Bringing Visibility to an Overlooked Security Necessity
Microsoft LAPS (Local Administrator Password Solution) has been around for several years, and we know many organizations haven't implemented it yet. The good news is that many have. Thankfully, it's simple to set up and greatly reduces a previously exploitable attack vector: a shared local administrator password that, once recovered from one machine, opens every other machine that uses it. In Microsoft's words:
LAPS … mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers. – Microsoft
If you are one of those who have yet to set up LAPS, see our Overview of Microsoft LAPS post, which guides you through the setup process. For the rest of you, LAPS was set up and then forgotten as operational duties and the day's firefighting took over. Who seriously checked LAPS client health once it was set up? Who confirmed it was working on every endpoint? A computer that never wrote its password to AD, or whose password expired and was never rotated, is a computer where the old shared local admin password may still be in place. As with any implementation, you need to check up on it from time to time. This shouldn't be a surprise: you already do it for the ConfigMgr client, you monitor client health, and you may even have implemented auto-remediation scripts. You probably monitor your AV / anti-malware system, IDS, disk encryption, and so on. So why not LAPS?
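As an added example (not from the original post and not Recast's code), here is the kind of health check a dashboard performs, done by hand from the two legacy LAPS attributes in AD. It requires the ActiveDirectory (RSAT) module and an account that can read ms-Mcs-AdmPwdExpirationTime; it never reads the password attribute itself. The OU, the stale threshold and the CSV path are assumptions, so adjust them for your domain.

```powershell
# Added example: LAPS client-health report from AD (not part of the original post).
# Requires the ActiveDirectory module (RSAT). The OU below is hypothetical.
#Requires -Modules ActiveDirectory

param(
    [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example',   # hypothetical OU
    [int]$StaleDays     = 30,                                     # expired longer than this = Stale
    [string]$CsvPath    = (Join-Path $PWD 'LAPS-Health.csv')
)

$now = [DateTime]::UtcNow

$report = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties 'ms-Mcs-AdmPwdExpirationTime', 'OperatingSystem', 'LastLogonDate' |
  ForEach-Object {
    $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
    if ($null -eq $raw) {
        # Attribute never written: the LAPS client-side extension has never run on this
        # machine, or the computer account cannot write the attribute in AD.
        $expires = $null
        $state   = 'NeverSet'
    } else {
        # Stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
        $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
        $state = if ($expires -gt $now) { 'Healthy' }
                 elseif (($now - $expires).TotalDays -le $StaleDays) { 'Expired' }
                 else { 'Stale' }
    }
    [pscustomobject]@{
        ComputerName  = $_.Name
        OS            = $_.OperatingSystem
        LastLogonDate = $_.LastLogonDate
        PwdExpiresUtc = $expires
        State         = $state
    }
  }

# The summary a dashboard would show, then the detail for the security / audit team.
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object State -ne 'Healthy' | Sort-Object State, ComputerName | Format-Table -AutoSize
$report | Export-Csv -Path $CsvPath -NoTypeInformation
```

Two caveats when reading the output: the CSE only rotates the password at Group Policy refresh, so a laptop that has been off for weeks will show as Expired even though LAPS is working, which is why LastLogonDate is in the report; and a future expiration time proves the attribute was written, not that the password in AD still matches the one on the box.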
LAPS Dashboard Monitors Health
The team at Recast Software created a nifty dashboard to monitor your LAPS health. It is included in the Enterprise version of Right Click Tools. Here is an image from their documentation, showcasing the additional data this feature unearths:
Most of us are in the ConfigMgr Console every day. Having this LAPS dashboard keeps it visible and at the front of our minds, which is highly useful. It only takes a few seconds to pull it up, check the stats, and move on. If an anomaly exists, the team can start looking into it.
Teams can also look up passwords here. There is no need to build a special package for Service Desk techs to look up passwords: most of them already have the ConfigMgr Console, so you grant them permission to this feature and they have a powerful tool for looking up local admin passwords as their support work requires. Treat that as a privileged capability and scope it to the groups that actually need it; the permissions section below walks through doing exactly that.
Additionally, you can export the LAPS dashboard results to a CSV file. This makes it easy to provide to the Security Team / Audit Folks, who want to confirm compliance.
So how do you set this up? First, get your Right Click Tools Enterprise license and set up the Recast Management Server.
What permissions are required to allow my Service Desk the ability to view the passwords?
We'll go over that, building on the last post, where we set up LAPS and created AD groups with different LAPS permissions. Assumption before continuing: you have specific AD groups you want to grant permissions to.
In the lab we have Service Desk Tier 1 through Tier 3 support positions with different levels of access to the ConfigMgr Console. We want all of them to be able to see the dashboard and pull up passwords.
In ConfigMgr / SCCM:
Before adding any permissions, this is what the dashboard looks like without the proper rights (using a Service Desk Tier 1 user):
Let's add some permissions. In Recast Management Server, we created a ReLAPS role with just the permissions needed for the ReLAPS console.
Testing with three of the available rights; getting close:
Ok, this looks better (still using a Service Desk Tier 1 user):
So what does this look like in the Recast Management Server Console?
We created a ReLAPS role with the minimum rights the ReLAPS console requires.
Then we added the LAPS Read Only group and assigned it to the ReLAPS role:
Now you can rest easy knowing your Service Desk can do the tasks you want them to do, and no more. Re-run the Tier 1 test whenever the role or the group membership changes; the dashboard is the quickest way to confirm the scope is still what you intended.
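The console role is one layer; the AD delegation from the previous post is the other, because the password lives in the confidential ms-Mcs-AdmPwd attribute and is only readable by principals holding the extended right on it. As an added check (not part of the original post), the script below uses the AdmPwd.PS module that ships with LAPS to list who holds that right on the delegated OU and to flag anyone you did not intend. The OU and group names are hypothetical stand-ins for the ones created in the previous post.

```powershell
# Added example: audit LAPS password read rights on a delegated OU (not from the original post).
# Requires the AdmPwd.PS module installed with the LAPS management tools. Names are hypothetical.
#Requires -Modules AdmPwd.PS

$ou = 'OU=Workstations,DC=corp,DC=example'      # hypothetical delegated OU

# Principals you expect to see. Adjust the domain prefix and the built-in holders for your forest.
$expected = @(
    'CORP\LAPS Read Only',      # the group assigned to the ReLAPS role (name assumed)
    'CORP\LAPS Admins',         # group with reset rights from the previous post (name assumed)
    'CORP\Domain Admins',
    'NT AUTHORITY\SYSTEM'
)

# Find-AdmPwdExtendedRights walks the OU and its children and returns, per container,
# the principals holding the extended right to read ms-Mcs-AdmPwd.
$rights = Find-AdmPwdExtendedRights -Identity $ou

# Full picture, one line per container.
$rights |
    Select-Object ObjectDN, @{ n = 'Holders'; e = { $_.ExtendedRightHolders -join '; ' } } |
    Format-Table -AutoSize -Wrap

# Anything not on the expected list can read local admin passwords and needs an explanation.
$unexpected = foreach ($entry in $rights) {
    foreach ($principal in $entry.ExtendedRightHolders) {
        if ($principal -notin $expected) {
            [pscustomobject]@{ ObjectDN = $entry.ObjectDN; Principal = $principal }
        }
    }
}

if ($unexpected) {
    Write-Warning 'Unexpected principals can read LAPS passwords on this OU tree:'
    $unexpected | Format-Table -AutoSize
} else {
    'Only the expected principals hold LAPS read rights on the delegated OU.'
}
```

Once the Service Desk can read passwords, pair the delegation with Set-AdmPwdAuditing -OrgUnit on the same OU so each read is recorded in the domain controller's security log (event 4662); a password lookup is an admin-level action and should leave a trail the security team can review alongside the exported dashboard CSV.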