Open Mobile Menu

Blog

Who’s Managing your LAPS Implementation

Views: 846

Written By: Michael Becher January 07, 2020

What is Laps?

In May 2015, Microsoft released a password management tool to combat the rising abuse of encrypted passwords (which effectively became encoded when Microsoft released the key) stored in Group Policy Preferences, or worse, in cleartext scripts pushed via GPO. Every domain user was able to access these preferences and scripts in the ‘SYSVOL’ share and could obtain the single local administrator password for all machines on the domain, which would provide total lateral movement opportunities within the domain. Microsoft describes it this way:

For environments in which users are required to log on to computers without domain credentials, password management can become a complex issue. Such environments greatly increase the risk of a Pass-the-Hash (PtH) credential replay attack. The Local Administrator Password Solution (LAPS) provides a solution to this issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain.

What is the concern?

The necessary problem here is that at least one user has to be able to see these LAPS passwords to administer the process. Who within your domain has this power? You might be surprised at how often this is overlooked, thus leading to the availability of all these passwords to more users than intended.

Two new attributes were added to the Active Directory Schema, ‘ms-MCS-ADMPwd’ and ‘ms-Mcs-AdmPwdExpirationTime’, which store the cleartext password and password expiration time, respectively. The ‘ms-MCS-ADMPwd’ attribute is confidential and requires specific permissions to view, while the ‘ms-Mcs-AdmPwdExpirationTime’ is viewable to anyone. Microsoft further clarifies:

...the ms-Mcs-AdmPwd attribute that stores password in AD is marked as Confidential in AD - this means that users need to have extra permission (CONTROL_ACCESS permission) to read the value - Read permission is not enough. AD honors the read request for confidential attribute value when at least one of the following is true:

Caller is granted 'Full Control' permission

Caller is granted 'All Extended Rights' permission

Caller is granted 'Control Access' on the attribute permission (this is what LAPS PowerShell uses to grant the permission)

Depending on the size of your organization, the users that do have this permission can be convoluted. Utilizing a least privilege model is one way to segment and secure this permission. The simplest way would be to create a “LAPS Admin” security group and only add those few individuals that need to be able to pull those passwords. So, who within your domain needs this power? It is a very subjective question and will completely depend on your organization’s risk tolerance, as well as balancing security and usability.

The key takeaway is that this permission will result in compromising one or more Domain Admin accounts with a little time and effort from an adversary. For this reason, the delegation of the ‘ms-mcs-AdmPwd’ attribute has to be cautiously applied and only extended to individuals that absolutely require it.

Who can view LAPS passwords?

There are multiple ways to identify users that have permission to see LAPS passwords including the PowerShell module that is installed with LAPS, the LAPSTookit, and PowerView. The quickest method would be to use LAPSToolkit’s ‘Find-LAPSDelegatedGroups’ function to determine access to the ‘ms-mcs-AdmPwd’ attribute on a group basis. From there, further enumerations of the group(s) can identify all users that inherit this power from the group.

Only two authorized groups can view the passwords.

 

Additionally, users with ‘ExtendedRights’ enabled on certain computers within the domain can be identified with the ‘Find-AdmPwdExtendedRights’ function if they are not a part of a delegated group. ‘ExtendedRights’ describes a special privilege that encompasses many additional permissions, including viewing cleartext LAPS passwords. Many times, users are giving this permission as a ‘catch-all’ instead of narrowly assigning rights based on their job’s requirements. Utilizing the aforementioned function can uncover additional users that are able to view LAPS passwords for further auditing.

An additional user is uncovered when searching for ExtendedRights.

 

We identify that an unauthorized user ‘ffranklin’ has ‘All Extended Rights’ enabled

 

 Removing those rights in ADSI Edit results in the user no longer being displayed in the query.

 

What is the way forward?

As users, groups, and permissions are modified in the domain, it becomes very easy to overlook unnecessary permissions on an object. System administrators should routinely run the above queries to identify any anomalies in the LAPS attribute permissions. Once identified, ensure that necessary rights are revoked, and attempt to identify the cause of the issue to adjust procedures to prevent the misappropriation of rights in the future. Lastly, BSI AppSec offers a variety of red team engagements that can be used to help identify these types of issues on your domain. We pride ourselves on not only delivering an actionable report of findings but also working with blue teams to increase their awareness of current attack techniques as well as how best to secure their domain.

 

References:

https://www.microsoft.com/en-us/download/details.aspx?id=46899

https://blogs.msdn.microsoft.com/laps/2015/06/01/laps-and-password-storage-in-clear-text-in-ad/

Michael Becher

Michael Becher is a Penetration Tester with BSI AppSec with 12 years of experience in the Information Technology field. He started as a Cyber Security Analyst with the U.S. Army, then transitioned to incident response and later, security consulting. He holds multiple certifications including the Offensive Security Certified Expert (OSCE), the Offensive Security Certified Professional (OSCP), and the GIAC Web Application Penetration Tester (GWAPT).

Michael graduated from Excelsior College with a Bachelor’s degree in Information Technology and is currently enrolled in SANS’s Master of Science in Information Security Engineering. He has worked with both government and commercial organizations to test and secure their networks. His work experience includes both network and web application penetration testing, social engineering, and wireless hacking.   

Expertise

  • Network Penetration Testing
  • Web Application Penetration Testing
  • Social Engineering
  • Incident Response

Professional Certifications

  • Offensive Security Certified Expert (OSCE)
  • Offensive Security Certified Professional (OSCP)
  • GIAC Penetration Tester (GPEN)
  • GIAC Web Application Penetration Tester (GWAPT)
  • Offensive Security Wireless Professional (OSWP)
  • GIAC Certified Incident Handler (GCIH)

read more articles by Michael Becher