What is LAPS in Active Directory?
The term LAPS stands for Local Administrator Password Solution. LAPS acts as a password manager for Active Directory: it ensures that every local administrator account has a unique, complex password and rotates those passwords on a regular basis. Because no local administrator password is reused across machines, LAPS is highly effective at preventing lateral movement by an adversary.
How LAPS works
To get started with LAPS in Active Directory, the following has to be accomplished:
- AdmPwd GPO Extension running on all target computers
- Active Directory schema extended with two fields: ms-MCS-AdmPwd and ms-MCS-AdmPwdExpirationTime
The AdmPwd GPO extension is a Client Side Extension (CSE) that has to be running on the target computers for LAPS to function. It consists of a single DLL (admpwd.dll) that checks whether the local administrator password has expired. If it has, admpwd.dll generates a new password, sets it on the local account and stores it in Active Directory.
To finish the LAPS configuration, the Active Directory schema has to be extended with two attributes: ms-MCS-AdmPwd and ms-MCS-AdmPwdExpirationTime (the first holds the password itself, the second its expiration time). Microsoft provides a PowerShell module to perform this schema extension. Once the schema is extended, the LAPS settings are pushed through Group Policy to all member servers and workstations in scope.
The password and timestamp are stored in cleartext in Active Directory, but they are protected by an ACL (Access Control List) and are encrypted by Kerberos when transmitted over the network. The ACL protection, however, can be a weak spot: a misconfiguration may allow regular users to read LAPS passwords. Attackers can enumerate which users hold such permissions and abuse them to read the local administrator passwords.
So how are these permissions set correctly? Microsoft provides several PowerShell cmdlets to review which accounts have permission to read the password attribute. The "All extended rights" permission is especially risky, because any user or group holding it can read every local administrator password in cleartext.
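The following PowerShell audit is an added example, not code from the original article. It assumes the AdmPwd.PS module shipped with LAPS and the ActiveDirectory RSAT module are installed, that the account running it can read AD ACLs, and that the group name `CONTOSO\LAPS-Password-Readers` is a placeholder for your own approved reader group.

```powershell
# Added example: find principals that hold "All extended rights" on OUs,
# which lets them read ms-Mcs-AdmPwd, and flag any not on an approved list.
Import-Module AdmPwd.PS          # ships with the LAPS installer
Import-Module ActiveDirectory    # RSAT module, needed for Get-ADOrganizationalUnit

# Assumption: only these principals are expected to read LAPS passwords.
# Replace with the groups approved in your environment.
$ExpectedReaders = @('CONTOSO\LAPS-Password-Readers', 'CONTOSO\Domain Admins')

# Microsoft's cmdlet returns, per OU, the principals with extended rights on it.
# Computer objects are excluded by default (each computer's SELF always has them).
$Findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName |
        ForEach-Object {
            $objectDN = $_.ObjectDN
            foreach ($holder in $_.ExtendedRightHolders) {
                # Anything outside the approved list can read local admin passwords.
                if ($ExpectedReaders -notcontains $holder) {
                    [pscustomobject]@{ OU = $objectDN; UnexpectedHolder = $holder }
                }
            }
        }
}

if ($Findings) {
    Write-Warning "Principals with unexpected rights to read LAPS passwords:"
    $Findings | Format-Table -AutoSize
} else {
    Write-Host "No unexpected extended-rights holders found."
}

# Remediation, once the audit is reviewed:
#  - remove the offending "All extended rights" ACEs (ADSI Edit or dsacls;
#    there is no LAPS cmdlet for removal), then
#  - grant read access only to the approved group, per OU:
#      Set-AdmPwdReadPasswordPermission -Identity 'OU=Workstations,DC=contoso,DC=com' `
#          -AllowedPrincipals 'CONTOSO\LAPS-Password-Readers'
```

Run the audit again after remediation; the approved list should then be the only output, and it is worth scheduling the script so that new delegations on OUs are caught as they appear.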
To conclude, implementing LAPS in an Active Directory environment greatly reduces the risk of lateral movement and privilege escalation. However, if it is not configured correctly, it does the exact opposite and allows attackers to spread through your environment more easily.