Post on 11-Apr-2020
Deploy and Configure
Microsoft LAPS
Step by step guide and useful tips
Table of Contents
Challenges today ........ 3
What is LAPS ........ 4
Emphasis and Tips ........ 5
How LAPS Work ........ 6
  Components ........ 6
Prepare, Deploy and Configure LAPS ........ 8
  Requirements ........ 8
    Active Directory ........ 8
    Windows OS Support (Client and Managed PC) ........ 8
    Management tools ........ 8
    Membership ........ 8
  Deploy ........ 9
  Install on Managed Server and Client ........ 9
  Configure LAPS settings in Active Directory ........ 10
    Update Active Directory Schema ........ 10
    Configure Group Policy to enable and set the relevant policies ........ 13
    Check Active Directory Schema and Extended Rights ........ 15
Challenges today

Today credential theft is a major problem in the security landscape; identical local administrator passwords across an environment often contribute to that problem and are a popular target for attackers. Far more than zero days or malware, credentials are what allow attackers to be successful in your network.

Hackers, incident responders, and penetration testers know that valid credential reuse is one of the most common real-world vulnerabilities in today's networks. Valid credential reuse dominates as the top vulnerability.

Since Pass-the-Hash is such an integral part of attacker campaigns, internal penetration testing and real-world incidents, we are taking a first look at how this security advisory addresses the underlying issues with Pass-the-Hash and how it affects hackers of all sorts, both good and evil.

LAPS takes a different approach. It does not eliminate the ability to pass the hash; rather, it reduces the impact of Pass-the-Hash by making each local administrator password unique. This effectively helps limit the attack after a single machine is compromised: once an attacker gains access to a client workstation, they can no longer access every other workstation in the environment through the shared local admin account.

LAPS is designed to run in a least privilege model. There is no need to put a service account into Domain Admins to manage passwords; the password resets are done in the context of the computer/system. There is no additional server to install, and the passwords are stored in Active Directory. This has led to some interesting discussion on the Internet, with some saying that this makes AD a clear target. Active Directory has always been a clear target for attackers and has always held "golden keys" that would allow an attacker to take complete control of an infrastructure: Domain Admin level compromise, the Golden Ticket post-exploitation technique, etc.

LAPS, just like many other security controls, should be part of a holistic solution. Just taking care of local administrator passwords is a great step and a massive reduction in overall attack surface, but without the other mitigating controls in an environment it is true that attackers will still be able to gain a foothold and compromise your entire network. Randomizing local passwords is just one step in a security strategy, but it is a necessary step which is now easy and free with LAPS.
What is LAPS

The Local Administrator Password Solution provides centralized storage of local administrator passwords in Active Directory without additional computers. Domain administrators determine which users, such as helpdesk admins, are authorized to read the passwords.

For occasions when login is required without domain credentials, password management can become complex. LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. It mitigates the risk of lateral escalation that results when customers have the same administrative local account and password combination on many computers.

A lot of organizations use the same local administrator password across all machines, which is a bad idea for many reasons. At a basic level, if this password is learnt, it allows anyone to install software as an administrator; at a higher level it facilitates things such as pass the hash, Mimikatz and general reconnaissance against your machines (usually with the goal of elevating to Domain Admin).

If you currently deploy your local Administrator account password via Group Policy Preferences, this makes it even easier for an attacker to obtain the shared local administrator password. The cpassword value is easily searchable in SYSVOL, and Microsoft published the 32-byte AES key which can be used to decrypt the cpassword.

So, what can we do?

Local Administrator Password Solution! As you know, this is Microsoft's solution for managing local Administrator account passwords across an organization. LAPS features include:
• Sets a unique, randomly generated password per machine
• Automatically changes the local Administrator password
• Stores local Administrator passwords as an attribute in Active Directory
• Password is protected in AD
• A granular security model can be easily implemented
• Password is protected in transit via Kerberos encryption

Why use LAPS instead of other password managers or vaults? Other password managers typically require additional hardware, trusting a third party, or ad hoc practices. LAPS provides a streamlined approach to:
• Periodically randomizing local administrator passwords
• Ensuring the password update to AD succeeds before modifying the password locally
• Centrally storing secrets in the existing Active Directory infrastructure
• Controlling access via AD ACL permissions
• Transmitting encrypted passwords from client to AD
Emphasis and Tips

During the implementation it is important to pay attention to some points:
• Delegation model and a workflow for using the passwords.
If your OU structure is not laid out based on policy boundaries, or if you do not already have well defined RBAC, this will be a challenge. Your workflow for accessing the passwords will dictate a lot of how you design the access. Do you plan to use the passwords sometimes? Do you want to block attackers?
• LAPS only randomizes one local account password.
By default, it randomizes the built-in admin account (the one with the 500 SID) and discovers it by well-known SID. A different local account can be specified via GPO, but remember that it is then discovered by name.
• Embrace the 500 SID account.
The 500 SID account is always there, always an admin and always something you can re- and LAPS will always find it and manage it.
• Local accounts are tricky to manage, and you need to manage them with a local account principle. The strategy is to have one local administrator account: the built-in one!
• Make LAPS part of your larger Credential Theft Mitigation strategy.
Implement the best practice steps in the Pass the Hash documentation, use Restricted Groups to be authoritative on who is an admin, deny local accounts access over the network and manage machines in a secure way.
• Monitor local account creation.
These are indicators of compromise, and the successful logon of the local administrator account is a far more accurate metric of danger than auditing access to the password in many organizations.
• Monitor for lateral movement.
Stopping lateral account movement from stolen credentials and preventing the attacker wandering unfettered around your network is the thing that would have made the incident responses I've been to this year less of an incident.
• Reset password and the technician side.
Since ms-Mcs-AdmPwd only stores one password, some customers have expressed concerns about what this means for a system restored from backup. The supported scenario there would be to reset the password with a supported tool such as DaRT.
• LAPS and password expiration.
If you set a password expiration with a higher value than the LAPS policy allows, there will be a conflict, because LAPS will treat it as a different value than the one you intended.
• Auditing.
To audit LAPS you need to work with Windows Event Forwarding: password access is tracked via AD attribute auditing and event 4662, which means a lot of events.
• Access to LAPS and settings.
Access to the password is allowed via a control access right on the attribute. Control access is an extended right in Active Directory, which means that an admin who has been granted extended permissions can view all passwords; therefore LAPS includes the Find-AdmPwdExtendedRights cmdlet to track who has those permissions.
• LAPS and plain text.
The LAPS password is stored in plain text, so the attribute must be protected with stronger ACLs and access restricted to only the relevant admins.
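The two monitoring tips above (audit password reads via event 4662, and treat local account creation as an indicator of compromise) can be turned into a small defender-side report. The script below is an added example, not part of this guide. It assumes the ActiveDirectory module on a domain controller where object-access auditing is enabled and a SACL exists on ms-Mcs-AdmPwd (otherwise no 4662 events are written), and that workstation security logs are forwarded into the ForwardedEvents log. Event 4662 (object access) and 4720 (user account created) are standard Security log IDs; the property indices used match the event templates and are marked in comments.

```powershell
# Added example (not from the guide): report LAPS password reads and new local accounts.
Import-Module ActiveDirectory

# The schemaIDGUID of ms-Mcs-AdmPwd is generated per forest when the schema is
# extended, so look it up rather than hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$admPwdGuid = ([guid]$attr.schemaIDGUID).Guid

$since = (Get-Date).AddHours(-24)

# 1. Who read a LAPS password in the last 24 hours? Event 4662 lists the
#    accessed attribute GUIDs in its "Properties" field, so match on the GUID.
$reads = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $admPwdGuid } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = $_.Properties[1].Value   # SubjectUserName
            Domain  = $_.Properties[2].Value   # SubjectDomainName
            Object  = $_.Properties[6].Value   # ObjectName (the computer object DN)
        }
    }
"LAPS password reads since $since"
$reads | Format-Table -AutoSize

# 2. Local account creation on managed machines (event 4720, forwarded via WEF).
#    A new local account is an indicator of compromise and worth a ticket.
$created = Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents'; Id=4720; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Computer  = $_.MachineName
            NewUser   = $_.Properties[0].Value   # TargetUserName
            CreatedBy = $_.Properties[4].Value   # SubjectUserName
        }
    }
"Local accounts created since $since"
$created | Format-Table -AutoSize
```

The report is deliberately narrow: a read of ms-Mcs-AdmPwd outside the helpdesk group, or any 4720 on a workstation, is a small enough event volume to review daily, while raw 4662 auditing on a DC is not.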
How LAPS Work

The LAPS process:
1. A machine with LAPS queries Group Policy and receives the LAPS policy settings defined above.
2. The machine queries ms-Mcs-AdmPwdExpirationTime; if it is not set, or has expired, it generates a new password, sets it locally and securely writes the value to the ms-Mcs-AdmPwd attribute in Active Directory.
3. The password is now set locally, stored in Active Directory and ready for use.
4. The LAPS CSE queries this value on each Group Policy update; when ms-Mcs-AdmPwdExpirationTime is met, or the attribute is not set, it generates a new password.
5. If the machine cannot contact Active Directory, no changes are made.
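Step 2 and step 4 hinge on the value of ms-Mcs-AdmPwdExpirationTime, which is stored as a Windows FILETIME (a 64-bit count of 100-nanosecond intervals since 1601). The script below is an added example, not part of the guide: it reads the attribute from every computer in an OU and reports which machines the CSE will rotate on its next Group Policy refresh. It assumes the ActiveDirectory module, read permission on the attribute, and the placeholder OU path used elsewhere in this guide.

```powershell
# Added example (not from the guide): show the LAPS expiration state per computer.
Import-Module ActiveDirectory

$searchBase = 'OU=AllComputers,DC=LAB,DC=Local'   # placeholder OU from the guide
$nowUtc = (Get-Date).ToUniversalTime()

$report = Get-ADComputer -SearchBase $searchBase -Filter * -Properties ms-Mcs-AdmPwdExpirationTime |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if ($null -eq $raw) {
            # Attribute not set: the CSE will create a password at the next GPO refresh (step 4).
            $expires = $null
            $state   = 'NotSet'
        } else {
            # Convert FILETIME to DateTime; the CSE regenerates once this time has passed.
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
            $state   = if ($expires -lt $nowUtc) { 'Expired' } else { 'Current' }
        }
        [pscustomobject]@{ Computer = $_.Name; ExpiresUtc = $expires; State = $state }
    }

$report | Sort-Object State, ExpiresUtc | Format-Table -AutoSize
```

A machine that stays in the Expired state across several refresh cycles usually means it cannot reach Active Directory (step 5) or lacks the self-write permission granted later in this guide; an eligible user can also force a rotation ahead of time with Reset-AdmPwdPassword -ComputerName <name>.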
Components
• Agent: Group Policy Client-Side Extension, installed via MSI
o Event logging
o Random password generation, written from the client computer to the AD computer object
• PowerShell module
o Solution configuration
• Active Directory centralized control
o Audit in the security log of the Domain Controller
o Computer object and confidential attribute

The solution automatically manages the password of the 500 SID account on domain-joined computers, so the password must be:
• Unique on each managed computer
• Randomly generated
• Stored in the existing AD infrastructure
The solution is built upon the AD infrastructure, so there is no need to install and support other technologies.
The solution itself is a Group Policy Client-Side Extension that is installed on managed machines and performs all management tasks. Management tools delivered with the solution allow for easy configuration and administration.

The core of the solution is the GPO Client-Side Extension, which performs the following tasks during a GPO update:
• Checks whether the password of the local Administrator account has expired
• Generates a new password when the old password has expired or is required to be changed
• Changes the password of the Administrator account
• Reports the password to Active Directory, storing it in a confidential attribute of the computer account
• The password can then be read from AD by users who are permitted to do so
• The password can be forced to change by eligible users
Prepare, Deploy and Configure LAPS

The first step is to check whether the environment is compatible with LAPS; the requirements are at the Active Directory level and the client level.

Requirements
Active Directory
• Forest functional level Windows Server 2003 or higher
• Domain functional level Windows Server 2003 or higher
• FSMO roles on Windows Server 2003 SP1 or higher
• Managed DCs on Windows Server 2003 SP1 or higher
• RODCs installed in the environment must be considered with respect to the value of the ms-Mcs-AdmPwd attribute
*Itanium-based machines are not supported

Windows OS Support (Client and Managed PC)
• Windows Server 2016
• Windows Server 2012 R2 (Datacenter, Standard, Essentials, Foundation)
• Windows 8.1 (Enterprise, Pro)
• Windows Server 2012 (Datacenter, Standard, Essentials, Foundation)
• Windows 8 (Enterprise, Pro)
• Windows Server 2008 R2 Service Pack 1
• Windows 7 Service Pack 1
• Windows Server 2008 Service Pack 2
• Windows Vista Service Pack 2
• Microsoft Windows Server 2003 Service Pack 2
*Itanium NOT supported

Management tools
• .NET Framework 4.0
• PowerShell 2.0 or above

Membership
• The admin account that runs the schema update must be a member of Schema Admins
Deploy

Now that we have prepared and have all requirements, we can continue to the next step: prepare Active Directory, configure policies, deploy the client and configure all other settings.

LAPS deployment can be divided into a few steps:
1. Install LAPS on the management machine
2. Configure LAPS settings in Active Directory
3. Deploy the LAPS client to the machines you wish to manage
4. Configure Group Policy to enable and set the relevant policies
5. Configure post-deployment settings
6. Perform a simulated attack on a client PC

Install on Managed Server and Client

First, we need to download and install LAPS, which includes the PowerShell module and the Group Policy template, on the management PC or server. Download both the 64-bit and 32-bit versions from the official Microsoft site, Local Administrator Password Solution (LAPS).
Configure LAPS settings in Active Directory
Update Active Directory Schema
LAPS PowerShell commands

Now that we have the relevant PowerShell commands, we can update the schema in Active Directory from the AdmPwd module. First, let's check that we have the relevant PowerShell commands with:
Get-Command *admpwd*
and
Get-Command *admpwd* | Get-Member
Now that we know what commands are available, we should update the schema so our computer account objects have the required attributes.

Import the AdmPwd module with the following command:
Import-Module AdmPwd.PS

Update Active Directory Schema
Update the Active Directory schema with the following command:
Update-AdmPwdADSchema -Verbose

The AD schema extension includes a few changes:
• The admin account used to run it must be a member of the Schema Admins Active Directory group
• The schema is extended by two new attributes:
o ms-Mcs-AdmPwd, which stores the password in clear text
o ms-Mcs-AdmPwdExpirationTime, which stores the time to reset the password

Grant Permission to Objects
Grant computers the ability to update their password attributes using the Set-AdmPwdComputerSelfPermission command below:
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=AllComputers,DC=LAB,DC=Local"

Note: Set-AdmPwdComputerSelfPermission delegates rights that allow the computer object to write to the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.
Removing the extended rights
You must restrict the ability to view the password and remove "All extended rights" from users and groups that are not allowed to read the value of the ms-Mcs-AdmPwd attribute.

Grant Permissions to Specific Admin group
To grant users permission to retrieve a computer's password, run the commands below:
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=AllComputers,DC=LAB,DC=Local" -AllowedPrincipals "Domain Admins"
Set-AdmPwdResetPasswordPermission -OrgUnit "OU=AllComputers,DC=LAB,DC=Local" -AllowedPrincipals "Domain Admins"
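The schema update, the self-write delegation, the extended-rights review and the read/reset delegation above form one sequence, so here they are as a single script. This is an added example, not the guide's own script: it assumes the LAPS PowerShell module is installed on the management machine, that the account running the schema step is a member of Schema Admins, and it reuses the guide's placeholder OU "OU=AllComputers,DC=LAB,DC=Local" and the "Domain Admins" group; substitute your own OU and, preferably, a dedicated helpdesk group for the read right.

```powershell
# Added example (not from the guide): the Active Directory side of a LAPS deployment.
Import-Module AdmPwd.PS

$ou        = 'OU=AllComputers,DC=LAB,DC=Local'   # placeholder OU from the guide
$readers   = 'Domain Admins'                      # who may read passwords (use a narrower group in practice)
$resetters = 'Domain Admins'                      # who may force a password reset

# 1. Extend the schema with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
#    Requires Schema Admins; runs once per forest.
Update-AdmPwdADSchema -Verbose

# 2. Let computer objects in the OU write their own password and expiration time.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Review who already holds "All extended rights" on the OU before delegating.
#    Every principal listed here can read ms-Mcs-AdmPwd; remove the ones that
#    should not (ADSI Edit or dsacls), because the cmdlets below only add rights.
"Principals with extended rights on $ou before delegation:"
Find-AdmPwdExtendedRights -Identity $ou | Select-Object -ExpandProperty ExtendedRightHolders

# 4. Delegate read and reset rights to the intended groups only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters

# 5. Verify the result: the effective holders of the password read right on the OU.
"Principals with extended rights on $ou after delegation:"
Find-AdmPwdExtendedRights -Identity $ou | Format-List ObjectDN, ExtendedRightHolders
```

Running step 3 before step 4 matters: the delegation cmdlets grant rights but never remove any, so an OU that already gives "All extended rights" to a broad group keeps leaking the password no matter how tight the AllowedPrincipals list is.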
Configure Group Policy to enable and set the relevant policies

Once we have prepared and set all configuration in Active Directory (objects and permissions), we need to prepare a LAPS policy with specific settings in Group Policy.
• Password Settings
This is where you choose your password policy. The default is complex passwords, 14 characters and a password age of 30 days; machines will automatically change their password when this age is met.
• Enable local admin password management
Enables management of the password for the local administrator account.
• Do not allow password expiration time longer than required by policy
A planned password expiration longer than the password age dictated by the "Password Settings" policy is NOT allowed. When such an expiration is detected, the password is changed immediately, and the password expiration is set according to policy.
Check Active Directory Schema and Extended Rights

Quick report to see all of the accounts and groups with this permission:
Get-ADOrganizationalUnit -Filter * | Find-AdmPwdExtendedRights -PipelineVariable OU |
    ForEach-Object { $_.ExtendedRightHolders | ForEach-Object { [pscustomobject]@{ OU = $OU.ObjectDN; Object = $_ } } }

Another way to look at the settings is to run the following command:
Get-AdmPwdPassword -ComputerName ESLAB-CL01 | Format-List
From ADUC we can check the computer object attributes.