Local Administrator Password Solution (LAPS)

iBrokeIT (Member, Posts: 1,312)
Microsoft has finally released a solution to manage local administrator passwords across the domain with AD management.

“LAPS stores the password for each computer’s local administrator account in Active Directory, in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.”

“Microsoft has observed that Group Policy Preferences abuse is one of the most common tactics used by attackers to elevate permissions in a domain.”

Apparently this solution was released in response to a vulnerability created by Microsoft’s poor password encryption policies. If you defined a local admin account with a Group Policy Preference “the password is symmetrically encrypted using a static key and written to the XML file”. “If an attacker is able to get access to the SYSVOL share (which is open to all authenticated users, so a malicious or spear phished employee will have access to it) and obtain the AES encryption key used to encrypt/decrypt passwords set with GPP (which we document on MSDN), the attacker will be able to obtain the credentials set with GPP.”

- From "MS14-025: An Update for Group Policy Preferences" (Security Research & Defense blog, TechNet)

The static AES key they are referencing above is published on MSDN here: https://msdn.microsoft.com/en-us/library/cc422924.aspx

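As an added example from the defender's side (not code from the post or from Microsoft): a small Python audit that walks a copy of SYSVOL and reports every Group Policy Preference item whose XML still carries a cpassword attribute, which is the exposure MS14-025 describes above. The file names and account attribute names it looks for are assumptions drawn from the GPP preference types, and the SYSVOL tree it builds is constructed sample data with a placeholder GPO GUID.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that may embed credentials (assumed set, per MS14-025).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}
# Attribute names the different preference types use for the account (assumed).
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpassword(sysvol_root):
    """Return one (relative path, item tag, account) tuple per preference item
    whose Properties element still carries a non-empty cpassword attribute.
    An empty cpassword means the credential was cleared, so it is not reported."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not well-formed XML; nothing to inspect
            for item in root.iter():          # e.g. <User>, <Task>, <Service>
                for props in item:            # their <Properties> child
                    if props.attrib.get("cpassword"):
                        account = next((props.attrib[a] for a in ACCOUNT_ATTRS
                                        if a in props.attrib), "?")
                        findings.append((os.path.relpath(path, sysvol_root),
                                         item.tag, account))
    return findings


def build_sample_sysvol():
    """Constructed sample: one Groups.xml that still holds a cpassword and one
    ScheduledTasks.xml whose cpassword was cleared. The GUID is a placeholder."""
    base = tempfile.mkdtemp(prefix="sysvol_")
    prefs = os.path.join(base, "{GPO-GUID-PLACEHOLDER}", "Machine", "Preferences")
    os.makedirs(os.path.join(prefs, "Groups"))
    os.makedirs(os.path.join(prefs, "ScheduledTasks"))
    with open(os.path.join(prefs, "Groups", "Groups.xml"), "w") as fh:
        fh.write('<Groups><User name="LocalAdmin"><Properties action="U" '
                 'userName="LocalAdmin" cpassword="c29tZS1zYW1wbGU="/></User></Groups>')
    with open(os.path.join(prefs, "ScheduledTasks", "ScheduledTasks.xml"), "w") as fh:
        fh.write('<ScheduledTasks><Task name="Backup"><Properties runAs="svc" '
                 'cpassword=""/></Task></ScheduledTasks>')
    return base
```

Any hit should be treated as an already-disclosed credential, since the post points out that the AES key is public: rotate the account and delete the preference item rather than just editing the XML.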