Local Administrator Password Solution - Enterprise
Detailed functional specification
Version 7.2.0.1
Jiri Formacek

Change log and approvals

Change log

Date        Author         Version   Summary of changes
14.8.2014   Jiri Formacek  5.0       Description of features in version 5.0 of the solution
6.1.2015    Jiri Formacek  5.5.5     Description of features in version 5.5.5 of the solution
1.2.2015    Jiri Formacek  5.5.5.1   Corrected typos
10.4.2015   Jiri Formacek  5.5.7     Updated based on feedback from deployments: mentioned case sensitivity of the config file; added description of PowerShell module interactions and permissions needed; added description of the autodiscovery process
22.4.2015   Jiri Formacek  5.5.8     Added description of RODC support
25.8.2015   Jiri Formacek  7.1.1     Added description of features added in version 7.1.1 of the solution
1.12.2015   Jiri Formacek  7.2.0     Added description of features added in version 7.2.0 of the solution
4.1.2016    Jiri Formacek  7.2.0.1   Fixed typos

Approvals

Name   Approved version   Position   Date

Contents

1 Management summary  5
2 Project Vision/Scope Summary  6
3 Requirements and design goals  7
  3.1 Business Requirements Summary  7
  3.2 User Requirements Summary  8
  3.3 Security Requirements Summary  8
  3.4 Installation requirements  9
4 Solution architecture  10
  4.1 CSE on managed machines  11
  4.2 Active Directory  11
  4.3 Group Policy  13
  4.4 Password Decryption Service  13
  4.5 Client UI  14
    4.5.1 Fat client  14
    4.5.2 PowerShell module  14
    4.5.3 Web UI  14
5 Implementation of requirements  15
  5.1 Business requirements  15
  5.2 User requirements  16
  5.3 Security requirements  17
  5.4 Installation requirements  17
6 Solution Design  18
  6.1 Client Side Group Policy Extension  18
    6.1.1 Implementation  18
    6.1.2 Configuration  20
    6.1.3 Logging  23
  6.2 Information security  26
    6.2.1 Active Directory  26
    6.2.2 Network communication  27
    6.2.3 PDS  27
    6.2.4 Protection against deletion of computer account  28
  6.3 Active Directory infrastructure  28
    6.3.1 AD Schema  29
    6.3.2 Extended rights  30
  6.4 Password Decryption Service  31
    6.4.1 API  32
    6.4.2 Interface  33
    6.4.3 Configuration  37
    6.4.4 Logging  40
    6.4.5 Autodiscovery  43
    6.4.6 Service account  45
  6.5 Installer  46
    6.5.1 CSE  46
    6.5.2 PDS  47
    6.5.3 PowerShell module  47
    6.5.4 Fat client UI  48
    6.5.5 ADMX templates  48
  6.6 Management tools  49
    6.6.1 Configuration  49
    6.6.2 PowerShell module  50
7 Delivery  51

1 Management summary

This document provides the technical specification of the features available in the Enterprise version of the "Local Administrator Password Solution" ("LAPS.E"). A Basic version of the solution is freely available from the Microsoft Download Center: http://www.microsoft.com/en-us/download/details.aspx?id=46899

The Enterprise version adds the following functionality:
- Encryption of the admin password stored in AD
- Password history
- Simplified security model and auditing
- Detection of changes to the password of the managed local administrator account made outside the solution
- Multi-forest deployment support

This technical specification covers the following areas:
- Summary of requirements for the solution
- Architecture of the solution
- Functional specification of the particular components of the solution
- Summary of deliverables

The solution implements a framework for management of a local administrator account (built-in or custom) on domain-joined computers. The password of the administrator account is stored in Active Directory with the computer account.
The client-side component ("CSE"), a part of the Group Policy framework ("GPO"), checks on every Group Policy refresh whether the password of the managed administrator account on the local computer has expired, based on the criteria configured in GPO (maximum age). If the password is older than the configured maximum age, the CSE generates a new password according to the parameters configured in GPO (length, complexity), optionally encrypts it, reports the new password to Active Directory ("AD") together with the timestamp of the next password expiration, and sets the password of the managed administrator account.

In AD, the password is protected by the Access Control List (ACL) of the computer account, so the AD administrator decides who is allowed to read the password of a given computer. In addition, the password can be stored encrypted in AD to achieve cryptographically strong protection that does not depend on the ACL alone.

The CSE is configured via GPO; the following parameters are configurable:
- Name of the administrator account (when not configured, the built-in local administrator account is managed)
- Complexity of the password
- Length of the password
- Maximum age of the password (the password is automatically changed when it is older than the maximum age)
- Whether or not to allow a manually set password expiration that is longer than the configured maximum password age
- Whether or not to encrypt the password stored in AD
  o and the encryption key, in case encryption is required
- Whether or not to maintain password history
- Whether or not to check whether the password of the managed local admin account was manipulated outside the solution

Users read the password of the managed admin account from AD via the Password Decryption Service ("PDS"), which works as a trusted subsystem performing authorization checks and auditing. PDS uses its own identity to read from and write to AD. All data transfers are protected by Kerberos encryption (LDAP signing and sealing), so the password cannot be learned by sniffing network traffic even when password encryption is not used. Note that Kerberos protects the password in transit only; at rest in AD its confidentiality relies on the attribute ACL, or on the RSA encryption when that is enabled.
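The generation and protection steps described above, as an added example that is not code from LAPS.E or its author: a CSPRNG-backed generator that honours the character classes of requirement S02 (with rejection sampling so no class is biased), and the "encrypt with the public key delivered by GPO, store as Base64" step, with a freshly generated key pair standing in for the key PDS would hold. The function names, the OAEP padding choice, the 60-character-class layout and the FILETIME encoding of the expiration timestamp (which is how the Basic LAPS schema stores ms-MCS-AdmPwdExpirationTime) are this example's own assumptions.

```powershell
# Added example, not code from the LAPS.E product: a CSPRNG-backed password
# generator for the S02 character classes, plus the "encrypt with the GPO public
# key and store as Base64" step from section 1. Function names, the OAEP padding
# choice and the FILETIME expiration format are assumptions of this example.

$CharClasses = [ordered]@{
    Capital = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    Small   = 'abcdefghijklmnopqrstuvwxyz'
    Number  = '0123456789'
    # The S02 table lists '+' twice; it is listed once here so it is not over-weighted.
    Special = ',.-+;!#&@{}[]$/()%'
}

# Uniform random index in [0, Max) with rejection sampling, so that sets whose
# size does not divide 2^32 do not get the modulo bias of (random % Max).
function Get-UnbiasedIndex {
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Max)
    $buf   = New-Object byte[] 4
    $range = [long]4294967296
    $limit = $range - ($range % $Max)
    do {
        $Rng.GetBytes($buf)
        $value = [long][BitConverter]::ToUInt32($buf, 0)
    } while ($value -ge $limit)
    return [int]($value % $Max)
}

function New-AdmPwdPassword {
    param(
        [int]$Length = 12,                                                         # S02 default length
        [string[]]$RequiredClasses = @('Capital', 'Small', 'Number', 'Special')   # "most complex" setting
    )
    if ($Length -lt $RequiredClasses.Count) { throw 'Length is shorter than the number of required classes' }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $alphabet = -join ($RequiredClasses | ForEach-Object { $CharClasses[$_] })
        $chars = New-Object System.Collections.Generic.List[char]
        # One character from each required class guarantees the complexity rule...
        foreach ($class in $RequiredClasses) {
            $set = $CharClasses[$class]
            $chars.Add($set[(Get-UnbiasedIndex -Rng $rng -Max $set.Length)])
        }
        # ...and the remainder is drawn from the union of the enabled classes.
        while ($chars.Count -lt $Length) {
            $chars.Add($alphabet[(Get-UnbiasedIndex -Rng $rng -Max $alphabet.Length)])
        }
        # Fisher-Yates shuffle so the guaranteed characters do not always come first.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-UnbiasedIndex -Rng $rng -Max ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return -join $chars
    } finally { $rng.Dispose() }
}

# Verifies the S02 rule: at least one character from every required class.
function Test-AdmPwdComplexity {
    param([string]$Password, [string[]]$RequiredClasses = @('Capital', 'Small', 'Number', 'Special'))
    foreach ($class in $RequiredClasses) {
        if ($Password.IndexOfAny($CharClasses[$class].ToCharArray()) -lt 0) { return $false }
    }
    return $true
}

# Encryption as the CSE would do it: only the public key travels in GPO, the
# private key never leaves PDS. OAEP padding is this example's choice.
function Protect-AdmPwd {
    param([string]$Password, [string]$PublicKeyXml)
    $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
    try {
        $rsa.FromXmlString($PublicKeyXml)
        $blob = $rsa.Encrypt([Text.Encoding]::UTF8.GetBytes($Password), $true)  # $true = OAEP
        return [Convert]::ToBase64String($blob)                                  # value written to AD
    } finally { $rsa.Dispose() }
}

# Decryption as PDS would do it with the private key it holds.
function Unprotect-AdmPwd {
    param([string]$Base64Blob, [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey)
    return [Text.Encoding]::UTF8.GetString($PrivateKey.Decrypt([Convert]::FromBase64String($Base64Blob), $true))
}

# Walk-through with a generated key pair standing in for the PDS key store.
$pdsKey       = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
$publicKeyXml = $pdsKey.ToXmlString($false)                         # what GPO would carry to the CSE
$newPassword  = New-AdmPwdPassword -Length 12
$expiration   = [DateTime]::UtcNow.AddHours(720).ToFileTimeUtc()   # next expiration as FILETIME (assumed format)
$stored       = Protect-AdmPwd -Password $newPassword -PublicKeyXml $publicKeyXml
[pscustomobject]@{
    Complex    = Test-AdmPwdComplexity -Password $newPassword
    Expiration = $expiration
    RoundTrip  = (Unprotect-AdmPwd -Base64Blob $stored -PrivateKey $pdsKey) -eq $newPassword
}
```

The rejection-sampling helper is the part worth copying: a generator that does `$random % $set.Length` over a 19-character special set is measurably biased toward the first few characters, which is exactly the kind of weakness an attacker guessing against many machines benefits from. Note also that RSACryptoServiceProvider OAEP limits the plaintext to well under the key size (about 214 bytes for a 2048-bit key), which is ample for a password but not for arbitrary data.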
2 Project Vision/Scope Summary

Support scenarios for servers and workstations include cases when it is not possible to use a domain account to log on to a server and perform administrative tasks. Such scenarios include:
- The machine loses its connection to the corporate network and there is no cached credential with administrative privileges
- The machine loses its connection with the domain or is accidentally disjoined from the domain, so domain credentials cannot be used to log on to the server and repair it
- It is required not to use domain accounts for machine administration, to prevent caching of credentials and lateral movement using stolen cached credentials (Pass-the-Hash attack)
- The machine is reverted to a backup or snapshot (in the case of a VM), and the current local admin password is reverted to the password that was valid when the backup/snapshot was created, so the previous password of the local admin account is required

For this type of support scenario, support staff need to know the current password of the built-in Administrator account to be able to log on to the computer and perform the necessary administrative tasks.

Additionally, there are security aspects of managing the built-in administrative account's password in a distributed environment:
- In many environments, the password is the same on many machines and is changed infrequently, which opens the space for a Pass-the-Hash (PtH) attack
- It is difficult to maintain strong, unique local admin account passwords and provide access to them on a need-to-know basis
- It is difficult to regularly change such passwords, force a password change, or plan password expiration on certain machine(s)

3 Requirements and design goals

The following paragraphs summarize the requirements that the solution must fulfil.
3.1 Business Requirements Summary

There are the following business requirements for the solution:
[B01] The solution must be resistant against tampering by the user of the computer it is implemented on, even if that user is a member of the local Administrators group
[B02] The solution must be centrally manageable. This includes:
  o The ability to know the password for a certain computer without the need to directly touch it, either locally or remotely
  o The ability to install, update and uninstall the solution in an unattended way and on many computers at the same time
[B03] The solution must support the built-in or a custom (other than built-in) local administrator account
[B04] The solution must be able to handle the scenario when the built-in Administrator account is renamed, without knowledge of the new name
[B05] The solution must correctly handle the situation when the computer is disconnected from the corporate network, i.e. not change the password when it is not possible to report it to the password repository
[B06] The solution must support Windows XP/2003 and above
[B07] The solution must support x86 and amd64 hardware platforms
[B08] The solution must support encryption of stored data using an industry standard asymmetric algorithm
[B09] The solution must be able to maintain a history of passwords, along with information about the time of validity of those passwords
[B10] The solution must support deployment in environments with RODCs:
  o Not allow replication of sensitive data to RODCs
  o Work in sites where an RODC is installed
[B11] The solution must be able to detect the scenario when the password of the managed local administrator account was changed manually, making the password reported in the password storage outdated

3.2 User Requirements Summary

There are the following requirements in the area of end user experience:
[U01] The solution must contain a simple to use tool for retrieval of the administrator account password for a given computer
[U02] In its default configuration, the solution must not show any traces of activity on the computer it is installed on; it must be hidden from the user as much as possible
[U03] When configured by an administrator, the solution must provide logging of its activity
[U04] The solution must offer easy to use configuration tools integrated with the PowerShell configuration tools framework
[U05] The solution must offer password retrieval and reset from a single place across multiple AD forests, provided there is an AD trust relationship among the forests

3.3 Security Requirements Summary

There are the following security requirements for the solution:
[S01] The solution must generate a unique random password for the managed local Administrator account of every managed computer
[S02] Generated passwords must fulfil the following complexity requirements:
  o The password length must be configurable by the administrator of the solution, with a default of 12 characters
  o The password complexity must be configurable. The most complex password must contain at least one character from each of the following character groups: capital letters, small letters, numbers, special characters. The characters belonging to each category are specified in the table below:

  Category            Characters
  Capital letters     ABCDEFGHIJKLMNOPQRSTUVWXYZ
  Small letters       abcdefghijklmnopqrstuvwxyz
  Numbers             0123456789
  Special characters  ,.-+;!#&@{}[]+$/()%

[S03] The maximum age of the password must be configurable, with a default of 30 days. After this time, the solution must automatically change the password to a new value
  o The granularity of the configuration value needs to be 1 hour
[S04] The solution must allow only authorized personnel to know the password of the built-in Administrator account of a particular computer
[S05] The solution must support changing the password of the built-in Administrator account on demand, without the need to directly touch the workstation either locally or remotely, so it is possible to force a password change when necessary, before the password is changed automatically because of its age
  o It must be possible to plan the password expiration on a per-workstation basis, to support scenarios such as "the password is set to expire today at midnight"
[S06] The solution must allow for auditing of password reads from the password repository and of password resets

3.4 Installation requirements

Requirements for the installer are:
[I01] The installer must support unattended installation
[I02] The installer is expected to be a single file performing all tasks related to installation
[I03] The installer must run on Windows XP/2003 and above
[I04] The installer must support creation of a custom admin account during installation
  o The password of this custom account needs to be complex and random once the installer finishes creating it
  o This password is not required to be logged or reported anywhere: it is expected that regular password management will change the password shortly after installation and report the changed password to AD
  o The newly created custom admin account needs to be made a member of the local Administrators group as part of its creation process
[I05] The installer must be able to set a random complex password on the existing built-in administrator account.
  o This password is not required to be logged or reported anywhere: it is expected that regular password management will change the password shortly after installation and report the changed password to AD

4 Solution architecture

The solution architecture is depicted in the schema below.

[Figure: solution architecture schema. Legend: green = solution specific, blue = Windows platform features, bold lines = encrypted connection. The figure shows the Password Decryption Service (audit log, public/private encryption key pairs, key management, DNS SRV record for service discovery, autodiscovery API), Active Directory (computer account holding the password, its expiration and optionally its history; GPO holding the parameters and the encryption key), the CSE on managed machines (GP update delivering parameters and encryption key, reporting of password and expiration, processing of reset requests), and the client tools (PowerShell module, fat client, web UI) that call into PDS to read and reset passwords and to manage keys, with admins configuring the solution.]

The roles of the particular solution components are specified below.

4.1 CSE on managed machines

The core functionality of the solution is implemented as a Client Side Group Policy Extension (CSE), installed on every managed machine. The CSE works as part of the Group Policy framework and is responsible for maintaining the password of the managed local admin account based on the parameters specified in GPO. It is also responsible for processing password reset requests.

This implementation model brings the following benefits:
- Resistance against tampering by the user of the computer: the security of the CSE is essentially the same as the security of the Group Policy framework itself
- A privileged security context for local execution: all local operations are performed as LOCAL SYSTEM, which provides sufficient privileges for local operations (especially the password reset of the managed admin account)
- A security context for network operations: network operations (especially interaction with the password repository) use the identity of the computer account of the managed computer
- Automatic timing of operations: password management (checking the password age and changing the password if necessary) is performed every time a Group Policy refresh occurs on the computer
- Automatic detection of the offline state: when the managed workstation is offline, the Group Policy refresh does not occur and the CSE is not triggered
- Scalability: a locally installed solution is more independent, reliable and scalable than any central solution that has to reach every managed computer across the network

4.2 Active Directory

Another important component of the solution is Active Directory. Active Directory (AD) is used as the authentication and authorization provider for the solution, and is also used as the repository for:
- passwords of managed admin accounts
- password reset requests

The password repository is implemented using newly defined attributes in the AD schema, added to the mayContain property set of the computer class.

Using AD as the repository brings the following benefits:
- Availability: the design goal is to manage passwords on domain-joined computers, so for every managed computer the AD infrastructure is reachable by design
- Security: the AD infrastructure offers advanced tools for implementing the security model of the solution, by allowing per-attribute Access Control Lists (ACLs) and confidential attributes for password storage
- Independence: the solution is highly self-contained. It depends almost entirely on the AD infrastructure, which makes it more secure and robust and makes the implementation of the desired security model easier. Management of the solution is also easier because the set of components to maintain is minimized.
- Simplicity of transport encryption: when transferring passwords from managed workstations to AD, and from AD to the users requesting them, the passwords must be protected from eavesdropping on the wire. The AD client on a managed workstation supports Kerberos-based encryption (signing and sealing) of LDAP operations. This relies only on the Kerberos authentication protocol, which is available to any domain-joined workstation by default, so there is no need to implement other encryption means (such as SSL or IPsec) that require additional planning and prerequisites (such as deployment of server certificates to domain controllers and a PKI in place)
- Scalability: using the AD infrastructure as the password repository allows the password to be reported to any writable DC, typically the one closest to the workstation; the password repository is therefore not a single point of failure and the solution scales to the same extent as the AD infrastructure itself
- Firewall friendliness: using AD as the repository for password reset requests eliminates the need to reach the managed machine when a password reset is requested, which simplifies management by removing the need to open firewall holes for inbound communication. In addition, managed machines communicate using existing protocols that every machine joined to an AD domain already uses, which makes implementation in an environment with hardened network security straightforward
- Protection against attacks: the AD database is one of the most important assets of every company, as it contains user identities including their password hashes, so it is usually protected accordingly, including its backup media. This solution reuses the existing protection model of the AD database for its own sensitive data, the passwords of the built-in Administrator accounts of managed computers. Additionally, the AD infrastructure supports Read-Only Domain Controllers (RODCs), designed for environments with insufficient physical security. This solution is not a blocker for an RODC implementation: passwords of managed admin accounts are by default prevented from replicating to RODCs.

4.3 Group Policy

Group Policy is used as the configuration repository and as the transport mechanism that delivers the chosen configuration to managed machines. The solution contains an ADMX template that defines the configuration values and allows their management via the GPO Editor. Using GPO allows easy integration of the solution's configuration into existing configuration management processes.

4.4 Password Decryption Service

PDS is responsible for the following tasks:
- Creation and maintenance of the key pairs used for password encryption and decryption
- Processing of password read and reset requests, and authorization of these requests based on the security model implemented in AD
- Communication with Active Directory: password reads and decryption, password resets
- Auditing of users' requests for password reads and resets
- Registration and maintenance of the DNS SRV record used by clients to discover the service

PDS uses its own security context when communicating with AD; it does not perform delegation. PDS runs under the NETWORK SERVICE account by default, so it accesses AD authenticated as the computer account of the machine PDS is running on. Note: when PDS is hosted on a DC and runs under the default NETWORK SERVICE account, it accesses the DC as NETWORK SERVICE rather than as the computer account. Running PDS under a domain account is fully supported.

PDS registers and maintains an SRV record in DNS, _admpwd._tcp.<domain>, so clients are able to find the service without any specific configuration. Because DNS answers are not authenticated, clients must rely on Kerberos authentication of the discovered PDS (i.e. its SPN) rather than on the DNS record itself to know they are talking to the genuine service.

PDS supports more than one encryption key pair, so different managed machines can use different keys to encrypt the password reported to AD. Key rollover is also fully supported, so the encryption key can be changed without disruption of the service.
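The SRV-based discovery described above, as an added example that is not code from LAPS.E: how a client can order several PDS instances published under _admpwd._tcp.<domain> using the standard RFC 2782 priority/weight selection, so that load is spread among equal-priority instances and a lower-priority (for example disaster recovery) instance is only used as a fallback. This goes beyond the single-record case the text describes. The records are constructed inline; in a domain they would come from Resolve-DnsName. The domain name, host names, port numbers and the function name are placeholders of this example, not values from the specification.

```powershell
# Added example, not code from the LAPS.E product: RFC 2782 ordering of the
# _admpwd._tcp.<domain> SRV records a client receives. Records, names and ports
# below are constructed placeholders; in production use
#   Resolve-DnsName -Name "_admpwd._tcp.$env:USERDNSDOMAIN" -Type SRV
# which returns objects with the same NameTarget/Port/Priority/Weight properties.

function Get-PdsTargetOrder {
    param([object[]]$SrvRecords)   # objects with NameTarget, Port, Priority, Weight
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf     = New-Object byte[] 4
    $ordered = New-Object System.Collections.Generic.List[object]
    try {
        # Lower Priority value is contacted first; a higher value is only a fallback.
        foreach ($group in ($SrvRecords | Group-Object -Property Priority | Sort-Object { [int]$_.Name })) {
            # RFC 2782: weight-0 records go to the front so they are chosen only
            # when the random point lands exactly on 0.
            $pool = New-Object System.Collections.Generic.List[object]
            foreach ($r in ($group.Group | Sort-Object { [int]$_.Weight -ne 0 })) { $pool.Add($r) }
            # Within one priority class, pick repeatedly with probability proportional to Weight.
            while ($pool.Count -gt 0) {
                $total = 0
                foreach ($r in $pool) { $total += [int]$r.Weight }
                $rng.GetBytes($buf)
                # Random point in [0, total]; the tiny modulo bias is irrelevant for load spreading.
                $point   = [long]([BitConverter]::ToUInt32($buf, 0) % ($total + 1))
                $running = 0
                $pick    = $pool[0]
                foreach ($r in $pool) {
                    $running += [int]$r.Weight
                    if ($running -ge $point) { $pick = $r; break }
                }
                $ordered.Add($pick)
                [void]$pool.Remove($pick)
            }
        }
    } finally { $rng.Dispose() }
    return $ordered
}

# Constructed records standing in for a Resolve-DnsName answer.
$domain = 'corp.example'   # placeholder domain
$srv = @(
    [pscustomobject]@{ NameTarget = "pds1.$domain";   Port = 443; Priority = 0;  Weight = 60 }
    [pscustomobject]@{ NameTarget = "pds2.$domain";   Port = 443; Priority = 0;  Weight = 40 }
    [pscustomobject]@{ NameTarget = "pds-dr.$domain"; Port = 443; Priority = 10; Weight = 0  }
)

# A client walks this list in order and stops at the first PDS it can reach and
# authenticate to with Kerberos; pds-dr is always last, pds1 is first about 60% of the time.
Get-PdsTargetOrder -SrvRecords $srv |
    ForEach-Object { '{0}:{1} (priority {2}, weight {3})' -f $_.NameTarget, $_.Port, $_.Priority, $_.Weight }
```

The security property to keep in mind is that nothing in this selection authenticates the target: a spoofed SRV answer can point the client at any host. What prevents an impostor from receiving the client's request is that the client authenticates the service with Kerberos, and a rogue host cannot decrypt a service ticket issued for the genuine PDS SPN, so the client must fail closed when Kerberos authentication to the discovered host does not succeed rather than fall back to a weaker mechanism.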
PDS protects the transport channel with Kerberos encryption, both when reading data from AD and when sending data to clients; this is available to all domain-joined machines out of the box, so the clear-text password is never revealed on the wire.

4.5 Client UI

The solution comes with the following client UIs:
- Fat client
- PowerShell module
- Web UI

4.5.1 Fat client

Allows easy access to the password read and reset functionality for a computer. It can also be run from the network (so installation on every machine that needs to run it is not necessary), and it can be registered as a context menu extension for the Active Directory Users and Computers tool [1].

4.5.2 PowerShell module

The cmdlets provided by the PowerShell module allow complete usage and configuration of the solution. The module allows you to:
- Read and reset the local admin password for a given computer
- Prepare the AD schema for the solution
- Implement the security model for the solution
- Manage key pairs in PDS

4.5.3 Web UI

The Web UI offers the following functionality:
- Read and reset the local admin password for a given computer
- Manage key pairs in PDS

The Web UI calls into PDS for its operation and uses Kerberos Constrained Delegation (KCD) to pass the caller's identity to PDS, so that PDS authorizes and audits the request as the actual user rather than as the web server's account.

[1] See http://msdn.microsoft.com/en-us/library/ms677915(v=vs.85).aspx for details

5 Implementation of requirements

The following chapters summarize how the requirements specified above are implemented by the solution architecture.

5.1 Business requirements

[B01] The client side of the solution is implemented as a Group Policy Extension. This means that its protection level is the same as that of the built-in Group Policy framework used for configuration management of the other components running on the machine
[B02] The solution stores its data in Active Directory. Both password reads and password resets are performed against AD, without the need to reach the managed workstation.
The solution contains an MSI installer that supports unattended installation with the configuration management solution of choice (such as SCCM). The solution comes with an ADMX template that defines the parameters configurable via GPO; the configuration on managed computers is completely manageable via GPO.
[B03] The solution automatically detects the built-in admin account, even when renamed. Support for a custom admin account is implemented via GPO: the name of the custom admin account to be managed can be configured there
[B04] The solution detects the built-in admin account via its well-known SID (RID 500), so it does not depend on a specific name for the built-in admin account
[B05] The solution is triggered on the client side by Group Policy refresh events. When the computer is disconnected from the domain, no Group Policy refresh occurs, so no password change occurs either. In addition, the solution requires connectivity to the AD infrastructure in order to reset the local admin password, so when the managed machine is offline there is no AD connectivity and thus no local admin password management event
[B06] The solution is developed using APIs that are available on Windows XP/2003 and newer operating systems. The development roadmap takes the OS lifecycle into consideration, so the solution is supported on all supported Windows versions
[B07] The delivery contains installers for the x86 and amd64 hardware platforms
[B08] The solution supports encryption of the password stored in AD using an RSA public key. The password is then decrypted with the corresponding RSA private key. Key pairs are maintained by the PDS service; PDS is the only holder of the private key. Password encryption is optional; the requirement for encryption and the public key are configured via GPO.
[B09] The solution supports maintenance of password history. The password history is maintained along with information about the time when each password was valid. Passwords in the password history support encryption in the same way as the current password
[B10] The default AD schema definition prevents replication of the password and the password history to RODCs, so sensitive data is not replicated to RODCs. Both managed clients and management tools avoid connecting to RODCs and always connect to a writable domain controller, to make sure that the password can be reported to AD and read from AD in all scenarios.
[B11] The CSE remembers the timestamp of when it changed the password of the managed local administrator account, and compares it with the password age reported by the OS. When the password age differs from the expected value, the password is considered to have been manipulated outside the solution, and it is reset immediately.

5.2 User requirements

[U01] The solution contains a simple fat client application that allows the user to enter a computer name and:
  o Retrieve the current local admin password
  o Optionally retrieve the complete password history
  o Request a local admin password reset (both immediate and planned)
The fat client application can be registered as a context menu extension for the Active Directory Users and Computers tool and can be run from a network location, for even easier integration with existing support processes. In addition, the solution contains a web UI that offers the same functionality as the fat client application.
[U02] By default, the solution only logs error messages on managed machines. Warning and information messages are logged only when requested by the administrator.
[U03] The solution provides the following logging capabilities:
  o On managed machines: operational logging into the Application log
  o On PDS: operational and audit logging into a dedicated log
[U04] The solution comes with a PowerShell module that implements the cmdlets necessary for configuration of the solution.
[U05] The solution supports delegation of permissions across forests, and the administrative tools allow specifying the DNS name of the forest in which to look for the computer account whose password is to be retrieved or reset.

5.3 Security requirements

[S01] The solution generates a cryptographically random password; the RSA CSP is used to generate the random numbers used to construct the password.

[S02] The generated password has the parameters specified by the requirements; password parameters are configurable via GPO.

[S03] A password change is triggered by the GPO update event on managed machines. By default this happens every ~90 minutes (the interval can be shortened if needed), so the password can potentially be changed as often as every ~1 hour if needed. Password age is configurable via GPO; the default is 720 hours (30 days).

[S04] The solution relies on the AD security model and allows granting the permission to read/reset the computer account on a per-computer basis, or delegating those permissions at container level.

[S05] The solution relies on the AD security model to grant the permission to reset the local admin password on a per-computer basis. A password reset request is written to AD, to the computer account of the computer. The computer then processes the password reset request upon the next GPO refresh. A password reset request can be immediate or planned for the future. Using AD as storage for password reset requests allows managing a workstation without touching it directly.

[S06] Password reads and resets are handled by the PDS, working as a trusted subsystem. The PDS audits all operations into its own log, so it is very easy to collect those audit events for further analysis by the tool of choice (such as ACS). In addition, it is possible to set up auditing at AD level to audit actions performed by the PDS and by administrators of the AD service.

5.4 Installation requirements

[I01] Part of the delivery is an MSI installer that supports unattended installation via the /q switch. Running the installer silently without parameters installs just the CSE, the only component of the solution that is expected to be installed in bulk.

[I02] All components of the solution (except the Web UI) are contained in the installer MSI package. The Web UI is installed separately because it is expected to be customized according to the look-and-feel requirements of the environment where it is deployed.

[I03] The MSI can be installed on all supported versions of Windows.

[I04] The installer supports creation of a custom local admin account during installation of the CSE. The account name is specified via the installer variable CUSTOMADMINNAME; the variable can be set from the command line or via an MST transform.

[I05] The installer supports protection of the built-in local admin account by a complex random password during installation of the CSE. This protection is turned on via the installer variable PROTECTBUILTINADMIN; the variable can be set from the command line or via an MST transform.

6 Solution Design

6.1 Client Side Group Policy Extension

6.1.1 Implementation

The CSE is implemented as a single DLL file publishing the following entry points:
- ProcessGroupPolicy
  o The main entry point for the Group Policy framework. This entry point implements the ProcessGroupPolicy() callback as described in MSDN (see http://msdn.microsoft.com/en-us/library/aa374377(VS.85).aspx).
- DllRegisterServer
  o Can be used for manual registration of the CSE with the GPO framework and with the Event Log service during CSE installation/upgrade, in case it is not possible to use the MSI installer.
- DllUnregisterServer
  o Can be used for manual deregistration of the CSE from the GPO framework and the Event Log service during the CSE uninstallation process, in case it is not possible to use the MSI installer.

The processing logic is as follows:
1. The CSE connects to Active Directory, to the computer object of the managed machine it is running on.
2. The CSE then reads the value of the attribute “ms-MCS-AdmPwdExpirationTime”.
   This attribute stores the expiration time of the current password.
  o When the attribute is empty, the password was never changed, so the CSE knows it is time to reset the password.
  o When the timestamp is not older than the current time, the password has not expired yet; the CSE performs no other operation and finishes processing.
  o When the timestamp is older than the current time, the CSE knows it is time to reset the password.
  o When the timestamp is further in the future than the password age specified in the GPO allows, and the respective protection is enabled in the GPO, the CSE knows it needs to reset the password.
  o When the CSE finds out that the password of the managed administrator account was manipulated, and the respective protection is enabled in the GPO, it knows it needs to reset the password.
3. When the configuration requires the password to comply with the maximum age restriction, the CSE compares the expiration time with the maximum password age specified in the GPO. When the expiration is longer than the maximum age, the CSE knows it is time to change the password and reset the password age.
4. When the configuration requires protection against password changes outside the solution, the CSE reads the password age of the managed local administrator account and compares it with the expected age, given by the last password change performed by the CSE. When the age differs from the expected value, the password is considered invalid and the CSE knows it is time to reset it.
5. When the password needs to be reset, the CSE detects the local Administrator account to manage (either via the name configured using GPO or via the well-known SID) and connects to it.
6. The CSE then generates a new password according to the required criteria (length and complexity).
7. If the solution is configured to store the password encrypted in AD, the CSE loads the encryption key from the GPO and uses it to encrypt the password. The CSE then converts the encrypted blob to a Base64 string.
8. The CSE then reports the new password (plain text or Base64-encoded encrypted blob) and the timestamp to Active Directory, to the following attributes of the computer account of the machine it runs on:
  o ms-MCS-AdmPwd: either the plaintext password, or a Base64 string containing the encrypted password, prefixed by the ID of the key used for encryption. Format: <keyID>:<space><Base64>. Example: 1: ZmwKf34lH1/+NsjIWSfKQSb4H…
  o ms-MCS-AdmPwdExpirationTime: timestamp of the current time plus the configured password age, in FILETIME format (64-bit integer), in UTC.
  o ms-MCS-AdmPwdHistory: when maintenance of password history is required, the timestamp of the current time (Directory String) plus the password as reported to the ms-MCS-AdmPwd attribute. Format: <timestamp>:<space><value of ms-MCS-AdmPwd>. Example: 20140929233650.0Z: 1: ZmwKf34lH1/+NsjIWSfKQSb4H…
  o Note: this communication is encrypted with Kerberos encryption.
9. After the password and expiration timestamp are successfully reported to AD, the password of the managed Administrator account is reset to the new value generated in step 6.
  o The reason for this sequence of steps is that reporting and resetting the password cannot be done as a single transaction. Reporting the password to AD is considered the “riskier” operation, as more things can go wrong with a network between the workstation and the domain controller, whereas the password reset operation works against the local computer. The riskier operation is performed first, so that any errors are caught before the password is reset. This order of steps minimizes the risk that the reported password differs from the actual password of the managed Administrator account.
10. After successfully resetting the password, the CSE finishes execution, reporting success to the GPO framework that called it.
11. If an error occurs during execution, the CSE logs the error to the Application log and finishes execution, reporting the error to the GPO framework that called it.

6.1.2 Configuration

The CSE is configurable using registry values under the registry key:
HKLM\Software\Policies\Microsoft Services\AdmPwd

Currently the following configuration values are supported:

Value | Type | Meaning
AdmPwdEnabled | REG_DWORD | Setting to non-zero enables the solution. The resulting policy must have this value set to non-zero for the solution to be enabled on the managed machine. Managed by policy “Enable local admin password management”
AdminAccountName | REG_SZ | Name of the local account to manage the password for. If not configured, the CSE manages the built-in Administrator password regardless of its name (it detects the account via the well-known SID). Managed by policy “Customize administrator account name”
ManualPasswordChangeProtectionEnabled | REG_DWORD | Setting to zero disables protection against manual changes of the managed local administrator account's password. If not configured or set to non-zero, the protection is active. Managed by policy “Protect against manual changes of password”
PasswordLength | REG_DWORD | Length of the generated password. Minimum: 8. Maximum: 64. Default: 12. Managed by policy “Password Settings”
PasswordComplexity | REG_DWORD | Complexity of the generated password. Minimum: 1. Maximum: 4. Default: 4 (see paragraph 3.3 for details). Meaning of values: 1 ... large letters; 2 ... large letters + small letters; 3 ... large letters + small letters + numbers; 4 ... large letters + small letters + numbers + special chars. Managed by policy “Password Settings”
PasswordAge | REG_DWORD | Age of the password in hours.
   Minimum: 1. Maximum: 9999. Default: 720 (30 days). Managed by policy “Password Settings”
PwdExpirationProtectionEnabled | REG_DWORD | Whether the CSE shall enforce that the password age is aligned with the PasswordAge parameter. If set to non-zero, when the password expiration time set on the computer exceeds the PasswordAge policy, the password is reset upon the next GPO refresh and the expiration is set according to policy. Managed by policy “Do not allow password expiration time longer than required by policy”
PwdEncryptionEnabled | REG_DWORD | Whether or not password encryption is enabled. Default: No. Managed by policy “Password encryption”
PublicKey | REG_SZ | Base64-encoded public key for password encryption. Managed by policy “Password encryption”
PwdHistoryEnabled | REG_DWORD | Whether or not to maintain password history for the computer. Managed by policy “Maintain history of passwords”

Note: In the GPO UI, all configuration settings related to the CSE are located under the Computer Configuration/Administrative Templates/LAPS Enterprise/Managed Clients path.

6.1.3 Logging

The CSE logs all events into the Application Event Log of the local computer. Log messages are English only, but can be localized, or an additional language can be added, if necessary.

The type of events that are logged is configurable via the following REG_DWORD registry value:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}\ExtensionDebugLevel

The semantics of the possible values are as follows:

Value | Meaning
0 | Silent mode; log errors only. When no error occurs, no information is logged about CSE activity. This is the default value
1 | Log errors and warnings
2 | Verbose mode; log everything

The event source for all events reported by the CSE is always “AdmPwd”. The following table summarizes the events that can occur in the Event Log:

ID | Severity | Description | Comment
2 | Error | Could not get computer object from AD. Error %1 | Logged when the CSE is not able to connect to the computer account for the local computer in AD. %1 is a placeholder for the error code returned by the function that retrieves the local computer name, converts it to a DN and connects to the object specified by the DN
3 | Error | Could not get local Administrator account. Error %1 | Logged when the CSE is not able to connect to the built-in Administrator account. %1 is a placeholder for the error code returned by the function that detects the name of the local administrator account and connects to the account
4 | Error | Could not get password expiration timestamp from computer account in AD. Error %1. | Logged when the CSE is not able to read the value of ms-MCS-AdmPwdExpirationTime of the computer account in AD. %1 is a placeholder for the error code returned by the function that reads the value of the attribute and converts it to the unsigned __int64 type
6 | Error | Could not create new password. Error %1. | Logged when the CSE for any reason (typically failure to initialize/use the random number generator) cannot create a new password for the local admin account
7 | Error | Could not encrypt password. Error %1. | Logged in any of the following situations: the CSE cannot locate the public key in the registry; the public key blob stored in the GPO is invalid; the RSA CSP is not able to encrypt the password
8 | Error | Could not write changed password to AD. Error %1. | Logged when the CSE is not able to report the new password and timestamp to AD. %1 is a placeholder for the error code returned by the LDAP search request
9 | Error | Could not reset local Administrator's password. Error %1 | Logged when the CSE is not able to reset the password of the built-in Administrator account. %1 is a placeholder for the error returned by the NetUserSetInfo() API call
10 | Warning | Password expiration too long for computer (%1 days, %2 hours). Resetting password now. | Logged when the CSE detects that the password expiration for the computer is longer than allowed by the policy in place, while protection against excessive password age is turned on
11 | Warning | Password was manipulated with since last check (%1 seconds after regular password change). Resetting password now. | Logged when the CSE detects that the password of the managed local administrator account was changed manually
12 | Error | Could not check if password is in sync with AD. Error %1. | Logged when the CSE is not able to detect the password age of the managed local administrator account. %1 is a placeholder for the error returned by the NetUserGetInfo() API call
1 | Information | Beginning processing with flags %1. | Logged when the CSE starts processing a GPO update event. %1 is a placeholder for the value of the flags passed to the ProcessGroupPolicy() entry point
2 | Information | It is not necessary to change password yet. Will be changed in %1 days, %2 hours. | Logged when the CSE detects that it is not yet time to reset the password of the managed admin account
7 | Information | Local Administrator's password has been successfully encrypted | Logged when the password is successfully encrypted
8 | Information | Local Administrator's password has been reported to AD. | Logged when the password is successfully reported to AD
9 | Information | Local Administrator's password has been changed | Logged after the CSE resets the password of the managed admin account
11 | Information | Admin password was not manipulated with (%1) | Logged when the CSE detects that the password of the managed local administrator account was not manipulated. %1 is a placeholder for the difference between the expected and real password age, in seconds. The accepted difference is up to 3 seconds
100 | Information | Finished successfully | Logged after the CSE has performed all required tasks and is about to finish
101 | Information | Admin account management not enabled, exiting | Logged when admin account management is not enabled and the CSE is not allowed to work

Notes:
- Generally, all events with severity “Error” are blocking: when any error occurs, no other tasks are performed and the CSE terminates processing.
- The event source for the Event Log is embedded in the same DLL as the main GPO executive. The reason for this decision was to keep deployment simple.

6.2 Information security

6.2.1 Active Directory

The solution maintains 3 pieces of information for the managed Administrator account in Active Directory:
- Current password
- Timestamp of expiration of the current password
- Password history

The permission model for this information is as follows:

Information | Who needs to read | Who needs to write
Password | PDS identity | Computer that owns the computer account (so every computer can write the password of its own admin account to AD)
Password expiration timestamp | PDS identity; computer that owns the computer account (so every computer can know whether it is time to change the password of its own admin account) | Computer that owns the computer account (so every computer can write only its own password expiration timestamp to AD); PDS identity
Password history | PDS identity | Computer that owns the computer account (so every computer can write the password history of its own admin account to AD); AD administrator, to maintain the password history

Note: Domain administrators can obviously read and write all attributes but, when the password is stored encrypted in AD, are still not able to get the decrypted password unless given explicit permission. Only the PDS can decrypt the password stored in AD.
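The CSE cycle of 6.1.1 (decide from ms-MCS-AdmPwdExpirationTime, generate, report to AD, then reset the local account) and the attribute values listed in 6.2.1 are modelled below as an added example. This is not the product's code: the real CSE is a native Group Policy extension DLL, so Python is used here only as a portable model of its logic. The computer object is a plain dict, SAMPLE_NOW is a constructed timestamp, and the encrypt callable stands in for the RSA CSP step; those names are assumptions of the example, while the attribute names, value formats, policy names and ranges come from the document.

```python
"""Model of the CSE password cycle of 6.1.1 and of the attribute values it
writes (6.1.1 step 8, 6.2.1). Added illustration, not the product's code:
the real CSE is a native DLL; the "directory" here is a plain dict."""
import base64
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2014, 9, 29, 23, 36, 50, tzinfo=timezone.utc)  # constructed


def to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME (100-ns ticks since 1601-01-01 UTC), the
    format of ms-MCS-AdmPwdExpirationTime. Integer arithmetic keeps it exact."""
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10


def from_filetime(ft: int) -> datetime:
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def password_due(expiration: Optional[int], now: datetime, max_age_hours: int,
                 expiration_protection: bool, manual_change_protection: bool,
                 os_age_seconds: Optional[int] = None,
                 expected_age_seconds: Optional[int] = None) -> Tuple[bool, str]:
    """Decision rules of 6.1.1 steps 2-4. Returns (reset_needed, reason)."""
    if expiration is None:                   # attribute empty: never managed
        return True, "never set"
    exp = from_filetime(expiration)
    # expiration further out than PasswordAge allows (event 10)
    if expiration_protection and exp > now + timedelta(hours=max_age_hours):
        return True, "expiration exceeds policy"
    # OS-reported password age differs from what the CSE expects (event 11);
    # the document accepts a difference of up to 3 seconds
    if (manual_change_protection and os_age_seconds is not None
            and expected_age_seconds is not None
            and abs(os_age_seconds - expected_age_seconds) > 3):
        return True, "manipulated outside the solution"
    if exp <= now:
        return True, "expired"
    return False, "not expired yet"


def generate_password(length: int = 12, complexity: int = 4) -> str:
    """Random password within PasswordLength (8-64) and PasswordComplexity
    (1 upper, 2 +lower, 3 +digits, 4 +special); each required class occurs."""
    if not 8 <= length <= 64 or not 1 <= complexity <= 4:
        raise ValueError("outside PasswordLength/PasswordComplexity ranges")
    classes = [string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation][:complexity]
    chars = [secrets.choice(c) for c in classes]           # one per class
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def format_admpwd(password: str, key_id: Optional[int] = None,
                  encrypt: Optional[Callable[[bytes], bytes]] = None) -> str:
    """ms-MCS-AdmPwd value: plaintext, or "<keyID>: <Base64 blob>" when
    encryption is on. 'encrypt' is a stand-in for the RSA CSP public-key step."""
    if key_id is None:
        return password
    blob = encrypt(password.encode("utf-16-le"))
    return f"{key_id}: {base64.b64encode(blob).decode('ascii')}"


def parse_admpwd(value: str, encrypted: bool) -> Tuple[Optional[int], object]:
    """Inverse of format_admpwd: (key_id, blob) or (None, plaintext)."""
    if not encrypted:
        return None, value
    key_id, _, b64 = value.partition(": ")
    return int(key_id), base64.b64decode(b64)


def history_entry(now: datetime, admpwd_value: str) -> str:
    """ms-MCS-AdmPwdHistory entry: "<generalized time>: <ms-MCS-AdmPwd value>"."""
    return f"{now:%Y%m%d%H%M%S}.0Z: {admpwd_value}"


def run_cse(computer: dict, policy: dict, now: datetime,
            reset_local: Callable[[str], None], key_id: Optional[int] = None,
            encrypt: Optional[Callable[[bytes], bytes]] = None,
            **age_check) -> str:
    """One GPO refresh: decide, generate, report to AD first, reset the local
    account last (the step 8 -> step 9 ordering). Returns the decision reason."""
    due, reason = password_due(computer.get("ms-MCS-AdmPwdExpirationTime"), now,
                               policy["PasswordAge"],
                               bool(policy.get("PwdExpirationProtectionEnabled", 0)),
                               bool(policy.get("ManualPasswordChangeProtectionEnabled", 1)),
                               **age_check)
    if not due:
        return reason
    pwd = generate_password(policy.get("PasswordLength", 12),
                            policy.get("PasswordComplexity", 4))
    value = format_admpwd(pwd, key_id, encrypt)
    computer["ms-MCS-AdmPwd"] = value
    computer["ms-MCS-AdmPwdExpirationTime"] = to_filetime(
        now + timedelta(hours=policy["PasswordAge"]))
    if policy.get("PwdHistoryEnabled"):
        computer.setdefault("ms-MCS-AdmPwdHistory", []).append(history_entry(now, value))
    reset_local(pwd)          # only after AD accepted the new value
    return reason
```

The order inside run_cse is the point of 6.1.1 step 9: the directory write happens before the local reset, so a failed LDAP operation leaves the old password both in AD and on the machine, never a password that exists only locally. The expiration-protection and manipulation checks run before the plain expiry test because both are meant to force a reset even when the stored timestamp still lies in the future.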
6.2.2 Network communication

Network transmission protection covers the following communication:
- Between a managed machine and AD
- Between AD and the PDS
- Between the PDS and client tools

In all of the above scenarios, all transferred information is encrypted by Kerberos encryption, protecting the transmitted data from eavesdropping.

6.2.3 PDS

The solution implements 2 new extended rights in Active Directory:
- Read Local Admin Password
- Reset Local Admin Password

The rights are imported into AD as part of the AD preparation procedure (PowerShell cmdlet Update-AdmPwdADSchema). Those rights are not used by AD itself; they are used by the PDS to perform authorization checks. The permissions apply to computer objects; use the PowerShell cmdlets Set-AdmPwdReadPasswordPermission and Set-AdmPwdResetPasswordPermission to grant the respective permissions to the security principals who need them. By default, no one is granted the permission to read and reset admin passwords.

6.2.4 Protection against deletion of computer account

Computer accounts might be subject to accidental deletion. In such a case (especially when the AD Recycle Bin feature of Windows 2008 R2 is not implemented) the password of the built-in Administrator account would be lost and there would be no easy way for support staff to read it: it would require using a SystemState backup to read the password, unless the Forest Functional Level (FFL) is Windows 2008 R2 and the AD Recycle Bin feature is turned on.
The approach for protection against accidental deletion of a computer account is implemented as follows:
- The ms-MCS-AdmPwd and ms-MCS-AdmPwdHistory attributes are added to the set of attributes that are not stripped from the object during deletion
- This means that the password is still available on the tombstone of the computer account for the lifetime of the tombstone, which is 180 days by default
- So when accidental deletion of a computer account occurs, the Domain Admin role is able to quickly recover the password from the tombstone object
- Only after the tombstone expires is the password definitely lost. The tombstone lifetime is long enough for the purpose of password recovery

The main benefit of this approach is that passwords need not be exported from the AD infrastructure to an independent location where they would need special protection, just for the sake of handling the special case of an accidentally deleted computer account.

6.3 Active Directory infrastructure

The Active Directory infrastructure supports the solution by:
- Implementing the shared storage of the information maintained by the solution
- Implementing the GPO framework that is used to trigger CSE activity
- Maintaining the security model in the ACLs applying to computer objects

The following paragraphs summarize the changes that are required at the Active Directory level when implementing the solution.

6.3.1 AD Schema

The solution relies on 3 new attributes added to the AD schema. The attributes store the password of the managed local administrator account of each workstation, the password history and the timestamp of password expiration. All attributes are added to the may-contain attribute set of the computer class. The specification of the new attributes is in the table below.
Attribute: ms-MCS-AdmPwd
  OID: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
  Syntax: 2.5.5.5 (Printable case-sensitive string)
  omSyntax: 19
  isSingleValued: True
  searchFlags: 904 (fCONFIDENTIAL | fPRESERVEONDELETE | fRODCFilteredAttribute | fNeverAuditValue)
  isMemberOfPartialAttributeSet: False

Attribute: ms-MCS-AdmPwdExpirationTime
  OID: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2
  Syntax: 2.5.5.16 (Large integer)
  omSyntax: 65
  isSingleValued: True
  searchFlags: 0
  isMemberOfPartialAttributeSet: False

Attribute: ms-MCS-AdmPwdHistory
  OID: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.3
  Syntax: 2.5.5.5 (Printable case-sensitive string)
  omSyntax: 19
  isSingleValued: False
  searchFlags: 904 (fCONFIDENTIAL | fPRESERVEONDELETE | fRODCFilteredAttribute | fNeverAuditValue)
  isMemberOfPartialAttributeSet: False

Attributes that contain the password are flagged as:
- Confidential: the CONTROL_ACCESS permission is required to read the value of the attribute, so the password is better protected
- Preserved on delete: the value is not stripped from the tombstone, so it is possible to recover the password from a deleted object
- RODC filtered: the value is not replicated to RODCs
- Excluded from audit: the domain controller does not write the value of the attribute to the Security log when detailed auditing is enabled

6.3.2 Extended rights

The solution defines 2 new extended rights in the AD Configuration partition. The specification is in the table below.

Right: ms-McsAdmPwdReadPassword
  objectClass: controlAccessRight
  displayName: Read Local Administrator Password
  appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2 (computer objects)
  rightsGuid: 2a72352f-f5f8-40a3-83b2-1d8562fa90c4
  validAccesses: 256 (see http://blogs.msdn.com/b/openspecification/archive/2009/08/19/active-directory-technical-specification-control-access-rights-concordance.aspx for details)
  showInAdvancedViewOnly: FALSE

Right: ms-McsAdmPwdResetPassword
  objectClass: controlAccessRight
  displayName: Reset Local Administrator Password
  appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2 (computer objects)
  rightsGuid: 5E4DF2BA-49FB-4703-87D9-B69F00C4C039
  validAccesses: 256
  showInAdvancedViewOnly: FALSE

6.4 Password Decryption Service

The Password Decryption Service (PDS) plays the following key roles:
- Handling password retrieval and password reset requests from users
- Maintenance of key pairs
- Recording of the audit trail

The PDS is designed to operate in multiple AD forests. This means that an AD forest can be covered by an instance of the PDS running in a different AD forest, provided that the following prerequisites are met:
- There is at least a one-way trust relationship between the forest where the PDS is installed (the PDS forest) and the other forest, so that permissions can be granted in the other forest to security principals from the PDS forest
- Permissions to read the password, to reset the password and for the PDS itself are granted using objects resolvable from the PDS forest, such as global groups from the PDS forest
- The PDS is allowed to perform authenticated LDAP operations against domain controllers of the other forest
- Any AD domain where users of the PDS service have user accounts has SRV records for the PDS created in its DNS zone, pointing to the PDS server instance(s)

The PDS logs all activities into a dedicated Windows log. The PDS is implemented as a Win32 service with the name “AdmPwd.PDS” and display name “AdmPwd PDS”.
The service executable and all related files are installed to %ProgramFiles%\Svc, and the service is installed to run under the NETWORK SERVICE account. The service configuration is managed by the config file AdmPwd.Service.exe.config, located in the service install folder. The PDS keeps key pairs in the CryptoKeyStorage subfolder. The setup program sets the ACL on this subfolder so that only SYSTEM, Administrators and NETWORK SERVICE have access to it. The PDS registers and maintains a DNS SRV record that is used by service clients to find the service. The paragraphs below describe implementation details of the service components.

6.4.1 API

The PDS exposes the API specified in the paragraphs below.

6.4.1.1 General

6.4.1.1.1 Error signalization

Upon error, the service throws a FaultException carrying a ServiceFault instance and an informative message about the error.

Example:

    ServiceFault f = new ServiceFault();
    f.IssueCode = IssueType.KeyAdminRoleNotFound;
    f.Issue = "Cannot get key admins role name";
    f.Details = ex.Message;
    throw new FaultException<ServiceFault>(f, new FaultReason(ex.Message));

Definition of structures:

    public class ServiceFault
    {
        public IssueType IssueCode;
        public string Issue;
        public string Details;
        public List<string> AdditionalInfo;
    }

    public enum IssueType
    {
        ComputerNotFound,
        ComputerAmbiguous,
        AccessDenied,
        KeyAdminRoleNotFound,
        SupportedKeySizesNotFound,
        PublicKeyNotFound,
        CannotValidateAdminPrivilege,
        CannotGenerateKeyPair,
        CannotRetrievePassword,
        CannotResetPassword
    }

6.4.1.2 Common classes

6.4.1.2.1 Service response base class

ServiceResponse is a placeholder base class, reserved for future use in case common data is needed in every service response.

    public class ServiceResponse
    {
    }

6.4.2 Interface

6.4.2.1 Local admin password retrieval

Clients call this method to retrieve the local admin password for a given computer, optionally with the password history. The ComputerName parameter in the request accepts either a computer name or the DN of the computer object in AD.
The ForestDnsName parameter specifies the name of the forest, domain or DC to contact when looking for the computer account. Calls to this method are audited.

    GetAdminPasswordResponse GetAdminPassword(GetAdminPasswordRequest);

    public class GetAdminPasswordRequest
    {
        public string ComputerName;
        public bool IncludePasswordHistory = false;
        public string ForestDnsName = string.Empty;
    }

    public class GetAdminPasswordResponse : ServiceResponse
    {
        public string ComputerDN;
        public string ComputerName;
        public string Password;
        public DateTime ExpirationTime;
        public uint KeyId;
        public List<PwdInfo> PasswordHistory = new List<PwdInfo>();
    }

    public class PwdInfo
    {
        public DateTime ValidSince;
        public DateTime ValidUntil;
        public string Password;
        public uint KeyId;
    }

6.4.2.2 Local admin password reset

Upon successful password reset, the PDS returns the DN of the computer on which the reset was performed. The ComputerName parameter in the request accepts either a computer name or the DN of the computer object in AD. The ForestDnsName parameter specifies the name of the forest, domain or DC to contact when looking for the computer account. Calls to this method are audited.

    ResetAdminPasswordResponse ResetAdminPassword(ResetAdminPasswordRequest);

    public class ResetAdminPasswordRequest
    {
        public string ComputerName;
        public DateTime WhenEffective;
        public string ForestDnsName = string.Empty;
    }

    public class ResetAdminPasswordResponse : ServiceResponse
    {
        public string ComputerDN;
    }

6.4.2.3 Key pair creation

The service accepts GenerateKeyPair() calls only from users in the KeyAdmin role (see 6.4.3 for details). Upon successful completion, the service returns the ID of the new key pair and the public key part of the newly created key pair. The KeySize parameter in the request accepts only the values allowed by the service config file (see 6.4.3 for details). Calls to this method are audited.
    GenerateKeyPairResponse GenerateKeyPair(GenerateKeyPairRequest);

    public class GenerateKeyPairRequest
    {
        public int KeySize;
    }

    public class GenerateKeyPairResponse : ServiceResponse
    {
        public UInt32 KeyId;
        public string PublicKey;
    }

6.4.2.4 Key admin role detection

This is a helper method that allows the caller to find out whether or not it has been granted the KeyAdmin role in the PDS. It is used by the Web UI to decide whether or not to render the Key Admin UI to the user. Calls to this method are not audited.

    IsKeyAdminResponse IsKeyAdmin();

    public class IsKeyAdminResponse : ServiceResponse
    {
        public bool IsKeyAdmin;
    }

6.4.2.5 Retrieval of public key

Used to retrieve the public key part of an existing key pair. The returned public key is Base64 encoded, ready to be put into a GPO and distributed to clients. Calls to this method are not audited.

    GetPublicKeyResponse GetPublicKey(GetPublicKeyRequest);

    public class GetPublicKeyRequest
    {
        public UInt32 KeyId;
    }

    public class GetPublicKeyResponse : ServiceResponse
    {
        public UInt32 KeyId;
        public string PublicKey;
    }

6.4.2.6 Retrieval of all available public keys

Used to retrieve the public key part of all existing key pairs. The returned public keys are Base64 encoded, ready to be put into a GPO and distributed to clients. Used by the Web UI. Calls to this method are not audited.

    GetPublicKeysResponse GetPublicKeys(GetPublicKeysRequest);

    public class GetPublicKeysRequest
    {
    }

    public class GetPublicKeysResponse : ServiceResponse
    {
        public Dictionary<UInt32, string> PublicKeys;
    }

6.4.2.7 Supported key sizes

Used to retrieve the list of key sizes supported by the PDS. Calls to this method are not audited.

    GetSupportedKeySizesResponse GetSupportedKeySizes();

    public class GetSupportedKeySizesResponse : ServiceResponse
    {
        public int[] KeySize;
    }

6.4.2.8 Key Admin role name

Used to retrieve the name of the AD group that implements the Key Admin role. Calls to this method are not audited.
    GetKeyAdminsRoleNameResponse GetKeyAdminsRoleName();

    public class GetKeyAdminsRoleNameResponse : ServiceResponse
    {
        public string KeyAdminRoleName;
    }

6.4.3 Configuration

The configuration of the service is maintained in the AdmPwd.Service.exe.config file. The service recognizes 2 configuration sections in the configuration file:

    <section name="PDS" type="AdmPwd.Service.Config.PDS, AdmPwd.Service" />
    <section name="KeyStore" type="AdmPwd.Service.KeyStore.Config.KeyStoreConfig, AdmPwd.Service" />

Details of the format and configuration parameters of each configuration section are specified in the paragraphs below.

6.4.3.1 PDS

PDS parameters are configured by the configuration section shown in the sample below:

    <PDS>
      <Dns>
        <Autodiscovery UnregisterOnShutdown="true" RegistrationInterval="86400" Priority="100" Weight="100" TTL="1200">
          <DomainsToPublish>
            <add domain="root.mydomain.com"/>
            <add domain="root.mydomain2.com"/>
          </DomainsToPublish>
        </Autodiscovery>
      </Dns>
      <KeyStore assembly="AdmPwd.Service" typeName="AdmPwd.Service.KeyStore.FileSystemKeyStore"/>
      <AccessControl DontHonorFullControlPermission="true"/>
      <KeyAdmin role="Enterprise Admins"/>
    </PDS>

Parameters:

Parameter | Meaning | Note
Dns – Autodiscovery – UnregisterOnShutdown | Whether or not the PDS unregisters its own DNS SRV record during service shutdown | Optional parameter. Default: true
Dns – Autodiscovery – RegistrationInterval | Interval for DNS SRV record refresh, in seconds. The PDS automatically refreshes its own SRV record to prevent expiration | Optional parameter. Default: 86400 (1 day). Setting to 0 disables SRV record refresh
Dns – Autodiscovery – Priority | Priority of the SRV record created by the PDS instance (see http://www.ietf.org/rfc/rfc2782.txt for more info) | Optional parameter. Default: 100
Dns – Autodiscovery – Weight | Weight of the SRV record created by the PDS instance | Optional parameter. Default: 100. Note: the client tools delivered as part of the solution ignore the weight of SRV records and thus do not perform load balancing
Dns – Autodiscovery – TTL | TTL of the registered SRV record, in seconds | Optional parameter. Default: 1200 (20 minutes)
Dns – Autodiscovery – DomainsToPublish | List of domains the PDS registers its SRV records in. Each domain is specified by its own <add domain=[domainName] /> record | Optional parameter. If missing or no domain is specified, the PDS registers its SRV record in its own domain only
KeyStore – assembly | Name of the assembly containing the implementation of the KeyStore | The solution supports implementation of a custom KeyStore. Registration of the assembly implementing the KeyStore is provided in this part of the configuration. The solution comes with an implementation of a default KeyStore that stores keys in the filesystem of the PDS server
KeyStore – typeName | Full name of the type exported from the assembly implementing the KeyStore | See above
AccessControl – DontHonorFullControlPermission | Whether or not to honor the Full Control permission on the computer object when performing authorization checks for password reads and resets. When set to FALSE, users who have Full Control permission on computer objects can read and reset the local admin password even when they are not given the explicit permissions specified in 6.3.2 | Optional parameter. Default: true (the Full Control right does NOT give permission to read/reset the local admin password)
KeyAdmin – role | Name of the AD group implementing the Key Admin role | Optional parameter. Default: Enterprise Admins. Note: best practice is to enter the role name in Domain\Group format

6.4.3.2 KeyStore

KeyStore parameters are configured by the configuration section below:

    <KeyStore path="CryptoKeyStorage" pathType="Relative" FavorOAEP="true">
      <SupportedKeySizes>
        <add value="1024"/>
        <add value="2048"/>
        <add value="3072"/>
        <add value="4096"/>
      </SupportedKeySizes>
    </KeyStore>

Parameter | Meaning | Note
path | Location of the folder that contains the files with RSA key pairs | Optional parameter. Default: CryptoKeyStorage. Shall not contain a trailing backslash
pathType | Descriptor of the meaning of the path value | Optional parameter. Default: Relative. Possible values: Absolute (path contains an absolute path); Relative (path contains a path relative to the installation folder of the PDS)
favorOAEP | Whether the PDS shall consider PKCS or OAEP padding when decrypting the password | This is for compatibility with older versions. Since version 7.1.0.0, the client side has been using OAEP padding for password encryption; earlier versions used PKCS padding
SupportedKeySizes | List of key sizes offered by the PDS for new keys. Each key size is specified by its own <add value=[value] /> record | Accepts the values specified for CALG_RSA_KEYX (see footnote 7). Default: 1024, 2048, 3072 and 4096 bits

6.4.4 Logging

The PDS records its activity into a dedicated Windows log: Application and Service logs\LAPS Password Decryption Service.
Events logged by PDS fall into two categories:
- Operational
- Audit

Footnote 7 (CALG_RSA_KEYX): http://msdn.microsoft.com/en-us/library/windows/desktop/aa387690(v=vs.85).aspx

Below is the specification of the events for each category.

6.4.4.1 Operational

ID | Severity | Description | Comment
100 | Success | Service started |
101 | Success | Service stopped |
102 | Success | Autodiscover record updated | Logged every time PDS successfully updates its DNS SRV record
102 | Error | Failed to update Autodiscover record. Error: %1 | Logged when PDS fails to update its DNS SRV record. %1 contains the error data from the low-level DNS API
103 | Success | Autodiscover record removed | Logged when PDS removes its DNS SRV record. Only happens when the SrvRecordUnregisterOnShutdown parameter is set to TRUE
103 | Error | Failed to remove Autodiscover record. Error: %1 | Logged when PDS fails to remove its DNS SRV record
104 | Information | Registering autodiscover SRV record with following: Domain: %1 Host: %2 Port: %3 Priority: %4 Weight: %5 TTL: %6 | Logged before registration of the DNS SRV record. Shows the parameters of the SRV record being registered
105 | Warning | Expiration time exists but password empty. This typically happens when the service does not have properly configured permissions in AD. Please verify the configuration and, if needed, fix permissions via the Set-AdmPwdServiceAccountPermission cmdlet. Computer: %1 User: %2 | Logged when the service detects that the response to a local admin password retrieval contains the password expiration timestamp but not the password itself. This notifies the administrator of the solution that PDS may not have enough permissions to read the password from AD
106 | Success | Key pair loaded. Id: %1 | Logged when PDS loads a key pair
106 | Warning | Public key not found for private key. Server will still be able to decrypt passwords encrypted by public key, however you should consider key replacement. Id: %1 | Logged when PDS finds a private key without the corresponding public key in the key store
107 | Warning | File based keystore does not exist. No keys will be loaded. Keystore folder: %1 | Logged when the configuration of PDS points to a non-existing folder for the file system based keystore
108 | Error | Error during Autodiscover registration/unregistration. Error: %1 | Logged when PDS fails to register or unregister the SRV record due to invalid configuration (such as when the TTL of the record in the config file is not a number)

6.4.4.2 Audit

ID | Severity | Description | Comment
1000 | Informational | Admin password retrieved. Forest: %1 Computer: %2 User: %3 |
1000 | Warning | Failed to retrieve admin password. Forest: %1 Computer: %2 User: %3 Error: %4 | Including the scenario when the user requesting the password retrieval does not have the permission granted
1001 | Informational | Admin password reset. Forest: %1 Computer: %2 User: %3 Expiration time: %4 | Expiration time is the expiration time specified by the user in the request. For immediate expiration, the current time is sent
1001 | Warning | Failed to reset admin password. Forest: %1 Computer: %2 User: %3 Error: %4 | Including the scenario when the user requesting the password reset does not have the permission granted
1002 | Informational | Key pair generated. KeyID: %2 User: %1 |
1002 | Warning | Failed to generate key pair. User: %1 Error: %2 | Including the scenario when the user requesting key pair generation is not a member of the Key Admin role

Note that the same event ID is used for the success and the failure outcome of an operation; filters and alerts must key on ID and severity (level) together, not on ID alone.

6.4.5 Autodiscovery

PDS registers an autodiscover SRV record in DNS. The record helps client tools locate an instance of the PDS service. The service is supported to run in multiple instances; each instance maintains its own SRV record.
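An added example for the event catalogue of 6.4.4 (this is editor-supplied code, not part of the specification or of the product): it flattens PDS events into records using the message fields listed above and runs three checks over them: repeated failed retrievals/resets by one principal, successful retrievals by a principal outside an expected reader group, and any event 105. Event IDs, severities and field names are from the specification; the log name passed to Get-WinEvent, the reader group and the sample events are assumptions.

```powershell
# Added example, not part of the LAPS.E specification: triage of PDS audit events (6.4.4.2)
# and of the permission warning 105 (6.4.4.1). Event IDs, severities and message fields are
# from the spec; the log name given to Get-WinEvent, the reader group and the sample events
# below are assumptions.

function ConvertFrom-AdmPwdEvent {
    # Flattens one event (as returned by Get-WinEvent: Id, LevelDisplayName, TimeCreated,
    # Message) into a record carrying the "Name: value" fields of the PDS messages.
    param([Parameter(Mandatory, ValueFromPipeline)] $WinEvent)
    process {
        $f = @{}
        foreach ($line in ($WinEvent.Message -split "`r?`n")) {
            if ($line -match '^\s*(Forest|Computer|User|Error|Expiration time|KeyID)\s*:\s*(.*)$') {
                $f[$matches[1]] = $matches[2].Trim()
            }
        }
        $action = switch ($WinEvent.Id) { 1000 { 'Retrieve' } 1001 { 'Reset' } 1002 { 'KeyGen' } 105 { 'PdsCannotReadPassword' } default { 'Other' } }
        [pscustomobject]@{
            Time     = $WinEvent.TimeCreated
            Id       = $WinEvent.Id
            Action   = $action
            # Spec: a failed retrieve/reset/keygen is logged under the same ID with Warning severity
            Success  = ($WinEvent.LevelDisplayName -ne 'Warning')
            Forest   = $f['Forest']; Computer = $f['Computer']; User = $f['User']; Error = $f['Error']
        }
    }
}

function Find-AdmPwdAuditAnomaly {
    # Findings: (a) a user with $FailureThreshold or more failed retrieve/reset requests inside
    # $Window (permission probing or a scripted sweep); (b) a successful retrieval by a user not
    # in $ExpectedReaders; (c) any event 105 (PDS itself lacks read permission in AD).
    param(
        [Parameter(Mandatory)] [object[]] $Record,
        [string[]] $ExpectedReaders = @(),
        [int] $FailureThreshold = 3,
        [timespan] $Window = [timespan]::FromMinutes(10)
    )
    $findings = @()
    $failed = $Record | Where-Object { $_.Action -in 'Retrieve', 'Reset' -and -not $_.Success }
    foreach ($g in ($failed | Group-Object User)) {
        $times = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
        for ($i = 0; $i + $FailureThreshold -le $times.Count; $i++) {       # sliding window
            if (($times[$i + $FailureThreshold - 1] - $times[$i]) -le $Window) {
                $findings += [pscustomobject]@{ Type = 'RepeatedFailures'; User = $g.Name; Count = $g.Count
                                                Detail = (($g.Group | ForEach-Object { $_.Computer }) -join ',') }
                break
            }
        }
    }
    foreach ($r in $Record) {
        if ($r.Action -eq 'Retrieve' -and $r.Success -and $ExpectedReaders -and $r.User -notin $ExpectedReaders) {
            $findings += [pscustomobject]@{ Type = 'UnexpectedReader'; User = $r.User; Count = 1; Detail = $r.Computer }
        }
        if ($r.Id -eq 105) {
            $findings += [pscustomobject]@{ Type = 'PdsPermissionGap'; User = $r.User; Count = 1; Detail = $r.Computer }
        }
    }
    return $findings
}

# Constructed sample events in the message layout of 6.4.4 (not real log data).
$t0 = Get-Date '2016-01-04 09:00:00'
$sample = @(
    @{ Id = 1000; LevelDisplayName = 'Information'; TimeCreated = $t0;               Message = "Admin password retrieved.`r`nForest: contoso.com`r`nComputer: WS001`r`nUser: CONTOSO\hd-anna" },
    @{ Id = 1000; LevelDisplayName = 'Warning';     TimeCreated = $t0.AddMinutes(1); Message = "Failed to retrieve admin password.`r`nForest: contoso.com`r`nComputer: WS002`r`nUser: CONTOSO\jdoe`r`nError: Access denied" },
    @{ Id = 1000; LevelDisplayName = 'Warning';     TimeCreated = $t0.AddMinutes(2); Message = "Failed to retrieve admin password.`r`nForest: contoso.com`r`nComputer: WS003`r`nUser: CONTOSO\jdoe`r`nError: Access denied" },
    @{ Id = 1000; LevelDisplayName = 'Warning';     TimeCreated = $t0.AddMinutes(3); Message = "Failed to retrieve admin password.`r`nForest: contoso.com`r`nComputer: WS004`r`nUser: CONTOSO\jdoe`r`nError: Access denied" },
    @{ Id = 105;  LevelDisplayName = 'Warning';     TimeCreated = $t0.AddMinutes(5); Message = "Expiration time exists but password empty.`r`nComputer: WS010`r`nUser: CONTOSO\hd-anna" }
) | ForEach-Object { [pscustomobject]$_ }

$records  = $sample | ConvertFrom-AdmPwdEvent
$findings = Find-AdmPwdAuditAnomaly -Record $records -ExpectedReaders 'CONTOSO\hd-anna'
$findings | Format-Table Type, User, Count, Detail -AutoSize

# Live use against the log named in 6.4.4 (log name as passed to Get-WinEvent is an assumption):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'LAPS Password Decryption Service'; Id = 105, 1000, 1001, 1002 } |
#             ConvertFrom-AdmPwdEvent
# Find-AdmPwdAuditAnomaly -Record $live -ExpectedReaders 'CONTOSO\hd-anna'
```

The threshold and window are tuning knobs; what matters is that a failed retrieval is distinguished from a successful one by severity, because the ID is shared. Event 105 is a server-side misconfiguration signal and should page the PDS owner rather than the helpdesk, since every retrieval will fail until the service account permissions are fixed.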
Clients use the SRV record to discover instances of PDS as follows:
- At startup, the client queries DNS for the SRV record _admpwd._tcp.<domain>, where <domain> is the client's domain
- The client orders the SRV records from the DNS response in ascending order by Priority to get the list of connections to use
  o For each request for PDS, the client takes a connection to an instance of PDS from the list
  o Before the connection is used, the client verifies that the PDS instance behind it is responding
  o If the instance is not responding, the connection is marked as unavailable and the client tries the next connection in the list; if that one is not responding either, it is marked as unavailable too, and so on
  o As long as there is at least one connection in the list marked as available, the client uses it
  o When no connection in the list is marked as available, the client performs a full discovery of available services (via a DNS query for the PDS SRV records) and throws an exception informing the upper layers of application logic that no service was available
  o After receiving the exception, the upper layers of application logic decide how to continue. When the decision is to retry the request, the freshly discovered list of instances is used

Decision flow (flowchart in the original document):
Application startup -> Discover PDS instances from DNS -> Order instances by priority -> Wait for next request for PDS
Request to PDS -> Get first available instance from the list -> Is instance alive?
  Yes -> Use the instance to fulfill the request -> Wait for next request for PDS
  No -> Mark instance as unavailable -> Was it last available instance?
    No -> Get next available instance -> Is instance alive? (repeat)
    Yes -> Discover PDS instances from DNS (full discovery) and report that no service is available

An instance of the PDS service maintains the SRV record in its own AD domain only. This means that the autodiscover record needs to be created in every domain that hosts machines with client tools installed (not managed computers).
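The client-side procedure above, written out as an added example (editor-supplied code, not the client tools' own implementation): discovery orders the SRV answers, each request takes the first instance still marked available that passes a liveness probe, dead instances are marked unavailable, and when none is left the list is rediscovered and an exception is thrown. The record name, ordering by Priority, the fail-over behaviour and port 61184 (default base address in 6.4.6) are from the specification; the TCP-connect probe, Weight as a tie-break, the host names, the sample records and the Add-DnsServerResourceRecord call for a client-only domain are assumptions.

```powershell
# Added example, not part of the LAPS.E specification: the discovery and fail-over procedure
# of 6.4.5 as reusable functions, plus the manual SRV record for a domain that has client
# tools but no PDS of its own. Host names, the probe and the sample records are assumptions.

$script:PdsInstances = @()

function Find-PdsInstance {
    # Full discovery: query the SRV record of the client's domain and order the answers
    # by Priority (Weight, high first, as tie-break: my addition). -Records injects records
    # for offline use; otherwise DNS is queried.
    param([string] $Domain = $env:USERDNSDOMAIN, [object[]] $Records)
    if (-not $Records) {
        $Records = Resolve-DnsName -Name "_admpwd._tcp.$Domain" -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
    }
    $script:PdsInstances = @($Records |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        ForEach-Object { [pscustomobject]@{ HostName = $_.NameTarget; Port = $_.Port
                                            Priority = $_.Priority; Weight = $_.Weight; Available = $true } })
    return $script:PdsInstances
}

function Test-PdsAlive {
    # Liveness probe run before a connection is handed out: TCP connect with a short timeout.
    param([string] $HostName, [int] $Port, [int] $TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-PdsConnection {
    # Per-request selection as in the flowchart: first instance still marked available that
    # answers the probe; dead ones are marked unavailable. When none is left, the list is
    # rediscovered from DNS and an exception is thrown so the caller can decide to retry.
    param([string] $Domain = $env:USERDNSDOMAIN, [scriptblock] $Probe = ${function:Test-PdsAlive})
    if ($script:PdsInstances.Count -eq 0) { [void](Find-PdsInstance -Domain $Domain) }
    foreach ($inst in @($script:PdsInstances | Where-Object { $_.Available })) {
        if (& $Probe $inst.HostName $inst.Port) { return $inst }
        $inst.Available = $false
    }
    [void](Find-PdsInstance -Domain $Domain)
    throw "No PDS instance in $Domain is responding; instance list refreshed from DNS for the next attempt"
}

# Offline demonstration with constructed records; the preferred instance pds01 is "down".
$sample = @(
    [pscustomobject]@{ Type = 'SRV'; NameTarget = 'pds01.contoso.com'; Port = 61184; Priority = 0;  Weight = 100 },
    [pscustomobject]@{ Type = 'SRV'; NameTarget = 'pds02.contoso.com'; Port = 61184; Priority = 10; Weight = 100 }
)
[void](Find-PdsInstance -Domain 'contoso.com' -Records $sample)
$conn = Get-PdsConnection -Domain 'contoso.com' -Probe { param($h, $p) $h -ne 'pds01.contoso.com' }
$conn | Format-List HostName, Port, Priority
$script:PdsInstances | Format-Table HostName, Priority, Available -AutoSize

# Client-only domain: publish the record by hand on that domain's DNS server, pointing at a
# PDS instance in another domain (DnsServer module; the TTL value is an assumption).
Add-DnsServerResourceRecord -Srv -ZoneName 'child.contoso.com' -Name '_admpwd._tcp' `
    -DomainName 'pds02.contoso.com' -Port 61184 -Priority 0 -Weight 100 `
    -TimeToLive (New-TimeSpan -Hours 1) -ComputerName 'dc1.child.contoso.com'
```

The probe is deliberately a plain TCP connect: it answers the "is instance alive" question in the flowchart without holding a WCF channel open. A manually created record is not refreshed by any PDS instance, so it has to be revisited when the target instance moves or is decommissioned.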
Creating the autodiscover record in every domain with client tools can be achieved in one of the following ways:
- Host the PDS service in every domain that contains machines with client tools
- In a domain that does not have an instance of PDS and contains machines with client tools, create the SRV record manually and point it to an instance of PDS in a different domain

6.4.6 Service account

The default service account for PDS is NETWORK SERVICE. In this configuration the service uses the SPN HOST/<hostDnsName>. It is however supported to run the service under a domain account. To do so, the service SPN must be changed and registered on the domain account. The change must be performed on both the service side (all running instances) and the client side.

To change the service identity on the server side, change <identity> in AdmPwd.Service.exe.config from <dns> to <servicePrincipalName> as shown below:

    <service behaviorConfiguration="AdmPwdService.ServiceBehavior" name="AdmPwd.Service.AdmPwdSvc">
      <endpoint address="" binding="netTcpBinding" name="NetTcpEndpoint" contract="AdmPwd.Service.IAdmPwdSvc">
        <identity>
          <servicePrincipalName value="SVC/AdmPwd" />
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexTcpBinding" bindingConfiguration="" name="MexTcpEndpoint" contract="IMetadataExchange" />
      <host>
        <baseAddresses>
          <add baseAddress="net.tcp://localhost:61184/AdmPwdService" />
        </baseAddresses>
      </host>
    </service>

Important: the content of the config file is case sensitive. Make sure you use the case shown in the sample above when making changes.

The change of service account on the server side must be matched by the configuration of the management tools. In the default configuration, management tools expect the service to use the SPN HOST/<hostDnsName>. In the configuration with a domain account, management tools need to use the service-specific SPN SVC/AdmPwd when calling PDS.
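The switch from NETWORK SERVICE to a domain account, driven end to end from one administrative host, as an added example (editor-supplied script, not part of the specification or of the product). Taken from the specification: the SPN SVC/AdmPwd, the CryptoKeyStorage folder, the Set-AdmPwdServiceAccountPermission cmdlet, the UseSharedSPN registry value and its policy (6.6.1), and the rule that every instance uses the same identity. Assumptions: the account, host, OU and GPO names; the Win32 service name AdmPwd.Service; the -Identity/-AllowedPrincipals parameter names of the cmdlet; and the AD path of the existing SRV record object (an AD-integrated zone stored in the DomainDnsZones partition).

```powershell
# Added example, not part of the LAPS.E specification: the change from NETWORK SERVICE to a
# domain account (6.4.6 checklist) run from one admin host. Assumptions: account, host, OU and
# GPO names; Win32 service name 'AdmPwd.Service'; the -Identity/-AllowedPrincipals parameters
# of Set-AdmPwdServiceAccountPermission; the AD path of the SRV record object.
#Requires -Modules ActiveDirectory, GroupPolicy, AdmPwd.PS
param(
    [string]   $ServiceAccount = 'CONTOSO\svc-pds',
    [string[]] $PdsHosts       = @('pds01.contoso.com', 'pds02.contoso.com'),
    [string]   $Win32Service   = 'AdmPwd.Service',
    [string]   $ManagedOu      = 'OU=Workstations,DC=contoso,DC=com',
    [string]   $MgmtToolsGpo   = 'LAPS.E Management Tools',
    [string]   $SrvRecordDn    = 'DC=_admpwd._tcp,DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'
)
$ErrorActionPreference = 'Stop'
$sam = $ServiceAccount.Split('\')[-1]

# 1. Register SVC/AdmPwd after checking that nobody else holds it: a duplicate SPN breaks Kerberos to PDS.
$holders = @(Get-ADObject -LDAPFilter '(servicePrincipalName=SVC/AdmPwd)' -Properties sAMAccountName)
if ($holders | Where-Object { $_.sAMAccountName -ne $sam }) {
    throw "SVC/AdmPwd is already registered on: $(($holders | ForEach-Object DistinguishedName) -join '; ')"
}
Set-ADUser -Identity $sam -ServicePrincipalNames @{ Add = 'SVC/AdmPwd' }

# 2. PDS permissions in AD on the managed OU (parameter names assumed; check Get-Help), and write
#    access to the SRV record the NETWORK SERVICE instances already created, so the new identity
#    can refresh it (otherwise event 102 Error of 6.4.4.1 appears).
Set-AdmPwdServiceAccountPermission -Identity $ManagedOu -AllowedPrincipals $ServiceAccount
$acl  = Get-Acl -Path "AD:\$SrvRecordDn"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule((Get-ADUser $sam).SID, 'GenericWrite', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$SrvRecordDn" -AclObject $acl

# 3. Management tools: policy "PDS service runs using domain account" = registry value UseSharedSPN (6.6.1).
Set-GPRegistryValue -Name $MgmtToolsGpo -Key 'HKLM\Software\Policies\Microsoft Services\AdmPwd' `
    -ValueName UseSharedSPN -Type DWord -Value 1 | Out-Null

# 4. On every instance: keystore ACL, service logon identity, restart. The same account everywhere.
$cred = Get-Credential -UserName $ServiceAccount -Message 'PDS service account password'
foreach ($h in $PdsHosts) {
    Invoke-Command -ComputerName $h -ArgumentList $ServiceAccount, $Win32Service, $cred.GetNetworkCredential().Password -ScriptBlock {
        param($acct, $svc, $secret)
        $store = Join-Path $env:ProgramFiles 'AdmPwd\Svc\CryptoKeyStorage'
        icacls $store /grant "$($acct):(OI)(CI)M" | Out-Null
        icacls $store /remove 'NT AUTHORITY\NETWORK SERVICE' | Out-Null   # the old identity loses the private keys
        # The private keys live here: any principal beyond SYSTEM, Administrators and the service
        # account (for example inherited Program Files read ACEs) is a finding to act on.
        $allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $acct
        $extra = (Get-Acl $store).Access | Where-Object { $_.IdentityReference.Value -notin $allowed }
        if ($extra) { Write-Warning "$($env:COMPUTERNAME): extra ACEs on keystore: $(($extra | ForEach-Object { $_.IdentityReference.Value }) -join ', ')" }
        $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
        $r = Invoke-CimMethod -InputObject $s -MethodName Change -Arguments @{ StartName = $acct; StartPassword = $secret }
        if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed on $($env:COMPUTERNAME): $($r.ReturnValue)" }
        Restart-Service -Name $svc
    }
}
```

Run step 4 only after the <identity> change in AdmPwd.Service.exe.config has been made on each host; the GPO from step 3 has to reach the management-tool machines before their next call to PDS, or they will keep requesting a HOST/ ticket that the domain account cannot decrypt. If the Web Portal is deployed, its KCD configuration is changed separately, as the note in the checklist says.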
The change of the management tools' configuration (use of the SPN SVC/AdmPwd) can be done via the registry, using GPO as specified in paragraph 6.6.1.

Checklist for changing from the NETWORK SERVICE account to a domain account:
[ ] Create an account for the service (service account) in the domain
[ ] Register the SPN SVC/AdmPwd on the service account
[ ] Grant the service account Modify permission on the CryptoKeyStorage folder
[ ] Grant the service account PDS permission in AD via the Set-AdmPwdServiceAccountPermission PowerShell cmdlet
[ ] Grant the service account permission to read/write the SRV record in DNS
[ ] Configure the Group Policy "PDS service runs using domain account" to Enabled and apply it to the machines that run management tools. This includes all machines running at least one of the following:
    o PowerShell module
    o Fat client UI
    o Web UI
[ ] Set the domain account as the logon identity of the PDS Win32 service and restart the service

Important: all installed PDS instances must use the same identity.

Note: if using the Web Portal, the configuration of KCD (Kerberos constrained delegation) needs to be changed when the identity of the PDS service account is changed.

6.5 Installer

The MSI installer is designed to install the following components:
- CSE (installed by default)
- PDS
- Management tools:
  o PowerShell module
  o Fat client UI
  o ADMX templates for the GPO editor

Specifics are described in the paragraphs below.

6.5.1 CSE

Installs the client side GPO extension that maintains the password of the local admin account.
CSE is installed to the %ProgramFiles%\AdmPwd\CSE folder.

In addition, the following actions can be performed during CSE installation:
- Creation of a custom local admin account
  o The account receives a cryptographically random, complex, 16-character password and is made a member of the local Administrators group
  o The installer performs this action when the value of the property CUSTOMADMINNAME is set to a value other than "__null__"
  o The value can be passed from the command line or via an MST file created by a tool of choice, such as Orca (footnote 8)
  o Example of a command line that installs CSE and creates the custom local admin account:
    msiexec /i AdmPwd.Setup.Adv.x64.msi /q CUSTOMADMINNAME=CustomAdmin
- Reset of the password of the built-in local admin account
  o The account receives a cryptographically random, complex, 16-character password
  o The installer performs this action when the value of the property PROTECTBUILTINADMIN is set to "true"

6.5.2 PDS

Installs the Password Decryption Service. The service is installed to the %ProgramFiles%\AdmPwd\Svc folder. When installing PDS, the following actions are performed:
- A Windows Firewall exception is created, allowing AdmPwd.Service.exe to open its endpoint
- The subfolder CryptoKeyStorage is created under %ProgramFiles%\AdmPwd\Svc, and the PDS service account (NETWORK SERVICE) receives read/write permission to this folder
  o This is necessary so that PDS can maintain key pairs in this folder
- The event message file of the service is registered with the EventLog service

Unattended setup of PDS can be achieved by the following command line:
    msiexec /i AdmPwd.Setup.Adv.<platform>.msi /q ADDLOCAL=Svc

Note: the command line above uninstalls CSE if it is installed. When you want PDS and CSE on the same machine, use the following command line:
    msiexec /i AdmPwd.Setup.Adv.<platform>.msi /q ADDLOCAL=CSE,Svc

Note: during uninstallation, the installer does NOT remove any key pairs contained in the CryptoKeyStorage folder. The private keys in that folder decrypt every password that was encrypted with the corresponding public key, so remove or archive them deliberately when decommissioning a PDS host.

6.5.3 PowerShell module

The PowerShell module name is AdmPwd.PS. It is installed to the $pshome\Modules\AdmPwd.PS folder.
The module is compiled for .NET Framework 4.0; it is however compatible with .NET Framework 2.0 as well. If it needs to run on a machine whose PowerShell host loads the .NET Framework 2.0 runtime by default (PowerShell 2.0), create a custom powershell.exe.config in the folder of powershell.exe with the following configuration section:

    <?xml version="1.0"?>
    <configuration>
      <startup useLegacyV2RuntimeActivationPolicy="true">
        <supportedRuntime version="v4.0.30319"/>
        <supportedRuntime version="v2.0.50727"/>
      </startup>
    </configuration>

Footnote 8 (Orca): http://msdn.microsoft.com/en-us/library/aa370557(v=vs.85).aspx

Unattended setup of the PowerShell module can be achieved by the following command line:
    msiexec /i AdmPwd.Setup.Adv.<platform>.msi /q ADDLOCAL=Management.PS

6.5.4 Fat client UI

The fat client UI is installed to %ProgramFiles%\AdmPwd. Unattended setup of the fat client can be achieved by the following command line:
    msiexec /i AdmPwd.Setup.Adv.<platform>.msi /q ADDLOCAL=Management.UI

The fat client supports running from a network share; to do so, all files contained in the install folder (without subfolders) need to be copied to the network share.

6.5.5 ADMX templates

ADMX templates are installed to the %SystemRoot%\PolicyDefinitions folder. Only the English (US) language version of the template is delivered as part of the solution.
If the organization uses a Central Store for ADMX templates (see https://support.microsoft.com/kb/929841 for details), the following files need to be copied to the central store manually:
- LAPS.E.admx
- en-US\LAPS.E.adml

The ADMX templates add the following UI to the Computer Configuration part of Administrative Templates in the GPO editor:
- AdmPwd: root container for configuration settings
  o Managed clients: configuration settings for managed clients
  o Administrative tools: configuration settings for management tools

Unattended setup of the ADMX templates can be achieved by the following command line:
    msiexec /i AdmPwd.Setup.Adv.<platform>.msi /q ADDLOCAL=Management.ADMX

6.6 Management tools

6.6.1 Configuration

Management tools do not require specific configuration to be able to communicate with PDS; PDS is discovered automatically using the discovery process described in 6.4.5. There may however be deployment scenarios that require configuration of the management tools. Management tools are configurable via values stored in the following registry path:

    HKLM\Software\Policies\Microsoft Services\AdmPwd

Currently the following configuration values are supported:

Value | Type | Meaning
UseSharedSPN | REG_DWORD | Setting a non-zero value causes management tools to use the SPN SVC/AdmPwd when communicating with PDS. When set to zero or not present at all, management tools use the SPN HOST/<ComputerDnsName> when communicating with the service. Managed by policy "PDS service runs using domain account"
SupportedForests | REG_MULTI_SZ | List of forests shown in the fat client UI and Web UI. Managed by policy "AD forests shown in management tools"

Note: in the GPO editor, all configuration settings for the management tools are located under Computer Configuration/Administrative Templates/LAPS Enterprise/Administrative Tools.

6.6.2 PowerShell module

The PowerShell module implements the cmdlets specified in the table below:

Cmdlet | Description | Communicates with / permission needed
Update-AdmPwdADSchema | Creates new attributes in the AD schema and adds them to the mayContain set of the computer class; creates extended rights in the configuration partition and applies them to the computer class | Active Directory. Needs Enterprise Admins and Schema Admins membership
Get-AdmPwdPassword | Retrieves the password of the local admin account for the given computer, optionally with password history | PDS. Needs Read Local Admin Password permission. Audited by PDS
Reset-AdmPwdPassword | Requests a reset of the password of the local admin account for the given computer | PDS. Needs Reset Local Admin Password permission. Audited by PDS
Set-AdmPwdSelfPermission | Delegates to managed computers the permission to manage the password of their own local admin account | Active Directory. Needs Write Permissions on the target container
Set-AdmPwdServiceAccountPermission | Delegates to the service account of PDS the permission to interact with AD | Active Directory. Needs Write Permissions on the target container
Set-AdmPwdReadPasswordPermission | Delegates permission to read the local admin password | Active Directory. Needs Write Permissions on the target container
Set-AdmPwdResetPasswordPermission | Delegates permission to reset the local admin password | Active Directory. Needs Write Permissions on the target container
Update-AdmPwdPasswordHistory | Maintains (trims) the password history record of the given computer based on the given criteria | Active Directory. Needs Read/Write + CONTROL_ACCESS permission on the computer object
New-AdmPwdKeyPair | Generates a new key pair in PDS | PDS. Needs Key Admin role in PDS. Audited by PDS
Get-AdmPwdPublicKey | Retrieves the public part of the key pair with the given ID from PDS | PDS. No special permission needed. Not audited
Get-AdmPwdKeySize | Gets the list of supported key sizes from PDS | PDS. No special permission needed. Not audited
Get-AdmPwdKeyAdminRoleName | Gets the name of the AD group implementing the Key Admin role | PDS. No special permission needed. Not audited

Note: for usage of the PowerShell cmdlets, refer to the cmdlet help that comes with the PowerShell module (Get-Help <name of cmdlet>).

7 Delivery

Delivery consists of the following components:
- MSI installer for the x86 and amd64 platforms
- CSE binary compiled in Visual C++ 2013, for the x86 and amd64 platforms
  o CSE is embedded in the MSI installer
  o Linked with the static runtime library, so it is not necessary to distribute the Visual C++ Redistributable to managed machines
- ADMX template for GPO configuration
  o Embedded in the MSI installer
- Binary for the PowerShell module AdmPwd.PS for management of the solution, and related files
  o Module and related files are embedded in the MSI installer
- Binary for PDS
  o Embedded in the MSI installer
- Web portal ready for deployment, with related files
  o Delivered as a separate ZIP archive
  o Ready for copy/paste deployment to IIS