Microsoft LAPS Tool Tackles Common Local Admin Password Problem

Experts are concerned that Microsoft’s new Local Administrator Password Solution only partially addresses the problem of identical passwords on computers in a domain.

Microsoft’s release last week of the Local Administrator Password Solution (LAPS) takes some steps to address an old question of what to do with local admin passwords, but doesn’t provide a complete answer, experts said.

Windows admins have long used a common local account with the same password on computers in the same domain. This provides attackers with a single point of failure to target; one password affords access to every machine. What the LAPS tool does is set a random password for the common local admin account on machines in the same domain, Microsoft said.

“Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords,” Microsoft said in an advisory published on Friday.

The availability of LAPS is a big deal for enterprises, for example, that built homegrown solutions that presented some implementation and/or support challenges that frustrated enterprises. Companies that set common passwords do so in the name of efficiency and ease of manageability, which in this case works against any security in place by creating a domain filled with PCs with the same admin password.

“What to do with all those local admin passwords has always been source of frustration for IT ops teams,” said Andrew Storms, vice president of security services for New Context. “What’s ironic for companies that manage many Windows computers is those that have spent the time and resources to create an automated build system where all the end user computers are identical are also the ones at the most risk.”

An attacker who managed to steal the common password could pull off dangerous attacks in the context of the domain administrators, including Pass-the-Hash credential replay attacks. In these attacks, if a hacker can gain access to the local admin password hash, he can use that rather than a plaintext password to gain access to services. This can allow an attacker to elevate privileges and, in this case, access any computer on a domain.

“LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks,” Microsoft said. “In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers.”

While the LAPS solution is considered past due from Microsoft, it will help enterprises automate their management of local admin passwords.

“The typical methods today of storing all those passwords in a spreadsheet or setting them all to the same single password is simply unmanageable from both an operational and security standpoint,” Storms said.

Microsoft said LAPS now stores the random password for each machine’s local administrator account in Active Directory. The passwords are kept in a “confidential attribute” in the PC’s Active Directory object.

“The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators,” Microsoft said. “The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution’s management tools provide easy configuration and administration.”

By storing passwords in AD, has Microsoft merely created a different appealing target?

“While the solution looks promising, it also appears to simply move the problem and not necessarily solve it completely,” Storms said. “Microsoft is now storing the passwords in Active Directory. This means that if the attacker gets into Active Directory, then they have access to the entire kit and caboodle.”

Suggested articles

Discussion

  • Anon on

    If a person gets to Active Directory, they already have the entire kit and caboodle - and they already had a compromised domain admin level account to do it. By moving the passwords to AD, Microsoft is making the assumption that you should already be protecting the "Keys to the Kindgdom" as outlined in their Pass the Hash whitepaper and best practices for securing AD and knowing that a compromised domain admin level account means total compromise (and potentially a Golden Ticket.) This is a good part of the solution and I think they are advertising it as such.
  • Tim on

    I disagree with the premise that this change simply moves the problem into AD, and makes AD a more appealing target. AD has always been an appealing target, and has always held privileged credentials - LAPS doesn't make AD any better or worse. What it does do, though, is close a credential sore that has plagued IT for years. Bravo, Microsoft!
  • Jason on

    The solution deserves further credit for improving the security against former internal employees. By automating the process to change those passwords periodically and each computer being unique, this will improve security from former employees knowing that shared common password.
  • Aaron Margosis (Microsoft) on

    "Anon" has it exactly correct. To read the password, you're either a domain admin or someone that the domain admins explicitly granted access.
  • Anonymous on

    Agree with Anon. If they get to AD, the attacker has better things to work with than the local password for computers .. Domain Admins, Enterprise Admins, Golden Ticket, Delegation rights to all servers and data ...
  • JohnBison on

    Solves the security issue, but sucks for desktop support who needs to access AD for the password before working on a users computer. Imagine going desk to desk to check updates or other routine tasks--you would have to make a list in advance or call back to someone for the password in AD. No doubt it will be long and complex, and will be painful to type in...I guess still easier to make your folks domain admins during such maintenance...
    • Anon on

      @JohnBison You're doing it wrong. Desktop support users should be logging on with AD accounts that have been delegated as local administrators to those workstations via GPO.
    • Chris on

      What's your point? You can add domain users to local admins group?
  • Jeremie on

    This is simply closing one gap in a huge problem. All it takes is one domain admin that forgets to log off a box and their valid hash is captured. Windows authentication is child's play with the canned products out there today for bypassing security. It is a solid move by MS however on a long standing vulnerability.
  • Paul on

    Praetorian did a technical review of Microsoft's Local Administrator Password Solution (LAPS) and found that it does not eliminate the ability to Pass-the-Hash, rather it reduces the impact of PtH by making each local administrator password (and therefore hash) unique. With that said, it does effectively helps limit the “blast radius” after a single machine is compromised. Once an attacker gains access to a client workstation, they can no longer access every other workstation in the environment through the shared local admin account. http://www.praetorian.com/blog/microsofts-local-administrator-password-solution-laps
  • Sammy B. on

    I do have one concern with this whole "solution". In my scenario, I'm going to assume that everything is configured correctly. The problem I see is that is still data sensitive data at rest. Let’s say I have an attacker inside my network and in the recon stage. I can wait until I get a user with appropriate creds to log on to the box and now I have local admin creds to every box in the domain (or probably at minimum, desktops). With those creds, I can now move laterally through a network with the local creds to every box until I find my domain admin. More than likely, this will not be logged by the DC in any way or reviewed. Second, this also doesn't address non-standard accounts. If memory serves me right, you cannot delete non-standard local accounts off a desktop unless you know the name off the account (via GPP). As an attacker, once I get the one legit local admin, I can then create a new account on the system that no one knows about and have that as my persistence to the box. Rinse and repeat once I get creds to move through the network. Now, in theory, this can be detected by a bunch of security systems in the market, but those systems are not cheap. Depending on who you work for, IT most of the time does not get a very big budget to deploy things like Splunk, and Solar Winds, and Nessus, and security product X. IMHO, I think that the solution should have a combination of LAPS and other GPO settings. I believe that in a domain, users very rarely need access to the local account. Period. When troubleshooting a machine, GPOs should already set via the restricted groups settings which domain accounts have admin rights to the box. A binary or script can target all the local accounts on a box, and scramble the passwords. It can also delete non-standard accounts and/or report on them. The only time you need the local admin access is in one of two situation: 1) Remote or travelling users or 2) cannot connect to the box. For situation 1 you can either use the LAPS solution for those boxes or have the binary/script exclude a standard account that they know the password. For situation 2, use a recovery disc to get into the machine. Microsoft bought ERD commander and I don't know why they are not pushing this (maybe because it is a part of MDOP and you have to buy the whole thing. Program has been renamed to LockSmith). Outside of that, what good admin does not have a Linux live USB or some kind of cracking tool to access the local admin password? I am not saying you advertise the end user to do this but why not use a solution that is outside the Microsoft domain (no pun intended). *soapbox done, looking forward to see what people have to say*

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.