Webinar 1523 Slides


10/9/2018

Managing Local Administrator Accounts with LAPS; And Protecting LAPS from Attack

© 2018 Monterey Technology Group Inc.



Preview of key points
- LAPS
- Security
  - AD
  - User
  - Endpoint
  - Client-side
  - Auditing

LAPS
- Comprehensive privileged account management
- ONLY applies to built-in Administrator account
  - RID 500
  - Or a single account you use instead of Administrator
- Doesn't manage any other type of account
  - Other privileged accounts
  - Service accounts
  - Domain accounts


[Diagram: a member server or workstation with a local Administrator account runs LAPS; LAPS stores the account's password in the computer's Active Directory computer account, in two attributes]
- ms-Mcs-AdmPwd
- ms-Mcs-AdmPwdExpirationTime


[Diagram: on the member server or workstation, the LAPS client-side extension AdmPwd.dll resets the local Administrator password and stores it in the Active Directory computer account (ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime); AdmPwd.dll is driven by Group Policy through the LAPS policy]


[Diagram: an admin reads the password from the Active Directory computer account (ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime) and logs on to the member server or workstation; the admin can also set the password expired in AD to force a reset, which AdmPwd.dll carries out under the Group Policy LAPS policy; the managed computer records "12 - Local Administrator's password has been changed." in its Application log; the password read is recorded in the Security log on the Active Directory side]


LAPS Security
- Active Directory
- LAPS user training
- LAPS endpoint security
- Client-side

Active Directory
- Passwords stored in clear text on each managed computer account
- Access determined by AD permissions on ms-Mcs-AdmPwd
- To read pw you need standard Read permission AND the CONTROL_ACCESS extended right
- Full Control
  - Default
    - Domain Admins
    - Account Operators


LAPS security: securing read access to ms-Mcs-AdmPwd
- Who has access already?
  - Find-AdmPwdExtendedRights
  - Only scans specified OUs
- To grant
  - Set-AdmPwdReadPasswordPermission
  - OU and principals to get permission
- To audit read accesses to password(s)
  - Set-AdmPwdAuditing
  - OU
  - Principals to audit
- Further auditing
  - Permission changes
    - OU
    - Computer
  - Group membership changes
  - Who joins computers to domain?
    - A user automatically gets the "All Extended Rights" permission when adding a computer to the domain.
  - Read only DCs: physically secure?

LAPS user and endpoint security
- LAPS user
- Endpoint where LAPS user logs on
- Computers running LAPS

LAPS Security: LAPS user and their workstations
- Accounts with access to ms-Mcs-AdmPwd
  - Treat as privileged
  - Don't allow logon to insecure systems
- Privileged user training
  - How password is handled
  - Reset after use?
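Added example, not part of the webinar slides: the "securing read access" and "reset after use" points above, as one PowerShell routine built on the LAPS management cmdlets the slides name (Find-AdmPwdExtendedRights, Set-AdmPwdReadPasswordPermission, Set-AdmPwdAuditing) plus Get-AdmPwdPassword and Reset-AdmPwdPassword from the same AdmPwd.PS module. The OU path, the group name, the list of expected right holders and the computer name are placeholders; the account name used to build the credential assumes the managed account is the built-in Administrator.

```powershell
# Added example (not from the webinar). Assumes the AdmPwd.PS module (LAPS
# management tools) and the ActiveDirectory module are installed on the admin host.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OU              = 'OU=Workstations,DC=example,DC=com'        # placeholder OU
$ReaderGroup     = 'EXAMPLE\LAPS-Password-Readers'            # placeholder group
$ExpectedHolders = @('EXAMPLE\Domain Admins', $ReaderGroup)   # who is meant to hold the right

# 1. Who already holds extended rights on objects under this OU (and so can read
#    the password)? Find-AdmPwdExtendedRights walks only the OU you name, so run
#    it per OU, and compare what it returns with the list you intend.
$unexpected = foreach ($entry in Find-AdmPwdExtendedRights -Identity $OU -IncludeComputers) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        if ($ExpectedHolders -notcontains $holder) {
            [pscustomobject]@{ ObjectDN = $entry.ObjectDN; Holder = $holder }
        }
    }
}
if ($unexpected) {
    Write-Warning 'Unexpected holders of extended rights (review and remove):'
    $unexpected | Format-Table -AutoSize
}

# 2. Delegate read (and reset) of the password only to the intended group, per OU.
Set-AdmPwdReadPasswordPermission  -Identity $OU -AllowedPrincipals $ReaderGroup
Set-AdmPwdResetPasswordPermission -Identity $OU -AllowedPrincipals $ReaderGroup

# 3. Audit every read of the password attribute under this OU. Together with
#    "audit directory service access" this produces event 4662 on the DCs.
Set-AdmPwdAuditing -Identity $OU -AuditedPrincipals 'Everyone'

# 4. "Reset after use": read the password for one computer, hand it to the caller
#    as a credential, and whatever happens expire it so the CSE rotates it at the
#    next Group Policy refresh. Assumes the managed account is Administrator.
function Invoke-WithLapsPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][scriptblock]$Action   # receives a PSCredential
    )
    $entry  = Get-AdmPwdPassword -ComputerName $ComputerName
    $secure = ConvertTo-SecureString $entry.Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential("$ComputerName\Administrator", $secure)
    try {
        & $Action $cred
    }
    finally {
        # Set ms-Mcs-AdmPwdExpirationTime to now: the password is single-use in practice
        Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
    }
}

# Usage (placeholder host): run one remote command as the local Administrator,
# then the password is expired regardless of whether the command succeeded.
Invoke-WithLapsPassword -ComputerName 'WKS001' -Action {
    param($cred)
    Invoke-Command -ComputerName 'WKS001' -Credential $cred -ScriptBlock { hostname }
}
```

The try/finally is the point of step 4: the expiration is set even when the task fails, so a password that has left AD never stays valid until its scheduled rotation.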



LAPS security: client-side
- No integrity checking or signature verification on admpwd.dll
  - Can be replaced with imposter
  - Proof of concept: https://www.youtube.com/watch?v=opSctm4L8kE
  - Useful for persistent backdoor
  - Requires attacker already have admin authority
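Added example, not part of the webinar slides: since Group Policy itself does not check the LAPS extension DLL before loading it, the integrity check has to come from the defender. This script, run on a managed computer, reads which DLL is registered for the LAPS client-side extension, verifies its Authenticode signature, and compares its hash with a baseline. Assumptions: the default install path C:\Program Files\LAPS\CSE\AdmPwd.dll, the GPExtensions registry key under the LAPS CSE GUID, and a baseline hash you record yourself from the installer you deployed (the placeholder below is not a real hash).

```powershell
# Added example (not from the webinar). Run on a LAPS-managed computer.
$LapsCseGuid    = '{D76B9641-3288-4f75-942D-087DE603E3EA}'   # GUID Group Policy uses for the LAPS CSE
$GpExtKey       = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$LapsCseGuid"
$ExpectedPath   = 'C:\Program Files\LAPS\CSE\AdmPwd.dll'    # default install path (assumption)
$BaselineSha256 = '<SHA256 of the AdmPwd.dll you deployed>'  # placeholder, record from a known-good copy

function Test-LapsCseIntegrity {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Which DLL does Group Policy actually load for the LAPS extension?
    $registered = (Get-ItemProperty -Path $GpExtKey -ErrorAction SilentlyContinue).DllName
    if (-not $registered) {
        $findings.Add("LAPS CSE is not registered at $GpExtKey")
        return $findings
    }
    $resolved = [Environment]::ExpandEnvironmentVariables($registered)
    if ($resolved -ne $ExpectedPath) {
        $findings.Add("CSE DllName points to '$resolved', expected '$ExpectedPath'")
    }
    if (-not (Test-Path -Path $resolved)) {
        $findings.Add("Registered DLL is missing: $resolved")
        return $findings
    }

    # 2. Is the file Authenticode-signed, unmodified since signing, and signed by Microsoft?
    $sig = Get-AuthenticodeSignature -FilePath $resolved
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status '$($sig.Status)' on $resolved")
    }
    elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
        $findings.Add("Signed, but not by Microsoft: $($sig.SignerCertificate.Subject)")
    }

    # 3. Does it match the hash you recorded from the build you deployed?
    if ($BaselineSha256 -match '^[0-9A-Fa-f]{64}$') {
        $hash = (Get-FileHash -Path $resolved -Algorithm SHA256).Hash
        if ($hash -ne $BaselineSha256.ToUpper()) {
            $findings.Add("SHA256 $hash differs from the recorded baseline")
        }
    }
    else {
        $findings.Add('No baseline hash configured; set $BaselineSha256 from a known-good copy')
    }

    return $findings
}

$result = Test-LapsCseIntegrity
if ($result.Count -eq 0) { 'LAPS CSE matches expected path, signature and baseline' } else { $result }
```

Run it from your endpoint management or monitoring tooling on a schedule; a DllName that points somewhere other than the install directory, an invalid signature, or a hash drift is the signal to investigate, and because the swap described on the slide already needs admin rights on the host, the check is a detection for a compromise that has already happened rather than a preventive control.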


LAPS security
1. On the domain controller, open ADSI Edit from the desktop.
2. If you have used ADSI Edit then it may open with something already connected. So right click on ADSI Edit and select "Connect to…"
3. In the Connection Settings dialog box select "Schema" from the dropdown.

LAPS health: how do you know if LAPS is working?
- Only if you
  - Enable verbose logging
  - Collect application logs from managed computers
  - See informational success events
    - 12 and 13
- Periodic assessment
  - https://www.pentestgeek.com/penetration-testing/another-lap-around-microsoft-laps
  - LAPS Toolkit
    - Find-AdmPwdExtendedRights
    - Find-LAPSDelegatedGroups
    - Get-LAPSComputers
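Added example, not part of the webinar slides or of the LAPS Toolkit: a periodic health assessment that fills the "no health monitoring" gap the slides point at. It reads ms-Mcs-AdmPwdExpirationTime for every enabled computer under an OU and flags hosts that have never reported a password or whose rotation is overdue, turns on verbose logging for the CSE, and collects the success events 12 and 13 from the Application logs of the managed computers. Assumptions: the ActiveDirectory module, a placeholder OU, that the LAPS CSE logs to the Application log under the provider name AdmPwd, and the ExtensionDebugLevel registry value under the LAPS CSE GUID for verbose logging.

```powershell
# Added example (not from the webinar). Assumes the ActiveDirectory module on the admin host.
Import-Module ActiveDirectory

$OU        = 'OU=Workstations,DC=example,DC=com'   # placeholder
$GraceDays = 3   # how far past expiration before we call the rotation failed

function Get-LapsHealthFromAD {
    param([Parameter(Mandatory)][string]$SearchBase)
    $now = Get-Date
    Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
                   -Properties 'ms-Mcs-AdmPwdExpirationTime', LastLogonDate |
    ForEach-Object {
        $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'   # Windows FILETIME as a 64-bit integer
        $status  = 'OK'
        $expires = $null
        if (-not $raw) {
            $status = 'NeverReported'   # LAPS has never written a password for this host
        }
        else {
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime()
            if ($expires -lt $now.AddDays(-$GraceDays)) { $status = 'RotationOverdue' }
        }
        [pscustomobject]@{ Name = $_.Name; Status = $status; Expires = $expires; LastLogon = $_.LastLogonDate }
    }
}

function Enable-LapsVerboseLogging {
    # Run on a managed computer. ExtensionDebugLevel 2 = verbose logging for the LAPS CSE.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
    Set-ItemProperty -Path $key -Name ExtensionDebugLevel -Value 2 -Type DWord
}

function Get-LapsSuccessEvents {
    # Event 12: password changed locally; event 13: password reported to AD (provider 'AdmPwd', assumption)
    param([Parameter(Mandatory)][string[]]$ComputerName, [int]$Days = 30)
    foreach ($c in $ComputerName) {
        $filter = @{
            LogName      = 'Application'
            ProviderName = 'AdmPwd'
            Id           = 12, 13
            StartTime    = (Get-Date).AddDays(-$Days)
        }
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Computer'; e = { $c } }, TimeCreated, Id, Message
    }
}

# 1. Hosts whose AD attributes say LAPS is not doing its job
$health = Get-LapsHealthFromAD -SearchBase $OU
$health | Where-Object Status -ne 'OK' | Sort-Object Status, Name | Format-Table -AutoSize

# 2. For the hosts that look healthy in AD, confirm the client side agrees:
#    a machine with a fresh expiration time but no 12/13 events deserves a look.
$healthyNames = ($health | Where-Object Status -eq 'OK').Name
Get-LapsSuccessEvents -ComputerName $healthyNames |
    Group-Object Computer | Select-Object Name, Count | Sort-Object Count
```

A host that is NeverReported but has a recent LastLogon usually means the CSE is not installed or the policy is not applied; RotationOverdue with an old LastLogon is more often a machine that is simply off, which is why the script keeps both columns side by side.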


LAPS auditing
- Can't audit when password set from DC logs
- Can audit when it's read
  - Enable "audit directory service access"
  - Set-AdmPwdAuditing on each OU
  - Watch for 4662 with the Schema ID GUID of ms-Mcs-AdmPwd
    - Different in each environment unless pre-assigned during schema extension

Bottom line
- General consensus
  - LAPS is decent for what it does
  - Got to keep AD neat and clean
  - But very much a point solution to one narrow slice of privileged accounts
  - No health monitoring
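Added example, not part of the webinar slides: the two sides of the auditing point above in PowerShell. The first function is the scripted equivalent of the ADSI Edit steps on the earlier slide (connect to the Schema partition and look up ms-Mcs-AdmPwd), returning the schemaIDGUID that, as the slide says, differs from forest to forest; the second searches a domain controller's Security log for 4662 events that carry that GUID, which is what a read of the LAPS password looks like once "audit directory service access" and Set-AdmPwdAuditing are in place. Assumptions: the ActiveDirectory module, and placeholder values for the DC name and lookback window.

```powershell
# Added example (not from the webinar). Assumes the ActiveDirectory module and
# read access to the DC's Security log.
Import-Module ActiveDirectory

function Get-LapsAttributeSchemaGuid {
    # schemaIDGUID is stored as a byte array on the attributeSchema object and is
    # assigned per forest during the LAPS schema extension.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'ms-Mcs-AdmPwd'" -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd not found in the schema: has the LAPS schema extension been applied?' }
    return [guid]$attr.schemaIDGUID
}

function Find-LapsPasswordReads {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][guid]$AttributeGuid,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($AttributeGuid.ToString()) } |
    ForEach-Object {
        # Take the fields from the event XML rather than scraping the rendered message text
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Reader     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Computer   = $data.ObjectName    # DN of the computer object whose password was read
            AccessMask = $data.AccessMask    # 0x100 = CONTROL_ACCESS, i.e. the extended right was exercised
        }
    }
}

$guid = Get-LapsAttributeSchemaGuid
"ms-Mcs-AdmPwd schemaIDGUID in this forest: $guid"

# Placeholder DC name; 4662 is logged on whichever DC served the read, so run
# this against each DC or against the collector that receives their Security logs.
Find-LapsPasswordReads -DomainController 'DC01' -AttributeGuid $guid -Hours 24 |
    Sort-Object Time | Format-Table -AutoSize
```

Feed the GUID into your SIEM rule rather than hard-coding one from documentation, and baseline which readers are expected (the group delegated with Set-AdmPwdReadPasswordPermission): a 4662 for this GUID from any other subject, or a burst of reads across many computer objects by one subject, is the alert condition.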


PowerBroker Password Safe

Martin Cannard, Product Manager

Comprehensive Security Management

Privileged Password Management
[Diagram: Privileged Password Management, SSH Key Management and Privileged Session Management, serving People, Services and A2A]
• Secure and automate the process for managing privileged account passwords and keys
• Control how people, services, applications and scripts access managed credentials
• Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
• Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
• Alert in real-time as passwords and keys are released, and session activity is started
• Monitor session activity in real-time, and immediately lock/terminate suspicious activity
• Block & Alert when SSH commands are entered during privileged sessions


Credential Injection Proxy
[Diagram: desktop with native RDP/SSH tool, Password Safe proxy, protected resources; HTTPS from the desktop to Password Safe, RDP/SSH from the desktop to the proxy, RDP/SSH from the proxy to the protected host]
1. User authenticates to Password Safe and requests session to protected resource
2. Unique one-time session key sent down to desktop
3. Native desktop tool (MSTSC/PuTTY etc.) connects to the proxy using the session key
4. Internal connection to host is established using managed credentials and RDP/SSH session is proxied through the Password Safe appliance
• NO creds/hostname sent to the desktop
• NO jump server required

Privileged Session Recording

All actions are indexed and searchable, along with any keystrokes recorded.

Clicking on an action will immediately jump you to that index point of the recording.

Timestamps may optionally be displayed, as well as toggling between showing keystrokes only, or keystrokes plus actions.


Differentiator: Adaptive Workflow Control
• Time
• Day
• Date
• Where
• Who
• What

[Diagram: managed target types: Mobile Devices, Network Devices, SaaS & Cloud, Operating Systems, Security Appliances, Mainframe, SCADA, Storage, Directories, Databases]


Differentiator: Controlling Application Access

Automatic Login to ESXi example


Automatic Login to Unix/Linux Applications

Typical Use Cases
• Jump host in DMZ
• Menu-driven Apps
• Backup Scripts
• Role-based Apps

Differentiator: Reporting & Analytics


Actionable Reporting

Advanced Threat Analytics


What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users

Why BeyondTrust? The PAM Industry Leader
• Leader: Forrester PIM Wave, 2016
• Leader: Gartner Market Guide for PAM, 2017


DEMO

Poll + Q&A
Thank you for attending!
