14 September 2017

LAPS - Restore machine from backup - Password not in AD

Updated 19-09-2017

LAPS, short for Local Administrator Password Solution, is a great way to secure the local administrator account on your servers.
But there is one problem with the tool.
Passwords set by LAPS are stored in AD (in the ms-Mcs-AdmPwd attribute of the computer object), but only the current one: when the password expires (every 30 days by default) LAPS sets a new one and overwrites the attribute. So when you use the LAPS UI or check the AD attribute, the password you see there is the one that is valid right now; the one from 100 days ago is gone.

But what if you need to restore a machine from a backup that is 31 days old, or 40 days, heck even 100 days?

The restored machine comes back with the local admin password it had at backup time, and there is no way to find that password, because every 30 days it has been changed and overwritten in AD by LAPS. A restore that old usually also has a broken domain trust (the machine account password rotates too), so you cannot log on with a domain account either, which is exactly when you need the local admin password.

Now this is where this script comes in.
The idea is really simple, and there is a drawback that comes with it at the same time.

The script exports the LAPS passwords of all servers in a specific OU, every week or month (you decide), and writes them to a password-protected zip file on a file share, or sends them to an email address of your choice.

I can hear you think: that's a nice little security issue you just created there.
I know; I only provide the tool, it's up to you whether you want to use it or not.
I've seen someone say somewhere that you could use ADExplorer to export the AD to keep passwords from more than 30 days ago stored somewhere.
If you think that's a good idea, you can go ahead and use that.

To give you an idea, the output looks like this (the screenshot is not reproduced here; it is the HTML table the script builds with ConvertTo-Html, one row per computer, with the ComputerName, DistinguishedName, Password and ExpirationTimestamp columns that Get-AdmPwdPassword returns):

Now on your file share there is a zip file protected by a password that you store somewhere else (in KeePass, for instance). In case of an emergency you unzip the file and browse the HTML file for the server name and the associated administrator password.
The advantage is that this is a little more secure than just dumping all the passwords in a mailbox.

On the other hand, if you bury this deep in a mailbox and create a scheduled task that runs every 30 days, you have every password ever changed by LAPS right in your mailbox. Whichever way you store it, run the export at least as often as the LAPS password age (30 days by default): a password that is set and replaced between two runs is never captured.

And if you are worried about your security: these are local admin accounts, not domain admin accounts. That limits the damage, but a valid local admin password still gives full control of that server and whatever runs on it, and one export contains them for every server in the OU.
So treat the export like any other privileged credential: a tight ACL on the share, the zip password stored somewhere else (not in the same mailbox or on the same share), and old exports deleted once the backups they belong to have expired.
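To make the emergency lookup less error-prone, here is an added helper (example code of mine, not part of the original post or its script): give it a server name and the date of the backup you are restoring, and it picks the newest Report-dd-MM-yyyy.zip written on or before that date, extracts it to a local temp folder with 7-Zip, parses the HTML table and returns that server's row. The assumptions are taken from the script further down this page: the zip names follow Report-dd-MM-yyyy.zip, each zip holds a Report.html produced by ConvertTo-Html from Get-AdmPwdPassword output, and 7z.exe sits at its default 64-bit path. The function names and parameters are my own.

```powershell
# Added example, not part of the original post: look up the local admin password a
# server had on a given backup date, from the dated zip exports the script writes.
# Assumptions (taken from the script on this page): archives are named Report-dd-MM-yyyy.zip,
# each holds a Report.html made by ConvertTo-Html from Get-AdmPwdPassword output,
# and 7z.exe is installed at its default 64-bit path.
function Find-ArchivedLapsPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [datetime]     $BackupDate,
        [Parameter(Mandatory)] [string]       $ArchivePath,   # e.g. \\domain.lan\Fileshare
        [Parameter(Mandatory)] [securestring] $ZipPassword,
        [string] $SevenZip = 'C:\Program Files\7-Zip\7z.exe'
    )

    # Newest export written on or before the backup date: that export holds the
    # password the restored machine will have, unless LAPS rotated it between the
    # export and the backup (one more reason to export more often than the password age).
    $export = Get-ChildItem -Path $ArchivePath -Filter 'Report-*.zip' |
        ForEach-Object {
            if ($_.BaseName -match '^Report-(\d{2}-\d{2}-\d{4})$') {
                [pscustomobject]@{
                    File = $_.FullName
                    Date = [datetime]::ParseExact($Matches[1], 'dd-MM-yyyy', [cultureinfo]::InvariantCulture)
                }
            }
        } |
        Where-Object { $_.Date -le $BackupDate } |
        Sort-Object Date -Descending | Select-Object -First 1
    if (-not $export) { throw "No export on or before $($BackupDate.ToString('yyyy-MM-dd')) in $ArchivePath" }

    # Extract into a private local temp folder, never onto the share, and remove it afterwards.
    $tmp = Join-Path $env:TEMP ('laps-restore-' + [guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        $plain = (New-Object System.Management.Automation.PSCredential('x', $ZipPassword)).GetNetworkCredential().Password
        # x = extract with paths, -o<dir> = output folder (no space), -y = answer yes to prompts
        & $SevenZip x $export.File "-o$tmp" "-p$plain" -y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "7-Zip exited with code $LASTEXITCODE (wrong password or damaged archive?)" }

        $html = Get-Content -Path (Join-Path $tmp 'Report.html') -Raw
        $row  = Find-ReportRow -Html $html -ComputerName $ComputerName
        if (-not $row) { throw "$ComputerName is not in $($export.File)" }
        $row | Add-Member -NotePropertyName ExportDate -NotePropertyValue $export.Date -PassThru
    }
    finally {
        Remove-Item -Path $tmp -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Parse the ConvertTo-Html table: read the header row to find the column positions
# (so the column order does not matter), then decode the cell text. ConvertTo-Html
# HTML-encodes & < > and quotes, so a LAPS password like a&b<c is stored as a&amp;b&lt;c.
function Find-ReportRow {
    param([string]$Html, [string]$ComputerName)
    $headers = [regex]::Matches($Html, '<th>(.*?)</th>') | ForEach-Object { $_.Groups[1].Value }
    foreach ($tr in [regex]::Matches($Html, '<tr>(.*?)</tr>')) {
        $cells = [regex]::Matches($tr.Groups[1].Value, '<td>(.*?)</td>') | ForEach-Object {
            [System.Net.WebUtility]::HtmlDecode($_.Groups[1].Value)
        }
        if ($cells.Count -ne $headers.Count) { continue }   # header row or malformed row
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $headers.Count; $i++) { $obj[$headers[$i]] = $cells[$i] }
        if ($obj['ComputerName'] -eq $ComputerName) { return [pscustomobject]$obj }
    }
    return $null
}

# Usage (run as a user who can read the share):
# Find-ArchivedLapsPassword -ComputerName SRV01 -BackupDate '2017-06-01' `
#     -ArchivePath '\\domain.lan\Fileshare' -ZipPassword (Read-Host 'Zip password' -AsSecureString)
```

The HTML decoding matters even when you look the password up by hand: in a browser the table shows the real characters, but in the raw Report.html opened in an editor, characters such as &, < and > appear as entities, and LAPS passwords regularly contain them.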

Update:
I wanted to have the passwords written in a password-protected zip file on a file share.
Here's the script (or download from here).
Requires the ActiveDirectory module and the LAPS PowerShell module (AdmPwd.PS) to be installed.

##############################################################################
## Get-PWDOverviewMonthly
## Purpose: Writes the passwords set by LAPS to a password-protected zip on a share
## Author: Edwin van Brenk
## Date: 19 september 2017
## Version: 1.1
##############################################################################
#Load Modules
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

# Password for the ZIP file
#
# ATTENTION-ATTENTION-ATTENTION-ATTENTION-ATTENTION-ATTENTION-ATTENTION-ATTENTION-ATTENTION-ATTENTION-ATTENTION-ATTENTION
#
# Use the section below to generate an encrypted password file for the zip file
# Needs to be run only at initial script setup
# Uncomment before use, comment after use
#
# ConvertFrom-SecureString without -Key protects the string with DPAPI, so Password.txt
# can only be read back by the same user account on the same machine: run this setup
# as the account that will run the scheduled task, on the machine it will run on.
#
# Type your password
#$password = Read-Host "Password" -AsSecureString

# Write to file
#ConvertFrom-SecureString -SecureString $password | Set-Content "C:\Scripts\Get-LAPSOverviewMonthly\Password.txt"

# Get password
$secured = ConvertTo-SecureString -String (Get-Content C:\Scripts\Get-LAPSOverviewMonthly\Password.txt)

# Wrap it in a credential object so the plain text can be handed to 7-Zip later
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "userid", $secured

# Zip function
function Write-ZipUsing7Zip([string]$FilesToZip, [string]$ZipOutputFilePath, [string]$Password, [ValidateSet('7z','zip','gzip','bzip2','tar','iso','udf')][string]$CompressionType = 'zip', [switch]$HideWindow)
{
 # Look for the 7zip executable.
 $pathTo32Bit7Zip = "C:\Program Files (x86)\7-Zip\7z.exe"
 $pathTo64Bit7Zip = "C:\Program Files\7-Zip\7z.exe"
 $THIS_SCRIPTS_DIRECTORY = Split-Path $script:MyInvocation.MyCommand.Path
 $pathToStandAloneExe = Join-Path $THIS_SCRIPTS_DIRECTORY "7za.exe"
 if (Test-Path $pathTo64Bit7Zip) { $pathTo7ZipExe = $pathTo64Bit7Zip }
 elseif (Test-Path $pathTo32Bit7Zip) { $pathTo7ZipExe = $pathTo32Bit7Zip }
 elseif (Test-Path $pathToStandAloneExe) { $pathTo7ZipExe = $pathToStandAloneExe }
 else { throw "Could not find the 7-zip executable." }

 # Delete the destination zip file if it already exists (i.e. overwrite it).
 if (Test-Path $ZipOutputFilePath) { Remove-Item $ZipOutputFilePath -Force }

 $windowStyle = "Normal"
 if ($HideWindow) { $windowStyle = "Hidden" }

 # Create the arguments to use to zip up the files.
 # Command-line argument syntax can be found at: http://www.dotnetperls.com/7-zip-examples
 $arguments = "a -t$CompressionType ""$ZipOutputFilePath"" ""$FilesToZip"" -mx9"
 if (!([string]::IsNullOrEmpty($Password)))
 {
  # Quote the password so one containing spaces survives. Note that 7-Zip only takes the
  # password on the command line, where process auditing (Sysmon event 1, Win32_Process)
  # can record it; there is no way to feed it to 7z.exe any other way.
  $arguments += " -p""$Password"""
  # For .zip archives 7-Zip uses the weak ZipCrypto method unless told to use AES.
  # (File names inside a .zip are never encrypted; use -t7z with -mhe=on if that matters.)
  if ($CompressionType -eq 'zip') { $arguments += " -mem=AES256" }
 }

 # Zip up the files.
 $p = Start-Process $pathTo7ZipExe -ArgumentList $arguments -Wait -PassThru -WindowStyle $windowStyle

 # If the files were not zipped successfully.
 if (!(($p.HasExited -eq $true) -and ($p.ExitCode -eq 0)))
 {
  throw "There was a problem creating the zip file '$ZipOutputFilePath'."
 }
}

# Various Settings
$Date = Get-Date -Format dd-MM-yyyy
$reportPath = "\\domain.lan\Fileshare"
# The plain-text HTML goes to a local temp file, not to the share, so nobody with
# access to the share can read it, not even briefly.
$tempReport = Join-Path $env:TEMP "Report.html"

# Build table for html files
$style = "<style>BODY{font-family: Arial; font-size: 10pt;}"
$style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
$style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
$style = $style + "TD{border: 1px solid black; padding: 5px; }"
$style = $style + "</style>"
# End HTML Output file style

# Get all computers in OU, convert output to HTML table
Get-ADComputer -Filter * -SearchBase "ou=servers,ou=systems,dc=domain,dc=lan" | Get-AdmPwdPassword -ComputerName {$_.Name} | ConvertTo-Html -Head $style | Out-File $tempReport

# Zip HTML file (7-Zip stores it inside the archive as Report.html)
Write-ZipUsing7Zip -FilesToZip $tempReport -ZipOutputFilePath (Join-Path $reportPath "Report-$Date.zip") -Password $cred.GetNetworkCredential().Password -HideWindow

# Delete temporary html file
Remove-Item $tempReport -Force
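If you would rather not have a zip password in a DPAPI-protected file next to the script, or on the 7z.exe command line, here is an alternative export as an added example (my code, not the post's script): the same report, encrypted to a certificate with Protect-CmsMessage, which needs PowerShell 5 or later. The scheduled task only gets the public .cer file; whoever restores needs the matching private key in their certificate store, which also gives you one clear place to control who can read old passwords. The function names, the LapsArchive.cer path, the OU and the share are placeholders of my own, and the certificate is assumed to have been created once with New-SelfSignedCertificate -Type DocumentEncryptionCert as shown in the comments.

```powershell
# Added example, not the post's script: the same export encrypted to a certificate
# with Protect-CmsMessage (PowerShell 5+) instead of a password-protected zip.
# One-time setup, on an admin workstation (not on the machine that runs the task):
#   $c = New-SelfSignedCertificate -Type DocumentEncryptionCert -Subject 'CN=LAPS Archive' -KeyExportPolicy Exportable
#   Export-Certificate -Cert $c -FilePath C:\Scripts\LapsArchive.cer   # public key only; copy this to the task host
# Keep the private key (Cert:\CurrentUser\My on the workstation, or an exported .pfx in
# the password vault) with the people allowed to restore.
# Placeholders: LapsArchive.cer, the OU and the share path.
function Export-LapsArchive {
    param(
        [string] $SearchBase = 'ou=servers,ou=systems,dc=domain,dc=lan',
        [string] $Recipient  = 'C:\Scripts\LapsArchive.cer',   # a thumbprint or subject name also works for -To
        [string] $OutDir     = '\\domain.lan\Fileshare'
    )
    Import-Module ActiveDirectory
    Import-Module AdmPwd.PS

    # Build the report in memory as CSV (easy to search later); it is never written in clear text.
    $rows = Get-ADComputer -Filter * -SearchBase $SearchBase |
        ForEach-Object { Get-AdmPwdPassword -ComputerName $_.Name } |
        Select-Object ComputerName, Password, ExpirationTimestamp
    $csv = ($rows | ConvertTo-Csv -NoTypeInformation) -join "`r`n"

    # Encrypt to the recipient's public key and write straight to the share.
    $out = Join-Path $OutDir ('LAPS-{0:yyyy-MM-dd}.cms' -f (Get-Date))
    Protect-CmsMessage -To $Recipient -Content $csv -OutFile $out
    Get-Item $out
}

# Restore side: run by someone who holds the private key in their certificate store.
function Find-LapsArchivePassword {
    param(
        [Parameter(Mandatory)] [string] $Path,          # the .cms written on or before the backup date
        [Parameter(Mandatory)] [string] $ComputerName
    )
    Unprotect-CmsMessage -Path $Path | ConvertFrom-Csv |
        Where-Object { $_.ComputerName -eq $ComputerName }
}

# Usage:
#   Export-LapsArchive                                  # from the scheduled task
#   Find-LapsArchivePassword -Path '\\domain.lan\Fileshare\LAPS-2017-09-19.cms' -ComputerName SRV01
```

The share ACL still matters: the .cms files are only as private as the private key, so if the key ever leaks, every archived password leaks with it. Rotate the certificate and re-encrypt or delete the old exports when that happens, just as you would change the zip password.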

Here's the original script (version 1.0), which emails the report instead (or download from here).
Requires the ActiveDirectory module and the LAPS PowerShell module (AdmPwd.PS) to be installed.
##############################################################################
## Get-PWDOverviewMonthly
## Purpose: Sends report on the passwords set by LAPS
## Author: Edwin van Brenk
## Date: 14 september 2017
## Version: 1.0
##############################################################################
#Load Modules
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$Date = Get-Date -Format dd-MM-yyyy

#SMTP options for sending the report email
$smtpServer = "smtp.domain.lan"
$smtpFrom = "LAPS@domain.lan"
$smtpTo = "edwin@domain.lan"
$Subject = "LAPS monthly overview $Date"

# Build table for html files
$style = "<style>BODY{font-family: Arial; font-size: 10pt;}"
$style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
$style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
$style = $style + "TD{border: 1px solid black; padding: 5px; }"
$style = $style + "</style>"
# End HTML Output file style

# Get all computers in OU, convert output to HTML table
# ($report rather than $pwd: $PWD is PowerShell's own current-directory variable)
$report = Get-ADComputer -Filter * -SearchBase "ou=servers,ou=systems,dc=domain,dc=lan" | Get-AdmPwdPassword -ComputerName {$_.Name} | ConvertTo-Html -Head $style

# Send email
# The passwords cross the network in clear text unless the SMTP server is reached over TLS;
# add -UseSsl if smtp.domain.lan supports it.
Send-MailMessage -To $smtpTo -From $smtpFrom -SmtpServer $smtpServer -Subject $Subject -Body ($report | Out-String) -BodyAsHtml

