Don’t Cut Corners while Running LAPS

Microsoft LAPS was released in 2015 with the main purpose of making it more difficult for hackers to spread across IT networks using the tried and tested technique of exploiting administrator accounts. It aims to combat:

  1. Vertical privilege escalation: Escalating from a lower level account to a higher one, e.g., a normal user account to system administrator, and
  2. Horizontal privilege escalation: Propagating laterally across a network after gaining entry to other accounts of the same level, e.g., infiltrating an administrator account and then compromising other admin accounts from here.

Does LAPS do an adequate job, or does it cut a few corners along the way?

Warming Up: What is LAPS?

The way MS LAPS works is by utilizing Active Directory (AD) to manage administrator account passwords across all endpoints running the Microsoft operating system. The main component of this management is the forced rotation of unique and complex passwords for each administrator account via the ‘Password Settings’ Group Policy Object (GPO).

Passwords are applied to local administrator accounts and stored in AD, with policies controlling which users are eligible (usually help desk techs or system admins) to retrieve these passwords when access to an account is needed.

Running the Race; Missing Out on the Win

LAPS has some good tidbits that make it out to be a strong contender in the world of cybersecurity solutions, such as the fact that it doesn’t require additional application servers or computers – password management is handled entirely through Active Directory.

Upon download, Microsoft provides a comprehensive Operations Guide to get users up and running, and the free solution does fulfil its purpose of administrator password security and manageability – to an extent.

However, LAPS has its pitfalls. It cannot be used on any operating system other than Windows – sorry Linux and MacOS users!

When not configured correctly, the software can create more problems than it solves. This is because administrator passwords are stored in plain text along with the AD computer record. TechGenix appropriately describes this as, "the digital equivalent of writing the password on a sticky note and placing it on the monitor". If users with extended permissions are not removed and the appropriate groups not created, unintended users may have access to read the password property.

Although it integrates seamlessly with AD, it does require the deployment of a Client-Side Extension (CSE) on every endpoint.

The Microsoft product essentially only tackles administrator password management, leaving some very large security holes to be filled before comprehensive cyber security (and peace of mind) can be achieved.

With those pros and cons in mind, it can be concluded that LAPS does the job – if all you need is the absolute basics. If you’re a small organization, only using the Windows OS, simply after basic password management capabilities, and don’t have any compliance officers sniffing around, LAPS may be for you.

However, if you don’t meet the above criteria, the better option is a more comprehensive security solution.

Setting Up for Success: Why Privileged Access Management is the Better Solution

A Privileged Access Management (PAM) solution that controls, monitors and manages privileged access, offers the security of LAPS and a whole lot more. Admin By Request is one such PAM solution that revokes administrator rights, allowing users to simply request access for elevated privileges which company IT admins can then approve or deny.

The solution protects the computer by intercepting software installs and providing a full audit trail of installed software and other activity undertaken while user’s have temporary administrator rights on their machine.

Putting it leaps and bounds ahead of LAPS, Admin By Request comes with its own built-in help desk feature: Support Assist, which allows an IT admin to remotely provide elevated privileges to users who can’t self-service, with every step of the process logged in the software’s user portal.

Hackers attempting privilege escalation won’t get far with user-privileges revoked and elevation of privileges requiring approval, and any attempts at privilege escalation will be quickly discovered thanks to the auditing and reporting capabilities of the PAM software – password management just won’t cut it.

So do yourself a favor: don’t cut corners running LAPS and you’ll have a chance of staying in the race for the long run.

What’s Hot on Infosecurity Magazine?