The LAPS and the furious!

by: rudyoomsPosted on:

Last Updated on December 4, 2021 by rudyooms

LAPS is a solution that makes sure you have unique administrator passwords on each device which will be changed automatically after a certain time period has passed. It makes sure that when a device is compromised, the attacker has no access to all devices in the company domain. So, life is simple. You make choices and you’ll implement LAPS.

LAPS is very easy to deploy within an existing active directory. When going full Microsoft 365, you still need LAPS. There are many Azure AD LAPS tools out there and some of them are pretty good. But if you’ve read any my blogs, you’ll know I want a fast and simple solution…

For this solution, you’ll need 3 things.

  1. Windows app (win32)
  2. Baseline AppLocker deployed to block registry tools
  3. A remote management tool for your devices

1.Win32 app:

Instead of creating a function app and key vault etc. I needed to create an Intunewinapp. (which can be automatically deployed to new tenants). Convert the PowerShell script to an intunewinapp to deploy it to Intune. You can change the $registrypath variable to your liking.

$content = @'
function Get-RandomCharacters($length, $characters) {
    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
    $private:ofs=""
    return [String]$characters[$random]
}
 
function Scramble-String([string]$inputString){     
    $characterArray = $inputString.ToCharArray()   
    $scrambledStringArray = $characterArray | Get-Random -Count $characterArray.Length     
    $outputString = -join $scrambledStringArray
    return $outputString 
}
 
$password = Get-RandomCharacters -length 8 -characters  'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 2 -characters  'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 3 -characters '1234567890'
$password += Get-RandomCharacters -length 1 -characters '!$%&/()=?@#*+'

net user admin $password

$registryPath = "HKLM:\SOFTWARE\Microsoft\LAPS"
New-Item -Path $registryPath
$name = "lapsww"
$value = $password
New-ItemProperty -Path $registryPath -Name $name -Value $value -Force | Out-Null

#Change Register permissions
$path = 'HKLM:\software\microsoft\laps'
#breaks inheritens.
$acl = (Get-Item $path).GetAccessControl('Access')
$acl.SetAccessRuleProtection($true,$true)
set-acl $path -AclObject $acl
#removes all access rules based on 'BUILTIN\Users'
$acl = (Get-Item $path).GetAccessControl('Access')
$acl.Access |where {$_.IdentityReference -eq 'BUILTIN\Users'} |%{$acl.RemoveAccessRule($_)}
set-acl $path -AclObject $acl

'@


# create custom folder and write PS script
$path = $(Join-Path $env:ProgramData CustomScripts)
if (!(Test-Path $path))
{
New-Item -Path $path -ItemType Directory -Force -Confirm:$false
}
Out-File -FilePath $(Join-Path $env:ProgramData CustomScripts\rotate.ps1) -Encoding unicode -Force -InputObject $content -Confirm:$false
 
# register script as scheduled task
$Time = New-ScheduledTaskTrigger -At 11:00AM -Weekly -WeeksInterval 4 -DaysOfWeek Monday
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"C:\ProgramData\CustomScripts\rotate.ps1`""
Register-ScheduledTask -TaskName "Rotate" -Trigger $Time -User $User -Action $Action -Force 
Set-ScheduledTask -taskname "Rotate" -Settings $(New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)
Start-ScheduledTask -TaskName "Rotate"

2. Baseline

You’ll need a baseline AppLocker policy to prevent registry tools. When deploying this solution, the password will be put in a registry key on the local device. You don’t want the user to be able to search for the password, do you?

Where the Wild Applocker Rules Are
Block Access to Administrative Apps like the Command Prompt In Intune.

3. RMM tool:  

In the first step, we made sure the admin password is changed and noted in a registry key on the local device. Now, we want to be able to read this key with an RMM tool. For example, here is a PowerShell (check) script you can push to your devices when using Solarwinds/NABLE RMM. With Solarwinds you can automatically apply a template with this check-in it when a new device is enrolled!


$regPath = "HKLM:\SOFTWARE\Microsoft\LAPS"
$regVal = "lapsww"
try{
$regData = Get-ItemProperty $regPath -Name $regVal -ErrorAction Stop
if(($regData.$regVal) -ne 0)
{
Write-Output $regdata.lapsww
#Exit 1001
}
else
{
Write-Output $regdata
#Exit 0
}
}
catch
{
Write-Warning "Value Missing"
#Exit 1001
}

Conclusion

There should be no question why you need to implement LAPS and there are multiple ways to implement it. Of course, my solution maybe not be the best or fanciest. But hey? it could be the easiest and fastest one out there! You can enrol it within a few seconds (when you automated the whole Intune app deployment).

Also beware, this solution is version 1.0. There may be improvements down the line. Here is V2 of this LAPS version

The LAPS: Reloaded / Revolutions

LinkedIn

2 thoughts on “The LAPS and the furious!

  2. Pingback: The forgotten fruits of securing your Windows 10 Endpoint - Call4Cloud
  3. Pingback: Microsoft and Solarwinds, the holy grail - Call4Cloud

Leave a Reply

Your email address will not be published. Required fields are marked *

  +  4  =  12