What is Microsoft LAPS?
Microsoft LAPS (Local Administrator Password Solution) is a service that allows network administrators to check the password status of local users on Microsoft-based networks. LAPS is often used in environments where there are multiple users on a network and a high level of security is required.
LAPS is a Microsoft product that allows companies to improve password protection of local administrator accounts. It generates a password for each account and stores it in Active Directory. In this way, companies can ensure that their accounts are not abused by hackers or other threats. LAPS can be useful in a variety of scenarios. For example, it can be used in a school or university to ensure that only authorized people can access the network. In enterprises, LAPS can be used to ensure that only authorized employees can access business-critical networks and data.
What are the benefits of integrating Microsoft LAPS?
The integration of Microsoft LAPS offers many advantages. First of all, the management of passwords is greatly simplified. Thanks to the automatic generation and assignment of passwords, they no longer have to be assigned manually. In addition, the passwords are changed regularly, so that an attacker has no chance to remember them. Furthermore, the passwords are stored in encrypted form, so that even in the event of a data leak, no sensitive information is released to the public. Permissions for reading and writing passwords can also be assigned flexibly, so that only authorized persons can access the passwords. All in all, Microsoft LAPS offers a very secure and flexible way to manage passwords. The ease of installation and configuration also makes it suitable for small businesses that do not have a large IT budget. In summary, the three main advantages of using MS LAPS are:
- Security: Since passwords are generated and stored automatically, they cannot be attacked by human threats such as social engineering or phishing.
- Simplicity: LAPS greatly simplifies the management of local administrator passwords. Administrators no longer have to worry about forgetting passwords or giving them to unauthorized people.
- Cost savings: By using LAPS, organizations can save on the cost of maintaining and managing local administrator passwords.
Microsoft LAPS is a standard feature on Windows 11
As useful as LAPS is, it always had to be installed on each computer, along with the client-side Group Policy extension and PowerShell module. You also had to add the ADMX template, which adds new attributes to your AD schema to store the password and password expiration timestamp for each computer. This could lead inexperienced administrators to think they have implemented LAPS on all computers, when in fact they are only protecting the administrator account.
Now Microsoft is finally integrating LAPS into both Windows 11 and the next version of Windows Server: The preview is part of Windows 11 Insider Preview Build 25145 and Windows Server Preview Build 25151.
However, you will no longer see the LAPS app on managed PCs: You now work with it through PowerShell (and the Group Policy Editor). This is probably a good thing, since the font in the rather aged app could make it difficult to distinguish a capital I from a lowercase l, and many administrators routinely copied and pasted the password into Notepad. If you are already familiar with using LAPS with PowerShell, some of the commands have new names.
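One way to check for the coverage gap described above is to read the password-expiration attribute on every computer object and flag machines where it is missing or already in the past. The following PowerShell is an added example, not code from the original page or from Microsoft; the function name Get-LapsCoverage, the status labels and the sample computers are assumptions for illustration, and the attribute names are those of the legacy LAPS (ms-Mcs-AdmPwdExpirationTime) and Windows LAPS (msLAPS-PasswordExpirationTime) schema extensions.

```powershell
# Added example: classify computers by LAPS coverage (hypothetical helper).
function Get-LapsCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,
        [datetime]$Now = [datetime]::UtcNow
    )
    process {
        # Prefer the Windows LAPS attribute, fall back to the legacy one.
        $source = 'WindowsLAPS'
        $raw = $Computer.'msLAPS-PasswordExpirationTime'
        if ($null -eq $raw) {
            $source = 'LegacyLAPS'
            $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        }
        if ($null -eq $raw) {
            # No expiration was ever written: the client never rotated a password.
            $status = 'NotManaged'; $source = $null; $expires = $null
        } else {
            # The value is a Windows FILETIME (100 ns intervals since 1601, UTC).
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            # An expiration in the past means rotation is overdue or has stopped.
            $status = if ($expires -lt $Now) { 'Stale' } else { 'Managed' }
        }
        [pscustomobject]@{
            Name = $Computer.Name; Status = $status
            Source = $source; ExpiresUtc = $expires
        }
    }
}

# Constructed sample objects standing in for Get-ADComputer output.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'PC-001'; 'msLAPS-PasswordExpirationTime' = $now.AddDays(20).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-002'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-45).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-003' }
)
$sample | Get-LapsCoverage -Now $now | Format-Table -AutoSize

# Against a real directory (needs the ActiveDirectory module and read access;
# request only the attributes that exist in your schema, or the query fails):
# Get-ADComputer -Filter * -Properties 'msLAPS-PasswordExpirationTime','ms-Mcs-AdmPwdExpirationTime' |
#     Get-LapsCoverage | Where-Object Status -ne 'Managed'
```

With the sample data, PC-001 is reported as Managed, PC-002 as Stale and PC-003 as NotManaged; the last two are the machines an administrator might wrongly assume are covered.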
Password-less administration of servers using a PAM solution with seamless LAPS integration
The leading German PAM solution VISULOX manages administrative passwords seamlessly with Microsoft LAPS. This enables easier and more secure user account management and increases network security. The integration of LAPS into the VISULOX PAM solution offers numerous advantages. For example, multiple user accounts with different permissions can be set up to access different resources. It also reduces the number of passwords a user has to assign. This minimizes the risk of a password being forgotten or stolen. PAM solutions such as VISULOX offer a range of security features that help companies make their systems more secure. These include, for example:
- Session Recording: This function enables companies to record the activities of their users and thus uncover potential security vulnerabilities.
- MFA (Multi-Factor Authentication): This function increases security by requiring users to use multiple authentication factors (e.g., password and fingerprint).
- Cooperation: This function enables companies to grant external partners or customers secure access to their systems, without them being able to use access data for other systems or services.
How can the functions of LAPS be used efficiently in the Linux environment?
LAPS is a powerful tool to manage passwords securely. But what if you want to use LAPS in a Linux environment? The good news is that the functions of LAPS can also be used under Linux with the help of the PAM solution VISULOX. VISULOX integrates the functionalities of LAPS into Linux administration and provides password management on Linux systems. VISULOX was developed to enable the use of LAPS in heterogeneous environments where both Windows and Linux are used. With VISULOX you can securely manage your LAPS passwords and have them generated automatically.