In the previous post we discussed some hurtful omissions for local administrators password randomization. Yes, it’s not enough to simply deploy LAPS for workstations and forget about it, it’s better to start using LAPS according to all its purposes. And it could be necessary to make some changes in current administrative practices and approaches.
From the technical standpoint HelpDesk/Workstation admins should be able to extract local admins passwords for workstations for support needs. So you will need to delegate LAPS-related rights to some users. If your organization is large enough, you probably have multiple support teams distributed across multiple branches, and you will need to take this in account while performing delegation. Also, it’s important to audit password extraction events to limit impact in case of a workstation admin’s account compromise, as an example. If an admin account starts requesting dozens of LA passwords for different workstations every single minute – this is not good. You should audit and monitor this sensitive kind of operations (LAPS Operations guide tells how to implement audit properly).
In case your company is already using MIM (Microsoft Identity Manager) as an identity management solution, you might want to use it to simplify the delegation process for LAPS, and gain more control and visibility over local administrator passwords management.
MIMLAPS is a GitHub project that could be leveraged in this case. The main features of MIMLAPS:
- It’s an add-on to LAPS and MIM-based solution that doesn’t add unnecessary dependencies.
- It could be installed and removed without affecting basic LAPS functionality.
- It’s installed on top of an existing MIM solution.
Here’s a short recording where you can see how to use MIMLAPS:
Link to GitHub project: https://github.com/secpfe/MIMLAPS