It's pretty straightforward, if you get the access rights right.
Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as help-desk administrators, are authorized to read passwords.
Compromised identical local account credentials could allow elevation of privilege if an attacker uses them to elevate from a local user/administrator to a domain/enterprise administrator. Local administrator credentials are needed for occasions when logon is required without domain access. In large environments, password management can become complex, leading to poor security practices, and such environments greatly increase the risk of a Pass-the-Hash (PtH) credential replay attack.
LAPS simplifies password management while helping customers implement recommended defenses against cyber-attacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers.
This part came from PeteNetLive, and worked like a charm:
Download LAPS from here
Install LAPS on a DC with all the options selected (if you accept the defaults it will only install the GPO Extensions, which is what you want on the 'controlled machines', not on the management machine).
Install the LAPS software to the target machines, in fact it's just a copy of some files.
msiexec /i \\Server\Share\laps.x64.msi /quiet
or
msiexec /i c:\laps.x64.msi /quiet
Extend Active Directory Schema:
On the management machine run the following two PowerShell commands, to add the two new attributes to Active Directory.
Update-AdmPwdADSchema
Check/Set Permissions to Read Local Admin Passwords
Grant the computers themselves the right to update their password in Active Directory. (If you have nested OUs, simply apply this on the top-level OU.) Change the OU name to suit your own OU/OUs.
Set-AdmPwdComputerSelfPermissions -OrgUnit 'Domain Computers'
Find-AdmPwdExtendedRights -Identity 'Domain Computers'
To grant read password permissions to a particular group, use the following syntax, below I have an AD group called HelpDesk setup and I'm adding them into the AD ACL to be able to read local administrator passwords for the Domain Computers OU.
Set-AdmPwdReadPasswordPermissions -OrgUnit 'Domain Computers' -AllowedPrincipals PeteNetLive\HelpDesk
Deploy the GPO Extensions to 'Controlled' Machines
On the management machine, create a new GPO object, and link it to the OU containing the computers/servers you want to apply the password settings to.
Edit the GPO.
Navigate to:
Computer Configuration > Policies > Administrative Templates > LAPS
The policy that turns LAPS on is the last one, 'Enable local admin password management'. Enable it.
Note: the other two policies are:
Name of the administrator account to manage: Use this if you have manually created another common admin account on all your machines, NOT if you have renamed the built-in local administrator account.
Do not allow password expiration time longer than required by policy: Set to Enabled.
View the Local Admin Passwords for Controlled Machines.
1. From PowerShell, with the following command:
Get-AdmPwdPassword -ComputerName hostname
2. Or with the LAPS UI:
C:\Program Files\LAPS\AdmPwdUI.exe
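The steps above, from the schema extension through to reading a password, as one PowerShell script run from the management machine. This is an added example, not code from the original post or from PeteNetLive. The OU distinguished name, the CORP\HelpDesk group, the GPO name and the computer name WKS-001 are placeholders for your own values; the GPO step writes the same four settings as the GUI walk-through directly to the registry policy path the LAPS client-side extension reads, and the extended-rights check flags principals who could already read the new password attribute before you grant anyone anything.

```powershell
# Added example (not from the original post or PeteNetLive): end-to-end LAPS
# setup from one elevated PowerShell session on the management machine.
# Placeholders: $Ou, $Readers, $GpoName and 'WKS-001' are hypothetical values.
#Requires -RunAsAdministrator
Import-Module AdmPwd.PS      # installed by the LAPS MSI "Management Tools" option
Import-Module GroupPolicy    # RSAT Group Policy cmdlets, for the GPO step

$Ou      = 'OU=Workstations,DC=corp,DC=example'   # hypothetical OU
$Readers = 'CORP\HelpDesk'                         # hypothetical AD group
$GpoName = 'LAPS - Workstations'                   # our own GPO name

# 1. Schema: adds ms-Mcs-AdmPwd (a confidential attribute) and
#    ms-Mcs-AdmPwdExpirationTime. Needs Schema Admins; run once per forest.
Update-AdmPwdADSchema

# 2. Let each computer object write its own password and expiry into AD.
Set-AdmPwdComputerSelfPermissions -OrgUnit $Ou

# 3. Who can already read the password? "All Extended Rights" on the OU
#    implies read access to confidential attributes, so any holder here that
#    you did not intend is a finding to remove from the OU ACL before go-live.
$extended   = Find-AdmPwdExtendedRights -Identity $Ou
$unexpected = $extended.ExtendedRightHolders |
    Where-Object { $_ -notmatch 'NT AUTHORITY\\SYSTEM|Domain Admins|Enterprise Admins' }
if ($unexpected) {
    Write-Warning ("Unexpected principals able to read ms-Mcs-AdmPwd under {0}: {1}" -f $Ou, ($unexpected -join ', '))
}

# 4. Grant the help desk read, and separately the right to force a reset
#    (which just sets the expiry in the past; the client picks a new password
#    at its next policy refresh).
Set-AdmPwdReadPasswordPermissions  -OrgUnit $Ou -AllowedPrincipals $Readers
Set-AdmPwdResetPasswordPermissions -OrgUnit $Ou -AllowedPrincipals $Readers

# 5. GPO: the settings from the GUI walk-through, written to the registry
#    policy path the LAPS CSE reads. The ADMX only matters for the editor UI.
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'AdmPwdEnabled'                  -Type DWord -Value 1   # Enable local admin password management
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1   # Do not allow expiration longer than policy
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'PasswordComplexity'             -Type DWord -Value 4   # upper, lower, digits and specials
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'PasswordLength'                 -Type DWord -Value 20
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'PasswordAgeDays'                -Type DWord -Value 30
# 'AdminAccountName' is deliberately left unset: the built-in Administrator is
# located by its well-known SID, so a renamed account still gets managed.
New-GPLink -Name $GpoName -Target $Ou -LinkEnabled Yes -ErrorAction SilentlyContinue

# 6. After the client has refreshed policy (gpupdate /force on the target),
#    read the current password and when it will rotate, as the help desk would.
Get-AdmPwdPassword -ComputerName 'WKS-001' |
    Format-List ComputerName, Password, ExpirationTimestamp
```

If you prefer to keep editing the GPO in the Group Policy Management Console, copy the AdmPwd.admx/adml files installed with the management tools into your PolicyDefinitions folder (or central store) so the LAPS node appears; the registry values written above are what the console would write for you.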
Source 1
Source 2