To prevent unauthorized access, computers need unique local account passwords that are frequently changed. Some IT professionals turn to Microsoft LAPS (Local Administrator Password Solution) to accomplish this task.
However, according to our survey at Microsoft Ignite 2017, many Microsoft LAPS users still have problems managing local passwords. Their troubles include being unable to change admin passwords on offline systems and being unable to store current passwords securely.
Almost half (47%) of all survey respondents have experienced problems with LAPS on systems that are not connected to Active Directory. Microsoft LAPS only operates on domain-connected machines. This means that systems that are not on the corporate domain, such as in-field laptops, cloud-based systems and air-gapped servers, often miss scheduled password changes. These systems are more likely to be at risk from attacks like pass-the-hash.
The survey also found that 61% of respondents who have used Microsoft LAPS are unaware of its security flaws. One of the weaknesses of LAPS is that it stores passwords in clear text, making them easy targets for hackers. According to Dark Reading, attacks on cleartext passwords in memory are one of the “top five activities in the cyber kill chain”.
Also from the survey: nearly two-thirds of respondents (65%) admit they use Microsoft LAPS because it is free. Yet 42% of those surveyed intend to upgrade to a paid enterprise password management solution, perhaps because of the LAPS security and management issues reported above.
What is the Alternative to Microsoft LAPS?
The findings of this survey reflect what we hear from Microsoft LAPS users. LAPS is generally considered better than nothing by those who are unaware of alternatives. However, because of its poor security model, people using LAPS should consider commercial alternatives.
That’s why we developed the new Disconnected Account Management feature in RED Identity Management. With Disconnected Account Management, we provide the first product that can update local passwords on both online and offline servers, desktops and laptops.
Unlike Microsoft LAPS, RED Identity Management works on Windows, UNIX, Linux and Mac systems. It also encrypts stored passwords and has no dependency on Active Directory.
Want to learn more about securing passwords on offline systems? Download the free white paper Online vs. Offline Account Management: Connected vs. Disconnected Privileged Identity Management.
If you like this topic, please subscribe to our Cyber Defense Newsletter for a monthly roundup of our blog posts.