Contemporary malware spreads like wildfire by using the vulnerabilities created by fallible end users and incomplete systems management. Any IT environment where users’ devices have unnecessary system admin IDs is a paradise for blackmailing ransomware and the like.
If an organization wants to be as cybersecure as possible, end user rights need to be managed and distributed in a straightforward manner—no exceptions. There are several solutions available to manage end user access rights. Here we’ll take a look at Microsoft LAPS and Recast Software’s Privilege Manager.
The Challenge of Controlling End User Admin Rights
In a closed environment where the end user doesn’t have admin rights, the biggest challenges arise during atypical situations. For example, end users frequently travel for business. The users might need to fix a problem, change settings, or install a new device, but they now find themselves out of the reach of IT support. Their limited user rights won’t give them this capability.
There are several tools for managing temporary admin rights and different rights levels, both free and paid, all with different features.
Microsoft has a free application for admin rights management, Microsoft LAPS. However, it is limited. LAPS, short for Local Administrator Password Solution, is an application that manages a single admin ID, and it is designed for solving an IT admin’s problem.
“The idea of LAPS is basically to create a backup ID for the IT administrator, who can then check the backup’s password from Active Directory.”
Juha Haapsaari of Recast Software
Temporary Admin Rights: Privilege Manager versus Microsoft LAPS
Compared to LAPS, Privilege Manager has significantly more features, and is therefore a more useful tool for both managing and accessing admin rights. In Privilege Manager, you can configure two different methods for activating user rights with different access levels—even without internet access!
The easiest method for an end user to get temporary admin rights running is to select Privilege Manager as the authentication method when prompted by the Windows’ User Account Control window. After selecting Privilege Manager, the end user logs the reason for activation. They are granted the admin rights for the operation’s duration only, and the rights revert to their normal status automatically.
You can also activate the temporary admin rights by contacting the service desk, who creates an activation key the user can use to activate a temporary ID with limited validity. This model gives the administrator a bit more control with rights activation, as the end user needs to connect with the IT support team.
Privilege Manager automatically ensures that when the end user reaches the deadline or performs the operation, the ID utilized can’t be used again without a new activation code. The activation code doesn’t contain a password or any other sensitive information. These functions mean that Privilege Manager can create a genuinely temporary admin right, unlike Microsoft LAPS.
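As an added illustration of the activation-key model described above (this is example code written for this article, not Privilege Manager’s or Recast’s own implementation), the following Python models the three properties the text calls out: the key is a random token that carries no password, it is accepted once and then rejected, and it stops working after its validity window. Every issue and redemption attempt is written to an audit log with user, reason and timestamp. The class and function names, the 30-minute default validity and the sample users are assumptions made for the example.

```python
"""Illustrative model of a single-use, time-limited admin activation key.
Added example: not Privilege Manager's code; all names here are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import secrets


@dataclass
class Activation:
    user: str
    reason: str
    expires_at: datetime
    used: bool = False


def _fingerprint(key: str) -> str:
    # Only a hash of the key is stored server-side. The key itself is a random
    # token bound to one request; it contains no password or other secret.
    return hashlib.sha256(key.encode()).hexdigest()


class ActivationService:
    """Issues activation keys (service-desk side) and redeems them (device side)."""

    def __init__(self) -> None:
        self._pending: dict[str, Activation] = {}
        self.audit_log: list[dict] = []  # who / why / when / outcome

    def _log(self, event: str, user: str, now: datetime, **extra) -> None:
        self.audit_log.append({"event": event, "user": user, "time": now.isoformat(), **extra})

    def issue(self, user: str, reason: str, now: datetime,
              validity: timedelta = timedelta(minutes=30)) -> str:
        key = secrets.token_urlsafe(12)
        self._pending[_fingerprint(key)] = Activation(user, reason, now + validity)
        self._log("issued", user, now, reason=reason, valid_until=(now + validity).isoformat())
        return key

    def redeem(self, key: str, user: str, now: datetime) -> bool:
        act = self._pending.get(_fingerprint(key))
        if act is None or act.user != user:
            self._log("denied", user, now, detail="unknown key for this user")
            return False
        if act.used:
            self._log("denied", user, now, detail="key already used")
            return False
        if now > act.expires_at:
            self._log("denied", user, now, detail="key expired")
            return False
        act.used = True  # one activation per key; a new key is needed afterwards
        self._log("granted", user, now, reason=act.reason)
        return True


def demo_scenario() -> dict:
    """Constructed walkthrough: first use succeeds, reuse, wrong user and expiry fail."""
    svc = ActivationService()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    key = svc.issue("alice", "install printer driver", t0)
    first = svc.redeem(key, "alice", t0 + timedelta(minutes=5))
    second = svc.redeem(key, "alice", t0 + timedelta(minutes=6))      # reuse attempt
    late_key = svc.issue("bob", "change network settings", t0)
    wrong = svc.redeem(late_key, "carol", t0 + timedelta(minutes=1))  # not the requester
    late = svc.redeem(late_key, "bob", t0 + timedelta(hours=1))       # past validity
    return {"first": first, "second": second, "wrong_user": wrong, "late": late,
            "log": svc.audit_log}


if __name__ == "__main__":
    for entry in demo_scenario()["log"]:
        print(entry)
```

The audit log is the part a security team actually consumes: each denied entry names why the key was refused, which is what makes a reused or expired activation visible in reporting rather than silently ignored.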
LAPS creates a user ID for the device, which then allows IT teams to access the ID and device when needed. This doesn’t support the end-user self-service model, which is a central feature needed by most organizations to effectively implement admin rights management. Privilege Manager, however, allows end users to have the power to safely access admin rights for a clear, defined action and for a limited time.
Manage your Azure AD devices with Privilege Manager
Microsoft LAPS only supports devices joined to on-premises Active Directory. Devices on the cloud-based Azure AD or devices in a workgroup can’t be connected to the service. This means LAPS is out of the question for any organization that uses Azure AD or workgroup devices instead of Active Directory.
Unlike Microsoft LAPS, Privilege Manager allows you to manage devices in workgroups. Privilege Manager data is saved in a SQL database, which means that it requires Microsoft SQL Server 2005 or newer. Microsoft LAPS, on the other hand, doesn’t need a SQL database or IIS.
However, a database is a safer location for Privilege Manager’s device account data when compared to Active Directory. When operations are performed in Active Directory, there is an increased risk for accidentally deleting an account or a device password.
In Privilege Manager, you can configure user IDs and groups based on the structure of the existing Active Directory. For example, you can set domain-specific ID and group rules on the domain level, specify them further on the level of the organization unit, and then go even deeper at the device level.
You can also create and manage new IDs and groups. Privilege Manager supports known user IDs and groups, meaning it’s easy to manage them even if the devices’ operating systems use different languages.
Comprehensive Reporting Improves Cybersecurity
Privilege Manager keeps a log on each operation performed and records the reason for each change in access right status. Everything is logged and reported: who was given an admin ID and when, for how long, and why.
These reports help maintain a high level of cybersecurity. Privilege Manager makes it easy to get system-wide reports on devices’ current settings related to user IDs and user groups. Microsoft LAPS, on the other hand, has very limited reporting functions.
Support and Product Development
Technical user support is included with Privilege Manager. With Microsoft LAPS, only the Premium Support customers have access to technical support, and only with problems related to the application’s use or installation. And this service is only available for large organizations.
Privilege Manager offers technical support for all of its users. Additionally, the whole product design and development is done with the user experience in mind.
|Feature|Privilege Manager|Microsoft LAPS|
|---|---|---|
|Number of Managed IDs|Individual and groups|One device only|
|Temporary Admin ID|Yes|No|
|Managed Environments|AD, Azure AD, work groups|On-prem AD devices only|
|Customer Support|Unlimited|Premier customers only|
How does your admin team benefit from Privilege Manager?
- Improve your level of cybersecurity by significantly limiting the risks of malware and incorrect operations. When admin rights are limited to specific operations and granted based on case-by-case consideration, users can’t accidentally harm their own system or let malware into the company’s environment.
- Less pressure on IT support, thanks to users who can, where permitted, perform admin operations independently. The specialists on the IT support team can focus on more demanding operations and boost their performance.
- Privilege Manager provides a report specifying the reasons the users requested and accessed admin rights.
How does Privilege Manager help the end user?
- Your work is more efficient when you can install applications and drivers independently, without intervention from the IT support crew.
- It’s fast and easy to request the admin rights activation key.
- The activation key doesn’t require internet access to work, meaning you can perform admin operations when you are traveling for business.
Privilege Manager by Recast is a service that removes permanent admin rights from workstations and instead gives out temporary rights, without adding burden on the IT support team or the end user. With Privilege Manager, you can manage local user IDs and groups on Windows devices in an efficient, centralized way. This means easier workstation and server management and significantly improved cybersecurity.