ReLAPS, bringing visibility to an overlooked security necessity.

Good hook of a title right? Here’s why I say that, LAPS (Local Admin Password Solution) has been around for several years, and I’d be willing to bet, a lot of orgs haven’t implemented it yet (total guess here, no actual data, other than my twitter survey shown below). Good news, many have, as I had at a previous employer. It’s simple to setup, and greatly reduces a previously easily exploitable attach vector. LAPS … mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers . -Microsoft

So there you have it, you have it setup, if not, see previous post, now you move on with your operational duties and focus on what fire your manager throws at you today. Why is that? Who seriously did client health for LAPS once it was setup? Who confirmed it was working on all end points? I certainly didn’t, I had “bigger fish to fry”. But as with any implementation, you need to check up on it from time to time. This shouldn’t be a surprise, you do this with the ConfigMgr Client, you monitor Client health, perhaps even implemented auto remediation scripts. You probably monitor your AV / Anti-Malware system, IDS, Disk Encryption, etc. So why not LAPS?

So the team at Recast Software created a nifty dashboard for you to monitor your LAPS “health”. This is included in the Enterprise version of the Right Click Tools. Here is an image from their Documentation, has a bit more date than my little lab:

ReLAPS Security Tools screenshot

Why I like this is because I’m already in the CM Console every day, to have a dashboard for LAPS, to keep it visible and at the front of our minds, I find this highly useful. It only takes a few seconds, pull it up, check my stats, and move on. If I find an anomaly, I can start looking into it.

What else do I like? Glad you asked, I like that I can look up the passwords here. No need to make a special package for my Service Desk Techs to be able to lookup passwords, they already have the CM Console, now I just grant them permissions to this feature and they now have a powerful tool for when they need to look up these passwords for their support needs.

Is that all? Nope, I like that I can export this list to CSV file, and provide it to the Security Team / Audit Folks, who want to confirm compliance.

Currently in version 4.0, this dashboard is querying AD to see which computers have a LAPS password. In 4.1, additional features are planned to be incorporated into this dashboard, which will require additional permissions, but I’ll cover that once it’s released.

So how do you set this up? I’ve got the Right Click Tools Enterprise license and setup the Recast Management Server, what are the permissions I need to allow my Service Desk to view this dashboard? What permissions are required to allow my Service Desk the ability to view the passwords?
I’m going to go over that, building off of my last post where I setup LAPS and created AD Groups with different permissions for LAPS. Assumptions before continuing: You have Specific AD Groups you want to grant permissions to.

First, in my Lab, I have my Service Desk Tier 1 -3 Support positions have different access to the CM Console. I want all of them to have the ability to see the Dashboards and pull up the passwords.
In CM:

Before I add any permissions, this is what the Dashboard would look like without the proper permissions: (Using Service Desk Tier 1 User)

So now we know what it looks like when you don’t have rights, lets add some permissions. In Recast Management Server, I’ve created a ReLAPS role with just permissions for the ReLAPS console.
Testing with 3 “Rights” from the options.. getting close…

Ok, this looks better: (Still using a Service Desk Tier 1 User)

So what does this look like in the Recast Management Server Console?

Created a ReLAPS Role with minimum requirements for ReLAPS console.

GetADComputer, GetADComputerWithLAPSData, GetADComputers,GetADContainers

Then added the LAPS Read Only Group, and assigned it to the ReLAPS Role:

Ok, now you can rest easy knowing your Service Desk has the ability to do the only tasks you want them to do, and no more. Sure, you probably already granted them far more rights to use other tools already, but hey, if you find you have a need to only allow users to view that Dashboard, you will now know how.

In a future post, once Right Click Tools 4.1 is released, I’ll be creating an updated post with the additional permissions required. I’m also thinking about going into scoping LAPS, ie allowing Server Admins to only see Server LAPS passwords and Service Desk to only see Workstation LAPS passwords. Let me know if this is something of interest.

Posted on RECASTSOFTWARE.COM