At BeyondTrust, customers who evaluate Azure Active Directory (Azure AD) security tools while completing digital workplace transformation projects across their Windows estate voice a common challenge: how can we keep the functionality currently provided by Microsoft’s Local Administrator Password Solution (LAPS) on a cloud-managed, Azure AD-joined device?
This blog explains what LAPS is, the shortcomings of LAPS, and how BeyondTrust Privileged Access Management (PAM) solutions can help you securely make the leap to the cloud—while bringing best practice privileged access security along with you.
What is Microsoft LAPS?
Microsoft’s Local Administrator Password Solution randomizes the password of the built-in local Administrator account on each domain-joined Windows computer and stores it, access-controlled, on the computer object in Active Directory. It shrinks an organization’s risk surface and supports compliance mandates by reducing the likelihood that one compromised local privileged account can be reused elsewhere. Without this control (and without tools such as BeyondTrust’s Endpoint Privilege Management or Password Safe to mitigate the risk), organizations often fall back on insecure practices, such as a shared local administrator password across all workstations, or IT/Service Desk staff using accounts with administrator rights across the entire workstation environment. Either approach is an attacker’s dream: a single stolen credential opens every machine it is valid on.
LAPS has been a simple, reliable workhorse for organizations with a traditional on-premises Active Directory Windows infrastructure and basic requirements for managing the local Administrator password on those systems. However, the global shift to ‘work from anywhere’ over the past couple of years has put remote devices, and with them the benefits of cloud-managed infrastructure, front and center. Organizations are looking more intently at migration paths to Azure Active Directory and adjacent technologies such as Intune, which manage devices over the internet without a VPN or other on-premises networking components. Azure AD administrators are now tasked with adopting these technologies while maintaining functional parity, a task easier said than done.
Don’t forget macOS
macOS estates don’t have a LAPS equivalent as widely adopted as Microsoft’s. As the footprint of macOS expands in many endpoint estates, the need for local administrator account randomization grows with it. Many organizations we speak to rely on a single admin account and password across all macOS devices, simply because a more secure solution doesn’t exist off the shelf or would have to be built bespoke.
LAPS does not work in the Cloud – That’s a problem for Azure customers
At the time of writing, Microsoft has not released a LAPS replacement for Azure AD.
As organizations begin moving, or exploring the move, to an Azure AD-managed estate, it may come as a surprise that LAPS must be left behind: the LAPS client is deployed by Group Policy and stores the password on the computer object in on-premises Active Directory, so a device joined only to Azure AD neither receives the policy nor has anywhere to write the password. Keeping LAPS therefore means maintaining legacy AD infrastructure, which impedes plans to fully move the workstation environment to a modern device management (MDM) approach.
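As an added example (not code from this post or from BeyondTrust’s products), the PowerShell audit below, run elevated on a single Windows endpoint, shows the gap described above in practice: it reads the device’s join state from dsregcmd, checks whether the legacy LAPS client policy (the GPO-written AdmPwd registry key) is present, and lists every local member of the Administrators group with its password age. The 30-day threshold is a constructed policy value. Because legacy LAPS manages exactly one account per machine, the list also shows which additional local admins it leaves uncovered even where it is working.

```powershell
<#
  Added example (not code from the BeyondTrust post or its products).
  Audits one Windows endpoint for the LAPS gap:
    - join state (dsregcmd): legacy LAPS needs a writable on-prem AD computer object
    - legacy LAPS client policy (the GPO-written AdmPwd registry key)
    - every LOCAL member of the Administrators group and its password age
  Assumptions: Windows 10/11 or Server 2016+ (Microsoft.PowerShell.LocalAccounts
  module present), run elevated, English group name 'Administrators'.
  $MaxPasswordAgeDays is a constructed policy threshold, not a LAPS default.
#>
param([int]$MaxPasswordAgeDays = 30)

# 1. Join state. dsregcmd prints lines such as "  AzureAdJoined : YES".
$dsreg        = dsregcmd /status
$azureJoined  = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($dsreg | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES')

# 2. Legacy LAPS (AdmPwd) policy. Written by Group Policy on domain devices;
#    an Azure AD-only device never processes that GPO, so the key is absent.
$lapsKey     = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$lapsPolicy  = Get-ItemProperty -Path $lapsKey -ErrorAction SilentlyContinue
$lapsEnabled = ($null -ne $lapsPolicy) -and ($lapsPolicy.AdmPwdEnabled -eq 1)

# 3. Local administrators. Filter to PrincipalSource 'Local' so AD / Azure AD
#    principals (e.g. "AzureAD\user") are not mistaken for local accounts.
#    -ErrorAction handles orphaned SIDs that Get-LocalGroupMember cannot resolve.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

$accounts = foreach ($member in $localAdmins) {
    # Member names come back as "COMPUTER\user"; Get-LocalUser wants the bare name.
    $user    = Get-LocalUser -Name (($member.Name -split '\\')[-1])
    $ageDays = if ($user.PasswordLastSet) {
        (New-TimeSpan -Start $user.PasswordLastSet -End (Get-Date)).Days
    } else { $null }   # never set / unknown: treat as stale
    [pscustomobject]@{
        Account         = $user.Name
        Enabled         = $user.Enabled
        BuiltInAdmin    = $user.SID.Value.EndsWith('-500')   # RID 500 = built-in Administrator
        PasswordAgeDays = $ageDays
        Stale           = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
    }
}

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    AzureAdJoined    = $azureJoined
    DomainJoined     = $domainJoined
    LegacyLapsPolicy = $lapsEnabled
    # A policy key with no on-prem domain has nowhere to store the password.
    LapsEffective    = $lapsEnabled -and $domainJoined
    StaleLocalAdmins = @($accounts | Where-Object { $_.Stale }).Count
} | Format-List

$accounts | Format-Table -AutoSize
```

On an Azure AD-only device LegacyLapsPolicy is false and, even if a stale AdmPwd key survived a migration from hybrid join, LapsEffective stays false because there is no on-premises domain to receive the password. Running this across an estate (for example through an Intune script deployment) sizes the problem before a replacement is chosen.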
Thankfully, BeyondTrust customers have options to plug this gap quickly and complete the move to a fully Azure AD-managed estate. Because LAPS itself is inherently simple, the BeyondTrust solutions can also expand your capabilities in this area while bolstering your Azure AD security.
BeyondTrust’s approach to a Microsoft LAPS alternative in Azure AD
Customers of BeyondTrust Endpoint Privilege Management (EPM), Password Safe, or Secure Remote Access (SRA) can use existing capabilities to randomize local admin account passwords across Windows and macOS in a cloud-managed or hybrid estate.
BeyondTrust Endpoint Privilege Management and Password Safe
A key integration point between our EPM and Password Safe solutions is known as Disconnected (Off-network) Account Management. Any customer with the EPM agent on their Windows or macOS devices already has the infrastructure needed to enable local admin account randomization, simply and rapidly.
The EPM agent has a built-in mechanism to connect to the Password Safe vault, whether cloud or on-premises (on-premises customers can use a secure architecture to accept the agent traffic from the internet), and take over management of a local admin account on behalf of Password Safe. This is a licensed feature of Password Safe (no EPM license is required for this use case), and it works from anywhere the device has an internet connection.
Unlike Microsoft LAPS, the BeyondTrust approach:
- Can manage multiple local administrator accounts per machine
- Can manage Active Directory and Azure Active Directory account passwords
- Works across macOS and Windows
- Works on domain-joined, hybrid-joined, Azure AD-joined, and even workgroup Windows devices
- Provides a detailed audit trail of all password activity
- Requires no on-premises infrastructure
- Offers a simple web portal for IT/Security/Service Desk staff to retrieve local admin account passwords
- Offers advanced features such as workflows/approvals, role-based access control (RBAC), reporting, and integrations with identity (SSO) and SIEM tools
- Rotates account passwords automatically on a schedule you define, and optionally after every time they are ‘used’ (checked out)
Furthermore, BeyondTrust Endpoint Privilege Management and Password Safe offer much broader privileged access security capabilities, of which this ‘LAPS’ replacement is one small slice. For example, EPM should reduce the need for the local admin account to ever be used, except where true administrative work is needed, while Password Safe is there whenever the necessary evil of using an admin account is required. These solutions can also implement a just-in-time access approach, meaning privilege is granted only for the finite moments it is needed and then immediately revoked.
In short, these BeyondTrust solutions offer a far richer set of capabilities than LAPS provides natively.
If you are already a customer of Endpoint Privilege Management, of Password Safe, or of both, please reach out to us so we can walk you through our process of enabling this functionality and delivering a successful outcome.
BeyondTrust’s Secure Remote Access family: Local Admin Account rotation
Like the EPM approach above, the Jump Client (and Jumpoints) used in the Secure Remote Access family of products, which includes Privileged Remote Access (PRA) and Remote Support, can automatically rotate and secure local administrator accounts on Windows systems. As a licensed feature of PRA and Remote Support, any customer who uses Jump Clients can rapidly enable this feature in the respective vaults.
Key features of Jump Client account management:
- Can manage multiple local admin accounts
- Uses a secure network architecture that works anywhere with an internet connection
- Works on Windows devices (workgroup, domain-joined, hybrid-joined, and Azure AD-joined)
- Requires no on-premises infrastructure
- Provides web or thick-client access for users of the Secure Remote Access solutions
- Offers advanced features such as role-based access control (RBAC), reporting, and integrations with identity (SSO) and SIEM tools
- Supports configurable maximum password age schedules for managed accounts
Additionally, Jumpoints can be used for agentless management of Windows accounts, such as Active Directory, Azure AD Domain Services, and local Windows Server accounts, as well as automated management of the credentials used by Windows services. This capability bolsters your privileged account protection through your existing investment in BeyondTrust Privileged Remote Access or Remote Support.
Why BeyondTrust is your Microsoft LAPS alternative
For anyone who already understands and relies on the security benefits that legacy solutions such as LAPS provide, BeyondTrust can enable your migration to modern infrastructure while maintaining, and enhancing, your security posture. Solutions like LAPS are basic by design, whereas BeyondTrust solutions are designed first and foremost as enterprise-class, with scalability, user experience, auditability, resiliency, security, and availability as core pillars of our technology. If you are a customer of our EPM, Password Safe, or SRA products, you already have the tools needed to bring your privileged account security practices quickly and painlessly to the next level.
If you, like many of our customers, are making strides into modern workplace technology, but struggle to identify a LAPS replacement solution, reach out to BeyondTrust to explore how we can better help you scale your digital transformation initiatives. Contact us here.
Max Berg, Senior Solutions Engineer
As a Senior Solutions Engineer at BeyondTrust, Max works with organizations to achieve their security and compliance goals, while ensuring their businesses, as well as their end users and IT staff, remain flexible and productive. Since joining BeyondTrust (formerly Avecto) in 2015, Max has worked with large enterprise, public sector agencies, as well as small-medium businesses across North America and Europe, spanning the most highly technical and the most highly regulated industries and verticals. He has over 5 years’ experience delivering successful least privilege, application control, credential management, and secure remote access projects for both desktop and server environments, both for on-premises and cloud-based IT infrastructure.