xx - LAPS

What is this?

LAPS is an agent-based control designed to prevent Pass-the-Hash and similar internal pivoting attacks. It does this by automatically assigning a unique password to the local administrator account of each machine. The password policy is configured via the Group Policy MMC snap-in. The LAPS agent is installed via a scheduled task that calls a PowerShell script. Read access to the passwords is delegated via Active Directory ACLs, much like NTFS permissions on a file share. Passwords are accessed in one of three ways:

  1. From the LAPS UI (installed on PAWs)
  2. From AD (object properties > Attribute Editor > find the LAPS password in the list)
  3. PowerShell

NOTE: Currently, there is no native way to access the LAPS password from a phone or other mobile device. Normally, you could enable RDP on a workstation or jump-box that has one of the three tools above, but this would break our clean-source principle, so I do not recommend it and this guide does not cover how to do it.

Acquire the LAPS software

The LAPS Software can be downloaded here.

Step by step guide for deploying LAPS

I'm not going to re-write what has already been written. The point of this guide is to adapt your LAPS deployment to meet the security requirements of the PAW deployment. You can download a very thorough guide here. The guide is also available in the file list of this folder, in case it ever gets taken offline.

Configuring AD Permissions

When you get to the section titled "How to configure Active Directory for LAPS", deviate from the instructions there and follow these instead:

Create AD Groups

Create the following AD groups under DOMAIN.COM/Company/Groups/SecurityGroups/LAPS-RBAC:

  • AD-Company-Computers-AllLocations-Servers-Tier1--LAPSPassword
  • AD-Company-Computers-AllLocations-WKS--LAPSPassword

NOTE: The LAPS passwords of Tier 0 servers do not need to be delegated to a specific group, since your Tier 0 admin users are already members of Domain Admins, which has full access to the LAPS password attribute.

Run the following PowerShell commands to set the ACLs

# Tier 1 servers: grant read access to the Tier 1 LAPS group created above
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Tier1,OU=Servers,OU=Location1,OU=Computers,OU=Company,DC=DOMAIN,DC=COM" -AllowedPrincipals AD-Company-Computers-AllLocations-Servers-Tier1--LAPSPassword
# Workstations: grant read access to the workstation LAPS group created above
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Workstations,OU=Location1,OU=Computers,OU=Company,DC=DOMAIN,DC=COM" -AllowedPrincipals AD-Company-Computers-AllLocations-WKS--LAPSPassword

Repeat as needed for your various locations throughout AD.
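The two commands above delegate one OU each, and every additional location is another pair of lines that can be mistyped. The following script is an added example (not part of the original guide) that applies the same Set-AdmPwdReadPasswordPermission call to a list of OU/group pairs and then uses Find-AdmPwdExtendedRights from the same AdmPwd.PS module to confirm that only the intended group, plus the built-in holders, can read passwords under each OU. It assumes the AdmPwd.PS and ActiveDirectory modules are available on the PAW; the OU distinguished names, group names and the NetBIOS domain name are placeholders to replace with your own.

```powershell
# Added example: bulk LAPS read-password delegation with a post-check.
# Assumes AdmPwd.PS (installed with the LAPS management tools) and the
# ActiveDirectory RSAT module; all names below are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Constructed mapping: computer OU -> group allowed to read its passwords.
$delegations = @(
    @{ OU    = 'OU=Tier1,OU=Servers,OU=Location1,OU=Computers,OU=Company,DC=DOMAIN,DC=COM'
       Group = 'AD-Company-Computers-AllLocations-Servers-Tier1--LAPSPassword' },
    @{ OU    = 'OU=Workstations,OU=Location1,OU=Computers,OU=Company,DC=DOMAIN,DC=COM'
       Group = 'AD-Company-Computers-AllLocations-WKS--LAPSPassword' }
)

# Principals that hold the right on every OU without explicit delegation.
# Replace DOMAIN with your NetBIOS domain name.
$builtinHolders = @('NT AUTHORITY\SYSTEM', 'DOMAIN\Domain Admins')

foreach ($d in $delegations) {
    # Fail closed on a mistyped group name rather than silently delegating nothing.
    if (-not (Get-ADGroup -Filter "Name -eq '$($d.Group)'")) {
        Write-Warning "Group '$($d.Group)' not found; skipping $($d.OU)"
        continue
    }

    Set-AdmPwdReadPasswordPermission -OrgUnit $d.OU -AllowedPrincipals $d.Group | Out-Null

    # Find-AdmPwdExtendedRights returns one record per OU at or below -Identity,
    # each listing the principals that can read ms-Mcs-AdmPwd there.
    foreach ($record in Find-AdmPwdExtendedRights -Identity $d.OU) {
        $unexpected = @($record.ExtendedRightHolders |
            Where-Object { $_ -notin $builtinHolders -and $_ -notlike "*\$($d.Group)" })
        if ($unexpected.Count -gt 0) {
            Write-Warning "$($record.ObjectDN): additional password readers: $($unexpected -join ', ')"
        } else {
            Write-Host "$($record.ObjectDN): delegation OK"
        }
    }
}
```

Run it once after creating the groups and again whenever an OU is added or moved; any principal reported as an additional reader is one that received the extended right some other way (an inherited ACE from a parent OU, for instance) and should be reviewed against the RBAC model before the deployment is signed off.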

NOTE: If you mess up and need to undo the permission, right-click the OU > Properties > Security tab > Advanced button. There will be two entries granted to the group that you need to remove.

Install the LAPS agent

Follow the instructions in the section titled "04 - Deploy Software to PAW" regarding LAPS. The script mentioned above is also found in that section.
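Once the scheduled task has run, the only evidence in AD that the agent is actually working is the expiry timestamp it stamps on each computer object. The script below is an added example (not from the original guide or the deployment guide it references) that reads that attribute for every computer under an OU and reports which machines have a current password, an expired one, or none at all. It assumes the ActiveDirectory RSAT module and an account that can read ms-Mcs-AdmPwdExpirationTime, which by default does not require the read-password delegation; the OU name is a placeholder.

```powershell
# Added example: verify LAPS agent rollout from the expiry attribute in AD.
# Assumes the ActiveDirectory RSAT module; the OU below is a placeholder.
Import-Module ActiveDirectory

function Get-LapsAgentStatus {
    param([Parameter(Mandatory)][string]$SearchBase)

    $now = (Get-Date).ToUniversalTime()
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            if (-not $raw) {
                # Never written: agent not installed, GPO not applied yet, or the
                # computer lacks self-write permission on the LAPS attributes.
                $status  = 'NoPassword'
                $expires = $null
            } else {
                # LAPS stores the expiry as a Windows FILETIME (100-ns ticks since 1601 UTC).
                $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
                $status  = if ($expires -lt $now) { 'Expired' } else { 'Current' }
            }
            [pscustomobject]@{ Computer = $_.Name; Status = $status; ExpiresUtc = $expires }
        }
}

# Usage: anything other than 'Current' deserves a look before the rollout is
# called done. 'Expired' means the agent stopped rotating on schedule; a large
# 'NoPassword' count usually means the task or GPO has not reached those hosts.
Get-LapsAgentStatus -SearchBase 'OU=Workstations,OU=Location1,OU=Computers,OU=Company,DC=DOMAIN,DC=COM' |
    Sort-Object Status, Computer | Format-Table -AutoSize
```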