When a computer loses access to the domain or is offline, the IT department often hands the user a local Windows administrator credential so they can keep working. This solution, however, creates its own problems and opens the organization to certain risks.
Enterprises commonly deploy machines with the same local administrator password on every image. Once a user, or an attacker, has that local username and password, they can use it to access data locally or to move laterally to every other machine that shares it. Microsoft's Local Administrator Password Solution (LAPS) randomizes the local administrator password on each workstation and server to close that gap. LAPS then stores each computer's local administrator password in Active Directory (AD).
How Microsoft LAPS works
Microsoft LAPS adds two schema attributes to the AD computer class, ms-Mcs-AdmPwd (the password) and ms-Mcs-AdmPwdExpirationTime, and stores each computer's local password on its own computer object. The client generates a random password that is unique to the individual computer, so someone who knows the local administrator password for one PC cannot use it on every other machine. The password value itself is stored in clear text in AD; what protects it is the access control list on the attribute, which is locked down during the LAPS setup process so that only the computer account itself (write) and explicitly delegated groups (read) can touch it. Auditing who holds those rights before and after rollout is the essential check, because anyone with read access to ms-Mcs-AdmPwd effectively holds local admin on every machine in that OU.
Microsoft LAPS requires an admin to set a Group Policy that instructs computers to use LAPS, plus a lightweight client (a Group Policy client-side extension) on each machine that generates the random password. The client does both halves of the work in one Group Policy processing cycle: it checks whether the stored expiration time has passed, and if so it writes the new password and expiration time to AD first and only then changes the local account. The local password is therefore never updated without the AD value being updated too. This means that, whenever you use PowerShell or the LAPS UI program to view a computer's password, the one you see is the current one.
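The setup described above, written out as an added PowerShell example (this is not code from the original article or from Microsoft; it uses the AdmPwd.PS module that ships with the legacy LAPS installer). The OU distinguished name, the group name CORP\LAPS-Password-Readers, the computer name WS-001, and the policy values are assumptions for illustration. The Find-AdmPwdExtendedRights step is the check that matters: it lists every principal that can read the clear-text attribute.

```powershell
# Added example: deploying legacy Microsoft LAPS with the AdmPwd.PS module.
# Assumed names: OU "OU=Workstations,DC=corp,DC=example", group "CORP\LAPS-Password-Readers",
# and a client computer "WS-001". Adjust for your environment.
Import-Module AdmPwd.PS

# 1. Extend the schema once per forest (needs Schema Admins). This adds the
#    ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes to the computer class.
Update-AdmPwdADSchema

# 2. Allow each computer (SELF) to write its own password and expiration time.
$ou = 'OU=Workstations,DC=corp,DC=example'
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Delegate read and reset rights only to the designated group.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals 'CORP\LAPS-Password-Readers'
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CORP\LAPS-Password-Readers'

# 4. Audit: anyone holding "All extended rights" on the OU can read ms-Mcs-AdmPwd.
#    Every holder listed here that is not the delegated group (or Domain Admins)
#    should be removed from the OU's ACL before passwords start landing in AD.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# 5. Client policy. These are the registry values the LAPS CSE reads; a domain GPO
#    built from the AdmPwd.admx template sets the same keys under this path.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name AdmPwdEnabled      -Value 1  -Type DWord
Set-ItemProperty -Path $pol -Name PasswordComplexity -Value 4  -Type DWord  # upper, lower, digits, specials
Set-ItemProperty -Path $pol -Name PasswordLength     -Value 20 -Type DWord
Set-ItemProperty -Path $pol -Name PasswordAgeDays    -Value 30 -Type DWord

# 6. On the client, force a policy refresh; the CSE writes the new password to AD
#    and then sets it locally. Then read the current value back from AD.
gpupdate /target:computer /force
Get-AdmPwdPassword -ComputerName 'WS-001' |
    Select-Object ComputerName, Password, ExpirationTimestamp
```

Steps 1 to 4 run on a domain-joined admin workstation with the LAPS management tools installed; step 5 is shown in registry form so the effect of the GPO is visible, but in production the values should come from a GPO linked to the OU, not from a script run on each machine.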
Set a password countdown
Admins can set an expiration date and time on a local admin password. When a password has been handed out for a support task, the admin moves the expiration forward to give the user enough time to complete the necessary work; once that time passes and the computer is back on the network, the next Group Policy refresh generates a new password, which invalidates the old one. A machine that stays offline keeps its expired password until it reconnects, so computers whose expiration time is well in the past are worth listing: they are either offline or not applying the policy.
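The expiration workflow, as an added PowerShell example (not from the original article or from Microsoft). It assumes the AdmPwd.PS module, the ActiveDirectory module for the final check, a computer named WS-001, and the OU distinguished name shown; the hand-off deadline of 18:00 is arbitrary.

```powershell
# Added example: hand out a LAPS password with a deadline, then find machines
# whose password has expired but has not been rotated (offline or broken clients).
# Assumed names: computer "WS-001", OU "OU=Workstations,DC=corp,DC=example".
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$computer = 'WS-001'
$ou       = 'OU=Workstations,DC=corp,DC=example'

# Read the current password and when it is due to change.
$entry = Get-AdmPwdPassword -ComputerName $computer
"Current expiration for $computer : $($entry.ExpirationTimestamp)"

# Give the technician until 18:00 today. After that, the next Group Policy
# refresh on WS-001 writes a new password to AD and changes the local account.
$deadline = (Get-Date).Date.AddHours(18)
Reset-AdmPwdPassword -ComputerName $computer -WhenEffective $deadline

# To invalidate immediately instead, omit -WhenEffective (effective time = now):
#   Reset-AdmPwdPassword -ComputerName $computer

# The expiration is stored in AD as a Windows FILETIME (100 ns ticks since 1601, UTC).
# Any computer in the OU whose stored expiration is earlier than "now" has missed a
# rotation: it is offline, has no LAPS client, or is not receiving the policy.
$nowFileTime = (Get-Date).ToFileTimeUtc()
Get-ADComputer -Filter * -SearchBase $ou -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object {
        $_.'ms-Mcs-AdmPwdExpirationTime' -and
        [Int64]$_.'ms-Mcs-AdmPwdExpirationTime' -lt $nowFileTime
    } |
    Select-Object Name,
        @{ n = 'ExpiredAtUtc'
           e = { [DateTime]::FromFileTimeUtc([Int64]$_.'ms-Mcs-AdmPwdExpirationTime') } } |
    Sort-Object ExpiredAtUtc
```

The Reset-AdmPwdPassword cmdlet only rewrites ms-Mcs-AdmPwdExpirationTime; it does not change the password itself. The rotation happens on the client at its next policy refresh, which is why the last query is useful as a routine health check rather than a one-off.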
LAPS protects the password in AD, not on the disk. An attacker with physical access to a machine, or with a copy of its SAM hive, can still extract the local administrator password hash and attack it offline, and with enough time and compute any password hash can eventually be cracked. What LAPS does guarantee is that a cracked or leaked password works on exactly one machine and only until its next rotation, which removes the shared-password lateral movement problem. Tie Microsoft LAPS in with other controls, such as BitLocker to keep the SAM hive out of an attacker's hands, to provide broader protection for local data.