Do you have a standard password for all local Administrator accounts? Can you say that you know or have documented all the local Administrator account passwords on your servers and workstations? The local Administrator account is a great way to log on to a computer when the Active Directory Domain is not available, but having a standard password isn’t a very good idea and maintaining a secure list of passwords isn’t a good use of your time.
One of the programs that I recommend my clients use to secure their local Administrator accounts and get themselves out of the password maintenance business is the Local Administrator Password Solution (LAPS) tool from Microsoft.
LAPS manages and rotates passwords for local Administrator accounts on domain-joined servers and workstations that are configured for management. Using Group Policy extensions, LAPS sets and manages these passwords, which are securely stored in attributes on the Active Directory computer objects. The passwords are unique, randomly generated, and complex. When needed, users with the proper access level can retrieve these passwords through the LAPS UI or the PowerShell cmdlet Get-AdmPwdPassword.
Even if you follow best practices and rename your local Administrator accounts, LAPS can still handle password management for you. In the settings, you can configure the name of the account that LAPS looks for, so if you change the account name to Admin or HumptyDumpty, LAPS can still manage the password. Combining LAPS with the practice of renaming local Administrator accounts makes these passwords much easier to manage and secure.
Passwords are retrieved through the LAPS UI tool shown below. Users with proper access rights to the target computer account can enter a computer name, press Search, and view the password. You can also highlight and copy the password directly from the UI.
Downloading and understanding how to use LAPS is easy. The LAPS Microsoft site contains links to the installation bits as well as the Operations Guide and other technical documentation. Once installed and configured, you will have access to the Group Policy Settings as seen here:
The LAPS Group Policy settings let you control password complexity and password change frequency as seen below.
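Because LAPS records each password's expiration time in an attribute on the computer object, you can check which machines are actually being rotated on the schedule you set. The script below is an added example, not part of the LAPS download or the original article. It assumes the legacy Microsoft LAPS attribute name ms-Mcs-AdmPwdExpirationTime; the function name Get-LapsState, the sample computers, and the OU in the commented query are constructed placeholders.

```powershell
# Added example: classify computers by LAPS rotation state.
# Assumption: legacy Microsoft LAPS, which stores the password expiry as a
# FILETIME in the ms-Mcs-AdmPwdExpirationTime attribute of each computer object.

function Get-LapsState {
    param(
        [Parameter(Mandatory)] $Computer,
        [Parameter(Mandatory)] [datetime] $AsOfUtc
    )
    $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
    if ($null -eq $raw) {
        # No expiry recorded: LAPS has never set a password on this machine
        return [pscustomobject]@{ Name = $Computer.Name; State = 'NotManaged'; ExpiresUtc = $null }
    }
    $expires = [datetime]::FromFileTimeUtc([int64]$raw)
    $state   = if ($expires -lt $AsOfUtc) { 'Overdue' } else { 'Current' }
    [pscustomobject]@{ Name = $Computer.Name; State = $state; ExpiresUtc = $expires }
}

$now = (Get-Date).ToUniversalTime()

# Constructed sample objects so the script runs without a domain.
$computers = @(
    [pscustomobject]@{ Name = 'WS-001';  'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(12).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-002';  'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-45).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SRV-010'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
)

# Against a real domain, replace the sample with a query such as the one
# below (requires the ActiveDirectory module; the OU is a placeholder):
# $computers = Get-ADComputer -Filter 'Enabled -eq $true' `
#     -SearchBase 'OU=Workstations,DC=example,DC=com' `
#     -Properties 'ms-Mcs-AdmPwdExpirationTime'

$report = $computers | ForEach-Object { Get-LapsState -Computer $_ -AsOfUtc $now }

# Summary counts, then the machines that need attention
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object State -ne 'Current' | Sort-Object State, Name | Format-Table -AutoSize
```

An Overdue result often just means the machine has been offline past its rotation date, while NotManaged points to a computer that has never processed the LAPS policy or an account running the script that cannot read the attribute.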
As you can see, LAPS is a very useful tool that can help protect your environment from unauthorized access, lateral movement, and privilege escalation, and it should be added to your security arsenal. For more information on how to properly implement LAPS, consult the Microsoft documentation or reach out to us here at ZAG Technical Services.