms-Mcs-AdmPwdExpirationTime attribute which will force it to re-generate a password (as it will have expired). You can also set it to a specific date and time if required.

2. Powershell – Get-AdmPwdPassword cmdlet

Import-Module AdmPwd.PS
Get-AdmPwdPassword Client01

LAPS2-4

3. Active Directory Users and Computers (DSA.MSC) – Make sure you have Advanced Features ticked on the View menu.

LAPS2-5

Note the expiry time is stored as NT system time (a 64-bit FILETIME value). To convert it to a readable format, use w32tm /ntte followed by the value, e.g. w32tm /ntte %ms-Mcs-AdmPwdExpirationTime%.
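For more than a handful of machines, the conversion above and the process described in “The LAPS process” are easier to check in bulk. The script below is an added example, not part of the original post: it walks an OU, converts ms-Mcs-AdmPwdExpirationTime from NT system time to a date, and flags computers whose password has never been stored (CSE not installed or policy not applied) or whose expiry has passed without a rotation. It assumes the ActiveDirectory RSAT module, uses the post’s OU as a placeholder, and never reads the password attribute itself.

```powershell
# Added example (not from the original post): audit LAPS rotation health for an OU.
# Assumptions: ActiveDirectory RSAT module available; OU below is a placeholder; the caller
# can read ms-Mcs-AdmPwdExpirationTime (it is not confidential, unlike ms-Mcs-AdmPwd).
Import-Module ActiveDirectory

$SearchBase = 'OU=SA Computers,DC=thesysadmins,DC=co,DC=uk'   # OU from the post
$GraceHours = 24   # how long past expiry before a not-yet-rotated password is treated as stale

function Convert-FromNtTime {
    # Same conversion as "w32tm /ntte", returned as a local [datetime]
    param([Nullable[long]]$FileTime)
    if (-not $FileTime) { return $null }
    return [DateTime]::FromFileTimeUtc($FileTime).ToLocalTime()
}

$now = Get-Date
$report = Get-ADComputer -SearchBase $SearchBase -Filter * `
              -Properties 'ms-Mcs-AdmPwdExpirationTime', PasswordLastSet |
    ForEach-Object {
        $raw    = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expiry = Convert-FromNtTime $raw

        # Classify: no data at all, expired and overdue, expired but inside the grace window, or fine
        $state = 'Ok'
        if (-not $raw) { $state = 'NoLapsData' }
        elseif ($expiry -lt $now.AddHours(-$GraceHours)) { $state = 'StaleExpired' }
        elseif ($expiry -lt $now) { $state = 'ExpiredPendingRotation' }

        [pscustomobject]@{
            Computer          = $_.Name
            Expires           = $expiry
            RawNtTime         = $raw
            MachinePwdLastSet = $_.PasswordLastSet   # hints whether the machine is still active at all
            State             = $state
        }
    }

$report | Sort-Object State, Computer | Format-Table -AutoSize
# One-line summary per state for a quick health view
$report | Group-Object State | Select-Object Name, Count
```

A machine in StaleExpired whose MachinePwdLastSet is recent is the interesting case: it is alive and talking to the domain but has not rotated its local administrator password, which usually means the CSE is missing or the GPO is not reaching it.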

LAPS2-6

If you’re looking at a Local Administrator Password solution, currently using GPPs to deploy Local Administrator accounts or simply want to increase the security of your machines LAPS is absolutely something you should look to implement. I hope you’ve found these posts helpful, and good luck!


Deploying Microsoft LAPS – Part 1

What is LAPS?

A lot of organisations will use the same local administrator password across all machines, which is a bad idea for a number of reasons. At a basic level, if this password is learnt, it allows anyone to install software as an administrator – at a higher level it facilitates things such as pass the hash, mimikatz and general reconnaissance against your machines (usually with the goal of elevating to Domain Admin).

If you currently deploy your Local Administrator account via Group Policy Preferences, it is even easier for an attacker to obtain the shared local administrator password. The CPASSWORD value is easily searchable in SYSVOL, and Microsoft publish the 32-byte AES key that decrypts it. Alan has a great post here on why you should stop using Group Policy Preferences for deploying Local Administrators.
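Before moving to LAPS it is worth knowing which GPOs still carry stored credentials. The script below is an added example, not part of the original post: it enumerates the Group Policy Preference XML files under SYSVOL and reports any that contain a cpassword attribute, so those preferences can be removed once LAPS is in place. It assumes it is run by a domain user on a domain-joined machine and reads the domain name from the environment; it decrypts nothing, it only reports where the value is present.

```powershell
# Added example (not from the original post): inventory GPP XML files in SYSVOL that still
# contain a cpassword attribute. Assumptions: domain-joined machine, $env:USERDNSDOMAIN set,
# read access to SYSVOL (which every domain user has by default).
$Domain = $env:USERDNSDOMAIN
$Sysvol = "\\$Domain\SYSVOL\$Domain\Policies"

# Preference files that can embed a credential
$PrefFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

$findings = Get-ChildItem -Path $Sysvol -Recurse -Include $PrefFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try { [xml]$xml = Get-Content -Path $file.FullName -Raw -ErrorAction Stop } catch { return }
        if (-not $xml) { return }

        # Any element carrying a non-empty cpassword attribute is a stored credential
        $xml.SelectNodes('//*[@cpassword]') | Where-Object { $_.cpassword } | ForEach-Object {
            [pscustomobject]@{
                GpoGuid     = ($file.FullName -split '\\Policies\\')[1].Split('\')[0]
                File        = $file.FullName
                Account     = $_.userName      # populated for Groups.xml; other files use different attribute names
                LastChanged = $file.LastWriteTime
            }
        }
    }

if ($findings) {
    $findings | Sort-Object GpoGuid | Format-Table -AutoSize
} else {
    'No cpassword values found under SYSVOL.'
}
```

The GpoGuid column can be resolved to a display name with Get-GPO -Guid from the GroupPolicy module; the LastChanged column is also useful, since a very old Groups.xml is often a forgotten preference that nobody realises is still applying.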

So what can we do?

LAPS – Local Administrator Password Solution! This is Microsoft’s solution to managing Local Administrator account passwords across an organisation. LAPS solution features include:

• Sets a unique, randomly generated password PER machine
• Automatically changes the Local Administrator password every x days
• Stores Local Administrator passwords as an attribute of the computer object in Active Directory
• The password is protected in AD by the AD ACL, so a granular security model can easily be implemented
• The password is protected in transit by Kerberos encryption

Deployment Steps

  1. Install LAPS onto the management machine
  2. Extend the schema and prepare Active Directory
  3. Deploy the LAPS client to the machines you wish to manage
  4. Configure Group Policy to enable LAPS and set the relevant policies

This post will cover steps 1, 2 and 3.

Management Machine

First off, we’re going to install the management portion of LAPS. Download LAPS here and next, next through the installation. On the custom setting page choose all of the management tools. The AdmPwd GPO Extension is required if the machine you’re installing the management portion on will also be managed by LAPS.

LAPS-1

Follow ‘Preparing Active Directory’ on the management machine.

Preparing Active Directory

1. Extending the Active Directory Schema

The Active Directory Schema needs to be extended to add two attributes to the computer class. These are ms-MCS-AdmPwd which stores the password in clear text, and ms-Mcs-AdmPwdExpirationTime which stores the password expiration time. You will need to be a member of the Schema Admins security group.

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

LAPS-2

2. Adding Machine Rights

You need to delegate the right for each computer object to write to its own ms-MCS-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=SA Computers,DC=thesysadmins,DC=co,DC=uk"

This sets the following permissions against all computer objects within the OU specified, including all child objects.

LAPS-4

This is what the Set-AdmPwdComputerSelfPermission cmdlet does behind the scenes on the computer objects’ ACL:

LAPS-Self1

LAPS-Self2

3. Check ExtendedRights permissions on OU

To get information on the groups and users able to read the password (ms-MCS-AdmPwd) for a specific Organizational Unit (OU), run the following.

Find-AdmPwdExtendedRights -Identity "OU=SA Computers,DC=thesysadmins,DC=co,DC=uk" | Format-Table ExtendedRightHolders

LAPS-5

4. Remove ExtendedRights permission on OU

If you need to remove the permission to view the password (ms-MCS-AdmPwd) for a group or user, carry out the following.

  1. Open ADSIEdit
  2. Right Click on the OU that contains the computer accounts that you are installing this solution on and select Properties
  3. Click the Security tab
  4. Click Advanced
  5. Select the Group(s) or User(s) that you don’t want to be able to read the password and then click Edit
  6. Uncheck All extended rights

LAPS-10-2

5. Delegate a Security group the rights to view and reset LAPS

Here I’m delegating the Security Group ‘LAPS’ the right to view the LAPS Password and to have the ability to reset the password (more on that in part 2). I’ve re-run the ExtendedRights cmdlet, and you can now see that the LAPS group has been added.

Set-AdmPwdReadPasswordPermission -OrgUnit "OU=SA Computers,DC=thesysadmins,DC=co,DC=uk" -AllowedPrincipals "LAPS"
Set-AdmPwdResetPasswordPermission -OrgUnit "OU=SA Computers,DC=thesysadmins,DC=co,DC=uk" -AllowedPrincipals "LAPS"

LAPS-6

This is what the Set-AdmPwdReadPasswordPermission and Set-AdmPwdResetPasswordPermission cmdlets do behind the scenes on the computer objects’ ACL:

LAPS-6.1

LAPS-6.2
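Find-AdmPwdExtendedRights only reports principals that hold “All extended rights”; it does not show who was granted the control-access right on ms-Mcs-AdmPwd specifically, nor whether the SELF write permissions from step 2 are in place. The script below is an added example, not part of the original post or the LAPS module: it reads the OU’s ACL through the AD: drive and lists every Allow ACE that grants the ability to read the password or to write either LAPS attribute. It assumes the ActiveDirectory RSAT module and uses the post’s OU as a placeholder.

```powershell
# Added example (not from the original post): review LAPS-relevant ACEs on an OU directly
# from the ACL. Assumptions: ActiveDirectory RSAT module (provides the AD: drive); the OU
# distinguished name is a placeholder.
Import-Module ActiveDirectory

$OuDn = 'OU=SA Computers,DC=thesysadmins,DC=co,DC=uk'   # OU from the post

# ACEs refer to attributes by schemaIDGUID, so resolve the GUIDs of the two LAPS attributes
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attrGuid = @{}
foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    $attrGuid[$name] = [guid]$obj.schemaIDGUID
}
$anyObject = [guid]::Empty   # an all-zero ObjectType means "all rights of that kind"

$R = [System.DirectoryServices.ActiveDirectoryRights]
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.Access | ForEach-Object {
    $ace    = $_
    $rights = $ace.ActiveDirectoryRights
    $grants = @()

    # ms-Mcs-AdmPwd is a confidential attribute: reading it needs the control-access (extended)
    # right on that attribute, or all extended rights, or full control. Plain ReadProperty is not enough.
    $hasExtended = ($rights -band $R::ExtendedRight) -ne 0
    $hasAll      = ($rights -band $R::GenericAll) -eq $R::GenericAll
    if ($hasAll)                                                          { $grants += 'FullControl (can read password)' }
    elseif ($hasExtended -and $ace.ObjectType -eq $attrGuid['ms-Mcs-AdmPwd']) { $grants += 'Read ms-Mcs-AdmPwd' }
    elseif ($hasExtended -and $ace.ObjectType -eq $anyObject)             { $grants += 'All extended rights (can read password)' }

    # The computer (SELF) needs WriteProperty on both attributes to store its own password
    $hasWrite = ($rights -band $R::WriteProperty) -ne 0
    if ($hasWrite -and $ace.ObjectType -eq $anyObject) { $grants += 'Write all properties' }
    foreach ($name in $attrGuid.Keys) {
        if ($hasWrite -and $ace.ObjectType -eq $attrGuid[$name]) { $grants += "Write $name" }
    }

    if ($grants.Count -gt 0 -and $ace.AccessControlType -eq 'Allow') {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference
            Grants    = ($grants -join '; ')
            Inherited = $ace.IsInherited
            AppliesTo = $ace.InheritanceType
        }
    }
} | Format-Table -AutoSize
```

Expect to see NT AUTHORITY\SELF with “Write ms-Mcs-AdmPwd; Write ms-Mcs-AdmPwdExpirationTime” after step 2, the LAPS group with “Read ms-Mcs-AdmPwd” after step 5, and whichever built-in groups hold full control or all extended rights on the OU. Anything else in the list is a principal that can read local administrator passwords and should be reviewed.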

Active Directory is now prepared!

Deploying LAPS

Deploying LAPS is very straightforward and can be done via Group Policy, SCCM, login script, manual install, etc. By default no management tools are installed, only the CSE required to manage the computer. Deploy the LAPS client to all machines that you wish to manage.

Examples:

Deploying LAPS to x64 machines

msiexec /q /i \\server\share\LAPS.x64.msi

Deploying LAPS to x86 machines

msiexec /q /i \\server\share\LAPS.x86.msi

Optional: deploying LAPS to x64 machines and creating a custom admin account “LocalAdmin” during setup

msiexec /q /i \\server\share\LAPS.x64.msi CUSTOMADMINNAME=LocalAdmin

Group Policy

LAPS-7

If you want to deploy a new custom Local Administrator account via Group Policy, the limitations of Software Installation mean you will need to use Orca or InstEd to generate an MST that passes the CUSTOMADMINNAME value. Edit the Property table and replace __null__ with the name of the Local Administrator you’d like to create.

LAPS-8

SCCM

LAPS-9

To confirm the installation has succeeded, confirm that C:\Program Files\LAPS\CSE\AdmPwd.dll is present.
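For the script-based deployment routes (login script, SCCM package, or a one-off run), the MSI selection, exit-code handling and the AdmPwd.dll check above can be combined into one step. The script below is an added example, not part of the original post; it assumes the \\server\share path is a placeholder and that it runs elevated on the client.

```powershell
# Added example (not from the original post): install the LAPS CSE with the MSI matching the
# OS architecture, keep a verbose install log, and verify the CSE DLL the post names.
# Assumptions: \\server\share is a placeholder; script runs elevated on the target machine.
$MsiShare = '\\server\share'                                   # placeholder
$Msi      = if ([Environment]::Is64BitOperatingSystem) { 'LAPS.x64.msi' } else { 'LAPS.x86.msi' }
$LogFile  = Join-Path $env:TEMP 'LAPS-install.log'
$CseDll   = 'C:\Program Files\LAPS\CSE\AdmPwd.dll'

# Optional: create the custom managed account at install time, as in the CUSTOMADMINNAME example above.
# Leave empty to manage the built-in Administrator account instead.
$CustomAdmin = 'LocalAdmin'

$msiArgs = @('/q', '/i', (Join-Path $MsiShare $Msi), "/l*v `"$LogFile`"")
if ($CustomAdmin) { $msiArgs += "CUSTOMADMINNAME=$CustomAdmin" }

$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success but a reboot is pending; anything else needs the log
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec returned $($proc.ExitCode); see $LogFile"
}

# Installation succeeded according to msiexec; confirm the CSE is actually on disk
if (Test-Path $CseDll) {
    $ver = (Get-Item $CseDll).VersionInfo.ProductVersion
    "LAPS CSE installed: $CseDll (version $ver)"
} else {
    throw "Install reported success but $CseDll is missing"
}
```

Reporting the file version alongside the path makes later audits simpler: a fleet-wide query for AdmPwd.dll versions shows both machines that never received the CSE and machines still running an older build.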

The bulk of the deployment has now been completed. In part 2 we will cover Group Policy which will essentially turn LAPS on, how to view passwords and some general discussion on the solution.

How to mount ISO in Windows Server 2012 and Windows Server 2012 R2

Windows Server 2012 and the Windows Server 2012 R2 Preview can mount ISO files without any third-party software.

1. On Windows Server 2012 or Windows Server 2012 R2 Preview, log in as Administrator.
2. Launch “Windows Explorer“ and navigate to the C drive.
3. Right-click the ISO file.
4. Click “Mount“.
Remark: We can also run “Mount-DiskImage -ImagePath <Image location>” to mount an ISO or VHD file.

To dismount the disk image, run “Dismount-DiskImage -ImagePath <Image location>”.