Deploy and Configure Microsoft LAPS. Step by step guide and useful tips


Table of Contents
- Challenges today
- What is LAPS
- Emphasis and Tips
- How LAPS Work
  - Components
- Prepare, Deploy and Configure LAPS
  - Requirements
    - Active Directory
    - Windows OS Support (Client and Managed PC)
    - Management tools
    - Membership
  - Deploy
    - Install on Managed Server and Client
  - Configure LAPS settings in Active Directory
    - Update Active Directory Schema
  - Configure Group Policy to enable and set the relevant policies
  - Check Active Directory Schema and Extended Rights

Challenges today

Today credential theft is a major problem in the security landscape. Matching local administrator passwords across an environment often contribute to that problem and are a popular target for attackers. Far more than zero days or malware, credentials are what allow attackers to be successful in your network. Hackers, incident responders, and penetration testers know that valid credential reuse is one of the most common real-world vulnerabilities in today's networks; valid credential reuse dominates as the top vulnerability. Since Pass-the-Hash is such an integral part of hacker campaigns, internal penetration testing and real-world incidents, we are taking a first look at how this security advisory addresses the underlying issues with Pass-the-Hash and how it affects hackers of all sorts, both good and evil.

LAPS takes a different approach. LAPS does not eliminate the ability to Pass the Hash; rather, it reduces the impact of Pass-the-Hash by making each local administrator password unique. This effectively helps limit the attack after a single machine is compromised: once an attacker gains access to a client workstation, they can no longer access every other workstation in the environment through the shared local admin account.

LAPS is designed to run in a least-privilege model. There is no need to put a service account into Domain Admins to manage passwords; the password resets are done in the context of the computer/system. There is no additional server to install, and the passwords are stored in Active Directory. This has led to some interesting discussion on the Internet, with some saying that this makes AD a clear target. Active Directory has always been a clear target for attackers and has always held golden keys that would allow an attacker to take complete control of an infrastructure: Domain Admin level compromise, the Golden Ticket post-exploitation technique, etc. LAPS, just like many other security controls, should be part of a holistic solution.

Just taking care of local administrator passwords is a great step and a massive reduction in overall attack surface, but without the other mitigating controls in an environment it is true that attackers will still be able to gain a foothold and compromise your entire network. Randomizing local passwords is just one step in a security strategy, but it is a necessary step which is now easy and free with LAPS.

What is LAPS

The Local Administrator Password Solution provides centralized storage of secrets (passwords) in Active Directory without additional computers. Domain administrators determine which users, such as helpdesk admins, are authorized to read the passwords. For occasions when login is required without domain credentials, password management can become complex. LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. It mitigates the risk of lateral escalation that results when customers have the same administrative local account and password combination on many computers.

A lot of organizations use the same local administrator password across all machines, which is a bad idea for many reasons. At a basic level, if this password is learnt, it allows anyone to install software as an administrator; at a higher level it facilitates things such as pass the hash, Mimikatz and general reconnaissance against your machines (usually with the goal of elevating to Domain Admin). If you currently deploy your local administrator account via Group Policy Preferences, it is even easier for an attacker to obtain the shared local administrator password: the cpassword value is easily searchable in SYSVOL, and Microsoft published the 32-byte AES key which can be used to decrypt the cpassword.

So, what can we do? Local Administrator Password Solution! This is Microsoft's solution for managing local Administrator account passwords across an organization. LAPS features include:
- Sets a unique, randomly generated password per machine
- Automatically changes the local Administrator password
- Stores local Administrator passwords as an attribute in Active Directory
- The password is protected in AD
- A granular security model can be easily implemented
- The password is protected during transport via Kerberos encryption

Why use LAPS instead of other password managers or vaults? Other password managers typically require additional hardware, trusting a third party, or ad hoc practices. LAPS provides a streamlined approach to:
- Periodically randomizing local administrator passwords
- Ensuring the password update to AD succeeds before modifying the password locally
- Centrally storing secrets in existing infrastructure (Active Directory)
- Controlling access via AD ACL permissions
- Transmitting encrypted passwords from the client to AD

Emphasis and Tips

During the implementation it is important to pay attention to some points.

Delegation model and a workflow for using the passwords. If your OU structure is not laid out based on policy boundaries, or if you do not already have well-defined RBAC, this will be a challenge. Your workflow for accessing the passwords will dictate a lot of how you design the access. Do you plan to use the passwords sometimes? Do you want to block attackers?

LAPS only randomizes one local account password. By default, it randomizes the built-in admin account (the one with the 500 SID) and discovers it by its well-known SID. A different local account can be specified via GPO, but remember that it is then discovered by name. Embrace the 500 SID account: it is always there, it is always an admin, and LAPS will always find it and manage it. Local accounts are tricky to manage, and you need to manage them with a consistent local account principle. The strategy is to have one local administrator account: the built-in one!

Make LAPS part of your larger credential theft mitigation strategy. Implement the best-practice steps in the Pass the Hash documentation, use Restricted Groups to be authoritative on who is an admin, deny local accounts access over the network, and manage machines in a secure way.

Monitor local account creation. These are indicators of compromise, and the successful logon of the local administrator account is a far more accurate metric of danger than auditing access to the password in many organizations.

Monitor for lateral movement. Stopping lateral movement with stolen credentials and preventing the attacker from wandering unfettered around your network is the thing that would have made the incident responses I have been to this year less of an incident.

Reset password and technician side. Since ms-Mcs-AdmPwd only stores one password, some customers have expressed concerns about what this means for a system restored from backup. The supported scenario there would be to reset the password with a supported tool such as DaRT.

LAPS and password expiration. Setting a password expiration with a higher value than the LAPS policy allows causes a conflict, because LAPS will think you meant the other value.

Auditing. To audit LAPS you need to work with Windows Event Forwarding, which means that access must be tracked via AD attribute auditing and event 4662. That means a lot of events.
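One way to make those 4662 events usable, as an added example that is not part of the original guide: resolve the forest-specific schema GUID of ms-Mcs-AdmPwd and keep only the 4662 events that reference it, so each row is one password read by one principal. It assumes the ActiveDirectory module, that Directory Service Access auditing is enabled, and that a SACL on the computer objects audits reads of ms-Mcs-AdmPwd; the function and parameter names are my own.

```powershell
# Added example (not from the original guide): list 4662 events that reference the
# ms-Mcs-AdmPwd attribute, i.e. reads of a LAPS password. Assumes the ActiveDirectory
# module, Directory Service Access auditing, and a SACL on the computer objects that
# audits reads of ms-Mcs-AdmPwd (without the SACL no 4662 event is written at all).
Import-Module ActiveDirectory

function Get-AdmPwdAttributeGuid {
    # schemaIDGUID of ms-Mcs-AdmPwd is generated when the schema is extended, so it
    # differs per forest and has to be read from the schema partition, not hard-coded.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema; run Update-AdmPwdADSchema first.' }
    return ([guid]$attr.schemaIDGUID).Guid
}

function Get-AdmPwdReadEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,      # a DC, or the WEF collector
        [string]$LogName      = 'Security',             # 'ForwardedEvents' on a WEF collector
        [datetime]$StartTime  = (Get-Date).AddDays(-1)
    )
    $guid = Get-AdmPwdAttributeGuid
    $filter = @{ LogName = $LogName; Id = 4662; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named fields from the event XML instead of regex-parsing the message text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # 'Properties' lists the attribute GUIDs touched; keep only events that touched ms-Mcs-AdmPwd.
            if ($d.Properties -match [regex]::Escape($guid)) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Reader     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Object     = $d.ObjectName      # DN of the computer whose password was read
                    AccessMask = $d.AccessMask      # 0x100 = Control Access, the extended right that reveals the value
                }
            }
        }
}

# Usage: who read LAPS passwords in the last 24 hours, most active readers first.
Get-AdmPwdReadEvent | Group-Object Reader | Sort-Object Count -Descending | Select-Object Count, Name
```

Run it on a collector with the forwarded Security logs to get the whole domain in one view; an unexpected reader or an unusually high count is the thing worth investigating.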

Access LAPS and Settings

Access to the password is allowed via a control access right on the attribute. Control access is an extended right in Active Directory, which means that if an admin is granted extended permissions he will be able to view all passwords; therefore LAPS includes the Find-AdmPwdExtendedRights cmdlet to track who has those permissions.

LAPS and plain text: LAPS stores the password in plain text, so the LAPS attributes must be protected with stronger ACLs and access must be restricted from admins who do not need it.

How LAPS Work

The LAPS process:
1. The machine with LAPS queries Group Policy and receives the LAPS policy settings defined above.
2. The machine queries ms-Mcs-AdmPwdExpirationTime; if it is not set or has expired, it generates a new password, sets it locally and securely writes this value to the ms-Mcs-AdmPwd attribute in Active Directory.
3. The password is now set locally, stored in Active Directory and ready for use.
4. The LAPS CSE queries this value on each Group Policy update; when ms-Mcs-AdmPwdExpirationTime is met, or the attribute is not set, it generates a new password.
5. If the machine cannot contact Active Directory, no changes are made.

Components
- Agent: a Group Policy Client-Side Extension installed via MSI
  - Event logging
  - Random password generation, written from the client computer to the AD computer object
- PowerShell module
  - Solution configuration
- Active Directory: centralized control
  - Audit in the security log of the Domain Controller
  - Computer object and confidential attribute

The solution automatically manages the password of the 500 SID local administrator account on domain-joined computers, so the password must be:
- Unique on each managed computer
- Randomly generated
- Stored in the existing AD infrastructure

The solution is built upon the AD infrastructure, so there is no need to install and support other technologies.

The solution itself is a Group Policy Client-Side Extension that is installed on managed machines and performs all management tasks. Management tools delivered with the solution allow for easy configuration and administration. The core of the solution is the GPO Client-Side Extension, which performs the following tasks during a GPO update:
- Checks whether the password of the local Administrator account has expired or not
- Generates a new password when the old password has expired or is required to be changed
- Changes the password of the Administrator account
- Reports the password to Active Directory, storing it in a confidential attribute of the computer account
- The password can then be read from AD by users who are allowed to do so
- The password can be forced to change by eligible users

Prepare, Deploy and Configure LAPS

The first step is to check whether the environment is compatible with LAPS; the requirements are at the Active Directory level and the client level.

Requirements

Active Directory
- Forest functional level based on Windows Server 2003 and higher
- Domain functional level based on Windows Server 2003 and higher
- FSMO roles on Windows Server 2003 SP1 and higher
- Managed DCs based on Windows Server 2003 SP1 and higher
- An RODC installed in the environment must have the value of the attribute ms-Mcs-AdmPwd
- Itanium-based machines are not supported

Windows OS Support (Client and Managed PC)
- Windows Server 2016
- Windows Server 2012 R2 (Datacenter, Standard, Essentials, Foundation)
- Windows 8.1 (Enterprise, Pro)
- Windows Server 2012 (Datacenter, Standard, Essentials, Foundation)
- Windows 8 (Enterprise, Pro)
- Windows Server 2008 R2 Service Pack 1
- Windows 7 Service Pack 1
- Windows Server 2008 Service Pack 2
- Windows Vista Service Pack 2
- Microsoft Windows Server 2003 Service Pack 2
- Itanium is NOT supported

Management tools
- .NET Framework 4.0
- PowerShell 2.0 or above

Membership
The admin account that runs the schema update must be a member of Schema Admins.

Deploy

Now that we have prepared and have all requirements, we can continue to the next step: prepare Active Directory, configure policies, deploy the client and configure all other settings. LAPS deployment can be divided into a few steps:
1. Install LAPS on a management machine
2. Configure LAPS settings in Active Directory
3. Deploy the LAPS client to the machines you wish to manage
4. Configure Group Policy to enable and set the relevant policies
5. Configure post-deployment settings
6. Perform a simulated attack on a client PC

Install on Managed Server and Client

First, we need to download and install LAPS, which includes the PowerShell module and the Group Policy template, on the management PC or server. Download both the 64-bit and 32-bit versions from the Microsoft official site: Local Administrator Password Solution (LAPS).

Configure LAPS settings in Active Directory

Update Active Directory Schema

LAPS PowerShell commands: now that we have the relevant PowerShell module, we can update the schema in Active Directory from the AdmPwd module. First let's check that we have the relevant PowerShell commands with:

    Get-Command *admpwd*

and

    Get-Command *admpwd* | Get-Member

Now that we know what commands are available, we should update the schema so our computer account objects have the required attributes. Import the AdmPwd module with the following command:

    Import-Module AdmPwd.PS

Update Active Directory Schema

Update the Active Directory schema with the following command:

    Update-AdmPwdADSchema -Verbose

The AD schema extension includes a few changes:
- The admin account used to manage it must be a member of Schema Admins
- Active Directory is extended by two new attributes:
  - ms-Mcs-AdmPwd, which stores the password in clear text
  - ms-Mcs-AdmPwdExpirationTime, which stores the time to reset the password

Grant Permission to Objects

Grant computers the ability to update their password attribute using the Set-AdmPwdComputerSelfPermission command below:

    Set-AdmPwdComputerSelfPermission -OrgUnit "OU=AllComputers,DC=LAB,DC=Local"

Note: Set-AdmPwdComputerSelfPermission delegates rights that allow the computer object to write to the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.

Removing the extended rights

You must restrict the ability to view the password and remove the "All extended rights" permission from users and groups that are not allowed to read the value of the attribute ms-Mcs-AdmPwd.

Grant Permissions to Specific Admin group

To grant users permission to retrieve a computer's password, run the commands below:

    Set-AdmPwdReadPasswordPermission -OrgUnit "OU=AllComputers,DC=LAB,DC=Local" -AllowedPrincipals "Domain Admins"
    Set-AdmPwdResetPasswordPermission -OrgUnit "OU=AllComputers,DC=LAB,DC=Local" -AllowedPrincipals "Domain Admins"

Configure Group Policy to enable and set the relevant policies

Once we have prepared and set all configuration in Active Directory (objects and permissions), we need to prepare a LAPS policy with specific settings in Group Policy.

Password Settings
This is where you choose your password policy. The default is complex passwords, 14 characters and a password age of 30 days; machines will automatically change their password when this age is met.

Enable local admin password management
Enables management of the password for the local administrator account.

Do not allow password expiration time longer than required by policy
A planned password expiration longer than the password age dictated by the Password Settings policy is NOT allowed. When such an expiration is detected, the password is changed immediately, and the password expiration is set according to policy.

Check Active Directory Schema and Extended Rights

Quick report to see all of the accounts and groups with this permission:

    Get-ADOrganizationalUnit -Filter * | Find-AdmPwdExtendedRights -PipelineVariable OU |
        ForEach-Object { $_.ExtendedRightHolders | ForEach-Object { [pscustomobject]@{ OU = $OU.ObjectDN; Object = $_ } } }

Another way to look at the settings once configured is to run the following command:

    Get-AdmPwdPassword -ComputerName ESLAB-CL01 | Format-List

From ADUC we can check the computer object attributes.
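An added example, not part of the original guide, that turns the extended-rights report above and the expiration logic from the How LAPS Work section into two post-deployment checks: principals holding the ms-Mcs-AdmPwd extended right who are not on an allow-list, and managed computers whose ms-Mcs-AdmPwdExpirationTime is missing, expired, or further ahead than the Password Settings age permits. It assumes the AdmPwd.PS and ActiveDirectory modules; the OU DN, group names, 30-day age and function names are placeholders of mine.

```powershell
# Added example (not from the original guide). Two checks a LAPS admin runs after deployment:
# 1) which principals hold the extended right on ms-Mcs-AdmPwd per OU, flagging any not on an
#    allow-list, and 2) which managed computers have no expiration written (LAPS never applied),
#    an expired one, or one further ahead than the GPO password age allows.
# Assumes the AdmPwd.PS and ActiveDirectory modules; OU DN, group names and 30 days are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

function Find-UnexpectedAdmPwdReader {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        # Constructed allow-list: SYSTEM always appears; the rest are whoever you delegated with
        # Set-AdmPwdReadPasswordPermission / Set-AdmPwdResetPasswordPermission.
        [string[]]$AllowedHolders = @('NT AUTHORITY\SYSTEM', 'LAB\Domain Admins', 'LAB\Helpdesk-LAPS')
    )
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
        Find-AdmPwdExtendedRights |
        ForEach-Object {
            $ou = $_.ObjectDN
            foreach ($holder in $_.ExtendedRightHolders) {
                if ($AllowedHolders -notcontains $holder) {
                    [pscustomobject]@{ OU = $ou; UnexpectedHolder = $holder }
                }
            }
        }
}

function Get-AdmPwdExpirationState {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$MaxPasswordAgeDays = 30      # must match the Password Settings GPO value
    )
    $now   = Get-Date
    $limit = $now.AddDays($MaxPasswordAgeDays)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'          # stored as a Windows FILETIME (Int64)
            $exp = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw).ToLocalTime() } else { $null }
            $state = if (-not $exp) { 'NeverManaged' }          # CSE has never written the attribute
                     elseif ($exp -lt $now) { 'Expired' }       # CSE rotates on the next GPO refresh
                     elseif ($exp -gt $limit) { 'TooFarAhead' } # beyond policy; the GPO setting above resets it
                     else { 'Ok' }
            [pscustomobject]@{ Computer = $_.Name; Expires = $exp; State = $state }
        }
}

# Usage with the same placeholder OU the guide uses.
$ou = 'OU=AllComputers,DC=LAB,DC=Local'
Find-UnexpectedAdmPwdReader -SearchBase $ou | Format-Table -AutoSize
Get-AdmPwdExpirationState -SearchBase $ou | Where-Object State -ne 'Ok' | Format-Table -AutoSize
# To force a rotation on a flagged host: Reset-AdmPwdPassword -ComputerName <name>
```

A NeverManaged result on a computer that should be in scope usually means the CSE is not installed or the GPO does not apply to it; TooFarAhead only persists if the "Do not allow password expiration time longer than required by policy" setting is left disabled.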