Microsoft LAPS is one of the most effective ways to protect administrator passwords and prevent unauthorized users from accessing systems or data that they shouldn’t. Microsoft’s Local Administrator Password Solution — or LAPS for short — is a password management feature that randomizes administrator passwords across a single domain.
Without a tool like LAPS, a compromise of one administrator’s password could potentially lead to all others being exposed or stolen. By forcing all administrators to have unique passwords that change periodically, companies avoid users simply standing pat with their default passwords, or having passwords overlapping in the system.
In this article, we’ll cover the basics of Microsoft LAPS and installation requirements. We’ll also explain how to install LAPS and ensure it operates securely within your business and IT systems.
- What is Microsoft LAPS
- Requirements for Installing LAPS
- How to Setup Microsoft LAPS
- How to Ensure LAPS is Secure
- Microsoft LAPS FAQs
What is Microsoft LAPS
Microsoft LAPS is a product that manages local administrator passwords, storing them in Active Directory (AD) together with the permissions that govern who may read them. LAPS automatically randomizes and updates passwords on a routine basis, so that no two users ever have the same passwords and that passwords don’t become stale and more vulnerable to hacking. Prior to LAPS, many system administrators either used the same password across the domain, or similar naming conventions that made the entire system more vulnerable.
In short, Microsoft LAPS ensures that all the devices and users throughout your system have unique, strong passwords to prevent data breaches or unauthorized logins.
Requirements for Installing LAPS
Microsoft LAPS has several key technical requirements necessary for installation. First, you’ll need the .NET Framework 4.0 and PowerShell 2.0 at a minimum. You’ll also need to be running Windows Server 2003 SP1 or higher, which is where LAPS will manage the local administrator password. And on all desktop systems, you need to be running Windows Vista SP2 or higher.
With regard to your Active Directory environment, you’ll also need to be running Windows Server 2003 SP1 or higher. Moreover, LAPS requires a schema update to support the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes. Those attributes store the local administrator password and its expiration time, respectively.
If you’ve been keeping your Microsoft technology stack current and up-to-date, you should have minimal issues meeting the minimum requirements for installing LAPS.
How to Setup Microsoft LAPS
After installation, Microsoft LAPS can be set up in just a few simple, linear steps.
1. Validate Your Components
The first thing to do is to ensure that you have all of your LAPS components ready for use. This includes the fat client UI, the PowerShell module, the Group Policy templates, and the AdmPwd GPO extension. While you may not need all of those specific features, most management consoles require one or more of those components prior to LAPS setup.
2. Extend Active Directory Schema
Extending the AD schema allows your systems and network to accommodate LAPS. You can do this using the Microsoft PowerShell module that ships with LAPS. The two main attributes you need to add to the schema are ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. These two attributes store the administrator password and its expiry time.
3. Configure Password Settings
Once you’ve extended the AD schema, it’s time to configure LAPS password settings. By navigating to Password Settings, you can configure things like password complexity, length, and expiration date that LAPS will use to generate new passwords. This is a critical step in ensuring that your LAPS passwords are complex enough and changed frequently.
4. Apply Access Permissions
Now you’ll need to ensure that only the right people have access to LAPS settings and passwords. You’ll want to name the administrator that will manage the account, enter their information and enable their access. You also have the option of utilizing the default administrator account and details that come with every LAPS install.
5. Group Policy Configuration
Your AD is now ready to store and receive passwords and the correct permissions have been assigned. The final main step to LAPS installation is creating a group policy to configure the LAPS client component. Simply open the Group Policy Management Editor, select “Create a Group Policy Object,” and give it a meaningful name.
You’re now ready to essentially let LAPS do its thing. The system will generate and change passwords based on your specified complexity and time intervals based on your group policy and administrative settings. And only the administrators you designate will be able to access LAPS and make changes.
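The five steps above, carried out from PowerShell instead of the GUI, as an added example that is not part of the original article. It assumes the legacy LAPS AdmPwd.PS module and the GroupPolicy module are installed on the management host; the OU path, group names and GPO name are placeholders to replace with your own, and the schema step needs Schema Admin rights.

```powershell
# Added example (not from the article): end-to-end legacy LAPS setup with the
# AdmPwd.PS and GroupPolicy modules. OU, domain, group and GPO names are
# placeholders; run the schema step as a Schema Admin.
Import-Module AdmPwd.PS
Import-Module GroupPolicy

$workstationOU = "OU=Workstations,DC=corp,DC=example"   # placeholder OU
$readers       = "CORP\LAPS-Password-Readers"           # placeholder group
$resetters     = "CORP\LAPS-Password-Resetters"         # placeholder group

# Step 2: extend the schema (adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).
Update-AdmPwdADSchema

# Step 4a: let each computer in the OU write its own password and expiry time
#          (SELF gets write access to the two attributes, nothing more).
Set-AdmPwdComputerSelfPermission -OrgUnit $workstationOU

# Step 4b: grant read and reset rights only to the designated groups.
Set-AdmPwdReadPasswordPermission  -OrgUnit $workstationOU -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $workstationOU -AllowedPrincipals $resetters

# Steps 3 and 5: create a GPO carrying the client-side extension's password
# settings (these live under the AdmPwd policy key) and link it to the OU.
$gpo = New-GPO -Name "LAPS - Workstations"
$key = "HKLM\Software\Policies\Microsoft Services\AdmPwd"
$settings = @{
    AdmPwdEnabled                  = 1    # turn the CSE on
    PasswordComplexity             = 4    # upper, lower, digits and specials
    PasswordLength                 = 20
    PasswordAgeDays                = 30
    PwdExpirationProtectionEnabled = 1    # reject expiry dates beyond the policy
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName $name `
        -Type DWord -Value $settings[$name] | Out-Null
}
New-GPLink -Name $gpo.DisplayName -Target $workstationOU | Out-Null

# Verification: list who can read the password attribute on objects in the OU.
Find-AdmPwdExtendedRights -Identity $workstationOU |
    Select-Object ObjectDN, ExtendedRightHolders
```

The final listing is the one to review before rollout: any principal shown there that is not one of your designated groups can read every managed password in that OU.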
How to Ensure LAPS is Secure
You can implement several measures and tools to ensure that LAPS is secure and that none of your passwords or system access is compromised.
PowerShell Permission Scripts
Because installing LAPS adds new attributes to your system, you’ll want to double-check that access permissions to those attributes are correctly applied. You only want to grant access to the ms-Mcs-AdmPwd attribute to users that need it. Thankfully, permission scripts are widely available that check current attribute access and automatically apply new permissions where needed.
Remove “All Extended Rights” Permissions
It’s also wise to remove the “All Extended Rights” permission that exists by default in LAPS. Removing this permission will prevent users and groups from viewing the passwords of local administrator accounts from unauthorized devices. Because the password is stored as a clear-text attribute in Active Directory, removing extended permissions prevents people from accidentally stumbling upon passwords.
Locking Password Reset Permissions
In LAPS, certain users are allowed the capability of resetting passwords. Upon installation and setup, you’ll want to ensure that password reset permission is locked only to the local administrator. The ability to reset passwords should be strictly limited in any scenario, and Microsoft LAPS is no exception.
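The three checks above (confirm who can read ms-Mcs-AdmPwd, find holders of “All Extended Rights”, and keep the grant list tight) as one audit-and-remediate script. This is an added example, not the article's or Microsoft's own script; it assumes the ActiveDirectory and AdmPwd.PS modules, and the OU path and allow-listed group names are placeholders.

```powershell
# Added example (not from the article): audit and tighten who holds
# "All Extended Rights" (which implicitly exposes ms-Mcs-AdmPwd) on a LAPS OU.
# OU path and group names are placeholders; run with rights to edit the OU ACL.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ou = "OU=Workstations,DC=corp,DC=example"          # placeholder OU
# Principals that are meant to read or reset LAPS passwords.
$allowed   = @("CORP\Domain Admins", "CORP\LAPS-Password-Readers", "BUILTIN\Administrators")
$builtinOk = @("NT AUTHORITY\SYSTEM", "NT AUTHORITY\SELF")
$dryRun    = $true                                  # set $false to apply changes

# 1. Report: every OU and computer object under $ou and each unexpected
#    principal that holds extended rights on it.
$findings = Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers |
    ForEach-Object {
        $dn = $_.ObjectDN
        $_.ExtendedRightHolders |
            Where-Object { $_ -notin ($allowed + $builtinOk) } |
            ForEach-Object { [pscustomobject]@{ Object = $dn; Holder = $_ } }
    }
$findings | Format-Table -AutoSize

# 2. Remediate: strip only explicit, blanket "All Extended Rights" allow ACEs
#    from unexpected trustees on the OU itself. Attribute-scoped grants (those
#    with a non-empty ObjectType GUID) and inherited entries are left alone.
$acl = Get-Acl -Path "AD:\$ou"
$toRemove = $acl.Access | Where-Object {
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq [guid]::Empty -and            # empty GUID = all extended rights
    $_.AccessControlType -eq "Allow" -and
    -not $_.IsInherited -and
    $_.IdentityReference.Value -notin ($allowed + $builtinOk)
}
foreach ($ace in $toRemove) {
    Write-Host "Removing All Extended Rights for $($ace.IdentityReference) on $ou"
    [void]$acl.RemoveAccessRule($ace)
}
if ($toRemove -and -not $dryRun) { Set-Acl -Path "AD:\$ou" -AclObject $acl }
```

Run it with $dryRun left at $true first and compare the report against the groups you granted read and reset rights to; anything else listed is a principal that can read or reset local administrator passwords without having been given that role.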
Administrator Training and Awareness
On an organizational level, you should also conduct administrator training sessions on how to install, configure, and use LAPS securely. As with any new software or technology rollout, it’s critical that administrators are aware of potential vulnerabilities in LAPS and how to prevent unauthorized users from viewing passwords or altering settings by accident.
Integrated Approach to Data Security
The proper configurations shouldn’t be your only line of defense against LAPS compromise. You should also strongly consider implementing some form of threat detection and response software that will alert you to unauthorized access or users. It should be part of a much broader data protection platform you use to safeguard LAPS and all other aspects of your IT ecosystem.
Microsoft LAPS FAQs
Below are a few common questions and topics surrounding Microsoft LAPS, how it works, and the level of security.
Is Microsoft LAPS secure?
Yes. As long as permissions are locked down in the attributes of the Active Directory, Microsoft LAPS is extremely secure. Any systems or software can be targets for hackers, but with the proper precautions and setup LAPS is a secure product.
What is LAPS in computing?
From a purely technical standpoint, the Microsoft LAPS solution is a Group Policy Object client-side extension (CSE) designed for ongoing password security. It operates through the Active Directory of your system, generating new passwords on a regular basis.
What is Microsoft LAPS used for?
Microsoft LAPS is used in order to prevent stale, duplicate, or overly simplistic passwords. These situations leave systems vulnerable to either intentional or accidental data breaches. LAPS ensures that passwords change regularly and are adequately complex.
How much does LAPS cost?
Nothing. LAPS can be downloaded for free directly from Microsoft’s website and is a tool the company provides to Windows and enterprise users as an added password security measure. Your only cost is time and resources spent installing, configuring, and managing LAPS.
Closing Thoughts
Stale and duplicate passwords traditionally present enormous vulnerabilities to IT data security. Microsoft LAPS is a fantastic tool to ensure neither of these is an issue on an ongoing, automated basis. By installing LAPS — and limiting permissions only to authorized administrators — you can ensure that users will never gain unauthorized access to your system with old passwords.