SHIPS vs. LAPS
Is anyone using either of these utilities, and if so, what do you think are the pros and cons of each?
One is Shared Host Integrated Password System (SHIPS), the other is Local Administrator Password Solution (LAPS).
The Shared Host Integrated Password System (SHIPS) is an open-source solution created by Geoff Walton from TrustedSec to provide unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts. Our goal is to make post exploitation more difficult and provide a simplistic way to manage multiple systems in an environment where Windows and Linux do not necessarily support an alternative. https://www.trustedsec.com/ships/
The "Local Administrator Password Solution" (LAPS) provides a centralized storage of secrets/passwords in Active Directory (AD) - without additional computers. Each organization’s domain administrators determine which users, such as helpdesk admins, are authorized to read the passwords. https://technet.microsoft.com/en-us/mt227395.aspx
SHIPS looks to be more flexible in that it supports Linux infrastructure as well, but LAPS seems pretty simple to use and set up. Looking forward to some feedback.
“I do not seek answers, but rather to understand the question.”
Comments
-
iBrokeIT Member Posts: 1,318
Neither, Random Password Manager seems to be meeting the needs at my new gig.
https://liebsoft.com/products/enterprise_random_password_manager/
What are your requirements?
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
-
Danielm7 Member Posts: 2,310
We implemented LAPS at my workplace. They went from a single local administrator password for thousands of endpoints, unchanged for many years. It's worlds better now and the service desk hasn't complained yet about the extra hassle when they might need the password for a local admin account on a laptop.
-
alias454 Member Posts: 648
> Neither, Random Password Manager seems to be meeting the needs at my new gig.
> https://liebsoft.com/products/enterprise_random_password_manager/
> What are your requirements?
Either one will serve my needs I think, which basically is local administrator password management. However, I had just recently come across SHIPS while watching the youtubes and wanted to see if anyone used one of the two products I listed or perhaps even both of them. While the Liebsoft stuff looks interesting and quite capable, I don't know if I can make a case to spend 25k just yet. Crawl, walk, run...
-
alias454 Member Posts: 648
> We implemented LAPS at my workplace. They went from a single local administrator password for thousands of endpoints, unchanged for many years. It's worlds better now and the service desk hasn't complained yet about the extra hassle when they might need the password for a local admin account on a laptop.
Thanks Daniel, were there any pain points in the implementation or was it pretty easy? From the brief time I spent looking at LAPS, it looked pretty simple to get set up.
-
iBrokeIT Member Posts: 1,318
Ah sorry, should have realized cost was #1 since you were evaluating two free products and I brought up the $$$ one.
-
MitM Member Posts: 622
We use LAPS. It's straightforward to set up if you follow the MS documentation.