Small and medium-sized businesses (SMBs) often believe they lack the resources to defend against advanced cyber threats. However, tools like Microsoft Local Administrator Password Solution (LAPS) prove that robust security doesn’t require a Fortune 500 budget.
LAPS mitigates lateral movement by randomizing and regularly rotating local admin passwords, storing them securely in Active Directory (AD). This prevents attackers from exploiting predictable credentials after initial access.
You Should Know:
1. How LAPS Works
- Randomizes passwords for local administrator accounts.
- Stores passwords in AD, encrypted with a unique key.
- Automatically rotates passwords at set intervals.
2. Enabling LAPS
Step 1: Install LAPS
- On a domain controller, run:
Add-WindowsFeature RSAT-AD-PowerShell
- Download LAPS from Microsoft’s Official Site.
Step 2: Configure LAPS Permissions
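- After loading the module with `Import-Module AdmPwd.PS`, allow computers in the OU to update their own managed password, then grant specific users/groups access to read LAPS-managed passwords (the group name "LAPS-Readers" is a placeholder):
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,DC=domain,DC=com"
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Computers,DC=domain,DC=com" -AllowedPrincipals "LAPS-Readers"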
Step 3: Apply LAPS Policy via GPO
- Navigate to Group Policy Management → Create a new GPO.
- Under Computer Configuration → Administrative Templates → LAPS, enable:
- Configure Password Backup Directory
- Password Complexity (e.g., 14+ characters)
- Password Age (e.g., 30 days)
Step 4: Deploy & Verify
- Force GPO update:
gpupdate /force
- Check applied settings:
Get-AdmPwdPassword -ComputerName "TARGET_PC"
3. Key Commands for LAPS Management
- List all LAPS-enabled computers (those with a LAPS expiration time set in AD):
Get-ADComputer -SearchBase "OU=Computers,DC=domain,DC=com" -LDAPFilter "(ms-Mcs-AdmPwdExpirationTime=*)"
- Reset a LAPS password manually:
Reset-AdmPwdPassword -ComputerName "PC01"
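- Audit LAPS usage (export only the expiration timestamp so the CSV does not hold plaintext passwords):
Get-ADComputer -Filter * -SearchBase "OU=Computers,DC=domain,DC=com" | ForEach-Object { Get-AdmPwdPassword -ComputerName $_.Name } | Select-Object ComputerName, ExpirationTimestamp | Export-Csv "LAPS_Audit.csv" -NoTypeInformation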
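A read-only coverage check for the deployment and audit steps above, as an added example (not from the original post or from Microsoft): it classifies computers using only the legacy LAPS expiry attribute `ms-Mcs-AdmPwdExpirationTime`, so no password is ever retrieved. The function name `Get-LapsCoverage`, the state labels, and the sample machines are constructed for illustration.

```powershell
# Added example: classify machines by LAPS state using only the expiry attribute.
# Assumes legacy LAPS (AdmPwd), whose expiry is a FILETIME in ms-Mcs-AdmPwdExpirationTime.
function Get-LapsCoverage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $MaxAgeDays = 30,   # the Password Age example from Step 3
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    process {
        $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        $expires = $null
        if ($null -eq $raw) {
            $state = 'NotManaged'          # LAPS never wrote a password for this machine
        } else {
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            if ($expires -lt $Now) {
                $state = 'Expired'         # rotation overdue: client offline or GPO not applied
            } elseif ($expires -gt $Now.AddDays($MaxAgeDays)) {
                $state = 'BeyondPolicy'    # expiry further out than the policy allows
            } else {
                $state = 'OK'
            }
        }
        [pscustomobject]@{ Name = $Computer.Name; State = $state; ExpiresUtc = $expires }
    }
}

# Constructed sample input standing in for Get-ADComputer output.
$now = [datetime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'PC01'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(12).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC02'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-45).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC03'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
    [pscustomobject]@{ Name = 'PC04'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(400).ToFileTimeUtc() }
)

# Show only the machines that need attention.
$sample | Get-LapsCoverage -Now $now | Where-Object State -ne 'OK' | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -SearchBase "OU=Computers,DC=domain,DC=com" -Filter * `
#     -Properties ms-Mcs-AdmPwdExpirationTime | Get-LapsCoverage
```

Machines reported as `NotManaged` or `Expired` still carry whatever local admin password they had before, so they are the ones where a shared or stale credential remains usable for lateral movement.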
4. Linux Alternative: SSSD + Randomized Local Passwords
For hybrid environments, use SSSD to integrate Linux systems with AD and implement password rotation:
sudo apt install sssd-ad
sudo systemctl restart sssd
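Automate password rotation with a cron job. Single-quote the cron line so that `$(openssl rand ...)` is evaluated each time cron runs the job, not once when the file is written; note that, unlike LAPS, the generated password is not stored anywhere:
echo '0 0 * * * root echo "username:$(openssl rand -base64 12)" | chpasswd' | sudo tee /etc/cron.d/laps_linux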
### **What Undercode Say**
LAPS is a must-deploy for SMBs to disrupt lateral movement. Combine it with:
- Windows Event Log Monitoring: Detect brute-force attempts.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625}
- Restricted Admin Mode: Prevent credential theft via RDP.
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
- Linux Hardening: Use `fail2ban` to block repeated attacks.
sudo apt install fail2ban
sudo systemctl enable fail2ban
Security isn’t about budget—it’s about **smart, layered defenses**.
References:
Reported By: Spenceralessi Defending – Hackers Feeds



