On April 11th, 2023 Microsoft added support for LAPS (Local Administrator Password Solution) natively to Windows Server. This is a major milestone because LAPS was historically an additional add-on item to a Windows system and the additional security it provides is critical for any Windows network.
What is it?
LAPS is a tool used to cycle local administrator account credentials on Windows systems. Historically all Windows systems come with a built-in Administrator account local to the machine for configuration and changes. It used to be common practice to set these accounts with some common password that the IT department could use in case of emergencies to work on the machines, but this very quickly became a security concern for a number of reasons:
- Common passwords are a major vulnerability. If one user or malicious party gains access to that password, they essentially have an all-access pass to every single system in your network, potentially including critical servers with sensitive data.
- If an attacker knows that an account exists on every system (e.g. the default Administrator account that comes with every Windows installation), they can use that knowledge to save time and focus their efforts on compromising or using that one account for access.
- Traditionally, local accounts are difficult to manage. Unlike domain-based accounts there is no central management, so without some kind of remote command execution on company systems (itself a potential security hole) it is difficult to change or update these passwords across the board without logging into every machine and modifying the values by hand.
Why do we need local admin accounts?
It is not unusual in an Active Directory Domain Services or Azure AD network to need a local administrator account to fix issues. Most problems that arise can be resolved with domain accounts, but sometimes local machines drop their trust with a domain unexpectedly or potentially a policy could be implemented with unexpected consequences that lock domain accounts out of a system. In these scenarios it is necessary to have some sort of local administrator account to fix the issues.
An additional note: It is also not unusual for organizations to need some level of administrative access to a machine to allow a user to perform actions like software installations, updates, or changes. While most of these scenarios can be managed effectively using proper policy architecture, small to medium sized businesses may not have the resources to perform those proper configurations. In these scenarios having a temporary admin account to use for updates or installs may be desirable, but there are multiple factors to consider when evaluating that.
How does LAPS help?
LAPS does a few things which dramatically improve security for these necessary accounts:
- LAPS policies can be used to deploy a custom defined Local Administrator account (think localadmin rather than Administrator). This allows the organization to disable the built-in Administrator accounts without losing access to a local admin. NO ONE SHOULD EVER USE THE BUILT-IN ADMINISTRATOR ACCOUNTS!
- LAPS policies can be used to cycle the password for this custom defined account on a regular basis. The password rotates automatically and the new value is written back to AD DS or Azure AD, depending on your primary identity provider. This is great because even if someone uses the account and accidentally stores the password, your risk is still minimized because the password changes on its own at a regular interval.
- LAPS policies give each system a unique password for its local admin account. This means that even if an attacker were able to get the local admin password for one machine, your risk is still minimized because each machine's local account has a different password value.
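The three points above map directly onto Windows LAPS policy settings. As an added example (not from the original post or from Microsoft's documentation), the following PowerShell shows a minimal AD DS rollout: the one-time directory preparation, the client policy values that define the custom account, rotation interval and AD DS backup, and retrieval of a single machine's password by an authorised admin. It assumes the built-in Windows LAPS module and the RSAT ActiveDirectory module are installed; the OU and computer names are placeholders.

```powershell
# Added example: minimal Windows LAPS rollout for a domain-joined (AD DS) fleet.
# Assumptions: LAPS module present (built into the April 2023 updates), RSAT
# ActiveDirectory module for the audit query, placeholder OU/computer names.
Import-Module LAPS

# 1. One-time directory prep (run as Schema Admin / Domain Admin): extend the
#    schema with the Windows LAPS attributes, then grant computers in the
#    target OU the right to write their own password back to AD DS.
Update-LapsADSchema -Confirm:$false
$ou = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
Set-LapsADComputerSelfPermission -Identity $ou

# 2. Client policy. In production this is delivered by GPO (Computer
#    Configuration > Administrative Templates > System > LAPS); the same
#    settings land in this policy key, written directly here for a lab box.
$policy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
New-Item -Path $policy -Force | Out-Null
$settings = [ordered]@{
    BackupDirectory                     = 2            # 2 = AD DS, 1 = Azure AD, 0 = disabled
    AdministratorAccountName            = 'localadmin' # custom account; built-in Administrator stays disabled
    PasswordAgeDays                     = 30           # automatic rotation interval
    PasswordLength                      = 20
    PasswordComplexity                  = 4            # upper, lower, digits, specials
    PasswordExpirationProtectionEnabled = 1            # clients cannot extend expiry past the policy
    PostAuthenticationActions           = 3            # after the password is used: reset it and log off
    PostAuthenticationResetDelay        = 24           # ... 24 hours after that authentication
}
foreach ($entry in $settings.GetEnumerator()) {
    $type = if ($entry.Value -is [string]) { 'String' } else { 'DWord' }
    Set-ItemProperty -Path $policy -Name $entry.Key -Value $entry.Value -Type $type
}

# Apply the policy now instead of waiting for the next processing cycle.
Invoke-LapsPolicyProcessing

# 3. Retrieval by an authorised admin. Each computer stores its own value,
#    so one leaked password does not expose the rest of the fleet.
$computer = 'WS-LAB-01'    # placeholder computer name
Get-LapsADPassword -Identity $computer -AsPlainText |
    Select-Object ComputerName, Account, Password, ExpirationTimestamp

# Audit check: which computers in the OU have not stored a password yet?
Get-ADComputer -SearchBase $ou -Filter * -Properties 'msLAPS-PasswordExpirationTime' |
    Where-Object { -not $_.'msLAPS-PasswordExpirationTime' } |
    Select-Object Name
```

Read access to the stored passwords is separately controlled with Set-LapsADReadPasswordPermission, so the retrieval step only works for principals that have been granted it.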
Why wouldn’t we be using this already?
LAPS was previously an add-on package for Windows Server and desktops. Microsoft has made LAPS available for several years, but until this year an administrator had to go out and deploy the package to every system. This added overhead and raised the "cost of entry" to a point where many organizations overlooked it.
Additionally, cybersecurity was historically an overlooked topic in small to medium sized business networks. Many administrators therefore neglected these accounts, preferring security through obscurity over something more effective like LAPS.
Ultimately, there is no longer an excuse to not be using LAPS. This system is an extremely exciting addition to what has historically been a major gap in enterprise security and it’s important that all network administrators start implementing these services across the board.