weblaps.pro: a secure way to get the passwords of local administrator accounts managed by LAPS. A web portal with 2FA, an extended audit log, flexible access control and other paranoid security features; a mobile app makes using LAPS passwords more convenient.
MS LAPS protection: portal for secure access to local admin passwords
1. MS LAPS protection: portal for secure access to local admin passwords
Nikolay Klendar, Home Credit Bank, CISO
2. #PHDays phdays.com
Who am I
• Head of IT Security at Home Credit Bank
• Offensive Security Certified Expert
• ZeroNights speaker
• Hobbies:
• programming
• snowboarding
3. What we will talk about
• Privileged access in Windows infrastructure:
• Common approaches
• Ways to compromise
• MS LAPS (Local Administrator Password Solution):
• Overview
• Pitfalls
• WebLAPS – secure LAPS portal overview
6. Common flaws of privileged access
• Non-unique password for the enabled built-in local Administrator account
• Using the same account for productivity tasks (email, internet, etc.) and for admin tasks, especially when that account is an admin on more than one computer
• Saving passwords in Credential Manager, Notepad, etc.
• Using accounts with admin rights on "dirty" workstations
Smart cards are not a replacement for 2FA; be aware of NT hash rotation (the NT hash of an account that requires smart card logon stays constant until it is rotated, so a dumped hash remains usable for pass-the-hash):
https://blogs.technet.microsoft.com/positivesecurity/2017/05/17/smartcard-and-pass-the-hash/
Credential Guard can be bypassed with a malicious Security Support Provider (SSP) registered on the host, which captures credentials in clear text at logon:
https://blog.nviso.be/2018/01/09/windows-credential-guard-mimikatz/
7. Securing privileged access (quick wins)
Best practice from MS for workstation support*:
• Allowed: retrieve the local account password set by LAPS from an admin workstation before connecting to the user's workstation
• Forbidden: logging on to the user's workstation with domain administrative credentials
* https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access
8. MS LAPS overview
• Client UI, PowerShell module, GPO templates
• ms-Mcs-AdmPwd: a "confidential" attribute of the computer object that stores the clear-text LAPS password (confidential attributes are only returned to principals that hold the extended right to read them)
• ms-Mcs-AdmPwdExpirationTime: the scheduled password reset date/time, stored as a Windows FILETIME value
• Access via LDAP over SSL
https://adsecurity.org/?p=3164
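The following is an added example, not code from the slides, from Microsoft LAPS or from WebLAPS. It reads the two attributes above for one computer object over LDAP without the LAPS PowerShell module and decodes the FILETIME expiration. It assumes it runs on a domain-joined machine as a principal that has been granted the right to read ms-Mcs-AdmPwd; the computer name WS-0001 is a placeholder.

```powershell
# Added example (not from the slides or from LAPS/WebLAPS): read the LAPS
# attributes of ONE computer object over LDAP and decode the expiration time.
# Assumes: domain-joined host, caller holds the extended right on ms-Mcs-AdmPwd.
param(
    [string]$ComputerName = 'WS-0001'   # placeholder name
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher

# Kerberos signing and sealing protects the clear-text value in transit. For
# explicit TLS, point SearchRoot at LDAP://<dc>:636 with AuthenticationTypes
# SecureSocketsLayer instead.
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$($rootDse.defaultNamingContext)", $null, $null,
    [System.DirectoryServices.AuthenticationTypes]'Secure, Sealing, Signing')

# Scope the filter to a single computer. A bare (objectClass=computer) filter
# would return every password the caller is allowed to read in one query,
# which is the "no limits" pitfall on the next slide.
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'))
$searcher.SizeLimit = 1

$result = $searcher.FindOne()
if (-not $result) { throw "Computer '$ComputerName' not found in $($rootDse.defaultNamingContext)" }

# Result property names come back lower-cased. A caller without the extended
# right gets no error: the confidential attribute is simply absent from the result.
$password  = [string]($result.Properties['ms-mcs-admpwd'] | Select-Object -First 1)
$rawExpiry = $result.Properties['ms-mcs-admpwdexpirationtime'] | Select-Object -First 1

# ms-Mcs-AdmPwdExpirationTime is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
$expiresUtc = if ($rawExpiry) { [DateTime]::FromFileTimeUtc([int64]$rawExpiry) } else { $null }

[pscustomobject]@{
    Computer   = $ComputerName
    Password   = if ($password) { $password } else { '<not readable with this account>' }
    ExpiresUtc = $expiresUtc
    Expired    = ($null -ne $expiresUtc -and $expiresUtc -lt [DateTime]::UtcNow)
}
```

Run it from an admin workstation, never from the "dirty" workstation you are about to support: the value comes back in clear text and stays in the PowerShell session's memory and transcript until that session ends.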
9. MS LAPS pitfalls
• Using the client GUI or PowerShell from "dirty" workstations to get admin passwords
• No way to get a password when the network or AD is unavailable
• 2FA not supported
• GUI left open (no session limits)
• Password expiration time set too long
• No rate limiting: a single LDAP query returns every password the account is allowed to read
• No source IP address in the security log (the directory-service access audit event names the reading account, not where the read came from)
• A user who joined a computer to the domain owns its computer object and can grant themselves read access to ms-Mcs-AdmPwd* => do not forget to change the owner of computer objects (e.g. to Domain Admins)
*https://blogs.msdn.microsoft.com/laps/2015/07/17/laps-and-permission-to-join-computer-to-domain/
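An added example, not from the slides or from LAPS/WebLAPS, that audits two of the pitfalls above across the domain: expiration times set too far in the future, and computer objects whose owner is not Domain Admins (the join-permission issue). It assumes the ActiveDirectory RSAT module is installed, that the caller can write the owner of computer objects, and a 30-day threshold that is my own choice; it only changes anything when run with -Fix.

```powershell
# Added example (not from the slides or from LAPS/WebLAPS): audit LAPS pitfalls.
# Assumes: ActiveDirectory module (RSAT), caller may set owner on computer objects.
# Read-only unless -Fix is given. MaxExpiryDays is an assumed threshold.
param(
    [int]$MaxExpiryDays = 30,
    [switch]$Fix
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
# RID 512 is Domain Admins in every domain; build the SID from the domain SID.
$domainAdmins = New-Object System.Security.Principal.SecurityIdentifier(
    $domain.DomainSID.Value + '-512')
$now = [DateTime]::UtcNow

$computers = Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime', 'nTSecurityDescriptor'

foreach ($c in $computers) {
    $findings = @()

    # Pitfall: expiration set too long (a password that effectively never rotates).
    if ($c.'ms-Mcs-AdmPwdExpirationTime') {
        $expires = [DateTime]::FromFileTimeUtc([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
        if ($expires -gt $now.AddDays($MaxExpiryDays)) {
            $findings += "expires $($expires.ToString('u')), more than $MaxExpiryDays days out"
            if ($Fix) {
                # Setting the attribute to 0 makes the LAPS client rotate the
                # password at its next Group Policy refresh.
                Set-ADComputer -Identity $c -Replace @{ 'ms-Mcs-AdmPwdExpirationTime' = 0 }
            }
        }
    }

    # Pitfall: the account that joined the machine owns the computer object and
    # can grant itself read access to ms-Mcs-AdmPwd. The owner should be Domain Admins.
    $sd    = $c.nTSecurityDescriptor
    $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])
    if ($owner.Value -ne $domainAdmins.Value) {
        $findings += "owner is $($owner.Value), not Domain Admins"
        if ($Fix) {
            $sd.SetOwner($domainAdmins)
            Set-Acl -Path "AD:\$($c.DistinguishedName)" -AclObject $sd
        }
    }

    if ($findings) {
        [pscustomobject]@{ Computer = $c.Name; Findings = ($findings -join '; ') }
    }
}
```

Changing the owner does not remove any explicit ACE the previous owner may already have added to the DACL; review the ACL of each flagged object separately, for example with the LAPS module's Find-AdmPwdExtendedRights, before treating the finding as closed.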
10. So what do we want?
• Comfortable usage:
• web portal, mobile app to get local admin passwords
• API
• Paranoid security:
• 2FA, CAPTCHA, brute-force protection, automatic logoff when a remote connection is detected
• IP logging, SIEM integration
• High availability
• load-balancer mode support
• secure password backup in case AD is unavailable
11. WebLAPS overview
• Web portal + mobile app
• Standalone Java app (Jetty-based) => only a JRE is required
• Runs on Windows and Unix in service/daemon mode (YAJSW)
• DBMS: built-in SQLite or external MySQL/MariaDB
• High availability mode (load-balancer support, cache synchronization)
• API to get passwords
http://weblaps.pro
22. LAPS mobile: main security features
• Customizable URL for the remote server, e.g. https://example.com/jfheuosliekusj
• AES key generated during the device enrollment process; all sensitive information is additionally encrypted with it on top of TLS
• Device profile check on the server side (platform, OS version, device ID, etc.)
• Fingerprint sensor / Face ID support
• Login to the WebLAPS portal by confirming a push notification
23. Ideas for future releases
• Windows thick client:
• quick-launch actions
• context menu integration => launch any app in privileged mode
• easy RDP access (get the password with OTP => put it in Credential Manager => open RDP => clean Credential Manager)
• Just-in-time administration mode: put the user account in a privileged group => remove it from the group after a defined timeout
• Something for Unix, Oracle, etc.?
• Any ideas =>
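The RDP flow sketched above, as an added example with built-in Windows tools; it is not WebLAPS code and the thick client does not exist on the page. Get-LapsPasswordFromPortal is a hypothetical placeholder for the portal API call, the host name is a placeholder, and the cleanup runs in finally so the staged credential is removed even if mstsc fails to start.

```powershell
# Added example (not WebLAPS code): get password => stage it in Credential
# Manager => open RDP => remove it again. Get-LapsPasswordFromPortal and the
# host name are placeholders.
param([string]$TargetHost = 'ws-0001.example.com')

function Get-LapsPasswordFromPortal {
    param([string]$Computer)
    # Placeholder: in practice this calls the portal API (with the user's OTP)
    # and returns the current LAPS password as a string.
    throw "replace with the portal API call for $Computer"
}

$password = Get-LapsPasswordFromPortal -Computer $TargetHost
# mstsc looks up saved credentials under TERMSRV/<host>.
$target = "TERMSRV/$TargetHost"
try {
    # .\Administrator is the built-in local account on the target; use the
    # managed account name instead if LAPS is configured for a custom account.
    # cmdkey takes the password on its command line, so it is briefly visible
    # in process listings: keep the window between staging and deletion short.
    & cmdkey.exe /generic:$target /user:'.\Administrator' /pass:$password | Out-Null

    # -Wait blocks until the RDP window is closed, so cleanup runs right after
    # the session ends rather than on a timer.
    Start-Process -FilePath mstsc.exe -ArgumentList "/v:$TargetHost" -Wait
}
finally {
    # Remove the saved credential whether or not the session ever started.
    & cmdkey.exe /delete:$target | Out-Null
    $password = $null
}
```

The credential is stored in the user's Credential Manager (DPAPI-protected) only for the duration of the session; anything else that copies the password, such as a PowerShell transcript of this script, still needs to be handled separately.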