Running LAPS: No Blood, No Sweat, No Tears

If the title scared you, don't let it. There's no physical effort to put forth in this hardening exercise, so you can safely continue to enjoy crunching down on Doritos dipped in peanut butter. (What? Just me on that one? Oof.) Anyway, to follow up on my Five Easy Security Wins in Windows post, I wanted to write about running LAPS. Because I'm not good at all with sport metaphors, let's just dive in.

What is LAPS?
LAPS stands for Local Administrator Password Solution, and it basically does what it says on the tin. As long as you use the same local administrator account name on your Windows endpoints, you'll be able to get LAPS set up in a matter of minutes. LAPS is a major and easy security win for Windows admins because it gives every endpoint a unique, randomized local administrator password. The passwords change as often as you tell them to, use whichever character sets you tell them to, and you can see what they are in the computer object's attributes in Active Directory. Rare as it is to have to use a machine's local admin password to do anything, it's important all the same to keep those accounts secure with good passwords.

So... How do I set it up?
There are two components to LAPS setup. The first and most important step is to download and install LAPS on all of the endpoints you want to protect. (I also recommend downloading and reading through the Operator instructions, if, like me, you RTFM before doing anything.) How you deploy it is up to you--what matters is just getting it installed before you move any further. 

From a central server, I deploy LAPS with this command:
msiexec.exe /i "LAPS.x64.msi" ALLUSERS=1 /qn /norestart /log output.log /quiet

Once you have LAPS installed, you can move on to the second step and configure its settings in Group Policy. Here's the path: Computer Configuration > Policies > Administrative Templates > LAPS. You'll want to enable everything, and set up each component to fit your environment.

By default, passwords will be 14 characters. Bump this up to at least 15 characters to avoid LM hashing. How long you want the password to be is up to you, as is how often you want the local admin password to change. If you need aggressive local admin security, you might want to maximize the password to the 64-character limit, and set it to change every day. But for most environments, I'd say 15 or more characters and a 30 day expiry should suffice for end user computers. If you're running LAPS on computers and servers, but computers and servers have different local administrator account names, you'll want to set up separate GPOs--one for each local administrator account name. 

I do have one word of warning here: if you use "Administrator" as the local administrator account name on your Domain Controllers, you will want to specify it as localhost\Administrator in the LAPS GPO. Otherwise, the DCs will change the domain Administrator account password... which is very much not good.

Once your LAPS dance is done, you should verify that it's worked to harden your endpoints. Choose a computer object in Active Directory, and go to Attribute Editor from its properties. You'll want to look for the ms-Mcs-AdmPwd entry and verify that the entry looks like Alphabetti Spaghetti on steroids:

If it looks like an incomprehensible jumble of letters, numbers, and special characters, it's working. Yay! 

And that's pretty much it! It takes minimal effort to harden your Windows computers and servers with LAPS. Your pentesters will praise you, and you'll have one or two fewer admin credentials to worry about managing. Now... back to my apparently weird Doritos and peanut butter...