
Microsoft LAPS locks down local admin passwords

Using the same local admin password is convenient, but risky. It gives attackers limitless access across the machines on the domain. Microsoft has a tool to boost login security.

When a computer loses access to a domain or is offline, the IT department often provides a user with a local Microsoft Windows computer account credential for access. This solution, however, creates more problems -- opening the organization to certain risks.

Enterprises deploy machines with a common administrator password. Once a user -- or an attacker -- has the local username and password details, they can use those credentials to access data locally or to gain access to every other machine on the network that shares the same password. Microsoft's Local Administrator Password Solution (LAPS) randomizes local administrator passwords on workstations and servers to boost security. LAPS then stores these local administrator passwords in AD.

How Microsoft LAPS works

Microsoft LAPS uses a few extra schema attributes in AD and stores each computer's local administrator password on that computer's object. It then randomly generates a password that is unique to each computer; this prevents someone who knows the local administrator password for one PC from gaining access to every machine. The value is stored in plaintext, but access to it is locked down by the permissions configured during the LAPS setup process.

Microsoft LAPS requires an admin to set a Group Policy that instructs computers to use LAPS, plus a lightweight client on each desktop that generates the random password. Group Policy drives the password change: the local password is not updated until the policy is applied, and the same operation updates the value stored in AD. This means that whenever you use PowerShell or the LAPS UI program to view a computer's password, the one you see is the current one.
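The domain-side part of that setup, as an added example rather than code from the article: it uses the AdmPwd.PS module that ships with LAPS to extend the schema, let computers write their own password, grant read access to one group, and then audit who else can read the attribute. The domain, OU and group names are assumed placeholders; the last step matters because any principal holding "All extended rights" on the OU can read ms-Mcs-AdmPwd regardless of the explicit read grant.

```powershell
# Added example (not the article's code): legacy LAPS (AdmPwd) rollout on the
# domain side, plus a permission audit. Run as a domain admin; step 1 also
# needs Schema Admins. Names below are assumed placeholders.
Import-Module AdmPwd.PS

$ou      = 'OU=Workstations,DC=contoso,DC=com'   # assumed OU
$readers = 'CONTOSO\LAPS-Readers'                 # assumed group

# 1. Extend the schema once per forest: adds ms-Mcs-AdmPwd (the password)
#    and ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

# 2. Allow computers in the OU to write their own password and expiry.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Grant password read (and, optionally, forced reset) only to the group.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# 4. Audit: principals with "All extended rights" on the OU can read the
#    cleartext attribute even without step 3. Review and trim this list.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object ObjectDN, ExtendedRightHolders

# 5. Read the current password for one machine. The attribute is cleartext
#    in AD; the ACLs above are its only protection.
Get-AdmPwdPassword -ComputerName 'WKS001' |
    Select-Object ComputerName, Password, ExpirationTimestamp
```

Step 4 is the check worth repeating after any delegation change: an OU delegated to a help-desk group with broad rights quietly becomes a group that can read every local admin password beneath it.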

Set a password countdown

Admins can set an expiration date and time on a local admin password. This gives the end user time to complete the necessary work; once the computer is back on the network, the password is rotated and the old one no longer works.

Group Policy exposes a few other LAPS settings as well, but the default configuration is acceptable. Microsoft LAPS eases deployment and management and offers a good level of security.
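The expiration lifecycle in practice, as an added example that is not part of the article: the first part runs against AD and lists computers whose expiry has passed but whose password has not rotated (typically machines that are offline), forces a rotation for a machine whose password was just handed out, and the last part runs on an endpoint to confirm which policy values the GPO actually delivered. OU and computer names are assumed placeholders; the registry value names are the ones the legacy LAPS policy template writes.

```powershell
# Added example (not the article's code): expiration handling for legacy LAPS.
# Domain side needs the AdmPwd.PS and ActiveDirectory modules; the endpoint
# section reads the policy registry values written by the LAPS GPO.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=contoso,DC=com'   # assumed OU

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (int64). An expiry that
# is already in the past means the client has not rotated yet, so the old
# password is still valid; that is worth reporting on.
function Get-StaleLapsComputers {
    param([string]$SearchBase, [int]$GraceHours = 24)
    $cutoff = (Get-Date).AddHours(-$GraceHours)
    Get-ADComputer -SearchBase $SearchBase -Filter * `
                   -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' } |
        ForEach-Object {
            $exp = [DateTime]::FromFileTime([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
            if ($exp -lt $cutoff) {
                [pscustomobject]@{ Name = $_.Name; ExpiredAt = $exp }
            }
        }
}

Get-StaleLapsComputers -SearchBase $ou | Format-Table -AutoSize

# After a password has been handed out, bring the expiry forward to now;
# the client rotates the local password at its next Group Policy refresh.
Reset-AdmPwdPassword -ComputerName 'WKS001' -WhenEffective (Get-Date)

# --- On the endpoint: show the effective LAPS policy. Unconfigured values
# fall back to the defaults of 14 characters, full complexity (4) and 30 days.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction Stop
[pscustomobject]@{
    Enabled        = $pol.AdmPwdEnabled
    Length         = $pol.PasswordLength
    Complexity     = $pol.PasswordComplexity
    AgeDays        = $pol.PasswordAgeDays
    ManagedAccount = $pol.AdminAccountName   # empty = built-in Administrator
    ExpiryCapped   = $pol.PwdExpirationProtectionEnabled
}
gpupdate /target:computer /force
```

Keeping the "do not allow password expiration time longer than required by policy" setting enabled is the caveat here: without it, anyone able to write the expiry attribute can push it years into the future and effectively stop rotation for that machine.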

With enough time and compute, any local password can be cracked, which means LAPS doesn't eliminate offline, brute-force attacks. But it's a good way to protect local administrator access. Tie Microsoft LAPS into other security offerings, such as BitLocker, to provide broader security to local data.
