Introducing LAPS Web UI

Removal of Local Administrator rights is everyone’s favorite topic, right? The conversation generally starts with, “It’s not possible, we need those rights” and ends with, “Ok, we will try it, but who do we contact when we need Local Administrator access?”. Most likely the answer is to contact support, but that could flood support depending on the size of the environment, legacy application use, and number of users.

This exact situation led to the development of a new self-help tool called LAPS Web UI. The tool allows users to request the Local Administrator password for any computer they are authorized for and then sets that password to expire after a configured number of hours. LAPS Web UI only requires an internal web server capable of running .NET Core 2.1, access to on-prem AD, and of course a working implementation of Microsoft LAPS.

User Flow

1. Authentication

User navigates to the published URL and logs in using their Azure AD credentials, including MFA if enabled. This URL can be internal or external using Azure App Proxies.

2. Select Computer

A list of authorized computers is presented to the user. The user is only ever able to retrieve the password for a machine in this list.

3. Copy Password

The final step displays the current LAPS password to the user. This password can then be used to perform whatever operation is required on the machine.

Backend

LAPS Web UI does not require any ‘out of the norm’ modifications to a standard Microsoft LAPS installation. The entirety of operations that LAPS Web UI performs is within the normal operating procedures for LAPS.

Authorized Computers

The list of Authorized Computers that is presented to a user can be defined in a number of configurable ways.

SQL Provider

The SQL Provider allows a query to be defined that uses the identity of the user as a lookup and returns a list of computers. This method is currently used to pull the Device Affinity information from the System Center Configuration Manager database.

XML Mapping Provider

The XML Mapping Provider allows an XML structured file to be used that defines User –> Computers relationships. This file could be generated using PowerShell, for example.

LAPS Operations

Password Retrieval is completed by reading the ms-Mcs-AdmPwd attribute in Active Directory.

Password Expiration is set by modifying the ms-Mcs-AdmPwdExpirationTime attribute to expire at the time of retrieval + the configured hours. This forces LAPS to expire the password using its own internal process, just as before.
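The expiration write above hinges on one encoding detail: ms-Mcs-AdmPwdExpirationTime is a LargeInteger holding a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC). The following is an added illustration, not code from LAPS Web UI, of computing the value to write after a retrieval and of checking whether a stored value has already lapsed; it assumes the retrieval time is a timezone-aware Python datetime.

```python
from datetime import datetime, timedelta, timezone

# ms-Mcs-AdmPwdExpirationTime stores a Windows FILETIME: the number of
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, kept in a
# LargeInteger attribute. All datetimes below are assumed timezone-aware.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000


def datetime_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as the integer AD expects in the attribute."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * HUNDRED_NS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(filetime: int) -> datetime:
    """Decode a stored attribute value back into an aware UTC datetime."""
    seconds, hundred_ns = divmod(filetime, HUNDRED_NS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=hundred_ns // 10)


def new_expiration(retrieved_at: datetime, hours: int) -> int:
    """Value to write after a retrieval: retrieval time + configured hours."""
    return datetime_to_filetime(retrieved_at + timedelta(hours=hours))


def password_is_expired(filetime: int, now: datetime) -> bool:
    """True when the stored expiration is already in the past, meaning the
    LAPS client will rotate the password at its next Group Policy refresh."""
    return filetime_to_datetime(filetime) <= now.astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed sample: a retrieval at 12:00 UTC with a 4-hour window.
    retrieved = datetime(2019, 3, 1, 12, 0, tzinfo=timezone.utc)
    value = new_expiration(retrieved, 4)
    print("write to ms-Mcs-AdmPwdExpirationTime:", value)
    print("decodes to:", filetime_to_datetime(value).isoformat())
    print("expired at 17:00?", password_is_expired(value, retrieved + timedelta(hours=5)))
```

The integer returned by new_expiration is the value handed to the LDAP modify (or Set-ADComputer -Replace) call, which is not shown here.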

LAPS Web UI is currently in active development. Does this solution sound interesting to you? Do you have a feature you’d like to see? Contact me and let me know.


By Tim Davis

I spent my career before Truesec ensuring small financial institutions could meet the demands of today's security standards. I realized that exposure was just the tip of the iceberg and the world of IT security had much more to teach me. I love troubleshooting, finding problems, and being able to bring them to a resolution.

My true passion is programming. I spend my free time writing software for Eve Online and supporting existing deployments. I love learning new programming languages and seeing how I can use them at Truesec.