Craig Hays

ransomware

Microsoft LAPS: Setup, Install, Use, And Secure With Multi-Factor Authentication

September 9, 2022 By Craig Hays Leave a Comment

Reading Time: 7 minutes

The ultimate guide to deploying, configuring, securing, and using LAPS to mitigate the impact of ransomware attacks.

What is Microsoft LAPS

Microsoft LAPS is short for Microsoft Local Administrator Password Solution. When installed and enabled on domain-joined computers it takes over the management of passwords of local accounts. Passwords are automatically changed to random characters that meet the domain’s password policy requirements at a frequency that you define through Group Policy.

The passwords are stored in a protected “confidential” attribute on the Computer object in AD. Unlike most other attributes which can be read by all domain users by default, the confidential attributes require extra privileges to be granted in order to read them, thus securing the managed passwords.

Is Microsoft LAPS free?

Yes. Microsoft LAPS is completely free.

How does Microsoft LAPS work?

There are four components to the Local Administrator Password Solution:

  1. The 32-bit or 64-bit LAPS client you install on computers in the domain
  2. A Group Policy configuration that enables and configures the LAPS management policy on computers included in scope
  3. The Active Directory domain in which the managed computers can be found. The computer objects in this domain store the randomised passwords inside a protected attribute.
  4. Management tools, including a thick client GUI, a PowerShell module, and Group Policy templates.

When you first enable LAPS on a domain you add two new attributes to the domain schema for Computer objects:

  1. ‘ms-mcs-admpwd’ is used to store the password for the local administrator account
  2. ‘ms-mcs-admpwdexpirationtime’ is used to store a timestamp of when the current password will expire. This is defined in the Group Policy settings which we’ll get to in a bit.

How does a Computer update its local admin password through LAPS?

Password changes take place during group policy updates (gpupdate). A computer performs a group policy update when it first starts up, when a user signs in, and every 90 minutes after that by default. Because of this, LAPS can only change passwords when a domain controller is reachable. If you take a laptop home and do not connect to a VPN, the LAPS client will not rotate passwords.

So what actually happens when the LAPS client executes during a group policy update execution?

  1. The LAPS client is executed. It queries the ms-mcs-admpwdexpirationtime of its own computer object within AD. If an Active Directory domain controller is unreachable then the entire gpupdate is skipped, including the LAPS password check.
  2. The ms-mcs-admpwdexpirationtime timestamp is compared to the current time. If ms-mcs-admpwdexpirationtime is in the future, nothing happens. If ms-mcs-admpwdexpirationtime is in the past, the current password is flagged as expired and must be changed.
  3. The LAPS client creates a new password which meets the minimum requirements of the password policy set for the computer object and changes the password of the local administrator account.
  4. The LAPS client updates the ms-mcs-admpwd attribute on its computer object in the Active Directory database. Computers have full permission to edit their own attributes so this still works even though ms-mcs-admpwd is protected.
  5. The LAPS client updates the ms-mcs-admpwdexpirationtime to show the new expiration time based on whatever is configured through Group Policy.

If a domain controller cannot be reached, passwords do not change. This is useful for remote support as you know that when users are working from home you still have a valid local administrator password in AD which will continue to work until they connect to a VPN or come back to the office.
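As an added example (not from the original article, and not part of Microsoft LAPS itself), the PowerShell below reads the same ms-Mcs-AdmPwdExpirationTime timestamp that step 1 queries and reports which computers under an OU are current, expired, or have never been managed, which is the quickest way to spot machines that have not been able to reach a DC. The OU name and the 30-day password age are placeholders; it needs the RSAT ActiveDirectory module and the AdmPwd.PS module that ships with the LAPS installer.

```powershell
# Added example, not part of the original article or of Microsoft LAPS itself.
# Assumes: RSAT ActiveDirectory module, the AdmPwd.PS module from the LAPS
# installer, and that the OU and password age below are replaced with your own.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$SearchBase      = 'OU=Workstations,DC=example,DC=local'   # placeholder OU
$PasswordAgeDays = 30                                       # value configured in the LAPS GPO

# ms-Mcs-AdmPwdExpirationTime is stored as a Windows FILETIME: the number of
# 100-nanosecond intervals since 1601-01-01 UTC, held as a 64-bit integer.
function ConvertFrom-FileTime {
    param([Int64]$FileTime)
    if ($FileTime -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($FileTime)
}

function Get-LapsRotationReport {
    param([string]$OrgUnit, [int]$MaxAgeDays)
    $now = (Get-Date).ToUniversalTime()
    Get-ADComputer -Filter * -SearchBase $OrgUnit -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            $expires = if ($null -eq $raw) { $null } else { ConvertFrom-FileTime ([Int64]$raw) }
            # NeverSet: the client has never written the attribute (not in GPO scope,
            # client not installed, or no DC reachable since install).
            # Expired: the client will rotate at its next gpupdate with a reachable DC.
            if ($null -eq $expires) { $state = 'NeverSet' }
            elseif ($expires -lt $now) { $state = 'Expired' }
            else { $state = 'Current' }
            [pscustomobject]@{
                ComputerName = $_.Name
                Expires      = $expires
                State        = $state
                # An expiry further out than the GPO allows was not written by the
                # LAPS client; the GPO setting "Do not allow password expiration time
                # longer than required by policy" makes the client correct it.
                BeyondPolicy = ($null -ne $expires -and $expires -gt $now.AddDays($MaxAgeDays))
            }
        }
}

$report = Get-LapsRotationReport -OrgUnit $SearchBase -MaxAgeDays $PasswordAgeDays
$report | Sort-Object State, ComputerName | Format-Table -AutoSize
$report | Group-Object State | Select-Object Name, Count

# Forcing a rotation only sets the expiration time to "now"; the actual password
# change still happens on the computer at its next policy refresh (step 5 above).
$report | Where-Object { $_.BeyondPolicy } | ForEach-Object {
    Reset-AdmPwdPassword -ComputerName $_.ComputerName -WhenEffective (Get-Date)
}
```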

How do you get Microsoft LAPS?

As of the Windows 11 Build 25145.1011 (KB5016159), the Microsoft LAPS client comes installed natively as part of the Windows Operating System. For all older installations of Windows and for Windows Server you can download the Microsoft LAPS client installation files from www.microsoft.com/en-us/download/details.aspx?id=46899

The download page offers the following files:

  • LAPS.x86.msi – a 32-bit Microsoft Software Installer file for the LAPS client
  • LAPS.x64.msi – a 64-bit Microsoft Software Installer file for the LAPS client
  • LAPS.ARM64.msi – a 64-bit Microsoft Software Installer file for the LAPS client compiled for devices running on the ARM architecture instead of Intel or AMD.
  • LAPS_OperationsGuide.docx – A document describing how to deploy the LAPS client, configure group policy, and grant users permission to read the LAPS ms-mcs-admpwd attribute
  • LAPS_Datasheet.docx
  • LAPS_TechnicalSpecification.docx

Minimum Requirements

The Microsoft Local Administrator Password Solution (LAPS) client, also known as the Group Policy Client Side Extension (GP CSE), supports:

Supported Server Operating Systems

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003

Supported Client Operating Systems

  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7
  • Windows Vista

Note: Windows 11 is not included as LAPS is now a native feature of Windows.

Active Directory Domain Services

Active Directory requires:

  • Windows 2003 SP1 or later (requires an AD schema extension to add the ms-mcs-admpwd and ms-mcs-admpwdexpirationtime object attributes)

The default management toolset requires:

  • .NET Framework 4.0
  • PowerShell 2.0 or later

Is Microsoft LAPS secure?

It certainly should be but the true answer, like most things, is ‘that depends’. Provided you install it according to best practices, and adhere to good cyber security principles, then yes, LAPS is as secure as you would hope it to be.

Common mistakes people make when deploying LAPS include:

  • Not requiring multi-factor authentication (MFA) in order to view a LAPS managed password
  • Granting too broad a level of access to individual user accounts
  • Not requiring separate admin-only accounts, not used for browsing the web or reading email, for viewing LAPS passwords
  • Not applying rate limits to the number of passwords which can be viewed
  • Not monitoring and alerting on suspicious viewing and usage of LAPS-managed passwords

When should LAPS not be used?

LAPS should never be enabled on domain controllers. The last place you want your domain controller built-in administrator account passwords is in your Active Directory database for anyone with general LAPS visibility to read.

How to Setup Microsoft LAPS

How do I use Microsoft LAPS?

How to use LAPS to mitigate ransomware attacks

When deployed in the right way, Microsoft LAPS can be a highly effective tool to contain, slow down the spread of, and even mitigate the impact of ransomware attacks. In order to describe how this can be done, it is essential to understand how ransomware attacks happen.

Domain Compromise

When a ransomware gang attacks an organisation, their attacks typically follow this pattern:

  1. First, they gain a foothold into a network. This can happen by:
    1. Exploiting unpatched or otherwise vulnerable internet-accessible software
    2. Compromising valid accounts and entering a network via remote access services such as a VPN
    3. Delivering malicious software to an unsuspecting victim by email who then opens and executes it.
  2. Then they elevate from Domain User to Administrator of as many systems as possible. This can be achieved by:
    1. Obtaining Domain Admin or equivalent credentials.
    2. Obtaining one or more Local Admin credentials that work on lots of different computers. These can be Domain Users who are in the local Administrators group on more than one computer or a single local account with the same password on many computers. e.g. ‘support’ or ‘helpdesk’ which is placed in the local Administrators group.
    3. Obtaining hundreds of Local Admin credentials, each of which works on a single computer, for example, by exploiting a poor configuration of Microsoft LAPS.
  3. Next, they use the harvested credentials to steal and exfiltrate data
  4. Finally, they use the harvested credentials to encrypt files on as many computers in the organisation as quickly as possible.

The root cause of the problem described above is the abuse of a small number of passwords, often just one, that provides Administrator access to many or all computers in a domain. Microsoft LAPS helps to prevent this problem by randomising the password of the built-in Administrator account on all computers in the domain to which LAPS is deployed. It doesn’t solve the problem though as organisations tend to add or leave additional accounts in the local administrators group.

Damage Control – Containing the impact of a compromised administrator password

In order to limit the damage the compromise of a single administrator password can cause, the principle of ‘One Computer, One Admin, One Unique Password’ should be followed. As standard, the only members of the Administrators group on each computer should be:

  • .\Administrator (the local built-in administrator account, managed by Microsoft LAPS)
  • DOMAIN\Domain Admins (and no Domain Admin should sign in to any device which is not a Domain Controller)

All users should sign in as Domain/Local User and elevate to admin using ‘run as’ -> .\Administrator to temporarily execute as admin, or log out and log in as .\Administrator for use cases where ‘run as’ will not work.

Unless you’re using some other Privileged Access Management tool to manage and randomise passwords, no other accounts should be members of the local Administrators group on each computer unless it is absolutely unavoidable. If this does happen, the more computers the same password works on (Domain User in Local Administrators on more than one computer), the more damage can be caused if that password is compromised.
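As an added example (not from the original article), this PowerShell checks one computer's local Administrators group against the ‘One Computer, One Admin, One Unique Password’ standard above. It identifies the built-in Administrator and Domain Admins by their well-known RIDs rather than by name, so renamed accounts are still recognised; it assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and can be run across a fleet with Invoke-Command.

```powershell
# Added example, not part of the original article. Checks a computer's local
# Administrators group against "One Computer, One Admin, One Unique Password".
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+);
# run it locally, or on many machines through Invoke-Command.
function Test-LocalAdminHygiene {
    param(
        # SIDs of any extra principals you have deliberately accepted, e.g. an
        # account managed by another PAM tool. Empty by default.
        [string[]]$ExtraAllowedSids = @()
    )
    $findings = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $sid    = $m.SID.Value
        $source = "$($m.PrincipalSource)"
        # Compare by RID, not by name: the built-in local Administrator is always
        # RID 500 and Domain Admins is always RID 512, whatever they are called.
        # The domain's own Administrator account is also RID 500, so require a
        # local principal source for the first case.
        $allowed = ($sid.EndsWith('-500') -and $source -eq 'Local') -or
                   ($sid.EndsWith('-512') -and $source -eq 'ActiveDirectory') -or
                   ($ExtraAllowedSids -contains $sid)
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Member          = $m.Name
            ObjectClass     = $m.ObjectClass      # User or Group
            PrincipalSource = $source
            SID             = $sid
            Allowed         = $allowed
        }
    }
    return $findings
}

$result     = Test-LocalAdminHygiene
$violations = @($result | Where-Object { -not $_.Allowed })
$result | Format-Table Member, ObjectClass, PrincipalSource, Allowed -AutoSize
if ($violations.Count -gt 0) {
    # Every extra member is a credential that may also work on other computers.
    Write-Warning ('{0}: {1} member(s) of Administrators outside the standard set: {2}' -f
        $env:COMPUTERNAME, $violations.Count, ($violations.Member -join ', '))
}
```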

Require MFA to view LAPS-managed passwords

With the standard set of management tools, authorised users can view LAPS-managed administrator passwords without re-verifying their identity. If their account is ever compromised it can be used by the attacker to view LAPS passwords. If they are authorised to view a large number of passwords their account can be used to compromise all of them by simply requesting the LAPS ms-mcs-admpwd attribute for each of them.

To protect against this, it is best to deploy a LAPS password viewer which implements controls such as Multi-Factor Authentication, rate-limiting, and good auditing and alerting. My preference is to use Lithnet Access Manager.
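The two gaps called out here and in the list of common mistakes above, over-broad read access and no monitoring of password views, can both be checked from a domain controller. The PowerShell below is an added example (not from the original article or from Lithnet Access Manager): it lists who is entitled to read passwords in an OU, then mines Security event 4662 for who actually read them and flags any account that exceeds a per-hour threshold. It assumes the ActiveDirectory and AdmPwd.PS modules, Directory Service Access auditing enabled on the DC, a SACL on the OU from Set-AdmPwdAuditing, and placeholder OU and threshold values.

```powershell
# Added example, not part of the original article or of Lithnet Access Manager.
# Assumes: run on a DC with the ActiveDirectory and AdmPwd.PS modules, Directory
# Service Access auditing enabled, read auditing on the OU (Set-AdmPwdAuditing)
# so each read of ms-Mcs-AdmPwd logs Security event 4662, and placeholders below.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$OrgUnit   = 'OU=Workstations,DC=example,DC=local'   # placeholder OU
$Threshold = 5                                        # reads per account per hour that warrant a look
$Since     = (Get-Date).AddHours(-24)

# One-off: put a SACL on the computer objects so every principal's reads are audited.
# Set-AdmPwdAuditing -OrgUnit $OrgUnit -AuditedPrincipals 'Everyone'

# Who is allowed to read: expect one small, named group per OU, not a broad role.
Find-AdmPwdExtendedRights -Identity $OrgUnit | Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# Event 4662 names attributes by schemaIDGUID, and the GUID of ms-Mcs-AdmPwd is
# generated when the schema is extended, so it has to be looked up per forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$pwdGuid  = ([guid]$attr.schemaIDGUID).ToString()

function Get-LapsPasswordReads {
    param([string]$AttributeGuid, [datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # AccessMask 0x10 is "Read Property"; Properties lists the attribute GUIDs touched.
            if ($d['AccessMask'] -eq '0x10' -and $d['Properties'] -like "*$AttributeGuid*") {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    User   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    Object = $d['ObjectName']
                }
            }
        }
}

$reads = @(Get-LapsPasswordReads -AttributeGuid $pwdGuid -StartTime $Since)

# Volume per account over the whole window
$reads | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count

# Burst detection: more than $Threshold reads by one account within one clock hour.
# Clock-hour buckets are coarse; a sliding window would also catch bursts that straddle the hour.
$alerts = $reads |
    Group-Object { '{0}|{1}' -f $_.User, $_.Time.ToString('yyyy-MM-dd HH') } |
    Where-Object { $_.Count -gt $Threshold }
foreach ($a in $alerts) {
    $user, $hour = $a.Name -split '\|'
    Write-Warning ('{0} read {1} LAPS passwords in the hour starting {2}:00 (threshold {3})' -f $user, $a.Count, $hour, $Threshold)
}
```

A single lookup in the fat client or a PowerShell session can generate more than one 4662 event, so baseline normal volumes before settling on the threshold.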

Microsoft LAPS and Lithnet Access Manager with Azure App Proxy and MFA

Lithnet Access Manager is a web-based LAPS password viewer which supports rate limiting, simple group-based access control, usage auditing, and automatic password rotation after checkout and use.

Because it is a web-based solution we can deploy it through Azure App Proxy and use conditional access to require pre-authentication before the web app can be accessed, provide single sign-on from Azure AD through Kerberos delegation, require MFA for all sign-ins, limit session duration to whatever we wish (e.g. 1 hour) and require re-verification of identity through MFA regularly.

By blocking all direct access to the web application internally and forcing all users to go through Azure App Proxy we can easily wrap the whole thing with strong Azure AD access controls. It also means that it can be accessed on any mobile device which is great for on-the-go support technicians who can access LAPS passwords from their smartphones without being connected to the corporate network.

Installing Lithnet Access Manager LAPS Viewer

Deploy to all clients and servers. Use role-based access control. Link to Principles -> One computer, one admin account, one unique admin password. Prevents lateral movement and rapid encryption (provided your Domain Admins are safe). <Describe how it can be used as a low cost/free alternative to BeyondTrust, CyberArk, Thycotic, etc.> Combine with <link to> RDS Gateway over Apache RDS thing for secure remote access and Azure PIM for just-in-time access to devices.

Phishing Email to Company Devastating Ransomware in 5 Hours

October 25, 2020 By Craig Hays 2 Comments

Reading Time: 6 minutes

How hackers manually escalated from a malicious email to a devastating, company-wide ransomware takeover in under 5 hours.

(This article aims to contextualise an excellent incident report by Thedfirreport.com. I’ve used my own experience to fill in the gaps to demonstrate how these attacks affect real people in real companies.)

The Attack Started Like Many Others

A phishing email landed in the victim’s inbox at around 5 pm UTC and was promptly opened and read. There was nothing particularly suspicious about it. It was a well-written email with a reasonable call to action. There were no urgent demands. It wasn’t claiming to be from the company CEO. It looked identical to many other emails received that same day.

The company email servers scanned it and allowed it straight through to the victim’s inbox. It was sent through a legitimate and well-known email delivery service with a good reputation. There were no attachments to be scanned for malware. All it contained was a politely written request and a link to a web page.

The web page didn’t ask them to log in. It wasn’t trying to steal their password by masquerading as a trusted login page. All the victim saw was a message saying: ‘Oops! The document preview isn’t available. Click here to download’, or words to that effect. This is the sort of error message that we’ve all seen many times over the years. Most of us wouldn’t think twice about clicking that link, myself included.

Malware In Disguise

The browser downloaded a file named something like PreviewReport.DOC.exe. A warning message came up at the bottom of their browser asking if the user wanted to keep or discard the file as it could be harmful.

Regrettably, our unfortunate user downloads all sorts of documents all day every day and many of them give the exact same warning. They’ve learned that this warning message is just a regular part of online life. One more thing they must click on in order to get work done. Out of habit, they clicked on ‘keep’, then opened the file.

The executable was signed with a trusted certificate from a well-known vendor. It was malicious, and yet it was signed. The thing is, anyone can buy legitimate and trusted software signing certificates on the internet these days if you know where to look. The user’s PC had AppLocker configured to block unsigned executables but it made no difference. The trusted, signed malware executed without a problem.

Their local antivirus software had the latest virus signatures downloaded and available. As the malware was unique to this victim, the signature didn’t match anything on record. Nothing was blocked.

As far as the user was concerned, the file did nothing. Perhaps it was corrupted. Never mind…

Sadly, it wasn’t corrupted. It sent a message out to a command and control server on the internet to say, ‘Hello, I’m here, and I’m waiting’, then opened a backdoor into the heart of the company network. It checked in using standard, encrypted HTTPS traffic, and notified the ransomware gang that it was active and waiting for instructions. From the outside, it looked exactly the same as the device’s owner viewing any other secure web page on the internet.

How Will I Recover from Ransomware?

February 23, 2020 By Craig Hays Leave a Comment

Reading Time: 5 minutes

There are very few things that genuinely worry me in cybersecurity. Recovering from ransomware is one of them.

Ransomware is the digital equivalent of someone breaking into your house, while you’re in it, and deliberately destroying everything. No other prevalent cyber weapon does that. Ransomware is the only one. It is the cruellest, most violent, and most invasive type of malware on the internet. If someone did it in the physical world they would be imprisoned for a long time.

The catch with ransomware is that it offers you a lifeline. An undo button. A chance to reverse all damage. ‘Pay us and we’ll put it all back the way it was.’ Like it never happened. But it did.

Ransomware is Generally Indiscriminate

Ransomware doesn’t care who you are. The threat of ransomware affects both my personal and professional life. The photographs and videos of my daughter’s entire existence are just as vulnerable as the data and systems of FTSE-listed companies.

WannaCry, one of the most famous ransomware variants, originally spread from machine to machine through an unpatched file-sharing service. Once a host becomes infected it encrypts all local files and begins looking for other vulnerable hosts to attack. Whoever owns the host is irrelevant. If you’re on a network connected to a compromised host then you’re going to see infection attempts coming your way. Internet, home network, corporate office, or public Wi-Fi, it makes no difference.

The vulnerable hosts that allowed WannaCry to spread initially have been patched or are already compromised. Now ransomware tends to spread through user interaction. A phishing email or drive-by download is the most likely cause of infection. Some malware variants even request permission to run as an administrator to make sure no chance to access everything is missed. The recipient doesn’t matter; the outcome is the same.

But Ransomware Criminals Will Discriminate

The only thing that differs between victims is the size of the ransom demand. If an attacker is able to identify the system as belonging to a registered company then the price of the decryption key will be proportionate to the company’s annual returns. The victim’s goal is to recover from the ransomware attack. The attacker’s goal is to receive payment. Therefore, ransomware criminals walk a fine line between ‘I can’t afford to do that’ and ‘I can’t afford to not do that’.

While individuals may struggle to pay more than a few hundred dollars, a big corporation can usually afford to pay a lot more. Many cyber insurance providers will willingly negotiate the value of the ransom demand on behalf of their customer. Paying for the decryption key can be cheaper than recovering everything from backups. It’s not always a certainty though as it’s hard to rely on criminals to honour the terms of an agreement. That said, ransomware criminals rely on the general public consensus of their own compliance in order to make money. Unless the majority of people who pay for a decryption key actually get what they pay for, people will stop paying.

Criminals are Getting Smarter

In the early days of ransomware, criminals would compromise a system then almost immediately trigger the encryption process. This generated a lot of short term profits but reduced the size of overall payouts possible from corporations. For many companies, restoring from backups was a painful but acceptable solution to the problem. For a criminal, this isn’t the outcome that makes money.

Now, ransomware attacks against corporations have evolved. Instead of immediately starting the encryption process, criminals are hanging around, observing, exploring, and waiting for the right moment to strike for maximum effect. If you were watching them you’d find them slowly poisoning backups, corrupting stale data, and monitoring backup software until retention periods have expired. In the style of Mr Robot, criminals are going after production systems and their online and offline backups through corruption and expiration.

This evolution makes it much, much harder to recover from ransomware. If you can’t recover from offline backups your only option is to buy the decryption key. At least that’s the reasoning of the new approach. Another attack vector is to exfiltrate data before encrypting it locally and using the threat of GDPR fines to coerce payment. By leaking sensitive information to the press bit by bit until payment is made, a stronger case for paying the ransom demand can be built. Especially if someone is trying to keep the breach a secret. (By the way, don’t ever do that. Transparency and honesty are key.)

So How Will I Recover from Ransomware?

Thankfully I haven’t been hit by ransomware, yet. Unfortunately, it’s only a matter of time. No matter how hard you try you will always get hacked in the end. That’s why we apply our focus on response and recovery as much as on the protection against and detection of threats. Just like everyone else, the best way to recover from ransomware is to ensure you have offline backups of everything. Not just the data but full images of servers, installation files, license keys, processes and documentation, your Active Directory database in a tested, recoverable form… literally everything you could need to rebuild everything from scratch.

As evolved ransomware attacks are targeting offline backups, the solution here is longer retention periods. If you only keep backups for 30 days it is really easy to lose everything. If you keep a combination of daily, weekly, monthly, and yearly backups, you’ll at least have something to work with. It’ll be less than ideal but something is better than nothing. Long retention and early detection are your best defences.

In my personal life, I take the same approach. I use a combination of different online backup solutions with different retention policies. I combine that with offline snapshots of everything important to me on multiple disks. Simply replicating everything to a cloud-based mirror isn’t enough as ransomware changes to your local files will be replicated offsite just like your regular updates. Even if you use a backup provider that guarantees immutability of your data for a given period of time, all an attacker has to do is observe your password and delete your account before encrypting everything. Offline backups are the only safe option. Just don’t plug them back in again unless you’re sure your machine is safe.

You Can’t Back Up Your Reputation

The only thing you can’t back up is your reputation. No matter how well you respond, if you were the one responsible for protecting against a ransomware threat and you ‘failed’, you will be blamed. Even if only by yourself. Just remember, there’s only so much you can do with the time, money, and people available to you. Make sure you have offline backups that can’t be corrupted and at least you’ll be able to recover something in the end. You might not be able to back up your reputation, but with perseverance, you’ll be able to restore it.

© Craig Hays, 2006–2025