Windows Security – LAPS

admin — Tue, 22 Nov 2022 03:03:29 +0000

It’s actually been around for a while now – LAPS or Local Administrator Password Solution – but honestly, it’s not something I’ve ever encountered in all the networks I’ve ever managed. I was introduced to LAPS when I ran Ping Castle against my own environment, as a strongly recommended solution to implement.

The concept is pretty simple – LAPS sets a Local Administrator password policy against all the computers (except domain controllers) in a domain environment. A typical policy:

Password is reset every X number of days
Password meets complexity requirements
Password meets length requirements

In my own environment I set a policy of 90 days and 24 completely randomized characters.

I found lots of resource online for getting started:

Both sites are great at detailing out the process.

The drawbacks I encountered:

If deploying the MSI package via GPO you do have to reboot the system for the install to happen
It doesn’t work for Domain-Joined systems in Azure unless you’ve planned for this in advance

When you deploy an Azure Windows VM, the ‘administrator’ account is reserved by Azure, so you’re prompted to create your own. Out of the box configurations for LAPS utilizes the Administrator account, so unless you plan ahead and have a policy that resets the default Administrator to a different username, and incorporated the same username into your LAPS policy, your Azure Windows VMs will accept the policy but never return a password.

Truthfully I did cheat this last bit by just adding the Administrator username to the Azure VM and giving it a random password. LAPS then did grab that account and reset the password according to policy. This isn’t the right way to do it though, so I don’t recommend it. Best practice would be to set your own Local Administrator username and implement across your domain, and incorporate into your LAPS policy.

Oct 18, 2024 – update

I keep hitting my head against needing to validate LAPS passwords. Sometimes I don’t want the password, I want to know how many or which systems have a LAPS password:

Get-ADComputer -LDAPFilter “(ms-mcs-AdmPwd=*)” | select-object name

(Get-ADComputer -LDAPFilter “(ms-mcs-AdmPwd=*)”).count

Inversely to find out how many or which systems do not have a LAPS password:

Get-ADComputer -LDAPFilter “(!(ms-mcs-AdmPwd=*))” | select-object name

(Get-ADComputer -LDAPFilter “(!(ms-mcs-AdmPwd=*))”).count

The post Windows Security – LAPS appeared first on Wiredwolf Canada.

Active Directory Backups

admin — Fri, 11 Nov 2022 16:59:09 +0000

Recently I was tasked with doing an AD audit in which I ran a utility called Ping Castle which indicated that Active Directory NTDS should be backed up frequently. This would be so you can roll back AD to a consistent state should you need to recover deleted items or deleted attributes. Typically administrators would restore the entire server to a point in time, but with AD this can cause differences in AD between servers to become a problem. Having a backup of AD on all servers at the same time would be helpful in restoring AD back to a consistent state.

The process is actually very simple using ntdsutil.

Open an elevated CMD (as Administrator

ntdsutil

activate instance ntds

snapshot

create

That’s it – the manual process.

To autotmate this process Petri has a good article on the process: https://petri.com/automating-creation-active-directory-snapshots/

Basically create a batch file in your scripts folder called ad-snapshot.bat

@echo off

ntdsutil snapshot “activate instance ntds” create quit quit

exit

Use the Task Scheduler to create a job to fire this job once a week.

The post Active Directory Backups appeared first on Wiredwolf Canada.

Best Practices Archives - Wiredwolf Canada

Windows Security – LAPS

Active Directory Backups