You’re crazy if you don’t have Windows Local Administrator Password Solution

Apr 05 2024 - Many organizations should have a local administrator password solution in place. Have you met my friend Windows Local Administrator Password Solution (LAPS) from Microsoft?

Maybe you’re not crazy and perhaps you have another solution for local administrator password management. However, many organizations don’t have a local administrator password solution in place and absolutely should. You can decide for that yourself after reading further.

Quite simply, Windows LAPS centralizes the password for Windows local administrator passwords across Windows clients and rotates the passwords in an automated service. IT teams can then utilize them as required for a variety of activities.

Key Scenarios for Windows LAPS

Here are just a few scenarios where having Windows LAPS already deployed will be a lifesaver for your organization:

  1. Ransomware and Cyberattacks
  2. Law Enforcement
  3. Forensics (Internal)
  4. Troubleshooting
  5. Migrations

In all the scenarios listed above, a given Windows server or client operating system environment (OSE) may need to be accessed using a local administrator account.

In the case of Law Enforcement, there may be a requirement to provide access to a given laptop that was seized through a search warrant. The authorities may require the organization to gain access to the device, but this doesn’t mean providing access using a given user’s password, AND the device may not be directly connected to the Internet.

In the case of Migrations, some organizations are transitioning from a hybrid setup (a local Windows Active Directory synchronized with Entra ID) to purely Entra ID cloud-managed devices. During this process there is a point in time when the local Windows client is in a workgroup and is managed by neither Windows Active Directory nor Entra ID. To complete the migration, the IT team or user will need the local administrator password to act.

Licensing

From Microsoft: The Windows LAPS feature itself is available for free in all supported Windows platforms.

For small and medium businesses with any one, or any combination, of the following, Windows LAPS is available to you with Entra ID!

  • Microsoft 365 Apps for business
  • Microsoft 365 Business Basic
  • Microsoft 365 Business Standard
  • Microsoft 365 Business Premium

For organizations with Microsoft 365 Enterprise licensing, you have this as well.

What if you only want to do this with a local Windows Active Directory environment and you’re not interested in integrating with Entra ID? Yes, this is still available. (more on this below)

Best Practices says don’t do this

The generally accepted view in IT, and the stated best practice, for local Administrator accounts on Windows Servers and Windows Clients (e.g. Windows 11) is to disable the local administrator account. Without a LAPS of any kind in place, that’s the right starting point.

However, with Windows LAPS freely available and pretty easy to manage, this changes things a bit.

Can’t we log on locally with an Entra ID RBAC role or local Windows AD role?

Yes of course, but that won’t work in any of the scenarios listed above.

For Entra ID, there is documentation here: https://learn.microsoft.com/en-us/entra/identity/devices/howto-manage-local-admin-passwords#recovering-local-administrator-password-and-password-metadata

Why not deploy Windows LAPS?

With the need to support the scenarios listed earlier, holding ALL the local administrator passwords for every device within scope of management in one place carries a substantial set of security risks.

While I wouldn’t suggest there is a good reason NOT to deploy Windows LAPS, I would recommend the following before you do:

  1. Process documentation with periodic training and updates
  2. Monitoring and alerting of any usage
  3. Forced password rotations when staff leave, whether planned or unplanned
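As an added example that is not part of the original post, here is how recommendations 2 and 3 above (monitoring of usage, forced rotation when staff leave) can be carried out with the Windows LAPS PowerShell module in an Active Directory-backed deployment. It assumes the LAPS and ActiveDirectory modules, that Set-LapsADAuditing has already been applied to the OU, and rights to read the DC Security log; device and DC names are constructed placeholders.

```powershell
# Added example, not code from the original post. Assumes the Windows LAPS and ActiveDirectory
# PowerShell modules, an AD-backed LAPS deployment with Set-LapsADAuditing already applied to
# the OU, and rights to read the DC Security log. Names below are constructed placeholders.

# --- Task A: force rotation on every device a departing administrator could have accessed ---
# The list should come from your ticketing or PAM records; a constructed list is used here.
$DevicesToRotate = @('WS-0001', 'WS-0002', 'SRV-FILE01')

foreach ($device in $DevicesToRotate) {
    # With no -WhenEffective, the expiration time is set to now, so the device rotates
    # the password on its next LAPS policy processing cycle.
    Set-LapsADPasswordExpirationTime -Identity $device

    # Do not wait for that cycle if the device is reachable (needs PowerShell remoting).
    try {
        Invoke-Command -ComputerName $device -ScriptBlock { Reset-LapsPassword } -ErrorAction Stop
    } catch {
        Write-Warning "$device unreachable; it will rotate on its next policy cycle. $_"
    }
}

# --- Task B: report who read a LAPS password on a DC in the last 24 hours ---
# Audited reads are logged as Security event 4662; the attribute read is identified by its
# schemaIDGUID in the Properties field, so look those GUIDs up rather than hard-coding them.
$SchemaNC  = (Get-ADRootDSE).schemaNamingContext
$LapsGuids = Get-ADObject -SearchBase $SchemaNC -Properties schemaIDGUID `
    -LDAPFilter '(|(lDAPDisplayName=msLAPS-Password)(lDAPDisplayName=msLAPS-EncryptedPassword))' |
    ForEach-Object { ([guid]$_.schemaIDGUID).Guid }

$DC     = 'DC01'
$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$reads = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Keep only 4662 events whose Properties field names one of the LAPS password attributes.
    if ($LapsGuids | Where-Object { $d['Properties'] -match $_ }) {
        [pscustomobject]@{ Time = $e.TimeCreated; User = $d['SubjectUserName']; Object = $d['ObjectName'] }
    }
}
$reads | Sort-Object Time | Format-Table -AutoSize   # feed this into your alerting pipeline
```

Task B only sees reads that went through the audited AD attributes; retrievals via Entra ID are surfaced through the Entra audit logs instead.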

There may be compliance, contractual, or other reasons why some Windows devices may be excluded.

What about Windows Servers and Active Directory Domain Controllers?

Yes, Windows LAPS does support these. If you’re going to store the passwords within Active Directory, a schema extension is required, which in turn requires the 2016 Domain Functional Level (DFL).

Two key components for managing Windows LAPS specifically for local Windows Active Directory are PowerShell (the same PowerShell module is used for Entra ID as well) and a Windows LAPS MMC snap-in.
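As an added example, not from the original post, the following shows the one-time Active Directory setup just described using the Windows LAPS PowerShell module: the schema extension, computer self-permission, read/reset delegation to groups, auditing, and a check of who holds rights. It assumes Schema Admin rights for the schema step and Domain Admin rights for the rest; the OU path, group names and computer name are constructed placeholders.

```powershell
# Added example, not code from the original post. Assumes the Windows LAPS PowerShell module,
# Schema Admins membership for step 1 and Domain Admins for steps 2-5. The OU path, group
# names and computer name are constructed placeholders for your own environment.
$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'
$ReaderGroup   = 'CORP\LAPS-Password-Readers'
$ResetGroup    = 'CORP\LAPS-Password-Resetters'

# 1. Extend the schema with the msLAPS-* attributes (run once per forest).
#    -Verbose shows each attribute being added, which is what you would capture for change control.
Update-LapsADSchema -Verbose

# 2. Let each computer object in the OU write its own password and expiry time.
Set-LapsADComputerSelfPermission -Identity $WorkstationOU

# 3. Delegate read and reset rights to dedicated groups, never to individual admins.
Set-LapsADReadPasswordPermission  -Identity $WorkstationOU -AllowedPrincipals $ReaderGroup
Set-LapsADResetPasswordPermission -Identity $WorkstationOU -AllowedPrincipals $ResetGroup

# 4. Audit every successful read of the password attributes so retrieval lands in the
#    DC Security log (this is what any "monitoring and alerting" depends on).
Set-LapsADAuditing -Identity $WorkstationOU -AuditedPrincipals 'Everyone' -AuditType Success

# 5. Verify: list the principals holding extended rights on the OU. Any group here that you
#    did not intend (a legacy helpdesk group, for example) can read every password in the OU.
Find-LapsADExtendedRights -Identity $WorkstationOU |
    Select-Object ObjectDN, ExtendedRightHolders

# 6. Retrieve one device's password only when a scenario calls for it; -AsPlainText is
#    deliberately explicit so the clear-text value never appears by accident.
Get-LapsADPassword -Identity 'WS-0001' -AsPlainText |
    Select-Object ComputerName, Account, Password, ExpirationTimestamp
```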

References

Microsoft’s documentation on this has been pretty good but spread out. Here are links to get you going:

Next Steps

If you have ANY Windows Servers or Windows Clients (e.g. Windows 10, Windows 11) in your organization, then you should give this a look.

If you’re going to use Windows LAPS in local Windows Active Directory, remember this will require a Schema update and maybe updates to your Domain Functional Levels. These can be a big deal and proper planning and communication should be in place.
