In May 2015, Microsoft presented Local Administrator Password Solution (LAPS) in the Security Advisory 3062591. LAPS is a mitigation against lateral movement attacks, as each system has a different randomly generated password for a defined local administrator account. We explained the use of LAPS as well as advantages and disadvantages in a article in 2017. A few years later, Microsoft releases an improved version called Windows LAPS with the security update April 2023. The first version is renamed Legacy LAPS.

Windows LAPS is natively integrated into the operating system and no longer needs to be installed via an MSI package. Updates are thus distributed via the usual update channel. LAPS now supports encrypted passwords and the use of the Azure Active Directory (AAD). Passwords in the AAD are retrieved via Microsoft Graph and access rights are managed with Azure Role-Based Access Control (Azure RBAC) policies. Password management is done through the Azure Portal and policies are distributed using Intune. On 21 April 2023, AAD support for LAPS was released as a Public Preview.

In the article, we describe the new functions of Active Directory integration, the encryption of passwords, the use of LAPS and what to consider when migrating from legacy LAPS. The use of LAPS in Azure Active Directory is not part of the article.

Active Directory

Microsoft developed new functions for use in an Active Directory infrastructure. The username and password are now stored in an attribute in the AD object. This attribute can now also be stored in encrypted form, which was one of the most requested functions in legacy LAPS. It is also possible to configure a password history to retrieve old passwords. This is useful when a system has been restored from a backup. If a LAPS account has been used on a system, the password can be automatically rotated afterwards to minimise the risk if the password was compromised during the operation.

Besides the native integration into the operating system, new group policy settings and the integration into the AD management tools have been implemented. LAPS now has its own event log channel. In addition to managing local administrator accounts, LAPS can also be used to rotate passwords for Directory Services Restore Mode (DSRM).

A demonstration of LAPS is shown in the video Managing local admin account passwords in AD and Azure AD by Microsoft’s Jay Simmons.

Windows LAPS requires Windows 10, 11 and Windows Server 2019, 2022 as well as the Domain Functional Level (DFL) Windows Server 2016 and the installation of the Security Update April 2023.

Password Encryption

In legacy LAPS, the password was stored unencrypted in the AD object under the attribute ms-Mcs-AdmPwd. By setting an ACL, access to this attribute could be restricted to authorised users and groups. In the new version, Microsoft implemented encryption for storing the passwords.

The documentation Key concepts in Windows LAPS describes the encryption function only briefly. The Cryptography API: Next Generation Data Protection API (CNG DPAPI) is used. LAPS only supports encryption against an AD security principal (user or group) and is based on the AES-256 method. The principal can be defined via GPO, by default it is the group Domain Admins. The encryption process takes place on the client, the encrypted blob is stored directly in the msLAPS-EncryptedPassword attribute.

According to Microsoft, the key material is stored on domain controllers and replicated via AD. Our assumption is that Microsoft uses the same principle for Windows LAPS as for Managed Services Accounts (gMSA) and uses Key Distribution Services KDS Root Keys for this. The procedure is explained in detail by Microsoft’s Windows and authentication specialist Steve Syfuhs in the article How Managed Service Accounts in Active Directory Work.

Jordan Borean, Senior Software Engineer at Red Hat, is working on a LAPS decryption project, which may provide further insight into the functionality. He publishes his work on GitHub in the repository sansldap. Further research was conducted by Adam Chester, he also published a proof of concept on GitHub.

Windows LAPS in Action

The introduction of LAPS is documented by Microsoft in the article Get started with Windows LAPS and Windows Server Active Directory.

Installation and Configuration

The basic requirement is the installation of the Security Update April 2023. Since Windows LAPS uses new AD attributes, a schema extension is necessary. The PowerShell cmdlet Update-LapsADSchema can be used for this. The schema extension is documented under Windows LAPS schema extensions reference.

For the roll-out of LAPS, an organizational unit (OU) needs to be defined and the LAPS clients need to be granted permission to self-manage their AD object. The cmdlet Set-LapsADComputerSelfPermission can be used for this task.

PS C:\Windows\system32> Set-LapsADComputerSelfPermission -Identity 'OU=t2_Workstations,OU=Systems,OU=scip-red.ch,DC=lab,DC=scip-red,DC=ch'

Name            DistinguishedName
----            -----------------
t2_Workstations OU=t2_Workstations,OU=Systems,OU=scip-red.ch,DC=lab,DC=scip-red,DC=ch

The ACL for access to the LAPS attributes is essential for the security of LAPS. The cmdlet Find-LapsADExtendedRights can be used to check who has access to the attributes. By default, this is the Domain Admins group.

PS C:\Windows\system32> Find-LapsADExtendedRights -Identity 'OU=t2_Workstations,OU=Systems,OU=scip-red.ch,DC=lab,DC=scip-red,DC=ch'

ObjectDN                                                              ExtendedRightHolders
--------                                                              --------------------
OU=t2_Workstations,OU=Systems,OU=scip-red.ch,DC=lab,DC=scip-red,DC=ch {NT AUTHORITY\SYSTEM, LAB\Domain Admins}

After the installation and the rights assignment, a policy must be created. The settings can now be found under Administrative Templates\System\LAPS. First, the setting Configure password backup directory defines where the passwords are stored, in AD or AAD – both are not possible.

Other settings include the use of password encryption, the definition of the security principal who may decrypt passwords, the name of the user to be managed, settings for password complexity and length of history. The group policy settings are documented under Configure policy settings for Windows LAPS.

Usage

In the first step, LAPS was activated, and encryption function was deliberately deactivated. On the client, the policy was rolled out and the first LAPS password was set. The user has the LAPS access rights and can read out the password via the cmdlet Get-LapsADPassword. With the parameter AsPlainText the password is returned in plain text, by default it is returned as Secure String.

PS C:\> Get-LapsADPassword -Identity client01 -AsPlainText

ComputerName        : CLIENT01
DistinguishedName   : CN=CLIENT01,OU=t2_Workstations,OU=Systems,OU=scip-red.ch,DC=lab,DC=scip-red,DC=ch
Account             : LapsAdmin
Password            : W1MH0B97/Aro&qpVR77;{Xj74Y9U}9o7
PasswordUpdateTime  : 4/12/2023 2:18:40 PM
ExpirationTimestamp : 5/12/2023 2:18:40 PM
Source              : CleartextPassword
DecryptionStatus    : NotApplicable
AuthorizedDecryptor : NotApplicable

The attributes for the expiry date and the credentials are now stored in the AD for the client:

msLAPS-Password: {"n":"LapsAdmin","t":"1d96d38ea49092f","p":"W1MH0B97/Aro&qpVR77;{Xj74Y9U}9o7"}; 
msLAPS-PasswordExpirationTime: 5/12/2023 2:18:40 PM W. Europe Daylight Time; 

As mentioned, the username is now also saved. The password is visible in plain text in the attribute msLAPS-Password. Now the policy will be adjusted so that the password is encrypted and can only be decrypted by the security principal LAB\laps_admins. When querying via PowerShell, the source is now set to EncryptedPassword.

PS C:\> Get-LapsADPassword -Identity client01 -AsPlainText

ComputerName        : CLIENT01
DistinguishedName   : CN=CLIENT01,OU=t2_Workstations,OU=Systems,OU=scip-red.ch,DC=lab,DC=scip-red,DC=ch
Account             : LapsAdmin
Password            : h460}65,O02wI[}9hv05$#!Z]1/DvN5]
PasswordUpdateTime  : 4/12/2023 2:20:59 PM
ExpirationTimestamp : 5/12/2023 2:20:59 PM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : LAB\laps_admins

In the AD object itself, the attribute msLAPS-Password was removed and replaced by msLAPS-EncryptedPassword. The encrypted blob is stored in this attribute.

msLAPS-EncryptedPassword: <ldp: Binary blob 1312 bytes>; 
msLAPS-EncryptedPasswordHistory: <ldp: Binary blob 1312 bytes>; 
msLAPS-PasswordExpirationTime: 5/12/2023 2:20:59 PM W. Europe Daylight Time; 

The group LAB\laps_admins has the right to decrypt the password. In this example, the group Domain Admins is not a member of this group. Therefore, it is not possible to decrypt the password as a domain administrator:

PS C:\Windows\system32> Get-LapsADPassword -Identity client01 -AsPlainText

ComputerName        : CLIENT01
DistinguishedName   : CN=CLIENT01,OU=t2_Workstations,OU=Systems,OU=scip-red.ch,DC=lab,DC=scip-red,DC=ch
Account             :
Password            :
PasswordUpdateTime  : 4/12/2023 2:20:59 PM
ExpirationTimestamp : 5/12/2023 2:20:59 PM
Source              : EncryptedPassword
DecryptionStatus    : Unauthorized
AuthorizedDecryptor : LAB\laps_admins

The decryption fails and the status is returned as Unauthorized. With the definition of the security principal for the password decryption, a further security layer can be implemented.

Migration

Legacy LAPS migration is not documented at the time of publication. In a comment on the release announcement, Jay Simmons describes the procedure as follows when Legacy LAPS is in use with an additional local account:

• Installation LAPS and schema extension
• Create a new local admin account
• Define new policies for Windows LAPS and use the new account
• Legacy LAPS and Windows LAP can be run in parallel as long as it is necessary to gain confidence in the solution and adjust support processes
• Uninstall Legacy LAPS CSE on the clients
• Delete the original Legacy LAPS account
• Optionally, remove the Legacy LAPS policy settings that are no longer functional from the registry

If LAPS is used for the default administrator account (RID 500), then parallel use is not possible. Therefore, Jay Simmons recommends uninstalling Legacy LAPS CSE on the clients first and then roll out Windows LAPS, a transition period is not possible.

Conclusion

Microsoft has introduced new functions with the new version of LAPS and eliminated the criticism of the lack of encryption. Now it is possible to activate encryption through group policies and define which user or which group is allowed to decrypt a password. If someone gains (unauthorized) access to the LAPS AD attribute, but has no right to decrypt the content, the access alone is useless.

Native integration has made LAPS even easier to use, and support for Azure Active Directory gives cloud-only infrastructures the ability to manage on-premises administrator accounts. LAPS therefore provides a simple way to automate the management of the local administrator account password and should be used in a Windows infrastructure.

About the Author

Michael Schneider has been in IT since 2000. Since 2010 he is focused on information security. He is an expert at penetration testing, hardening and the detection of vulnerabilities in operating systems. He is well-known for a variety of tools written in PowerShell to find, exploit, and mitigate weaknesses. (ORCID 0000-0003-0772-9761)

Links

• https://blog.xpnsec.com/
• https://gist.github.com/xpn/23dc5b6c260a7571763ca8ca745c32f4
• https://github.com/jborean93/sansldap/blob/laps-enc/get_key.py
• https://learn.microsoft.com/de-de/security-updates/securityadvisories/2015/3062591
• https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts
• https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings
• https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory
• https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference
• https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key
• https://support.microsoft.com/en-us/topic/april-11-2023-kb5025239-os-build-22621-1555-5eaaaf42-bc4d-4881-8d38-97e0082a6982
• https://syfuhs.net/how-managed-service-accounts-in-active-directory-work
• https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blogintroducing-windows-local-administrator-password-solution-with/ba-p/1942487
• https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/160485#profile
• https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747
• https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/bc-p/3793087/highlight/true#M5375
• https://twitter.com/BoreanJordan/status/1647758906289197056
• https://twitter.com/SteveSyfuhs
• https://www.bloggingforlogging.com/
• https://www.youtube.com/watch?v=jdEDIXm4JgU&t=1229s