weblaps.pro - secure way to get passwords of local administrators managed by LAPS. Web portal with 2FA, extended audit log, flexible access control and other paranoid security features. Mobile app helps to use LAPS passwords in more convenient way.

1. MS LAPS protection:
portal for secure access
to local admin passwords
Nikolay Klendar,
Home Credit Bank, CISO

2. #PHDaysphdays.com
Who am I
• Head of IT Security at
• Offensive Security Certified Expert
• ZeroNights speaker
• Hobbies:
• programming
• snowboarding

3. #PHDaysphdays.com
What we will talk about
• Privileged access in Windows infrastructure:
• Common approaches
• Ways to compromise
• MS LAPS (Local Administrator Password Solution):
• Overview
• Pitfalls
• WebLAPS – secure LAPS portal overview

4. #PHDaysphdays.com
Windows infrastructure and administrators

5. #PHDaysphdays.com
Points and ways of admin compromise
Credentials compromise:
• Credentials dumping
• Input capture
• Input prompt
• Network sniffing
• etc
MITRE ATT&CK Credential Access
https://attack.mitre.org/tactics/TA0006/

6. #PHDaysphdays.com
Common flaws of privileged access
• Non unique password for enabled built-in local Administrator account
• Using same account for productivity tasks (email, internet, etc) and for admin
tasks, especially when this account is admin at more than one computer
• Saving passwords at Credentials Manager, notepad, etc
• Using accounts with admin rights at “dirty” workstations
Smart cards - is not 2FA replacement, be aware of NT hash rotation
https://blogs.technet.microsoft.com/positivesecurity/2017/05/17/smartcard-and-
pass-the-hash/
Credentials guard could be bypassed with malicious Security Support Providers
https://blog.nviso.be/2018/01/09/windows-credential-guard-mimikatz/

7. #PHDaysphdays.com
Securing privileged access (quick wins)
Best practice from MS for workstation support*:
Allowed: Retrieve the local account password set by LAPS from an admin workstation before
connecting to user workstation
Forbidden: Logging on with domain account administrative credentials
* https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access

8. #PHDaysphdays.com
MS LAPS overview
• Client UI, PowerShell Module, GPO Templates
• ms-mcs-AdmPwd – a special “confidential” computer
attribute that stores the clear-text LAPS password
• ms-mcs-AdmPwdExpirationTime –stores the LAPS
password reset date/time value
• Access via LDAP over ssl
https://adsecurity.org/?p=3164

9. #PHDaysphdays.com
MS LAPS pitfalls
• Using client GUI or powershell from “dirty” workstations to get admin
passwords
• No way to get password in case of network fault
• 2FA not supported
• Leave GUI opened (no session limits)
• Setting too long password expiration time
• No limits access (single LDAP query returns all passwords)
• No IP address in security logs
• LAPS and permission to join computer to domain* => do not forget to
modify computer owner rights
*https://blogs.msdn.microsoft.com/laps/2015/07/17/laps-and-permission-to-join-computer-to-domain/

10. #PHDaysphdays.com
So what we want?
• Comfortable usage:
• web portal, mobile app to get local admin passwords
• API
• Paranoid security:
• 2FA, capcha, bruteforce protection, logoff on remote connection
detection
• IP logging, SIEM integration
• High availability
• balancer mode support
• secure passwords backup in case of AD unavailability

11. #PHDaysphdays.com
WebLAPS overview
• Web portal + mobile app
• Standalone java app (jetty based) => only JRE required
• Works under Windows and Unix in service/daemon mode (yajsw)
• DBMS: built-in sqlite or external Mysql/Maridb
• High availability mode (balancer mode support, caches
synchronizations)
• API to get passwords
http://weblaps.pro

12. #PHDaysphdays.com
Web LAPS. Web UI, mobile app

13. #PHDaysphdays.com
WebLAPS Authentication: 2FA, OTP only, push
OTP providers:
• RADIUS, LinOTP, FortiAuthenticator
• built in TOTP

14. #PHDaysphdays.com
WebLAPS users session protection
• Logoff idle users
• Logoff on remote connection detection (window size,
color depth changes)
• Sessions (jwt tokens) are bound to the source IP

15. #PHDaysphdays.com
WebLAPS audit log

16. #PHDaysphdays.com
WebLAPS & SIEM integration

17. #PHDaysphdays.com
WebLAPS access control configuration
Users access (OU-Group) API access by token
Computer attribute which holds his admin (user or group)

18. #PHDaysphdays.com
LAPS protection: access rate limiting

19. #PHDaysphdays.com
LAPS protection: extra features

20. #PHDaysphdays.com
WebLAPS quick launch buttons

21. #PHDaysphdays.com
WebLAPS. LAPS mobile

22. #PHDaysphdays.com
LAPS mobile. Main security features
• Customizable URL to work with remote server like
https://example.com/jfheuosliekusj
• AES key generated during device enrollment process, all sensitive information
is additionally encrypted during transmission over TLS
• Device profile check at server side (platform, OS version, device ID, etc)
• Fingerprint sensor/FaceID support
• Login to WebLAPS portal by push notification confirmation

23. #PHDaysphdays.com
Ideas for future releases
• Windows thick client
• quick launch actions
• context menu integration => launch any app in privileged mode
• easy RDP access (get password with OTP => put to credentials
manager => open RDP => clean credential manager)
• Just in time administration mode support: put user account to privileged
group => delete from group after defined timeout
• Something about unix, oracle, etc?
• Any ideas =>

24. Thank you!
http://weblaps.pro