Windows LAPS: What can the "new" LAPS do and should I use it?
8881
post-template-default,single,single-post,postid-8881,single-format-standard,bridge-core-3.3.1,,qode-title-hidden,qode-child-theme-ver-1.0.0,qode-theme-ver-30.8.1,qode-theme-bridge,disabled_footer_top,qode_header_in_grid,qode-wpml-enabled,wpb-js-composer js-comp-ver-7.9,vc_responsive

Windows LAPS: What can the “new” LAPS do and should I use it?

The topic of managing local administrator passwords is a real perennial issue in IT security. It is certainly a minor measure, but it is definitely part of “basic hygiene”. One of our most popular blog articles in our (E)SAE Deep Dive series is the article on Microsoft’s Local Administrator Password Solution (LAPS).

A new version of LAPS – Windows LAPS – has been available for some time now. In this article, we want to discuss the new features and shed light on whether it makes sense to migrate to the new version.

Why should LAPS be used in general?

In many companies, the same password is used for the local administrator account on all Windows servers and clients. If, for example, an attacker compromises a single client and gains possession of this password, they automatically have access to all other systems that use this password. This is independent of security gaps or misconfigurations that can be exploited. In addition, these passwords are often known to many employees and often also to former employees of the company or its service providers. This makes it necessary to change the passwords of local admin accounts on a regular basis. This can be done free of charge with Windows LAPS.

What’s new in Windows LAPS?

The new version of LAPS is available on all UPDATED Windows Server 2019 and Windows 10 or higher operating system versions. The basic functionality remains the same. The aim is still to manage the local administrator password. However, we would like to present some new features in detail:

Entra ID / Intune and Active Directory

While the previous version of LAPS could only be used in AD environments, the new version also makes it possible to save local passwords in EntraID. In concrete terms, this means that the password is generated by the local LAPS client and stored either in EntraID or Active Directory, regardless of whether it is a domain computer or a cloud-managed machine. This also means that cloud-managed devices and hybrid devices should only be controlled via Intune and only on-prem systems via GPOs.

Encryption of the password

Instead of relying solely on access control lists (ACLs) to protect passwords, passwords can now be encrypted. Only users who are entered as “ADPasswordEncryptionPrincipal” are allowed to decrypt passwords.

On-premises, this requires at least domain functional level 2016. However, the vast majority of environments should meet this requirement by now. If this is the case, it makes sense to activate password encryption. In EntraID, the passwords are encrypted by default.

In both cases, the LAPS client encrypts the password locally on the machine and transmits the encrypted password to the AD or EntraID.

Password history / Password history

One topic that has been on the minds of many administrators is the password history for a machine. Their wishes have been granted. Up to 12 passwords can be stored in Windows LAPS. The prerequisite is that password encryption is activated.

At this point, it should be noted that the Microsoft documentation can be misleading. It says:

Encrypted password history
“Windows LAPS supports a password history feature for Windows Server Active Directory domain-joined clients and domain controllers. Password history is supported only when password encryption is enabled. Password history isn’t supported if you store clear-text passwords in Windows Server Active Directory.”

Since the text does not mention EntraID or cloud-managed devices, but explicitly mentions domain-joined clients, it can be concluded that only on-prem systems are supported. Fortunately, this is not the case. We have tested it and numerous other articles also describe this functionality in the cloud environment. Nevertheless, we would like Microsoft to update the documentation here.

Automatic response to the use of a password

Thanks to the implementable “PostAuthenticationActions”, it is possible to follow authentication using a password managed by Windows LAPS with a preconfigurable action. For example, you can set the password to be changed automatically one hour after authentication and the account to be logged out.

The following options can be configured:

DSRM-Password Backup

Opinions are divided on the DSRM backup feature. We have had many discussions and most experts are very cautious about this function. But first things first.

First of all, we would like to criticize the Microsoft documentation:

DSRM password support
“Windows LAPS supports backing up the DSRM account password on Windows Server domain controllers. DSRM account passwords can be backed up only to Windows Server Active Directory and if password encryption is enabled. Otherwise, this feature works almost identically to how encrypted password support works for Windows Server Active Directory-joined clients.
Backing up DSRM passwords to Microsoft Entra ID isn’t supported.”

If you read carefully, you will notice that only one backup is mentioned. But how does the DSRM password change? Do I need a separate procedure for this? No, this is not the case. Windows LAPS also rotates the DSRM password and saves it in Active Directory. Just as above, we would like to see clear documentation here.

Why should the feature be used with caution?

The answer is obvious. When do I need my DSRM password? Right, usually when I want to recover the domain. Since the password is stored in the Active Directory, you can no longer access it in case of doubt. Microsoft also points this out and demands that the password should also be stored outside the ad.

Theoretically, of course, you need the password, even if a single domain controller causes problems. I can then access the AD database and read out the current password. It remains to be seen how often this is really needed. It is much more likely that the DSRM password will be used in the first-mentioned total failure, so if you use Windows LAPS to rotate the DSRM password, you must ensure that the password is saved in a password safe immediately after it is changed.

Migration from Legacy LAPS to Windows LAPS: A guide

Migrating from an older version of the Local Administrator Password Solution (LAPS) to the newer Windows LAPS version is an important step to improve the security and management of passwords for local administrator accounts.

Note: In general, a “side-by-side” approach with Windows LAPS and Legacy LAPS running in parallel is possible for testing purposes, but requires more administrative effort, as multiple local administrator accounts must exist (there can only be one version of LAPS that manages one password). In this article, we refrain from this variant.

From our point of view, most companies should switch to the new version. If it is ensured that all machines in the domain support Windows LAPS, Windows LAPS can be rolled out to completely replace legacy LAPS. We will not provide step-by-step instructions at this point. There are numerous good descriptions and also the official MS documentation: Microsoft documentation.

However, there are probably also systems that do not support Windows LAPS. If legacy LAPS must continue to exist in the environment, care must be taken to ensure that you receive the correct LAPS version depending on the version of the operating system.

This is done, for example, when using Windows LAPS with the help of GPOs with the following WMI filters:

GPO WMI-Filter Explanation
Windows LAPS GPOs SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE “10.0%” AND ProductType <> “2”) AND NOT (Version < “10.0.17763”) Systems with Windows Server 2019 and Windows 10 or higher operating system versions should receive the Windows LAPS GPOs.
Legacy LAPS GPOs SELECT * FROM Win32_OperatingSystem WHERE NOT (Version LIKE “10.0%” AND Version >= “10.0.17763”) If the operating system is older than Windows Server 2019 or Windows 10, the legacy LAPS GPO must continue to apply.

Note: Support for legacy LAPS is also linked to the support of the respective operating systems that do not yet support Windows LAPS.

Migrating from an older version of the Local Administrator Password Solution (LAPS) to the newer Windows LAPS version is an important step to improve the security and management of passwords for local administrator accounts.

Note: In general, a “side-by-side” approach with Windows LAPS and Legacy LAPS running in parallel is possible for testing purposes, but requires more administrative effort, as multiple local administrator accounts must exist (there can only be one version of LAPS that manages one password). In this article, we refrain from this variant.

From our point of view, most companies should switch to the new version. If it is ensured that all machines in the domain support Windows LAPS, Windows LAPS can be rolled out to completely replace legacy LAPS. We will not provide step-by-step instructions at this point. There are numerous good descriptions and also the official MS documentation: Microsoft documentation.

However, there are probably also systems that do not support Windows LAPS. If legacy LAPS must continue to exist in the environment, care must be taken to ensure that you receive the correct LAPS version depending on the version of the operating system.

This is done, for example, when using Windows LAPS with the help of GPOs with the following WMI filters:

Note: Support for legacy LAPS is also linked to the support of the respective operating systems that do not yet support Windows LAPS.

Conclusion

Windows LAPS offers interesting new ways to increase the security of the environment. Password encryption, history and automatic actions after a login are useful extensions for password management in any environment. It is also essential that cloud-managed systems are taken into account. We are only critical of the DSRM functionality. Otherwise, we recommend everyone to switch to the new Windows LAPS version.

LATEST POSTS

  • In this article, we give you a closer look at the importance of Microsoft Tiering for your IT security. We have looked at the underlying issues and the critical areas and systems that need to be protected to prevent total loss ...

  • This year we will be represented for the first time together with our partner FB Pro GmbH with a stand and a specialist lecture at one of the most important IT security trade fairs in Europe: it-sa 2024 in Nuremberg...

  • A new version of LAPS - Windows LAPS - has been available for some time now. In this article, we will look at the new features and discuss whether it makes sense to migrate to the new version....