Implementing Local Administrator Password Solution (LAPS)

Captions
Hi everyone. In today's video we're going to talk about a security enhancement you can put into your Windows enterprise estates, and it's called Local Administrator Password Solution, or LAPS for short. As you can tell from the name, this is aimed at securing the local admin passwords on your Windows endpoints so that they're not all the same and they can't be easily guessed or exploited by an attacker. Now, this video is aimed obviously at enterprise clients and systems admins and people like that, so I would put this down as intermediate on the difficulty level.

Before we get started, just a little bit of background to LAPS. As you probably know, every Windows system has a local administrator account; it's not a domain account, it's a local administrator account on that machine. Now, we've moved on from the days where every user was a local admin on their machine, or at least we should have, and it's pretty standard practice these days in the enterprise for administrators to have a non-admin account for doing their day-to-day work and an admin account that they use when they need to elevate themselves. This separation of duty is pretty much standard practice, but that single local admin account remains, and in a lot of cases this local admin account would often have a single password, which meant that if that password was exposed to an attacker, every machine in your domain would be at risk.

Now, for a long time enterprises addressed this by disabling that local admin account, whether in the image or through Group Policy, and then they allowed groups of AD-based users to be local admins, i.e. members of the local Administrators group on those machines. This raises a couple of tricky points though. Firstly, if you're relying solely on Active Directory users to be able to administer your machines, then if a machine can't contact Active Directory you're pretty stuck when it comes to fixing the machine; you simply won't be able to log on. And also, if you make lots and lots of users administrators on lots and lots of your devices, then if one of those AD-based admin accounts is compromised, the attacker potentially has access to all those other machines and can swiftly escalate their intrusion through your estate.

Another common way of dealing with this was that enterprises made that local administrator account password unique, so that you could re-enable that account rather than having big groups of AD-based users as admins, but not take the risk of an attacker who, you know, might know the password being able to log on to every single machine. However, humans being humans, it was often standard practice to use something memorable, or something that could be guessed from a known value, as the password: the MAC address, the serial number, the computer name, any of the above really, with some added constants. Now this offers slightly more in the way of security, but any attacker getting insight into the variables that make up that local admin password would again have free rein across the environment. So it's been clear for a long time that a more secure answer to this question is required, and this is where an application called LAPS, Local Administrator Password Solution, comes into its own.

Okay, without further ado, I'm going to show you how to deploy LAPS into your environment. Now, the LAPS installer can be downloaded from the link that I'm showing you right here, which is also linked in the description, and it's a single installer, whether for x64 or x86. When you install it, it has four components: there's the LAPS PowerShell extension, the LAPS user interface, the LAPS Group Policy client-side extension, and the LAPS GPO editor templates. Now, the way I would normally deploy it in an environment is shown in this diagram here, which I'm now showing on the screen. So you can see that the PowerShell extension is installed on a DC, the management user interface and the GPO editor templates are on my management desktop, and the GPO CSE gets installed to all of the devices that you want to manage in this way. However, for the purposes of this video I'm actually going to install the PowerShell extension, the management UI and the GPO templates all onto my domain controller, because that's what I'm using as a management desktop, but separate those out as required for your environment. The PowerShell extension needs to go where you're going to run the upgrades to the AD schema from, and the GPO CSE needs to be on all of your managed devices; the other bits you can install as you need to.

So let's get started showing you how to install LAPS. As I said, it's available free from Microsoft, there's no cost associated with it; all you need to get it up and running on your Windows endpoints is basically a functional Active Directory. So let's get going. Okay, if I just browse across to wherever I've saved my LAPS software once you've downloaded it, you'll see there's a number of installers in there for different processor architectures. Obviously we're on x64, so we'll run this one. Now select which parts you need to install. As I said, on my domain controller, which this is, I'm going to install three of the components: I'm going to install the user interface, I'm going to install the PowerShell module, and I'm going to install the GPO editing templates as well. As I said, you can spread those out around different areas if you need to in your environment, but just click on Install, respond to the elevation prompt, and you're done. That's it, it's installed on my domain controller now, and I'll show you how to prepare those bits in just a moment, but obviously you also need to install it on all of your managed endpoints. Right, so obviously for the purposes of this video I'm just showing you installing it onto one managed endpoint; however, if you've got hundreds, if you've got thousands of them, you'll need to deploy it out using something like SCCM, you know, something like that. There are many ways you could deploy it out onto your machines; it supports all the usual MSI switches, so you should be able to get that done no problem. But just for the purpose of this video I'm going to install it on my target endpoint by hand. Now, what you need to install on the managed devices is this: you don't need any of that other stuff, you don't need the user interface, the PowerShell or the GPO templates, you just need the top one, the AdmPwd GPO Extension, which enables LAPS to work on this machine. So just let that run through. That's done there, and it's now installed on our managed endpoint as well. So that's it, that's the installation phase; we can now move on to preparing it.

Right, let's get the prep done so that we can get the LAPS solution working. The first thing we need to do is a little bit of AD work, so I'll just switch across to my domain controller here. The first thing you need to do is identify the OUs and the groups that you want to use, so you need to find out the distinguished name of the organizational unit, and for this you need to turn on Advanced Features in AD Users and Computers, like I've just done. Then you need to find the distinguished name of the organizational unit that you want to manage through LAPS. Now, you may have lots of these, but I've just got one, so if I drill down through my Workstations OU it's this one here, the Workers OU, that I want to manage through LAPS. So if you right-click on that, choose Properties, go to Attribute Editor and find the distinguishedName attribute, which is here, I literally just copy that out and I'll pop it in a Notepad window so I can reference it later. What you also need is an Active Directory group of users who can then manage that particular OU in LAPS, who can read the password and set the password. So if I look in my security groups here, I've got a group I've already created called LAPS Users, and I've put one of my test users in there; those are the users in that group who are going to be able to manage the passwords on that OU. Now, you may have many different OUs you want to manage, and obviously once you manage an OU it manages all the machine accounts under that OU, even in sub-OUs, and you may want specific groups of machines to be LAPS-managed by specific groups of users, so map all of them out at this point and make a note of them.

Right, the next thing: we need to make an extension to the Active Directory schema for this to work. Now, if you're in a production environment, make sure you do this through proper testing and change control; I'm not going to be held responsible for you breaking a production Active Directory in this way. Even if you're in a lab environment, take a snapshot. So you need to run an administrative Windows PowerShell instance, and what you also need to do is quickly check in AD Users and Computers that the user you're running this PowerShell as is a member of the Schema Admins group. I'll check my Schema Admins group; my admin account's already in there, so I'm good, but if you're not, make sure you add yourself in and then log out and log back in. Now, the first thing you need to do is import the required module to make the schema extension, so if you type Import-Module AdmPwd.PS you should get a response there without any errors. Next you need to run Update-AdmPwdADSchema. Run that, and this will update your Active Directory schema with the new attributes; if it's successful you will see a status of Success in there. So that's the first part done: you've extended the Active Directory schema.

Next, what we need to do is make sure that no users have what are called extended rights on any of the OUs that we're trying to manage. You can identify this by typing in a command and putting in the names of the OUs that you're targeting, which is why I got myself the distinguished name of the OU earlier, which makes it handy; so I'm just going to copy that out for posterity now. So the command you need to type here is Find-AdmPwdExtendedRights, I think that's it, -Identity, and in there, inside quotes, paste that distinguished name, and pipe this to Format-Table as well. Run that command. Now, what you should see here if everything's okay is that it says groups like Domain Admins have authority; that's okay, Domain Admins being able to read extended rights. However, if there are any other users or groups listed there, what you will need to do is run a console called ADSI Edit (adsiedit.msc). Expand that up, right-click here, choose Connect to, click OK, and scroll down until you find the organizational unit that you're working with, so I was in Devices, Workstations, Cyrix, and it was called Workers. Right-click on this and choose Properties, and what we are looking at is the Security tab. If there are any other users or groups appearing in that PowerShell output apart from Domain Admins or other admin groups that you may have added in there, find them in here, look in Advanced; so if for instance it showed another group, say Print Operators, click on that one, click on Edit, and what you would need to remove is this one here, "All extended rights": make sure that it's unchecked and propagated properly. But you'll only need to do that if something shows up in there that you weren't expecting. Right, so then you can close ADSI Edit down and you're done with that, but as I said, only if something shows up in that PowerShell output that doesn't look right.

Next we need to run another bit of PowerShell, and this command is required so that the machines can actually update their own passwords and the timestamps of those password changes in AD. So what you need to do is, remember this command, it's Set-AdmPwdComputerSelfPermission, then you have a flag -OrgUnit, and then open your quotes and paste in that distinguished name, which is something I was quickly doing in the meantime; switch back here and copy that again, pop that in there, and once that is done simply press Enter and it should come up with a status of Delegated, which means it's successful.

Right, finally, the final bit of PowerShell: we need to do another couple of commands, the commands that delegate the authority to read or reset the password. You can mix things up if you want, but we're going to do them both for the same group. So Set-AdmPwdReadPasswordPermission is the first one, -OrgUnit and paste that in there, but also on the end here put a flag called -AllowedPrincipals, like that, and in here pop in the name of the group that we also specified earlier. So this is telling it to set read permission on that organizational unit and apply it to that group; again, it should say Delegated if it's successful. And finally, the next one is reset password permission; instead of typing all that in again I'll just edit the command here and literally change Read to Reset, so to give reset password permission on the machines in that organizational unit to that group, simply press Return there. Obviously, if you want to have different groups that can read and different groups that can read and reset, you can mix that bit up, but just for posterity we've applied the read and the reset permission to one group on one OU. So that's all of the Active Directory side work done; we should now be ready to move on to configure the group policies that drive this.

The next bit that we need to do is simply set up some Group Policy Objects which will deliver the LAPS configuration settings down to the machines that we want to manage. Now, a quick word before you get started: when you install the GPO admin template, it pops these in the local C:\Windows\PolicyDefinitions folder on that machine, which should work for most people, but if, like me, you're using a Group Policy central store, don't forget to copy the ADMX and the ADML files across to your Group Policy central store as well. Once you've done that, if you go into the Group Policy Management Console and drill down to the OU that you want to set up LAPS management for, which in my case is the Workers one, create a GPO in the domain and link it here, call it whatever it needs to be called, and then if you edit this Group Policy Object you should see that under Policies, Administrative Templates, you now have a folder called LAPS which has four settings in it. That's all there is: four settings that drive the LAPS configuration.

Now, the number one setting that you need to turn on is this one, Enable local admin password management; this actually turns LAPS on, so make sure that's actually turned on, or LAPS isn't going to work at all. You then have an option called Password Settings, which is a very handy one: it lets you set the complexity, the length and the maximum age of the password. Now, in my environment I like to knock this up to 15; you do it however you want. And I like to set the maximum password age to one; therefore, if a password is compromised for whatever reason, its maximum lifespan on each machine is only 24 hours at the most. That's the way I like to configure that. Now, if you're in an environment where you've changed the name of the administrator account, for instance you might have disabled the built-in one or renamed it, or both, then you need to put in here what the actual name of the administrator account is. On mine it's "admin", rather bizarrely; not really a very clever one, but there you go. Only do that when you've actually renamed it, so that's one of these settings you may not need to set up. And finally this one, Do not allow password expiration time longer than required by policy: when a user goes into LAPS and checks out a password, they can pick a length of time for that password to be reset once they've finished with it, and they could set it to a very long time, they could say a week or two weeks. If you configure this to Enabled, the policy that you set for the maximum password length (don't forget I've got that set to one day) means a user would never be able to configure more than one day's worth of checking out of an admin password. So I always find it's very handy to turn that one on as well. So now when a user logs into LAPS, if they can see the password, they can, but then they can only use it for a maximum of 24 hours before that password's reset and they have to go back into LAPS and check it out again. So that's how you set all of the Group Policy Objects for that.

Now, if I quickly jump across to my managed machine here and quickly run a gpupdate, what should happen is that those policies should be brought down to this machine and they will then be active, and we'll be able to see that the machine is actually being managed by LAPS. So let's let that complete and we'll pick that up again in a second. Now that Group Policy update's completed, those policies should be done on all of our target devices, all of them. We're now going to switch back to our domain controller, if you remember, where we installed the LAPS user interface, and we're going to see if the users can see the passwords in there. Now, first of all I'm actually going to run the LAPS UI as a different user, I'm going to run it as a user that doesn't have access. Right, so when I run the LAPS UI, the target machine we have is called dt004; what we see is when the password expires, right, we can read that attribute, but we can't see the password itself, so that user doesn't have any access to the local admin passwords: they can't check it out, they can't reset it. Now, if I then go and run the LAPS UI as the user who was actually in the group that we gave access to by that PowerShell, so if we run it as this user and this time we type in dt004, you should see that this time there is a password there that the user can check out; they can take it, and then they can choose to set the password, as I said, a maximum of 24 hours in the future; so that's the standard one. So the user can then take that password and use it for 24 hours to get local admin access to that machine. Now, the idea is that you would stop adding great big groups of users into the local Administrators group; users would still have an admin account that they used for things like Active Directory work and things like that, but with respect to actually going on to an end-user workstation, they would simply check out that local admin password, which is then valid for 24 hours, to get their work done.

So one final bit I should mention: we've got LAPS up and running, but in a secure environment it's always useful, when a user checks a password out, to audit that and then save that using some sort of SIEM tool, so that we can understand what's going on in case there actually is a breach. So the final thing that I'd recommend doing is run another bit of PowerShell, and this is Set-AdmPwdAuditing; in fact, let's spell auditing correctly as well, that'll be handy: Set-AdmPwdAuditing, -OrgUnit as the parameter again, again copy the OU that you want to do the auditing on, so pop that in there in between the quotes like so, and also add another parameter there, -AuditedPrincipals, and this tells it which group you're going to audit as well, so I'm putting in "LAPS Users", which I know is the name of that group. Press Return there and you see it now says Delegated. What will happen now is that every time a user checks the password out it will write an event to the Security log with a 4662 event ID showing that the password was checked out, and you can now track that. So if you do have a breach and you need to track back, that's where you would go to do it.

So there you go, that's just over 20 minutes I think, probably under 20 minutes if you take out my bit of introduction at the beginning, to get LAPS set up and running in your environment, and that's a very good thing to do to improve your security posture right across the board and improve your pen testing results. Thanks very much for watching. Also thanks to Rory Monahan and everybody who subscribed from the EUC community to get me over a thousand subscribers, which is a great achievement, so thank you very much to all of those people, and hopefully now that I have got over a thousand subscribers I'll be able to do much more content and hopefully many more things that you're interested in. Thank you very much.
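The AD-side preparation the video walks through (module import, schema extension, extended-rights check, computer self-permission, read/reset delegation and auditing), collected into one PowerShell session as an added example. This is not the video's own script and not Microsoft's documentation; it is written from the steps above. The OU distinguished name is a placeholder to be replaced with the value copied out of AD Users and Computers, the group name "LAPS Users" and the computer name "dt004" are the ones used in the video, and the final verification step assumes the RSAT ActiveDirectory module is available alongside AdmPwd.PS.

```powershell
# Added example, not the video's own script. Run in an elevated PowerShell on a
# machine with the LAPS PowerShell module installed, as a user who is a member
# of Schema Admins (schema step) and Domain Admins (delegation steps).

$OrgUnit   = 'OU=Workers,OU=Workstations,OU=Devices,DC=example,DC=com'  # placeholder DN: replace
$LapsGroup = 'LAPS Users'                                               # group name from the video

# 1. Load the module shipped with the LAPS installer.
Import-Module AdmPwd.PS -ErrorAction Stop

# 2. Extend the schema with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
#    One-time, forest-wide and not reversible: take the snapshot first.
Update-AdmPwdADSchema | Format-Table -AutoSize

# 3. List who holds "All extended rights" on the OU. Any principal listed here
#    other than your admin groups can read the clear-text password attribute,
#    so review the list (and fix it in ADSI Edit) before delegating.
$holders = Find-AdmPwdExtendedRights -Identity $OrgUnit
$holders | Format-Table ObjectDN, ExtendedRightHolders -AutoSize
$unexpected = $holders.ExtendedRightHolders |
    Where-Object { $_ -notmatch 'Domain Admins|Enterprise Admins|SYSTEM' }
if ($unexpected) {
    Write-Warning "Unexpected extended-rights holders on $OrgUnit : $($unexpected -join ', ')"
}

# 4. Let each computer in the OU write its own password and expiry timestamp.
Set-AdmPwdComputerSelfPermission -OrgUnit $OrgUnit

# 5. Delegate read and reset to the management group. The video uses the same
#    group for both; use two groups here if your model separates them.
Set-AdmPwdReadPasswordPermission  -OrgUnit $OrgUnit -AllowedPrincipals $LapsGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $OrgUnit -AllowedPrincipals $LapsGroup

# 6. Audit every read of the password attribute by that group. Each read
#    surfaces as event ID 4662 in the Security log of the DC that served it.
Set-AdmPwdAuditing -OrgUnit $OrgUnit -AuditedPrincipals $LapsGroup

# 7. After the GPO has applied and the client has run gpupdate, confirm the
#    client populated its attributes. ms-Mcs-AdmPwdExpirationTime is a FILETIME;
#    a value in the past means the next policy refresh will rotate the password.
#    (Assumes the RSAT ActiveDirectory module for Get-ADComputer.)
$ComputerName = 'dt004'   # endpoint name from the video
Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Select-Object Name,
        @{ n = 'PasswordExpires'
           e = { [DateTime]::FromFileTime([int64]$_.'ms-Mcs-AdmPwdExpirationTime') } }

# Get-AdmPwdPassword returns the same fields the LAPS UI shows. Run it as a
# member of $LapsGroup to confirm the delegation, and as a user outside the
# group to confirm that the Password field comes back empty.
Get-AdmPwdPassword -ComputerName $ComputerName | Format-List
```

Step 3 is the one worth pausing on: the delegation cmdlets grant read on ms-Mcs-AdmPwd, but any principal that already holds "All extended rights" on the OU can read it without being in the group, and that is exactly what the Find-AdmPwdExtendedRights output and the ADSI Edit fix in the video are for. Running step 7 twice, once before and once after gpupdate on the endpoint, is a quick way to prove the client-side extension actually set a password rather than just the GPO having applied.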
Info
Channel: James Rankin
Views: 3,271
Id: J8MePQZOMY8
Length: 21min 2sec (1262 seconds)
Published: Wed Mar 10 2021