Announcing the Lithnet LAPS Web App
Microsoft's Local Administrator Password Solution (LAPS) is an important control against lateral movement: when every machine shares the same local administrator password, compromising one host hands an attacker a credential that works on all of them.
LAPS is a client-side extension deployed to each computer that generates a random local administrator password, rotates it on a schedule, and stores it in Active Directory on the computer object, where directory ACLs determine who is allowed to read it.
While the LAPS mechanism itself is robust and does exactly what it needs to do, the process of accessing the LAPS passwords, and auditing that access is not so straight forward.
Support staff out in the field may not have easy access to the tools required to retrieve those passwords. They need PowerShell (the AdmPwd.PS module), the LAPS UI client, or another directory tool such as Active Directory Users and Computers.
Auditing access to LAPS passwords is a bit of a nightmare. It requires configuring audit policies on domain controllers for directory object access, which is a very broad audit category and can be extremely noisy. You then need to find the LAPS events in that data set, filter them, and ship them off somewhere manageable.
To help address some of these 'client-side' issues, I'm releasing the Lithnet LAPS web app, a mobile-friendly, web-based interface for retrieving LAPS passwords.
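The audit set-up described above, as an added example that is not part of the original post or of the Lithnet tooling. It uses only Microsoft's AdmPwd.PS and ActiveDirectory modules plus auditpol, and is meant to be run on a domain controller with rights to modify SACLs and read the Security log; the OU name is a placeholder. The point of step 3 is that event 4662 names attributes by schemaIDGUID rather than by LDAP display name, so the GUID of ms-Mcs-AdmPwd is looked up from the schema instead of being hard-coded.

```powershell
# Added example (not from the original post): enable auditing of LAPS password reads
# and extract the resulting directory-access events with native tooling.
# Assumptions: AdmPwd.PS and ActiveDirectory modules are installed, the OU below is
# a placeholder, and this runs on a domain controller with appropriate rights.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$targetOu = 'OU=Workstations,DC=example,DC=com'   # placeholder OU

# 1. Put a SACL on the OU so that reads of ms-Mcs-AdmPwd by any principal are audited.
Set-AdmPwdAuditing -OrgUnit $targetOu -AuditedPrincipals 'Everyone'

# 2. The SACL only produces events if the DC audits directory object access.
#    Run on each DC, or set it via Group Policy on the Domain Controllers OU.
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# 3. Resolve the schemaIDGUID of ms-Mcs-AdmPwd; 4662 events reference attributes by GUID.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$attr       = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$admPwdGuid = (New-Object Guid (,[byte[]]$attr.schemaIDGUID)).ToString()

# 4. Pull 4662 ("An operation was performed on an object") from the last 24 hours and
#    keep only those whose Properties field references the LAPS password attribute.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['Properties'] -like "*$admPwdGuid*") {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Reader   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Computer = $data['ObjectName']   # DN of the computer object whose password was read
                Outcome  = if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Everything the filter discards in step 4 is the noise the post refers to: every other audited directory read on the DC lands in the same 4662 event ID, which is why a tool that logs LAPS reads as their own events is easier to feed into a SIEM.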
Web-based access to LAPS passwords
The LAPS web app provides a simple web-based and mobile-friendly interface for accessing local admin passwords. There's no need for admins to install custom software, or have access to AD administrative tools to access LAPS passwords. Simply provide the computer name, and if you have access, the password is shown.
Application administrators have the option of forcing the password to expire once it has been viewed, so that the LAPS client rotates it at its next policy refresh rather than leaving a disclosed password in service.
Audit success and failure logs
All success and failure events are logged to the Windows event log and to a file, from where they can be shipped to a SIEM for record keeping, analysis and reporting. Audit events can also be sent by email, with the notification configurable per target computer.
Fine grained authorisation
The web app supports authorising access to target passwords at a computer, group, or OU level. Permission can be granted to individual users and groups in the directory.
Rate limiting
The web app uses a dedicated service account to read LAPS passwords, so individual users do not need read access to the password attribute in the directory. This removes the ability of a compromised user account to bypass the app and bulk-read every LAPS password it is entitled to straight from Active Directory over LDAP. The web app imposes configurable rate limits on the number of times per minute, hour and day that each user and/or IP address can read a LAPS password.
Modern authentication options - protect your LAPS access with multi-factor authentication!
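The design above only holds if the directory ACLs actually match it. The following is an added check, not part of the web app or of the original post, that uses Microsoft's Find-AdmPwdExtendedRights to list every principal holding the right to read ms-Mcs-AdmPwd in each OU and flags anyone outside an expected allow list. The service account and group names are placeholders to adjust for your environment.

```powershell
# Added example (not part of the web app or the LAPS tooling): confirm that only the
# web app's service account and the expected admin groups can read LAPS passwords
# directly from Active Directory. Names in $allowedReaders are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$allowedReaders = @(
    'EXAMPLE\svc-lapsweb',      # placeholder: the web app's service account
    'EXAMPLE\Domain Admins',    # placeholder: break-glass administrators
    'NT AUTHORITY\SYSTEM'       # normally present by default on computer objects
)

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    # Each result lists the principals holding the extended right that grants
    # read access to ms-Mcs-AdmPwd for computers under this OU.
    $rights = Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName -ErrorAction SilentlyContinue
    foreach ($r in $rights) {
        foreach ($principal in $r.ExtendedRightHolders) {
            if ($allowedReaders -notcontains $principal) {
                [pscustomobject]@{ OU = $ou.DistinguishedName; UnexpectedReader = $principal }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No unexpected LAPS password readers found.' }
```

Any principal this reports is one that can read passwords without going through the web app, and therefore without its rate limits, audit trail or multi-factor authentication.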
The web app supports traditional Integrated Windows Authentication, as well as WS-Federation and OpenID Connect. This means you can leverage external identity providers such as ADFS, Azure AD and Okta, which let you strengthen access to the app by enforcing multi-factor authentication. There are step-by-step guides for setting up ADFS, Azure AD and Okta to get you up and running in no time.