I know it’s been quite some time since Microsoft first released LAPS (way back in 2015), but one issue I see ALL the time when auditing MSPs is the lack of a way to manage changing out local administrator passwords.
Why worry about local admins?
First and foremost, every local admin account you leave on a network is one more way in for an attacker. More importantly, if the admin accounts on every network you manage are left lying around with stale passwords, you are setting yourself up to deal with a major attack.
What Exactly is LAPS?
Back in 2015, as a way to deal with growing network-based attacks, Microsoft released LAPS, which uses Active Directory (AD) to manage the local administrator account password on every domain-joined Windows endpoint.
The benefit for an MSP was the ability to enforce and rotate a unique, complex password for the local administrator account on each machine (something that previously was rarely done) through a Group Policy Object (GPO): a client-side extension on each endpoint sets a new random password whenever the current one expires.
The password is applied to the local administrator account and stored on the computer object in AD. Access to the stored password is controlled by AD permissions, so only the users or groups you grant the right to can retrieve it when they need to use the admin account.
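As an added example (not code from the original post), the following PowerShell audits the two things the paragraph above describes: which computers actually have a current LAPS-managed password, and who has been granted the right to read it. It assumes the original (2015) LAPS schema extension, the RSAT ActiveDirectory module and the AdmPwd.PS module that ships with LAPS; the function names `Get-LapsCoverageReport` and `Get-LapsReaders` are my own. Note that the expiration-time attribute is readable by ordinary domain accounts, so the coverage report does not require password-read rights; only the password attribute itself is protected.

```powershell
# Added example, not from the original post. Assumes legacy LAPS (ms-Mcs-* attributes),
# the RSAT ActiveDirectory module and the AdmPwd.PS module installed on the admin host.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

function Get-LapsCoverageReport {
    # Reports, per enabled computer, whether a LAPS password exists and whether it has expired.
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # whole domain by default
        [int]$StaleDays = 90                                      # skip machines that have not logged on recently
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $nowUtc = (Get-Date).ToUniversalTime()

    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', LastLogonDate, OperatingSystem |
    Where-Object { $_.LastLogonDate -gt $cutoff } |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'   # FILETIME (int64), absent if LAPS never ran here
        if ($null -eq $raw) {
            $status  = 'NoLapsPassword'
            $expires = $null
        } else {
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
            $status  = if ($expires -lt $nowUtc) { 'Expired' } else { 'Current' }
        }
        [pscustomobject]@{
            ComputerName = $_.Name
            OS           = $_.OperatingSystem
            Status       = $status
            ExpiresUtc   = $expires
        }
    }
}

function Get-LapsReaders {
    # Lists which principals hold the extended right to read ms-Mcs-AdmPwd under an OU.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$OrgUnit)   # distinguished name of the OU to inspect

    Find-AdmPwdExtendedRights -Identity $OrgUnit |
        Select-Object ObjectDN, @{ Name = 'Readers'; Expression = { $_.ExtendedRightHolders -join '; ' } }
}

# Usage: anything other than 'Current' is a machine LAPS is not protecting.
Get-LapsCoverageReport | Where-Object Status -ne 'Current' | Format-Table -AutoSize
Get-LapsReaders -OrgUnit 'OU=Workstations,DC=example,DC=com' | Format-Table -Wrap
```

The `Readers` column is the one to watch: besides the groups you deliberately delegated, it should not contain broad groups such as Authenticated Users, and the built-in "All Extended Rights" grant that some OUs carry also gives password read access. Newer "Windows LAPS" (2023) stores its password in different attributes (`msLAPS-*`), so this report covers only the original LAPS the post is about.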
How Does LAPS work in practice?
Microsoft definitely gave us some pretty good tools with LAPS back when it was released to help get local admin passwords under control. Having password management handled entirely within Active Directory is a big help, and Microsoft generally provides decent guides for getting LAPS running.
But there are some downfalls with LAPS.
What concerns me is the scalability of LAPS within your MSP. The more clients you add, the harder it becomes to deploy, monitor and delegate LAPS separately in every single client's domain.
What I've been finding is that it is operationally challenging to rely on LAPS alone for all of your clients. If you have more than a handful of clients, you will probably want to move from LAPS to a solution that can be automated from one place.
One way we're helping our partners with changing local admin passwords is by passing the password all the way through your RMM to a password vault. Imagine a script that runs automatically once a month to switch out local admin passwords, with each new password pushed straight into IT Glue (or whatever password vault you use). If someone on your team needs the password, they go to one spot and use it as necessary. Nothing is stored or floating around Active Directory, and you know for certain that your clients' local admin passwords are getting changed on schedule. No more liability for missed steps or forgotten password changes, and no more wondering whether something you expected to be done was actually done.
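Here is an added example (my own code, not the vendor's script) of the kind of RMM-driven rotation job described above. It finds the built-in local administrator by its well-known RID (500) rather than by name, so a renamed account still gets rotated, generates a password from the OS cryptographic RNG without modulo bias, sets it, and returns a credential object for the RMM to hand to the vault. `Publish-LocalAdminCredential` is a hypothetical placeholder for your vault's API call; the script assumes Windows PowerShell 5.1 or later running as SYSTEM or a local administrator.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+ running with
# local admin rights (as RMM scripts normally do). Publish-LocalAdminCredential is a
# hypothetical stand-in for the real vault/IT Glue API call.

function New-RandomPassword {
    # Builds a password from the CSPRNG using rejection sampling, so every character is
    # equally likely (a plain "byte % charset.Length" would bias toward the first characters).
    param([int]$Length = 24)
    $charset = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*()-_=+?'
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf     = New-Object byte[] 4
    $space   = [int64]4294967296                          # 2^32 possible values of a uint32
    $limit   = $space - ($space % $charset.Length)        # largest multiple of charset size

    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            $n = [BitConverter]::ToUInt32($buf, 0)
            if ([int64]$n -lt $limit) { [void]$sb.Append($charset[$n % $charset.Length]) }
        }
        $pw = $sb.ToString()
        # Re-draw until every class is present so the result always meets complexity rules.
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    return $pw
}

function Publish-LocalAdminCredential {
    # HYPOTHETICAL placeholder: replace the body with your vault's API call (e.g. the IT Glue
    # password endpoint). Deliberately not writing the secret to the console or a log file.
    param([Parameter(Mandatory)][pscustomobject]$Credential)
    Write-Verbose "Would push credential for $($Credential.ComputerName)\$($Credential.Username) to the vault"
}

function Invoke-LocalAdminRotation {
    # Rotates the RID-500 local administrator password and returns the new credential object.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Length = 24)

    # RID 500 is the built-in Administrator regardless of what it has been renamed to.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'Built-in administrator (RID 500) not found' }

    $plain = New-RandomPassword -Length $Length
    if ($PSCmdlet.ShouldProcess("$env:COMPUTERNAME\$($admin.Name)", 'Set local administrator password')) {
        $admin | Set-LocalUser -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Username     = $admin.Name
        Password     = $plain
        RotatedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Usage (what the RMM job runs monthly). Add -WhatIf to rehearse without changing the password.
$cred = Invoke-LocalAdminRotation
Publish-LocalAdminCredential -Credential $cred -Verbose
```

Two operational points matter when you wire this into an RMM: push the credential to the vault before treating the job as successful, and never let the plaintext land in the RMM's stdout or script log, since those are usually far more widely readable than the vault. If the vault push fails after the password has already been set, the only copy of the new password is in that script's memory, so the job should retry the push or roll the password again on the next run rather than silently exit.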
If you aren't quite sure whether your local admins are being handled properly, one of the first steps I would recommend is getting an evaluation of how your own network and your client networks are doing. One of the easiest ways to do this is by getting an evaluation of your cyber stack.