https://www.microsoft.com/en-us/download/details.aspx?id=46899
For environments in which users are required to log on to computers
without domain credentials, password management can become a complex
issue. Such environments greatly increase the risk of a Pass-the-Hash
(PtH) credential replay attack. The Local Administrator Password
Solution (LAPS) addresses the root of the problem: a common local account
that carries an identical password on every computer in a domain.
LAPS resolves this issue by setting a different, random password for the
common local administrator account on every computer in the domain.
Domain administrators using the solution can determine which users, such
as helpdesk administrators, are authorized to read those passwords.
LAPS simplifies password management while helping customers implement
recommended defenses against cyberattacks. In particular, the solution
mitigates the risk of lateral escalation that results when customers use
the same administrative local account and password combination on their
computers. LAPS stores the password for each computer’s local
administrator account in Active Directory, secured in a confidential
attribute in the computer’s corresponding Active Directory object. The
computer is allowed to update its own password data in Active Directory,
and domain administrators can grant read access to authorized users or
groups, such as workstation helpdesk administrators.
Use LAPS to automatically manage local administrator passwords on
domain-joined computers so that passwords are unique on each managed computer,
randomly generated, and securely stored in Active Directory
infrastructure. The solution is built on Active Directory infrastructure
and does not require other supporting technologies. LAPS uses a Group
Policy client-side extension (CSE) that you install on managed computers
to perform all management tasks. The solution’s management tools provide
easy configuration and administration.
*How does LAPS work?*
The core of the LAPS solution is a GPO client-side extension (CSE) that
performs the following tasks during each Group Policy update:
• Checks whether the password of the local Administrator account has
expired.
• Generates a new password when the old password is either expired or is
required to be changed prior to expiration.
• Validates the new password against the password policy.
• Reports the password to Active Directory, storing it in a confidential
attribute of the computer account.
• Reports the next expiration time for the password to Active Directory,
storing it in an attribute of the computer account.
• Changes the password of the Administrator account.
The password then can be read from Active Directory by users who are
allowed to do so. Eligible users can request a password change for a
computer.
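To make the steps above concrete, here is an added illustration written for this page in PowerShell; it is not LAPS code and did not appear in the original text. It simulates one CSE pass against a hashtable that stands in for the computer's Active Directory object. The attribute names ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime are the legacy LAPS schema attributes as named in the LAPS documentation (not on this page); the policy values, the function names and the local-account stand-in are assumptions made for the demonstration.

```powershell
# Added illustration, not code from LAPS: a stand-alone simulation of the
# CSE's decision loop on a Group Policy refresh. $ComputerObject is a
# hashtable standing in for the computer's AD object; its two attribute names
# mirror the legacy LAPS schema attributes ms-Mcs-AdmPwd and
# ms-Mcs-AdmPwdExpirationTime (from the LAPS documentation, not this page).
# In AD the expiry is a FILETIME integer; a [datetime] is used here for clarity.

# Assumed policy values; the real ones come from the LAPS Group Policy settings.
$Policy = @{
    MinLength  = 14   # minimum password length
    Complexity = 4    # 1 = upper only, 2 = +lower, 3 = +digits, 4 = +specials
    MaxAgeDays = 30
}

function Get-SecureRandomIndex {
    # Index in [0, Max) drawn from the OS CSPRNG. The modulo bias is negligible
    # for alphabets this small but would have to be removed in a real product.
    param([int]$Max)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = [byte[]]::new(4)
    $rng.GetBytes($buf)
    [int]([BitConverter]::ToUInt32($buf, 0) % [uint32]$Max)
}

function New-RandomPassword {
    param([int]$Length, [int]$Complexity)
    $classes = @(
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'abcdefghijklmnopqrstuvwxyz',
        '0123456789',
        '!@#$%^&*()-_=+[]{};:,.<>?'
    )[0..($Complexity - 1)]
    $all   = -join $classes
    $chars = [System.Collections.Generic.List[char]]::new()
    # One character from every required class, so the result always satisfies
    # the complexity rule; the remainder is drawn from the union of classes.
    foreach ($c in $classes) { $chars.Add($c[(Get-SecureRandomIndex $c.Length)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-SecureRandomIndex $all.Length)]) }
    # Fisher-Yates shuffle so the class-guaranteed characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureRandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    -join $chars
}

function Test-PasswordPolicy {
    param([string]$Password, [int]$Length, [int]$Complexity)
    if ($Password.Length -lt $Length) { return $false }
    $classPresent = @(
        ($Password -cmatch '[A-Z]'),
        ($Password -cmatch '[a-z]'),
        ($Password -match '[0-9]'),
        ($Password -match '[^A-Za-z0-9]')
    )
    # Every class the complexity level demands must be present.
    -not ($classPresent[0..($Complexity - 1)] -contains $false)
}

function Invoke-PasswordMaintenance {
    param(
        [hashtable]$ComputerObject,
        [hashtable]$Policy,
        [datetime]$Now = (Get-Date),
        [switch]$ForceReset      # an authorised user requested an early change
    )
    # 1. Expiry check: nothing to do while the stored expiry is in the future.
    $expiry = $ComputerObject['ms-Mcs-AdmPwdExpirationTime']
    if (-not $ForceReset -and $expiry -and $Now -lt $expiry) {
        return [pscustomobject]@{ Changed = $false; Reason = 'not expired' }
    }
    # 2./3. Generate, then validate against policy before anything is written.
    $new = New-RandomPassword -Length $Policy.MinLength -Complexity $Policy.Complexity
    if (-not (Test-PasswordPolicy -Password $new -Length $Policy.MinLength -Complexity $Policy.Complexity)) {
        throw 'generated password failed policy validation'
    }
    # 4./5. Report the password and the next expiry to the directory first:
    #       if this write fails, the local account is left untouched and the
    #       password still stored in AD remains valid.
    $ComputerObject['ms-Mcs-AdmPwd']               = $new
    $ComputerObject['ms-Mcs-AdmPwdExpirationTime'] = $Now.AddDays($Policy.MaxAgeDays)
    # 6. Only then change the local Administrator account (simulated here).
    $ComputerObject['LocalAdminPassword'] = $new   # stand-in for the real account change
    $reason = if ($ForceReset) { 'reset requested' } else { 'expired' }
    [pscustomobject]@{ Changed = $true; Reason = $reason }
}

# Constructed demo object: a computer whose password expired yesterday.
$computer = @{ 'ms-Mcs-AdmPwdExpirationTime' = (Get-Date).AddDays(-1) }
Invoke-PasswordMaintenance -ComputerObject $computer -Policy $Policy
Invoke-PasswordMaintenance -ComputerObject $computer -Policy $Policy
Invoke-PasswordMaintenance -ComputerObject $computer -Policy $Policy -ForceReset
```

The first call rotates the password and moves the expiry 30 days out; the second finds the password current and leaves the object alone; the third models an eligible user requesting a change, which the real CSE honours at its next Group Policy refresh. The ordering of steps 4 to 6 follows the list above: the directory is updated before the local account, so a failure between the two steps cannot strand a computer with a password nobody can read.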
*What are the features of LAPS?*
LAPS includes the following features:
• Security that provides the ability to:
  • Randomly generate passwords that are automatically changed on managed
    machines.
  • Effectively mitigate PtH attacks that rely on identical local account
    passwords.
  • Protect passwords in transit with encryption provided by the Kerberos
    version 5 protocol.
  • Use access control lists (ACLs) to protect passwords in Active Directory
    and easily implement a detailed security model.
• Manageability that provides the ability to:
  • Configure password parameters, including age, complexity, and length.
  • Force a password reset on a per-machine basis.
  • Use a security model that is integrated with ACLs in Active Directory.
  • Use any Active Directory management tool of choice; custom tools, such as
    a Windows PowerShell module, are also provided.
  • Protect against computer account deletion.
  • Easily implement the solution with a minimal footprint.
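The ACL-based security model described in the introduction and in the feature list is applied with the AdmPwd.PS module that the LAPS installer provides. The script below is an added example, not part of the original page and not a script shipped with LAPS: the cmdlet names are the module's own, while the OU, group and computer names are placeholders for your environment, and the note about Event ID 4662 comes from the LAPS operations guide rather than from this page.

```powershell
# Added example, not from the LAPS download page: delegate, audit and use
# password-read rights for one OU with the AdmPwd.PS module that the LAPS
# installer provides. OU, group and computer names are placeholders.
Import-Module AdmPwd.PS

$ou      = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$readers = 'CORP\Helpdesk-LAPS-Readers'           # placeholder group

# 1. Computers in the OU may write their own password and expiry attributes
#    (the CSE runs under the machine account).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Only the helpdesk group may read passwords or request a reset.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# 3. Log every successful password read (Event ID 4662 on the domain
#    controllers), so reads can be reviewed against helpdesk tickets.
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals 'Everyone'

# 4. Audit: 'All extended rights' on the OU also reveals confidential
#    attributes, i.e. the stored password. Flag anyone not expected to hold it.
$expectedHolders = @($readers, 'CORP\Domain Admins')   # placeholder allow-list
Find-AdmPwdExtendedRights -Identity $ou |
    ForEach-Object { $_.ExtendedRightHolders } |
    Where-Object { $_ -notin $expectedHolders } |
    ForEach-Object { Write-Warning "Unexpected password reader on ${ou}: $_" }

# 5. What a delegated reader sees, and how a reset is requested; the CSE
#    performs the reset at its next Group Policy refresh.
Get-AdmPwdPassword -ComputerName 'WS-0001' |
    Select-Object ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName 'WS-0001' -WhenEffective (Get-Date)
```

Steps 1 to 3 are run once per OU when the solution is rolled out; step 4 is the check to repeat periodically, because any principal granted "All extended rights" on the OU, whether on purpose or by an unrelated delegation, can read every stored password beneath it.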