SHIPS vs. LAPS

Is anyone using either of these utilities and if so, what do you think are pros and cons of each.

One is Shared Host Integrated Password System (SHIPS), the other is Local Administrator Password Solution (LAPS).

The Shared Host Integrated Password System (SHIPS) is an open-source solution created by Geoff Walton from TrustedSec to provide unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts. Our goal is to make post exploitation more difficult and provide a simplistic way to manage multiple systems in an environment where Windows and Linux does not necessarily support an alternative. https://www.trustedsec.com/ships/

The "Local Administrator Password Solution" (LAPS) provides a centralized storage of secrets/passwords in Active Directory (AD) - without additional computers. Each organization’s domain administrators determine which users, such as helpdesk admins, are authorized to read the passwords. https://technet.microsoft.com/en-us/mt227395.aspx

SHIPS looks to be more flexible in that it supports Linux infrastructure as well but LAPS seems pretty simple to use and setup. Looking forward to some feedback.

Find more posts tagged with

Comments

iBrokeIT

Neither, Random Password Manager seems to be meeting the needs at my new gig.

https://liebsoft.com/products/enterprise_random_password_manager/

What are your requirements?

Danielm7

We implemented LAPS at my workplace. They went from a single local administrator password for thousands of endpoints, unchanged for many years. It's worlds better now and the service desk hasn't complained yet about the extra hassle when they might need the password for a local admin account on a laptop.

alias454

iBrokeIT wrote: »

Neither, Random Password Manager seems to be meeting the needs at my new gig.

https://liebsoft.com/products/enterprise_random_password_manager/

What are your requirements?

Either one will serve my needs I think, which basically is local administrator password management. However, I had just recently came across SHIPS while watching the youtubes and wanted to see if anyone used one of the two products I listed or perhaps even both of them. While the Liebsoft stuff looks interesting and quite capable, I don't know if I can make a case to spend 25k just yet. crawl,walk,run...

alias454

Danielm7 wrote: »

We implemented LAPS at my workplace. They went from a single local administrator password for thousands of endpoints, unchanged for many years. It's worlds better now and the service desk hasn't complained yet about the extra hassle when they might need the password for a local admin account on a laptop.

Thanks Daniel, were there any pain points in the implementation or was it pretty easy. From the brief time I spent looking at LAPS, it looked pretty simple to get setup.

iBrokeIT

Ah sorry, should have realized cost was #1 since you were evaluating two free products and I brought up the $$$ one.

MitM

We use LAPS. It's straight forward to setup, if you follow the MS documentation