Scribd Logo
Carica

Benvenuto in Scribd!

  • Configuring LAPS Part 1

    Caricato da

    munivenkat
    73 visualizzazioni7 pagine
    Local administrator passwords are commonly shared across workstations, compromising security. Microsoft's LAPS solution mitigates this by randomizing and storing local admin passwords in Active Directory, changing them on a schedule. Part 1 of configuring LAPS covers preparing Active Directory by installing management tools, extending the schema, and configuring computer and user permissions to support LAPS functionality.

    Descrizione originale:

    Simple document from Microsoft on How to configure LAPS. Part 1 of 2

    Copyright

    © © All Rights Reserved

    Formati disponibili

    DOCX, PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    Local administrator passwords are commonly shared across workstations, compromising security. Microsoft's LAPS solution mitigates this by randomizing and storing local admin passwords in Active Directory, changing them on a schedule. Part 1 of configuring LAPS covers preparing Active Directory by installing management tools, extending the schema, and configuring computer and user permissions to support LAPS functionality.

    Copyright:

    © All Rights Reserved
    Scarica in formato DOCX, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    73 visualizzazioni7 pagine

    Configuring LAPS Part 1

    Caricato da

    munivenkat
    Local administrator passwords are commonly shared across workstations, compromising security. Microsoft's LAPS solution mitigates this by randomizing and storing local admin passwords in Active Directory, changing them on a schedule. Part 1 of configuring LAPS covers preparing Active Directory by installing management tools, extending the schema, and configuring computer and user permissions to support LAPS functionality.

    Copyright:

    © All Rights Reserved
    Scarica in formato DOCX, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 7

    Configuring LAPS (Part 1)- Configuring Active Directory

    Why is Local Administrator Password Management


    Needed?
    The question of how to deal with users having administrative rights on computers or other
    network resources is one that has many different answers and has evolved over time. While the
    scenarios around network and domain administrative access may be more complex, the local
    administrative rights scenario should be very similar for almost everyone.

    A common scenario, in organizations of all sizes, is all workstations sharing a common local
    administrator account password. The help desk uses this local administrator password when
    needing to do something on a computer that requires administrative rights. Occasionally this
    password has been given out to normal users for various reasons.

    This scenario has some large security issues.


     Help desk users or other network administrators using the local administrator account makes it
    more difficult to maintain accountability. Actions taken as the local administrator account could
    have been carried out by anyone with access to the credentials.
     If a normal user is given the local administrator account credentials, they now have local
    administrator access to every computer with those credentials.
     As more people know the local administrator credentials, the more likely they are to get passed
    around to other users. Eventually many users that are not supposed to have access to the
    credentials have them.

    How to Mitigate These Security Issues


    The local administrator account on domain joined devices should rarely, if ever, be used.
    Ideally, normal users would not have local administrative rights on computers. If a normal user
    did require local administrative access on a permanent basis, they should have access to a
    domain account that has been granted local administrative access to their computer. Help desk
    personnel should have access to domain accounts that are set as local administrators of devices
    they may need to manage or troubleshoot. Logging in as the local administrator account should
    be saved for the rare occasion that a computer loses its domain trust relationship and needs to be
    re-joined to the domain.

    Now that the local administrator account is going to rarely be used, it would be nice to be able to
    change that password, so anyone who previously had known it can no longer use it. This is
    where Microsoft’s Local Administrator Password Solution (LAPS) comes into play. LAPS is
    a solution developed by Microsoft to handle the management of the local administrative accounts
    on domain joined computers. Any device that LAPS is deployed to is able to randomize the local
    administrator password, store that password in Active Directory, and then change that password
    on a set schedule.

    The instructions below are part 1 of a 2-part series and will cover the process of configuring
    active directory to support LAPS. The sections marked as (Required) are necessary to
    implement LAPS functionality. The sections marked as (Optional) are not necessary, but can
    add additional value or functionality to the implementation.

    (Required) Install the LAPS Management Utilities


    1. Download the LAPS Installer(s) to a domain joined computer
    a. https://www.microsoft.com/en-us/download/confirmation.aspx?id=46899
    2. Run either the msi or LAPSx86.msi depending on your computer’s architecture
    3. At the Welcome screen, click Next
    4. At the License Agreement screen, accept the EULA and click Next
    5. At the Feature Installation screen, select to install all the available features, and click Next

    6. At the Confirmation screen, click Install


    7. At the Completion screen, click Finish
    (Required) Extend the Active Directory Schema
    LAPS requires an AD schema extension to create the attributes needed to store the administrator
    password and the password expiration date.

    1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
    with an account that has Schema Admin rights
    2. Run the command to import the LAPS PowerShell module
    a. Import-Module AdmPwd.PS

    3. Run the command to extend the AD Schema


    a. Update-AdmPwdADSchema

    4. After extending the schema, there will be two new attributes visible on the properties of the
    computer objects in AD
    a. ms-Mcs-AdmPwd – This attribute stores the local administrator password
    b. ms-Mcs-AdmPwdExpirationTime – This attribute stores the password expiration time
    (Required) Configure Active Directory Computer
    Permissions
    By default, computers will only be able to read the AdmPwd and AdmPwdExpirationTime
    attributes. For LAPS to work, computers need to be able to write to both attributes. The below
    steps will grant write permission to both attributes for the SELF account, which will then allow
    computer objects to update their own password and expiration time attributes.

    1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
    with an account that has Domain Admin rights
    2. Run the command to import the LAPS PowerShell module
    a. Import-Module AdmPwd.PS
    3. Run the command to grant write permission to the SELF account. Replace OU Name with the
    name of the OU that contains computers that will be managed with LAPS. The permissions will
    apply to any sub OUs of the OU you specify.
    a. Set-AdmPwdComputerSelfPermission -Identity “OU Name”
    NOTE: In the examples throughout this article, the common name of the OU is specified.
    The common name of the OU can be specified if the name is unique, otherwise specify the
    distinguished name of the OU.

    (Optional) Configure Active Directory User Permissions


    By default, only Domain Admins will be able to view and change the password and reset time
    attributes. These commands will allow you to delegate rights to users or groups to be able to
    either read or change the attributes.

    Delegate rights to an AD user or group to view the password and reset time attributes

    1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
    with an account that has Domain Admin rights
    2. Run the command to import the LAPS PowerShell module
    a. Import-Module AdmPwd.PS
    3. Run the command to delegate read access to a specific user or group. Replace OU Name with
    the name of the OU that the user or group will be able to read the attributes for. Replace User or
    Group Name with the name of the user or group that will be delegated the read permission.
    Multiple users or groups can be specified in a comma separated list.
    a. Set-AdmPwdReadPasswordPermission –Identity “OU Name” –AllowedPrincipals
    “User or Group Name”

    Delegate rights to an AD user or Group to modify the reset time


    attribute
    1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
    with an account that has Domain Admin rights
    2. Run the command to import the LAPS PowerShell module
    a. Import-Module AdmPwd.PS
    3. Run the command to delegate write access to a specific user or group. Replace OU Name with
    the name of the OU that the user or group will be able to modify the reset time attribute on.
    Replace User or Group Name with the name of the user or group that will be able to modify the
    reset password attribute. Multiple users or groups can be specified in a comma separated list.
    a. Set-AdmPwdResetPasswordPermission –Identity “OU Name” -AllowedPrincipals
    “User or Group Name”

    Verify User Permissions


    After delegating rights, this command can be run against an OU to determine which users or
    groups have access to view the password and reset time attributes.

    1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
    with an account that has Domain Admin rights
    2. Run the command to import the LAPS PowerShell module
    a. Import-Module AdmPwd.PS
    3. Run the command to view the permissions on a specific OU. Replace OU Name with the name
    of the OU the command will run against.
    a. Find-AdmPwdExtendedRights –Identity “OU Name”

    By default, NT AUTHORITYSYSTEM, and Domain Admins should be listed as extended


    right holders. Additionally, the group that was delegated read permissions should be listed as an
    extended right holder.
    If there are any other users or groups listed under the ExtendedRightHolders property, these
    could be users or groups that unintentionally have access to view the attributes. This can happen
    if a user or group was previously delegated rights to this OU and the All extended rights
    permission was selected.

    To make sure any of these extra users or groups cannot view the password or reset time
    attributes, follow these steps

    1. Open Active Directory Users and Computers as an account with Domain Admin rights
    2. Right click on the OU in question and select Properties
    3. Click on the Security tab
    4. Click Advanced
    5. Select the user or group to modify permissions for
    6. Click Edit
    7. Uncheck the All extended rights box

    At this point, active directory has been configured to support LAPS, computer objects have been
    given permission to update their password attributes, and the appropriate users have been
    delegated rights to read and reset the passwords. Part 2 of this series will cover the creation and
    configuration of the group policy object needed to enable LAPS on devices.

    Configuring LAPS (Part 2)- Configuring and Deploying Group Policy

    Potrebbero piacerti anche