Lately, we have received questions about using Microsoft Local Administrator Password Solution (LAPS) to manage local administrative privileges. With more employees working remotely these days, companies are looking for ways to boost their security posture and lock down privileged accounts. But is MS LAPS the right tool for this?
What is LAPS?
Microsoft LAPS is a free password management and rotation solution that uses Active Directory (AD) to store, manage, and rotate passwords for local administrative accounts across a Windows environment. LAPS forces local admin accounts to have strong passwords and gives each machine its own unique one. This helps prevent lateral movement and privilege escalation by ensuring that no two machines share the same local admin password. If an attacker compromises one local admin account, that password cannot be reused to move to other endpoints and accounts. This is very important, as hackers see admin accounts as the keys to a company. With admin credentials, hackers attempt to move laterally through your network to access data and systems. They can cause serious damage to your business reputation and put you in violation of compliance regulations.
LAPS is deployed using Group Policy and rotates the password on every machine, with length and complexity set by policy. The new password is applied to the local admin account and recorded in a confidential attribute on the computer's own object in AD (the LAPS schema extension). Authorized users can retrieve it when access is needed.
Benefits & Limitations of Microsoft Local Administrator Password Solution
At first glance, LAPS looks like a good solution for small and medium-sized businesses whose IT budgets and resources are tight. While LAPS does require an agent to be installed on your systems, it does not require additional servers or computers. It’s all done through AD and offers a seamless experience for Microsoft Windows-based companies. Companies receive local admin password rotation and can improve their security against hackers and malware.
However, LAPS only offers basic password management capabilities. Once a company begins using it, they quickly realize LAPS's limitations when it comes to securing all types of privileged accounts. First, the solution only supports local admin accounts. This means you will need another solution to manage domain admin accounts as well as database, service, application and machine-to-machine accounts. With more companies using non-person accounts (think IoT devices), it's important to have a solution that manages ALL types of privileged account passwords.
LAPS is completely Windows-based. If you use a mix of UNIX, Linux or macOS accounts, LAPS won't be able to help. You will need additional software. Since most companies run a combination of Windows and UNIX or Linux servers, this requires a full set of privileged access management capabilities that just aren't available in Local Administrator Password Solution.
Lastly, if your company deals with any type of personally identifiable information (PII), you must adhere to privacy controls or industry/government regulations. LAPS falls short of meeting compliance or audit regulations. It doesn’t allow you to record sessions or keystrokes and offers no reporting functionality. At your next IT audit, this could be an area of concern and lead to non-compliance.
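To make the storage mechanism described above and the reporting gap concrete, here is an added example (not code from the original post or from Xton) of a small health check for a legacy LAPS deployment. It assumes the AdmPwd.PS module that ships with the LAPS installer, the RSAT ActiveDirectory module, an account permitted to read the expiration attribute, and a placeholder OU and computer name that you would replace with your own.

```powershell
# Added example: audit who can read LAPS passwords and which machines are overdue for rotation.
# Assumes AdmPwd.PS (from the LAPS installer) and RSAT ActiveDirectory are installed.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OU = 'OU=Workstations,DC=example,DC=com'   # placeholder OU, replace with your own

# 1. Which principals hold the extended right to read the clear-text password attribute
#    (ms-Mcs-AdmPwd) under this OU? Review this list regularly: anyone on it can retrieve
#    every local admin password stored below the OU.
Find-AdmPwdExtendedRights -Identity $OU |
    Select-Object -ExpandProperty ExtendedRightHolders

# 2. Which computers have never had a LAPS password set, or whose password has expired
#    (meaning the client-side extension is not rotating it as policy requires)?
#    ms-Mcs-AdmPwdExpirationTime is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
$now = (Get-Date).ToFileTimeUtc()
Get-ADComputer -SearchBase $OU -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $exp = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Computer  = $_.Name
            NeverSet  = ($null -eq $exp)
            Expired   = ($null -ne $exp -and [int64]$exp -lt $now)
            ExpiresOn = if ($exp) { [datetime]::FromFileTimeUtc([int64]$exp) } else { $null }
        }
    } |
    Where-Object { $_.NeverSet -or $_.Expired } |
    Format-Table -AutoSize

# 3. Force a rotation on one machine at its next Group Policy refresh by expiring its password now.
#    'WS-PLACEHOLDER' is a placeholder computer name.
# Reset-AdmPwdPassword -ComputerName 'WS-PLACEHOLDER'
```

Step 2 is the kind of basic rotation report LAPS itself does not produce; steps 1 and 3 are the standard module cmdlets for reviewing read access and forcing a reset.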
Modern Privileged Access Management Software
After researching or trying LAPS, many companies realize that they need a more comprehensive solution that goes beyond just password rotation and local administrative accounts. This leads them to privileged access management software.
PAM offers complete control over privileged passwords, secrets, certificates, and documents. Most PAM software includes a secure identity vault with approval workflow; a robust job engine with password rotation and discovery; and session management with recording. It also supports on-premises, cloud, and hybrid environments. And PAM solutions offer out-of-the-box support for many compliance regulations.
The challenge is that traditional PAM solutions can be complicated and costly to deploy and maintain. Many companies feel that PAM is out of their reach from a budget and resource perspective.
This is where Xton helps. We bring a modern approach to PAM. Our XTAM software combines all the features of a traditional enterprise PAM solution in one affordable platform. With a low cost of ownership, our goal is to bring the benefits of PAM to more organizations and help them simplify and secure privileged accounts.
According to Martin Kuppinger, founder of the leading analyst firm KuppingerCole, “Xton provides a well-thought-out solution that is focused on an efficient implementation of key capabilities within PAM, avoiding the overhead that comes with other tools in the market.”
Want to learn more about Xton? Schedule a demo today.