Minimizing the Impact: Local Administrator Password Solution

Local administrator accounts are useful for IT administrators and support staff, especially when domain accounts are not working or available. In our experience these ‘local admin’ accounts often use an identical password on every computer across the enterprise.  

Unfortunately, it’s just as common for threat actors to take advantage of these accounts and is often their easy button to move laterally in environments. In fact, threat actors are able to leverage the account regardless of password complexity by obtaining NTLM hashes, enabling a ‘Pass the Hash’ attack. Once this is complete, the attacker is able to move laterally to any system that has an account with a matching hash (as opposed to the password characters) -- no password cracking required. Local admin Pash the Hash has been used by a variety of different threat groups (FIN10, Turla, APT32) for years; some as early as 2004. Local admin Pass the Hash is so trivial to perform that take anyone off the street can learn the method in less than five minutes. The technique is built into the most common attack tools and toolkits, including Mimikatz, Cobalt Strike, and Empire. And even without Pass the Hash, local admin accounts can be vulnerable to memory dumps for offline cracking attacks.

Enter Microsoft’s Local Administrator Password Solution (“LAPS”). LAPS is a free utility that has been around since 2015 that mitigates Pass the Hash and other attacks by setting unique, random local admin passwords on every domain computer. Enabling LAPS is quick and simple for most environments, and access to the resulting passwords can be restricted to a specific trusted user subset for access control. While LAPS doesn’t entirely prevent Pass the Hash and cracking attacks, it greatly reduces the blast radius.  

How does it work?

• Generates a secure random password for default local administrator account (500) and stores it in Active Directory (AD).
• The password is protected during transport via Kerberos encryption.
• Sets a unique randomly generated password per machine.
• Automatically change the local password after a set number of days.

How to Implement LAPS at a high level:  

1. Install LAPS onto management machine (e.g., a domain controller)

2. Extend Schema and prepare Active Directory (“AD”)

3. Deploying LAPS client to machines you would want to manage

4. Configure Group Policy to enable and set the relevant policies

The above pieces are core to any implementation. Depending on your environment there is a bit of strategy to implement LAPS in a more secure fashion.  

Common Questions:

Can we control password complexity, randomization, and resets?

     Yes, this is a great strength of LAPS. You can configure the policy to align with your organization and be as strict as you want.

Can I audit who accesses the passwords in AD?

     Yes, you can however you would need to enabled auditing (Set-AdmPwdAuditing).

Can I specify the password the LAPS uses on the client?

     No, this will be randomized.  

Download LAPS here: https://www.microsoft.com/en-us/download/details.aspx?id=46899

‍