Local admin password solution - Enterprise
Detailed functional specification
Version 7.2.0.1
Jiri Formacek
Change log and Approvals

Change log

Date | Author | Version | Summary of changes
14.8.2014 | Jiri Formacek | 5.0 | Description of features in version 5.0 of the solution
6.1.2015 | Jiri Formacek | 5.5.5 | Description of features in version 5.5.5 of the solution
1.2.2015 | Jiri Formacek | 5.5.5.1 | Corrected typos
10.4.2015 | Jiri Formacek | 5.5.7 | Updated based on feedback from deployments: mentioned case sensitivity of config file; added description of PowerShell module interactions and permissions needed; added description of autodiscovery process
22.4.2015 | Jiri Formacek | 5.5.8 | Added description of RODC support
25.8.2015 | Jiri Formacek | 7.1.1 | Added description of features added in version 7.1.1 of the solution
1.12.2015 | Jiri Formacek | 7.2.0 | Added description of features added in version 7.2.0 of the solution
4.1.2016 | Jiri Formacek | 7.2.0.1 | Fixed typos

Approvals

Name | Approved version | Position | Date
Page 2
Content

1 Management summary .... 5
2 Project Vision/Scope Summary .... 6
3 Requirements and design Goals .... 7
3.1 Business Requirements Summary .... 7
3.2 User Requirements Summary .... 8
3.3 Security Requirements Summary .... 8
3.4 Installation requirements .... 9
4 Solution architecture .... 10
4.1 CSE on managed machines .... 11
4.2 Active Directory .... 11
4.3 Group Policy .... 13
4.4 Password Decryption Service .... 13
4.5 Client UI .... 14
4.5.1 Fat client .... 14
4.5.2 PowerShell module .... 14
4.5.3 Web UI .... 14
5 Implementation of requirements .... 15
5.1 Business requirements .... 15
5.2 User requirements .... 16
5.3 Security requirements .... 17
5.4 Installation requirements .... 17
6 Solution Design .... 18
6.1 Client Side Group Policy Extension .... 18
6.1.1 Implementation .... 18
6.1.2 Configuration .... 20
6.1.3 Logging .... 23
6.2 Information security .... 26
6.2.1 Active Directory .... 26
6.2.2 Network communication .... 27
6.2.3 PDS .... 27
6.2.4 Protection against deletion of computer account .... 28
6.3 Active Directory infrastructure .... 28
6.3.1 AD Schema .... 29
6.3.2 Extended rights .... 30
6.4 Password Decryption Service .... 31
6.4.1 API .... 32
6.4.2 Interface .... 33
6.4.3 Configuration .... 37
6.4.4 Logging .... 40
6.4.5 Autodiscovery .... 43
6.4.6 Service account .... 45
6.5 Installer .... 46
6.5.1 CSE .... 46
6.5.2 PDS .... 47
6.5.3 PowerShell module .... 47
6.5.4 Fat client UI .... 48
6.5.5 ADMX templates .... 48
6.6 Management tools .... 49
6.6.1 Configuration .... 49
6.6.2 PowerShell module .... 50
7 Delivery .... 51
1 Management summary
This document provides the technical specification of the features available in the Enterprise version of “Local Administrator Password Solution” (“LAPS.E”).
There is also a Basic version of the solution, freely available on the MS Download Center here: http://www.microsoft.com/en-us/download/details.aspx?id=46899. The Enterprise version brings additional functionality, namely:
- Encryption of the admin password stored in AD
- Password history
- Simplified security model and auditing
- Detection of changes to the password of the managed local administrator account
- Multi-forest deployment support
The technical specification covers the following areas:
- Summary of requirements for the solution
- Architecture of the solution
- Functional specification of the particular components of the solution
- Summary of deliverables
The solution implements a framework for management of the local administrator account (built-in or custom) on domain-joined computers. The password of the administrator account is stored in Active Directory with the computer account.
The client side component (“CSE”), part of the Group Policy framework (“GPO”), automatically checks for expiration of the password of the managed administrator account on the local computer, based on the criteria configured in GPO (maximum age). If the password is older than the configured maximum age, it generates a new password according to the parameters configured in GPO (length, complexity), optionally encrypts the password, reports the new password to Active Directory (“AD”) along with the timestamp of the next password expiration, and sets the password of the managed administrator account.
In AD, the password is protected by the Access Control List (ACL) associated with the computer account, so the AD administrator can decide who is allowed to read the password for a given computer. In addition, the password can be stored encrypted in AD to achieve cryptographically strong protection.
The CSE is configured via GPO; the following parameters are configurable:
- Name of the administrator account (when not configured, the built-in local administrator account is managed)
- Complexity of the password
- Length of the password
- Maximum age of the password (the password is automatically changed when it is older than the maximum age)
- Whether or not to allow a manually set password expiration that is longer than the configured maximum password age
- Whether or not to encrypt the password stored in AD
  o And the encryption key, in case encryption is required
- Whether or not to maintain password history
- Whether or not to check whether the password of the managed local admin account was manipulated with
Users read the password of the managed admin account from AD via the Password Decryption Service (“PDS”), which works as a trusted subsystem, performing authorization checks and auditing. PDS uses its own identity to read from and write to AD.
All data transfers are protected by Kerberos encryption, so it is not possible to learn the password by sniffing the network traffic, even when password encryption is not used.
2 Project Vision/Scope Summary
Support scenarios for servers and workstations include cases in which it is not possible to use a domain account to log on to the server and perform administrative tasks. Such scenarios include:
- The machine loses connection to the corporate network and there is no cached credential with administrative privileges
- The machine loses connection with the domain or is accidentally disjoined from the domain, so domain credentials cannot be used to log on to the server and repair it
- It is required not to use domain accounts for machine administration, to prevent caching of credentials and lateral movement using stolen cached credentials (Pass-the-Hash attack)
- The machine is reverted to a backup or snapshot (in the case of a VM) and the current local admin password is reverted to the password that was valid at the time the backup/snapshot was created, so the previous password of the local admin account is required
For these support scenarios, support staff needs to know the current password of the built-in Administrator account to be able to log on to the computer and perform the necessary administrative tasks.
Additionally, there are security aspects of managing the built-in administrative account’s password in a distributed environment:
- In many environments, the password is the same on many machines and is changed infrequently, which opens the space for a Pass-the-Hash (PtH) attack
- It is difficult to maintain strong, unique local admin account passwords and provide access to them on a need-to-know basis
- It is difficult to regularly change such passwords, force a password change, or plan password expiration on certain machine(s)
3 Requirements and design Goals
The following paragraphs summarize the requirements that the solution must fulfil.
3.1 Business Requirements Summary
There are the following business requirements for the solution:
[B01] The solution is required to be resistant against tampering by the user of the computer it is implemented on, even if the user of the computer is a member of the local Administrators group
[B02] The solution must be centrally manageable. This includes:
  o Ability to know the password for a certain computer without the need to directly touch it, either locally or remotely
  o Ability to install, update and uninstall the solution in an unattended way and on many computers at the same time
[B03] The solution must support the built-in or a custom (other than built-in) local administrator account
[B04] The solution must be able to handle the scenario when the built-in Administrator account is renamed, without knowledge of the new name
[B05] The solution must be able to correctly handle the situation when the computer is disconnected from the corporate network, i.e. not change the password when it is not possible to report it to the password repository
[B06] The solution must support OS Windows XP/2003 and above
[B07] The solution must support x86 and amd64 hardware platforms
[B08] The solution must support encryption of stored data using an industry standard asymmetric algorithm
[B09] The solution must be able to maintain a history of passwords, along with information about the time of validity of those passwords
[B10] The solution must support deployment in environments with RODC:
  o Not to allow sensitive data replication to RODC
  o To work in sites where RODC is installed
[B11] The solution must be able to detect the scenario when the password of the managed local administrator account was changed manually, making the password reported in the password storage outdated
3.2 User Requirements Summary
There are the following requirements in the area of end user experience:
[U01] The solution must contain a simple-to-use tool for retrieval of the password for the administrator account on a given computer
[U02] In the default configuration, the solution must not show any traces of activity on the computer it is installed on; it must be hidden from the user as much as possible
[U03] When configured by an administrator, the solution must provide logging of its activity
[U04] The solution must offer easy-to-use configuration tools integrated with the PowerShell configuration tools framework
[U05] The solution must offer password retrieval and reset from a single place in multiple AD forests, provided there is an AD trust relationship among the forests
3.3 Security Requirements Summary
There are the following security requirements for the solution:
[S01] The solution must generate a unique random password of the managed local Administrator account for every managed computer
[S02] Generated passwords must fulfil the following complexity requirements:
  o Password length must be configurable by the administrator of the solution, with a default of 12 characters
  o Password complexity must be configurable. The most complex password must contain at least 1 character from each of the following character groups:
     Capital letters
     Small letters
     Numbers
     Special characters
Characters belonging to each category are specified in the table below:
Category | Characters
Capital letters | ABCDEFGHIJKLMNOPQRSTUVWXYZ
Small letters | abcdefghijklmnopqrstuvwxyz
Numbers | 0123456789
Special characters | ,.-+;!#&@{}[]+$/()%
[S03] The maximum age of the password must be configurable with a default of 30 days. After this time, the solution must automatically change the password to a new value
  o The granularity of the configuration value needs to be 1 hour
[S04] The solution must allow only authorized personnel to know the password of the built-in Administrator account for a particular computer
[S05] The solution must support changing the password of the built-in Administrator account on demand, without the need to directly touch the workstation either locally or remotely, so it is possible to force a password change when necessary, before the password gets automatically changed because of its age
  o It must be possible to plan the password expiration on a per-workstation basis, to support scenarios such as “Password is set to expire today at midnight”
[S06] The solution must allow for auditing of password reads from the password repository and of password resets
3.4 Installation requirements
Requirements for the installer are:
[I01] The installer must support unattended installation
[I02] The installer is expected to be a single file performing all tasks related to installation
[I03] The installer must run on Windows XP/2003 and above
[I04] The installer must support creation of a custom admin account during installation
  o The password of this custom account needs to be complex and random after the installer finishes its creation
  o This password is not required to be logged or reported anywhere: it is expected that regular password management will change the password shortly after the installation and report the changed password to AD
  o The newly created custom admin account needs to be made a member of the local Administrators group as part of its creation process
[I05] The installer must be able to set a random complex password on the existing built-in administrator account
  o This password is not required to be logged or reported anywhere: it is expected that regular password management will change the password shortly after the installation and report the changed password to AD
4 Solution architecture
The solution architecture is depicted in the schema below (figure not reproduced; only its labels are recoverable and are listed here):
Legend: Green = solution specific; Blue = Windows platform features; Bold lines = encrypted connection
Components shown: Password Decryption Service (key management: maintain keys; autodiscovery API; service discovery via a DNS SRV record; audit log; read password / reset password against Active Directory); Active Directory (GPO; computer account holding Password + Expiration + (History); public/private encryption keys); CSE on managed machines (GP Update delivering parameters and the encryption key; reports Password + Expiration + (History) to the computer account); Client tools (PowerShell module, Fat client, Web) calling PDS for read password, reset password and key management; Admin performing configuration of the solution.
The roles of the particular solution components are specified below.
4.1 CSE on managed machines
The core of the functionality of the solution is implemented as a Client Side Group Policy Extension (CSE), installed on every managed machine.
The CSE works as part of the Group Policy framework and is responsible for maintenance of the password of the managed local admin account based on the parameters specified in GPO. It is also responsible for processing of password reset requests.
This implementation model brings the following benefits:
- Resistance against tampering from the side of the user of the computer: the security of the CSE is basically the same as the security of the GPO framework itself
- Privileged security context for local execution: all local operations are performed under the LOCAL SYSTEM security context. This ensures high enough privileges for local operations (especially the password reset of the managed admin account)
- Security context for network operations: network operations (especially interaction with the password repository) use the identity of the computer account of the managed computer
- Automatic timing of operations: password management (check of the password age and change of the password if necessary) is performed every time a GPO refresh event occurs on the computer
- Automatic detection of offline state: when the managed workstation is offline, the GPO refresh event does not occur and CSE execution is not triggered
- Scalability: a locally installed solution is more independent, reliable and scalable than any central solution that touches every managed computer across the network
4.2 Active Directory
Another important component of the solution is Active Directory. Active Directory (AD) is used as the authentication and authorization provider for the solution, and is also used as the repository for:
- passwords of managed admin accounts
- password reset requests
The password repository is implemented using newly defined attributes in the AD schema, added to the may-contain property set of computer accounts. Usage of AD as the repository brings the following benefits:
- Availability: the design goal is to manage passwords on domain-joined computers, so for every managed computer the AD infrastructure is reachable by design
- Security: the AD infrastructure offers advanced tools for implementation of the security model for the solution by allowing per-attribute Access Control Lists (ACLs) and by implementing confidential attributes for password storage
- Independence: the solution is highly self-contained. It depends mostly just on the AD infrastructure, which makes it more secure and robust and makes implementation of the desired security model easier. Also, management of the solution is easier because the set of components to maintain is minimized
- Simplicity of implementation of transport encryption: when transferring passwords from managed workstations to AD, and from AD to the users requesting them, it is necessary to protect them from eavesdropping on the wire. The AD client on the managed workstation supports Kerberos-based encryption for LDAP protocol operations. This encryption relies only on the Kerberos authentication protocol, which is available to any domain-joined workstation by default. That means there is no need to implement other encryption means (such as SSL or IPsec) that require additional planning and implementation of prerequisites (such as deployment of server certificates to domain controllers and a PKI infrastructure in place)
- Scalability: using the AD infrastructure as the password repository allows reporting the password to any writable DC, typically the one closest to the workstation; thus the password repository is not a single point of failure and the solution scales to the same extent as the AD infrastructure itself
- Firewall friendliness: usage of AD as the repository for password reset requests eliminates the need to touch the managed machine when a password reset is requested, simplifying overall management by eliminating the need to open firewall holes for inbound communication. In addition, managed machines communicate using existing protocols that are used by every machine joined to an AD domain. This makes implementation in an environment with hardened network security straightforward
- Protection against attacks: the AD database is one of the most important assets of each company, as it contains user identities including their passwords. That means it is usually protected accordingly, including backup media. This solution just reuses the current protection model of the AD database for its own sensitive data, the passwords of the built-in Administrator accounts of managed computers. Additionally, the AD infrastructure supports Read-Only Domain Controllers (RODCs), which are designed for environments with insufficient physical security. This solution is not a blocker for RODC implementation: passwords of managed admin accounts are by default prevented from replication to RODCs
4.3 Group Policy
Group Policy is used as the configuration repository and as the transport mechanism of the chosen configuration to managed machines. The solution contains an ADMX template that defines the configuration values and allows their management via the GPO Editor.
Usage of GPO allows easy integration of the configuration of the solution into existing configuration management processes.
4.4 Password Decryption Service
PDS is responsible for the following tasks:
- Creation and maintenance of the key pairs used for password encryption and decryption
- Processing of requests for password reads and resets and authorization of these requests, based on the security model implemented in AD
- Communication with Active Directory: password reads and decryption, password resets
- Auditing of user requests for password reads and resets
- Registration and maintenance of the DNS SRV record used for discovery of the service by clients
PDS uses its own security context when communicating with AD; it does not perform delegation. PDS runs under the NETWORK SERVICE account by default, so it accesses AD authenticated as the computer account of the machine PDS is running on.
Note: When PDS is hosted on a DC and running under the default account, which is NETWORK SERVICE, it accesses the DC as NETWORK SERVICE rather than as the computer account.
Running PDS under a domain account is fully supported.
PDS registers and maintains an SRV record in DNS, _admpwd._tcp.<domain>, so clients are able to find the service without any specific configuration.
PDS supports more than one encryption key pair, so different managed machines can use different keys to encrypt the password reported to AD. Key rollover is also fully supported, so the solution is ready to change the encryption key without disruption of the service.
PDS protects the transport channel when reading data from AD and when sending data to clients using Kerberos encryption, which is available to all domain-joined machines out of the box, so the clear text password is never revealed on the wire.
4.5 Client UI
The solution comes with the following client UIs:
- Fat client
- PowerShell module
- Web UI
4.5.1 Fat client
Allows easy access to the password read and reset functionality for a computer.
It can also be run from the network (so installation on every machine that needs to run it is not necessary), and it can be registered as a context menu extension for the Active Directory Users and Computers tool [1].
4.5.2 PowerShell module
Cmdlets provided by the PowerShell module allow complete usage and configuration of the solution. The module allows:
- Reading and resetting the local admin password for a given computer
- Preparing the AD schema for the solution
- Implementing the security model for the solution
- Managing key pairs in PDS
4.5.3 Web UI
The Web UI offers the following functionality:
- Reading and resetting the local admin password for a given computer
- Managing key pairs in PDS
The Web UI calls into PDS for its operation and uses Kerberos Constrained Delegation (KCD) for passing the caller’s identity into PDS for proper authorization of requests.
[1] See http://msdn.microsoft.com/en-us/library/ms677915(v=vs.85).aspx for details
5 Implementation of requirements
The following chapters summarize how the requirements specified above are implemented by the solution architecture.
5.1 Business requirements
[B01] The client side of the solution is implemented as a Group Policy Extension. This means that the protection level is the same as for the built-in Group Policy framework that is used for configuration management of other components running on the machine
[B02] The solution stores data in Active Directory. Both password reads and password resets are performed against AD, without the need to reach the managed workstation.
The solution contains an MSI installer that supports unattended installation with the config management solution of choice (such as SCCM).
The solution comes with an ADMX template that defines the parameters configurable via GPO. Configuration on managed computers is completely manageable via GPO.
[B03] The solution automatically detects the built-in admin account, even when renamed. Support of a custom admin account is implemented via GPO: it is possible to configure the name of the custom admin account to be managed
[B04] The solution detects the built-in admin account via its well-known SID, so it does not depend on a specific name for the built-in admin account
[B05] The solution is triggered on the client side by GPO refresh events. When the computer is disconnected from the domain, the GPO refresh event does not occur, so a password change does not occur either.
In addition, the solution is implemented in a way that requires connectivity to the AD infrastructure in order to reset the local admin password, so when the managed machine is offline, there is no AD connectivity and thus no local admin password management event
[B06] The solution is developed using APIs that are available on Windows XP/2003 and newer OSs. The development roadmap takes the OS lifecycle into consideration, so the solution is supported on all supported Windows OSs
[B07] The delivery contains installers for x86 and amd64 hardware platforms
[B08] The solution supports encryption of the password stored in AD using an RSA public key. The password is then decrypted with the corresponding RSA private key. Key pairs are maintained by the PDS service; PDS is the only holder of the private key.
Password encryption is optional; the requirement for encryption and the public key are configured via GPO.
[B09] The solution supports maintenance of password history. Password history is maintained along with information about the time when each password was valid. Passwords in the password history support encryption the same way as the current password
[B10] The default AD schema definition prevents replication of the password and password history to RODCs, so sensitive data is not replicated to RODCs.
Both managed clients and management tools avoid connecting to an RODC and always connect to a writable domain controller to make sure that the password can be reported to AD and read from AD in all scenarios.
[B11] The CSE remembers the timestamp when it changed the password of the managed local administrator account, and compares it with the age of the password as reported by the OS. When the password age is different than expected, the password is considered to have been manipulated outside of the solution, and it is reset immediately.
5.2 User requirements
[U01] The solution contains a simple fat client application that allows the user to enter a computer name and:
  o Retrieve the current local admin password
  o Optionally retrieve the complete password history
  o Request a local admin password reset (both immediate and planned)
The fat client application can be registered as a context menu extension for the Active Directory Users and Computers tool and can be run from a network location, for even easier integration with existing support processes.
In addition, the solution contains a web UI that offers the same functionality as the fat client application.
[U02] The solution only logs error messages on managed machines by default. Warning and information messages are logged only when requested by the administrator.
[U03] The solution provides the following logging capabilities:
  o On managed machines: operational logging into the Application log
  o On PDS: operational and audit logging into a dedicated log
[U04] The solution comes with a PowerShell module that implements the necessary cmdlets for configuration of the solution.
[U05] The solution supports delegation of permissions cross-forest, and the administrative tools allow specifying the DNS name of the forest in which to look for the computer account whose password is to be retrieved or reset
5.3 Security requirements
[S01] The solution generates a cryptographically random password: the RSA CSP is used to generate the random numbers used to construct the password.
[S02] The generated password has the parameters specified by the requirements; the password parameters are configurable via GPO.
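The generator described by [S01] and [S02], as an added example that is not code from the solution itself: it uses the character groups exactly as listed in the S02 table (the spec lists '+' twice in the special group; the duplicate is dropped so every character is equally likely), guarantees at least one character from every required group, draws all randomness from the OS CSPRNG (`secrets`, standing in for the RSA CSP named in S01), and includes a checker. The four complexity levels as subsets of the groups, and the `COMPLEXITY` table, are assumptions of this example.

```python
import secrets

# Character groups exactly as listed in the S02 table of the LAPS.E specification.
# The special-character group in the spec lists '+' twice; duplicates are removed
# so that every character in a group is drawn with equal probability.
CHAR_GROUPS = {
    "capital": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "small": "abcdefghijklmnopqrstuvwxyz",
    "numbers": "0123456789",
    "special": "".join(dict.fromkeys(",.-+;!#&@{}[]+$/()%")),
}

# Assumption of this example: the configurable complexity levels are nested subsets
# of the groups. Only the most complex level (all four groups) is stated in the spec.
COMPLEXITY = {
    1: ("capital",),
    2: ("capital", "small"),
    3: ("capital", "small", "numbers"),
    4: ("capital", "small", "numbers", "special"),
}

DEFAULT_LENGTH = 12  # S02 default length


def _secure_shuffle(chars: list) -> None:
    """In-place Fisher-Yates shuffle driven by the OS CSPRNG (secrets.randbelow)."""
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]


def generate_password(length: int = DEFAULT_LENGTH, complexity: int = 4) -> str:
    """Return a random password of `length` characters containing at least one
    character from every group required by `complexity`."""
    groups = COMPLEXITY[complexity]
    if length < len(groups):
        raise ValueError(f"length {length} cannot satisfy {len(groups)} required groups")
    # One guaranteed character per required group ...
    chars = [secrets.choice(CHAR_GROUPS[g]) for g in groups]
    # ... then the remainder drawn uniformly from the union of the allowed groups.
    alphabet = "".join(CHAR_GROUPS[g] for g in groups)
    chars += [secrets.choice(alphabet) for _ in range(length - len(groups))]
    # Shuffle so the guaranteed characters do not sit at predictable positions.
    _secure_shuffle(chars)
    return "".join(chars)


def meets_complexity(password: str, complexity: int = 4) -> bool:
    """True when every required group is represented and no character falls
    outside the groups allowed at this complexity level."""
    groups = COMPLEXITY[complexity]
    alphabet = set("".join(CHAR_GROUPS[g] for g in groups))
    if any(c not in alphabet for c in password):
        return False
    return all(any(c in CHAR_GROUPS[g] for c in password) for g in groups)


if __name__ == "__main__":
    pwd = generate_password()
    print(pwd, meets_complexity(pwd))
```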
[S03] The password change is triggered by the GPO update event on managed machines. This happens by default every ~90 minutes (the interval can be shortened if needed), so potentially the password can be changed as often as every ~1 hour if needed.
The password age is configurable via GPO and the default is 720 hours (30 days)
[S04] The solution relies on the AD security model and allows granting permission to read/reset the password on the computer account on a per-computer basis, or delegating those permissions at container level
[S05] The solution relies on the AD security model to grant permission to reset the local admin password on a per-computer basis. The password reset request is written to AD on the computer account of the computer. The computer then processes the password reset request upon the next GPO refresh. The password reset request can be immediate or planned for the future.
Usage of AD as storage for password reset requests allows managing the workstation without touching it directly
[S06] Password reads and resets are handled by PDS working as trusted subsystem. PDS
provides auditing of all operations into own log, so it is very easy to collect those audit events for
further analysis by tool of choice (such as ACS).
In addition, it is possible to setup auditing on AD level to audit actions performed by PDS and
administrators of AD service.
5.4 Installation requirements
[I01] Part of the delivery is an MSI installer that supports unattended installation via the /q switch.
Running the installer silently without parameters installs just the CSE – the only component of the
solution that is expected for bulk installation.
[I02] All components of the solution (except Web UI) are contained in the installer MSI package. Web
UI is installed separately because it is expected to be customized according to the look and feel
requirements of the environment where it is deployed.
[I03] MSI can be installed on all supported versions of Windows.
[I04] Installer supports creation of a custom local admin account during installation of CSE.
Account name is specified via installer variable CUSTOMADMINNAME – the variable can be set from
the command line or via MST transform.
[I05] Installer supports protection of the built-in local admin account by a complex random
password during installation of CSE. This protection is turned on via installer variable
PROTECTBUILTINADMIN – the variable can be set from the command line or via MST transform.
6 Solution Design
6.1 Client Side Group Policy Extension
6.1.1 Implementation
CSE is implemented as a single DLL file, publishing the following entry points:
- ProcessGroupPolicy
  o Main entry point for the Group Policy framework. This entry point implements the
    ProcessGroupPolicy() callback as described in MSDN
    (see http://msdn.microsoft.com/en-us/library/aa374377(VS.85).aspx)
- DllRegisterServer
  o Can be used for manual registration of CSE with the GPO framework and with the Event
    Log service during CSE installation/upgrade, in case it is not possible to use the MSI
    installer
- DllUnregisterServer
  o Can be used for manual deregistration of CSE from the GPO framework and Event Log
    service during the uninstallation of CSE, in case it is not possible to use the MSI
    installer
Logic of the processing is as follows:
1. CSE connects to Active Directory, to the computer object of the managed machine it is running
   on
2. CSE then reads the value of attribute “ms-MCS-AdmPwdExpirationTime”. This attribute
   stores the expiration time of the current password
  o When the attribute is empty, the password was never changed, so CSE knows it is time
    to reset the password
  o When the timestamp is not older than the current time, the password has not expired yet,
    and CSE does not perform any other operation and finishes processing
  o When the timestamp is older than the current time, CSE knows it is time to reset
    the password
  o When the timestamp lies further in the future than the password age specified in GPO
    allows, and the respective protection is enabled in GPO, CSE knows it needs to reset the
    password
  o When CSE finds out that the password of the managed administrator account was
    manipulated, and the respective protection is enabled in GPO, it knows it needs
    to reset the password
3. When configuration requires the password to comply with the maximum age restriction, CSE
   compares the expiration time with the maximum password age specified in GPO. When the
   expiration is longer than the maximum age, CSE knows that it is time to change the password
   and reset the password age
4. When configuration requires protection against password changes outside of the solution,
   CSE reads the age of the managed local administrator account and compares it with the
   expected age, given by the last password change performed by CSE. When the age differs from
   the expected value, the password is considered invalid and CSE knows it is time to reset it
5. When the password needs to be reset, CSE detects the local Administrator account to
   manage (either via name configured using GPO or via well-known SID) and connects to it
6. Then CSE invents a new password according to the required criteria (length and complexity)
7. In case the solution is configured to store the password encrypted in AD, CSE loads the
   encryption key from GPO and uses it to encrypt the password. CSE then converts the
   encrypted blob to a Base64 string
8. Then CSE reports the new password (plain text or Base64 encoded encrypted blob) and
   timestamp to Active Directory, to the following attributes of the computer account for the
   machine it runs on:
  o ms-MCS-AdmPwd: password
     either plaintext password
     or Base64 string containing the encrypted password, prefixed by the ID of the key
       used for encryption
    Format: <keyID>:<space><Base64>
    Example: 1: ZmwKf34lH1/+NsjIWSfKQSb4H…
  o ms-MCS-AdmPwdExpirationTime: timestamp of the current time plus the configured password
    age, in FILETIME format (64-bit integer), in UTC
  o ms-MCS-AdmPwdHistory: in case maintenance of password history is required, timestamp
    of the current time (Directory string) plus the password as reported to the
    ms-MCS-AdmPwd attribute
    Format: <timestamp>:<space><value of ms-MCS-AdmPwd>
    Example: 20140929233650.0Z: 1: ZmwKf34lH1/+NsjIWSfKQSb4H…
  o Note: This communication is encrypted with Kerberos encryption
9. After the password and expiration timestamp are successfully reported to AD, the password
   of the managed Administrator account is reset to the new value invented in step 6
  o The reason for this sequence of steps is that we cannot report and reset the password as
    a single transaction. We consider reporting the password to AD the more “risky”
    operation – more things can go wrong as there is a network between workstation and
    domain controller, whereas the password reset operation works against the local
    computer. We perform the riskier operation first to be able to catch any errors prior
    to resetting the password. This order of steps minimizes the risk that the reported
    password differs from the actual password of the managed Administrator account
10. After successfully resetting the password, CSE finishes execution, reporting success to the
    GPO framework that called it
11. In case an error occurs during execution, CSE logs the error to the Application log
    and finishes execution, reporting the error to the GPO framework that called it
6.1.2 Configuration
CSE is configurable using registry values specified in the registry key:
HKLM\Software\Policies\Microsoft Services\AdmPwd
Currently the following configuration values are supported:
AdmPwdEnabled (REG_DWORD)
  Setting to non-zero enables the solution. The resulting policy must have this value set to
  non-zero for the solution to work on the managed machine.
  Managed by policy “Enable local admin password management”
AdminAccountName (REG_SZ)
  Name of the local account to manage the password for. If not configured, CSE manages the
  built-in Administrator password regardless of its name (detects it via well-known SID).
  Managed by policy “Customize administrator account name”
ManualPasswordChangeProtectionEnabled (REG_DWORD)
  Setting to zero disables protection against manual changes of the managed local
  administrator account's password. If not configured or set to non-zero, protection is active.
  Managed by policy “Protect against manual changes of password”
PasswordLength (REG_DWORD)
  Length of the generated password. Minimum: 8. Maximum: 64. Default: 12.
  Managed by policy “Password Settings”
PasswordComplexity (REG_DWORD)
  Complexity of the generated password. Minimum: 1. Maximum: 4. Default: 4
  (see paragraph 3.3 for details).
  Meaning of values:
  1 ... large letters
  2 ... large letters + small letters
  3 ... large letters + small letters + numbers
  4 ... large letters + small letters + numbers + special chars
  Managed by policy “Password Settings”
PasswordAge (REG_DWORD)
  Age of password in hours. Minimum: 1. Maximum: 9999. Default: 720 (30 days).
  Managed by policy “Password Settings”
PwdExpirationProtectionEnabled (REG_DWORD)
  Whether CSE shall enforce the password age to be aligned with the PasswordAge parameter.
  If set to non-zero, when the password expiration time set on the computer exceeds the
  PasswordAge policy, the password is reset upon next GPO refresh and the expiration is set
  according to policy.
  Managed by policy “Do not allow password expiration time longer than required by policy”
PwdEncryptionEnabled (REG_DWORD)
  Whether or not password encryption is enabled. Default: No.
  Managed by policy “Password encryption”
PublicKey (REG_SZ)
  Base64-encoded public key for password encryption.
  Managed by policy “Password encryption”
PwdHistoryEnabled (REG_DWORD)
  Whether or not to maintain password history for the computer.
  Managed by policy “Maintain history of passwords”
Note: In the GPO UI, all configuration settings related to CSE configuration are located under the
Computer configuration/Administrative Templates/LAPS Enterprise/Managed Clients path
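As an added illustration (not the CSE's own code), the checks from 6.1.1 steps 2-4 and the expiration written in step 8, driven by the PasswordAge, PwdExpirationProtectionEnabled and ManualPasswordChangeProtectionEnabled values above, in Python. The 3-second tolerance is the one stated for event 11 in 6.1.3; the function signature and the reason labels are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# ms-MCS-AdmPwdExpirationTime is a FILETIME: 100-nanosecond intervals
# since 1601-01-01 00:00 UTC, stored as a 64-bit integer.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Accepted drift between expected and OS-reported password age (event 11).
MANUAL_CHANGE_TOLERANCE_SECONDS = 3


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME value to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Convert a timezone-aware datetime to a FILETIME value."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def new_expiration(now: datetime, password_age_hours: int) -> int:
    """Step 8: expiration = now + configured PasswordAge, as FILETIME."""
    return datetime_to_filetime(now + timedelta(hours=password_age_hours))


def decide_reset(
    expiration_filetime: Optional[int],
    now: datetime,
    password_age_hours: int,
    expiration_protection_enabled: bool,
    manual_change_protection_enabled: bool,
    os_reported_age_seconds: Optional[int] = None,
    expected_age_seconds: Optional[int] = None,
) -> Tuple[bool, str]:
    """Steps 2-4 of the CSE processing logic.

    Returns (reset_needed, reason). The reason labels are assumed names for
    this illustration, not event text from the CSE.
    """
    # Step 2: empty attribute -> the password was never set by the solution.
    if not expiration_filetime:
        return True, "never-set"
    expires = filetime_to_datetime(expiration_filetime)

    # Step 2: timestamp in the past -> the password has expired.
    if expires <= now:
        return True, "expired"

    # Step 3: PwdExpirationProtectionEnabled -> an expiration further away
    # than PasswordAge allows (e.g. pushed out by hand in AD) forces a reset.
    if expiration_protection_enabled and expires - now > timedelta(hours=password_age_hours):
        return True, "expiration-exceeds-policy"

    # Step 4: ManualPasswordChangeProtectionEnabled -> compare the age the OS
    # reports with the age expected from the CSE's own last change.
    if (
        manual_change_protection_enabled
        and os_reported_age_seconds is not None
        and expected_age_seconds is not None
        and abs(os_reported_age_seconds - expected_age_seconds) > MANUAL_CHANGE_TOLERANCE_SECONDS
    ):
        return True, "manipulated"

    # Nothing triggered: "It is not necessary to change password yet".
    return False, "not-yet"


if __name__ == "__main__":
    # Constructed sample: a password set 10 days ago with a 720 h (30 day) age.
    now = datetime(2015, 12, 1, 12, 0, tzinfo=timezone.utc)
    expiration = new_expiration(now - timedelta(days=10), 720)
    print(decide_reset(expiration, now, 720, True, True, 864_000, 864_000))
```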
6.1.3 Logging
CSE logs all events into the Application Event Log of the local computer. Log messages are English
only, but can be localized or additional languages can be added, if necessary.
The type of events that are logged is configurable via the following registry REG_DWORD value:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}\ExtensionDebugLevel
Semantics of the possible values:
0 – Silent mode; log errors only. When no error occurs, no information is logged about CSE
    activity. This is the default value
1 – Log errors and warnings
2 – Verbose mode, log everything
Event source for all events reported by CSE is always “AdmPwd”. The following table summarizes
the events that can occur in the Event Log:
ID 2, Error: “Could not get computer object from AD. Error %1”
  Logged in case that CSE is not able to connect to the computer account for the local computer
  in AD. %1 is a placeholder for the error code returned by the function that retrieves the local
  computer name, converts it to DN and connects to the object specified by the DN
ID 3, Error: “Could not get local Administrator account. Error %1”
  Logged in case that CSE is not able to connect to the built-in Administrator account. %1 is a
  placeholder for the error code returned by the function that detects the name of the local
  administrator’s account and connects to the account
ID 4, Error: “Could not get password expiration timestamp from computer account in AD. Error %1.”
  Logged in case that CSE is not able to read the value of ms-MCS-AdmPwdExpirationTime of the
  computer account in AD. %1 is a placeholder for the error code returned by the function that
  reads the value of the attribute and converts it to unsigned __int64 type
ID 6, Error: “Could not create new password. Error %1.”
  Logged when CSE for any reason (typically because of failure to initialize/use the random
  number generator) cannot create a new password for the local admin account
ID 7, Error: “Could not encrypt password. Error %1.”
  Logged in any of the following situations:
  - CSE cannot locate the public key in registry
  - Public key blob stored in GPO is invalid
  - RSA CSP is not able to encrypt the password
ID 8, Error: “Could not write changed password to AD. Error %1.”
  Logged in case that CSE is not able to report the new password and timestamp to AD. %1 is a
  placeholder for the error code returned by the LDAP search request
ID 9, Error: “Could not reset local Administrator's password. Error %1”
  Logged in case that CSE is not able to reset the password of the built-in Administrator
  account. %1 is a placeholder for the error returned by the NetUserSetInfo() API call
ID 10, Warning: “Password expiration too long for computer (%1 days, %2 hours). Resetting password now.”
  Logged in case that CSE detects that the password expiration for the computer is longer than
  allowed by the policy in place while protection against excessive password age is turned on
ID 11, Warning: “Password was manipulated with since last check (%1 seconds after regular password change). Resetting password now.”
  Logged when CSE detects that the password of the managed local administrator account was
  changed manually
ID 12, Error: “Could not check if password is in sync with AD. Error %1.”
  Logged when CSE is not able to detect the password age of the managed local administrator
  account. %1 is a placeholder for the error returned by the NetUserGetInfo() API call
ID 1, Information: “Beginning processing with flags %1.”
  Logged when CSE starts processing the GPO update event. %1 is a placeholder for the value of
  the flags passed to the ProcessGroupPolicy() entry point
ID 2, Information: “It is not necessary to change password yet. Will be changed in %1 days, %2 hours.”
  Logged in case that CSE detects that it is not yet time to reset the password of the managed
  admin account
ID 7, Information: “Local Administrator's password has been successfully encrypted”
  Logged when the password is successfully encrypted
ID 8, Information: “Local Administrator's password has been reported to AD.”
  Logged when the password is successfully reported to AD
ID 9, Information: “Local Administrator's password has been changed”
  Logged after CSE resets the password of the managed admin account
ID 11, Information: “Admin password was not manipulated with (%1)”
  Logged when CSE detects that the password of the managed local administrator account was not
  manipulated with. %1 is a placeholder for the difference between expected and real password
  age, in seconds. Accepted difference is up to 3 seconds
ID 100, Information: “Finished successfully”
  Logged after CSE has performed all required tasks and is about to finish
ID 101, Information: “Admin account management not enabled, exiting”
  Logged when admin account management is not enabled and CSE is not allowed to work
Notes:
- Generally, all events with severity “Error” are blocking, so in case that any error occurs, no
  other tasks are performed and CSE terminates processing
- The event source for the Event Log is embedded in the same DLL as the main GPO executive.
  The reason for this decision was to make deployment simple
6.2 Information security
6.2.1 Active Directory
Solution maintains 3 pieces of information for the managed Administrator account in Active
Directory:
- Current password
- Timestamp of expiration of current password
- Password history
Permission model around this information is as follows:
Password
  Who needs to read: PDS identity
  Who needs to write: Computer that owns the computer account (so every computer can write the
  password of its own admin account to AD)
Password Expiration Timestamp
  Who needs to read: PDS identity; Computer that owns the computer account (so every computer
  can know whether it is time to change the password of its own admin account)
  Who needs to write: Computer that owns the computer account (so every computer can write only
  the password expiration timestamp to AD); PDS identity
Password history
  Who needs to read: PDS identity
  Who needs to write: Computer that owns the computer account (so every computer can write the
  password history of its own admin account to AD); AD administrator – to maintain password
  history
Note: Domain administrators can obviously read and write all attributes, but – in case that
password is stored encrypted in AD – still are not able to get decrypted password unless given
explicit permission. Only PDS can decrypt the password stored in AD.
6.2.2 Network communication
Network transmission protection covers the following communication:
- Between managed machine and AD
- Between AD and PDS
- Between PDS and client tools
In all above scenarios, all transferred information is encrypted by Kerberos encryption, protecting
transmitted data from eavesdropping.
6.2.3 PDS
Solution implements 2 new extended rights in Active Directory:
- Read Local Admin Password
- Reset Local Admin Password
Rights are imported to AD as a part of the AD preparation procedure (PowerShell cmdlet
Update-AdmPwdADSchema).
Those rights are not used by AD itself – they are used by PDS to perform authorization checks.
Permissions apply to computer objects; use the PowerShell cmdlets
Set-AdmPwdReadPasswordPermission and Set-AdmPwdResetPasswordPermission to grant the
respective permissions to the security principals who need them.
By default, no one is granted permission to read or reset admin passwords.
6.2.4 Protection against deletion of computer account
Computer accounts might be subject to accidental deletion. In such a case (especially when the AD
Recycle Bin feature of Windows 2008 R2 is not implemented) the password of the built-in
Administrator account would be lost and there would be no easy way for support staff to read it: it
would require using the SystemState backup to read the password – unless the Forest Functional
Level (FFL) is Windows 2008 R2 and the AD Recycle Bin feature is turned on.
Protection against accidental deletion of the computer account is implemented as follows:
- ms-MCS-AdmPwd and ms-MCS-AdmPwdHistory attributes are added to the set of attributes
  that are not stripped off the object during deletion
- This means that the password is still available on the tombstone of the computer account for
  the lifetime of the tombstone – which is 180 days by default
- So when accidental deletion of a computer account occurs, the Domain admin role is able to
  quickly recover the password from the tombstone object
- Only after the tombstone expires is the password definitely lost. Tombstone lifetime is long
  enough for the purpose of password recovery
Main benefit of this approach is that it allows not exporting passwords from AD infrastructure to
independent location where it would need to be specially protected – just for the sake of
protection against the special case of accidentally deleted computer account.
6.3 Active Directory infrastructure
Active Directory infrastructure supports the solution by:
- Implementing the shared storage of information maintained by the solution
- Implementing the GPO framework that is used to trigger CSE activity
- Maintaining the security model in ACLs applying to computer objects
The following paragraphs summarize changes that are required on the Active Directory level
when implementing the solution.
6.3.1 AD Schema
Solution relies on 3 new attributes added to AD schema. Attributes store password of managed
local administrator account for each workstation, password history and timestamp of password
expiration. All attributes are added to may-contain attribute set of computer class.
Specification of new attributes is in the table below.
ms-MCS-AdmPwd
  Syntax: 2.5.5.5 (Printable case-sensitive string)
  omSyntax: 19
  isSingleValued: True
  searchFlags: 904 (fCONFIDENTIAL | fPRESERVEONDELETE | fRODCFilteredAttribute | fNeverAuditValue)
  isMemberOfPartialAttributeSet: False
  OID: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
ms-MCS-AdmPwdExpirationTime
  Syntax: 2.5.5.16 (Large integer)
  omSyntax: 65
  isSingleValued: True
  searchFlags: 0
  isMemberOfPartialAttributeSet: False
  OID: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2
ms-MCS-AdmPwdHistory
  Syntax: 2.5.5.5 (Printable case-sensitive string)
  omSyntax: 19
  isSingleValued: False
  searchFlags: 904 (fCONFIDENTIAL | fPRESERVEONDELETE | fRODCFilteredAttribute | fNeverAuditValue)
  isMemberOfPartialAttributeSet: False
  OID: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.3
Attributes that contain a password are flagged as:
- Confidential: CONTROL_ACCESS permission is required to read the value of the attribute, so the
  password is better protected
- Preserved on delete: value is not stripped off the tombstone, so it is possible to recover the
  password from a deleted object
- RODC filtered: value is not replicated to RODC
- Excluded from audit: Domain controller does not write the value of the attribute to the Security
  log when detailed auditing is enabled
6.3.2 Extended rights
Solution defines 2 new extended rights in the AD Configuration partition. Specification is in the
table below.
ms-McsAdmPwdReadPassword
  objectClass: controlAccessRight
  displayName: Read Local Administrator Password
  appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2 (computer objects)
  rightsGuid: 2a72352f-f5f8-40a3-83b2-1d8562fa90c4
  validAccesses: 256 (see http://blogs.msdn.com/b/openspecification/archive/2009/08/19/active-directory-technicalspecification-control-access-rights-concordance.aspx for details)
  showInAdvancedViewOnly: FALSE
ms-McsAdmPwdResetPassword
  objectClass: controlAccessRight
  displayName: Reset Local Administrator Password
  appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2 (computer objects)
  rightsGuid: 5E4DF2BA-49FB-4703-87D9-B69F00C4C039
  validAccesses: 256
  showInAdvancedViewOnly: FALSE
6.4 Password Decryption Service
Password Decryption Service (PDS) plays the following key roles:
- Handling password retrieval and password reset requests from users
- Maintenance of key pairs
- Recording of audit trail
PDS is designed to operate in multiple AD forests. This means that an AD forest can be covered by an
instance of PDS running in a different AD forest, provided that the following prerequisites are met:
- There is at least a one-way trust relationship between the forest where PDS is installed (PDS
  forest) and the other forest, so that permissions can be granted to security principals from
  the PDS forest in the other forest
- Permissions to read password, reset password and for PDS itself are granted using objects
  resolvable from the PDS forest, such as global groups from the PDS forest
- PDS is allowed to perform authenticated LDAP operations against domain controllers of
  the other forest
- Any AD domain where users of the PDS service have user accounts has SRV records for PDS
  created in its DNS zone, pointing to the PDS server instance(s)
PDS logs all activities into dedicated Windows log.
PDS is implemented as a Win32 service with name “AdmPwd.PDS” and display name “AdmPwd
PDS”. The service executable and all related files are installed to %ProgramFiles%\Svc, and the
service is configured to run under the NETWORK SERVICE account.
Configuration of service is managed by config file AdmPwd.Service.exe.config, located in service
install folder.
PDS keeps key pairs in the CryptoKeyStorage subfolder. The setup program sets the ACL on this
subfolder so that only SYSTEM, Administrators and NETWORK SERVICE have access to it.
PDS registers and maintains DNS SRV record that is used by service clients to find the service.
Paragraphs below describe implementation details of service components.
6.4.1 API
PDS exposes the API as specified in the paragraphs below.
6.4.1.1 General
6.4.1.1.1 Error signalization
Upon error, the service throws a FaultException carrying a ServiceFault instance and an informative
message about the error.
Example (inside a catch block, where ex is the caught exception):
    catch (Exception ex)
    {
        // Build the fault detail that the client receives
        ServiceFault f = new ServiceFault();
        f.IssueCode = IssueType.KeyAdminRoleNotFound;
        f.Issue = "Cannot get key admins role name";
        f.Details = ex.Message;
        // FaultReason carries the human-readable message on the wire
        throw new FaultException<ServiceFault>(f, new FaultReason(ex.Message));
    }
Definition of structures:
    public class ServiceFault
    {
        public IssueType IssueCode;       // machine-readable category of the issue
        public string Issue;              // short description of the issue
        public string Details;            // underlying error message
        public List<string> AdditionalInfo;
    }
    public enum IssueType
    {
        ComputerNotFound,
        ComputerAmbiguous,
        AccessDenied,
        KeyAdminRoleNotFound,
        SupportedKeySizesNotFound,
        PublicKeyNotFound,
        CannotValidateAdminPrivilege,
        CannotGenerateKeyPair,
        CannotRetrievePassword,
        CannotResetPassword
    }
6.4.1.2 Common classes
6.4.1.2.1 Service response base class
ServiceResponse is placeholder base class reserved for future use in case of need to have
common data in every service response
public class ServiceResponse
{
}
6.4.2 Interface
6.4.2.1 Local admin password retrieval
Clients call this method to retrieve local admin password for given computer, optionally with
password history.
ComputerName parameter in request accepts either computer name or DN of computer object
in AD.
ForestDnsName parameter specifies name of forest, domain, or DC to contact when looking for
computer account
Call to this method is audited.
GetAdminPasswordResponse GetAdminPassword(GetAdminPasswordRequest);
public class GetAdminPasswordRequest
{
public string ComputerName;
public bool IncludePasswordHistory = false;
public string ForestDnsName = string.Empty;
}
public class GetAdminPasswordResponse : ServiceResponse
{
public string ComputerDN;
public string ComputerName;
public string Password;
public DateTime ExpirationTime;
public uint KeyId;
public List<PwdInfo> PasswordHistory = new List<PwdInfo>();
}
public class PwdInfo
{
public DateTime ValidSince;
public DateTime ValidUntil;
public string Password;
public uint KeyId;
}
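As an added illustration (not the PDS's own code), a Python parser for the ms-MCS-AdmPwd and ms-MCS-AdmPwdHistory value formats from 6.1.1 step 8, producing records shaped like the PwdInfo class above. Two rules are assumptions of this example: a history entry's ValidUntil is the ValidSince of the next entry, and key ID 0 denotes a plaintext value.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# ms-MCS-AdmPwd: "<keyID>: <Base64>" when encrypted, otherwise the plaintext.
_KEY_PREFIX = re.compile(r"^(\d+): (.+)$")

# Assumption of this example: key ID 0 marks an unencrypted (plaintext) value.
PLAINTEXT_KEY_ID = 0


def parse_adm_pwd(value: str) -> Tuple[int, str]:
    """Split an ms-MCS-AdmPwd value into (key_id, payload).

    The payload is the Base64 ciphertext for an encrypted value, or the
    password itself for a plaintext value. A generated plaintext password
    could in theory start with "<digits>: ", so the prefix is only honoured
    when the remainder really is valid Base64.
    """
    match = _KEY_PREFIX.match(value)
    if match:
        key_id, payload = int(match.group(1)), match.group(2)
        try:
            base64.b64decode(payload, validate=True)
            return key_id, payload
        except (binascii.Error, ValueError):
            pass  # looked like a prefix but is not Base64: treat as plaintext
    return PLAINTEXT_KEY_ID, value


def parse_generalized_time(text: str) -> datetime:
    """Parse the Directory string timestamp used in ms-MCS-AdmPwdHistory,
    e.g. 20140929233650.0Z, as a UTC datetime."""
    return datetime.strptime(text, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)


@dataclass
class PwdInfo:
    """Mirror of the PDS PwdInfo class (names in snake_case)."""
    valid_since: datetime
    valid_until: Optional[datetime]  # None for the most recent entry
    password: str                    # plaintext, or Base64 ciphertext
    key_id: int


def parse_history(values: List[str]) -> List[PwdInfo]:
    """Turn the multi-valued ms-MCS-AdmPwdHistory attribute into PwdInfo
    records ordered oldest first. Each entry is
    "<timestamp>: <value of ms-MCS-AdmPwd>"; LDAP returns the values in no
    particular order, so they are sorted by timestamp here."""
    parsed = []
    for raw in values:
        timestamp, sep, rest = raw.partition(": ")
        if not sep:
            raise ValueError(f"malformed history entry: {raw!r}")
        key_id, payload = parse_adm_pwd(rest)
        parsed.append((parse_generalized_time(timestamp), payload, key_id))
    parsed.sort(key=lambda entry: entry[0])

    history = []
    for index, (since, payload, key_id) in enumerate(parsed):
        # Assumption: a password stays valid until the next one was reported.
        until = parsed[index + 1][0] if index + 1 < len(parsed) else None
        history.append(PwdInfo(since, until, payload, key_id))
    return history


# Constructed sample data (not real ciphertext), deliberately out of order.
SAMPLE_BLOB = base64.b64encode(b"constructed ciphertext").decode()
SAMPLE_HISTORY = [
    f"20141029101500.0Z: 2: {SAMPLE_BLOB}",   # encrypted with key 2
    f"20140929233650.0Z: 1: {SAMPLE_BLOB}",   # encrypted with key 1
    "20140830120000.0Z: Plain#Text9",         # stored before encryption was enabled
]

if __name__ == "__main__":
    for entry in parse_history(SAMPLE_HISTORY):
        print(entry)
```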
6.4.2.2 Local admin password reset
Upon successful password reset, PDS returns DN of computer on which the reset was performed.
ComputerName parameter in request accepts either computer name or DN of computer object
in AD.
ForestDnsName parameter specifies name of forest, domain or DC to contact when looking for
computer account
Call to this method is audited.
ResetAdminPasswordResponse ResetAdminPassword(ResetAdminPasswordRequest);
public class ResetAdminPasswordRequest
{
public string ComputerName;
public DateTime WhenEffective;
public string ForestDnsName = string.Empty;
}
public class ResetAdminPasswordResponse : ServiceResponse
{
public string ComputerDN;
}
6.4.2.3 Key pair creation
Service accepts GenerateKeyPair() calls only from user in KeyAdmin role (see 6.4.3 for details).
Upon successful completion, service returns ID of new key pair and public key part of newly
created key pair
KeySize parameter in request accepts only values allowed by service config file (see 6.4.3 for
details).
Call to this method is audited.
GenerateKeyPairResponse GenerateKeyPair(GenerateKeyPairRequest);
public class GenerateKeyPairRequest
{
public int KeySize;
}
public class GenerateKeyPairResponse : ServiceResponse
{
public UInt32 KeyId;
public string PublicKey;
}
6.4.2.4 Key admin role detection
This is a helper method that allows the caller to find out whether or not it is granted the KeyAdmin
role in PDS. Used by Web UI to decide whether or not to render the Key Admin UI to the user.
Call to this method is not audited.
IsKeyAdminResponse IsKeyAdmin();
public class IsKeyAdminResponse : ServiceResponse
{
public bool IsKeyAdmin;
}
6.4.2.5 Retrieval of public key
Used to retrieve public key part of existing key pair. Returned public key is Base64 encoded,
ready to be put into GPO and distributed to clients.
Call to this method is not audited.
GetPublicKeyResponse GetPublicKey(GetPublicKeyRequest);
public class GetPublicKeyRequest
{
public UInt32 KeyId;
}
public class GetPublicKeyResponse : ServiceResponse
{
public UInt32 KeyId;
public string PublicKey;
}
6.4.2.6 Retrieval of all available public keys
Used to retrieve the public key part of all existing key pairs. Returned public keys are Base64
encoded, ready to be put into GPO and distributed to clients.
Used by Web UI.
Call to this method is not audited.
GetPublicKeysResponse GetPublicKeys(GetPublicKeysRequest);
public class GetPublicKeysRequest
{
}
public class GetPublicKeysResponse : ServiceResponse
{
public Dictionary<UInt32, string> PublicKeys;
}
6.4.2.7 Supported key sizes
Used to retrieve list of key sizes supported by PDS.
Call to this method is not audited.
GetSupportedKeySizesResponse GetSupportedKeySizes();
public class GetSupportedKeySizesResponse : ServiceResponse
{
public int[] KeySize;
}
6.4.2.8 Key Admin role name
Used to retrieve name of AD group that implements Key Admin role.
Call to this method is not audited.
GetKeyAdminsRoleNameResponse GetKeyAdminsRoleName();
public class GetKeyAdminsRoleNameResponse : ServiceResponse
{
public string KeyAdminRoleName;
}
6.4.3 Configuration
Configuration of service is maintained in AdmPwd.Service.exe.config file.
Service recognizes 2 configuration sections in the configuration file:
<section name="PDS" type="AdmPwd.Service.Config.PDS, AdmPwd.Service" />
<section name="KeyStore" type="AdmPwd.Service.KeyStore.Config.KeyStoreConfig, AdmPwd.Service" />
Details for format and configuration parameters for each configuration section are specified in
paragraphs below.
6.4.3.1 PDS
PDS parameters are configured by configuration section as shown in sample below:
<PDS>
  <Dns>
    <Autodiscovery UnregisterOnShutdown="true" RegistrationInterval="86400"
                   Priority="100" Weight="100" TTL="1200">
      <DomainsToPublish>
        <add domain="root.mydomain.com"/>
        <add domain="root.mydomain2.com"/>
      </DomainsToPublish>
    </Autodiscovery>
  </Dns>
  <KeyStore assembly="AdmPwd.Service"
            typeName="AdmPwd.Service.KeyStore.FileSystemKeyStore"/>
  <AccessControl DontHonorFullControlPermission="true"/>
  <KeyAdmin role="Enterprise Admins"/>
</PDS>
Parameters:
Dns – Autodiscovery – UnregisterOnShutdown
  Meaning: Whether or not PDS unregisters its own DNS SRV record during service shutdown
  Note: Optional parameter. Default: true
Dns – Autodiscovery – RegistrationInterval
  Meaning: Interval for DNS SRV record refresh, in seconds. PDS automatically refreshes its own
  SRV record to prevent expiration
  Note: Optional parameter. Default: 86400 (1 day). Setting to 0 disables SRV record refresh
Dns – Autodiscovery – Priority
  Meaning: Priority of SRV record being created by instance of PDS
  (see http://www.ietf.org/rfc/rfc2782.txt for more info)
  Note: Optional parameter. Default: 100
Dns – Autodiscovery – Weight
  Meaning: Weight of SRV record being created by instance of PDS
  Note: Optional parameter. Default: 100. Client tools delivered as part of solution ignore
  weight of SRV records – thus do not perform load balancing
Dns – Autodiscovery – TTL
  Meaning: TTL of registered SRV record, in seconds
  Note: Optional parameter. Default: 1200 (20 minutes)
Dns – Autodiscovery – DomainsToPublish
  Meaning: List of domains PDS registers its SRV records in
  Note: Optional parameter. Each domain specified by own <add domain=[domainName] /> record.
  If missing or no domain specified, PDS registers SRV record in own domain only
KeyStore – assembly
  Meaning: Name of assembly containing implementation of KeyStore
  Note: Solution supports implementation of own KeyStore. Registration of assembly
  implementing KeyStore is provided in this part of configuration. Solution comes with
  implementation of default KeyStore that stores keys in filesystem of PDS server
KeyStore – typeName
  Meaning: Full name of type exported from assembly implementing KeyStore
AccessControl – DontHonorFullControlPermission
  Meaning: Whether or not to honor Full Control permission on computer object when performing
  authorization checks for password reads and resets. When set to FALSE, users who have Full
  Control permission on computer objects can read and reset local admin password even when
  they are not given explicit permissions as specified in 6.3.2
  Note: Optional parameter. Default: true (Full Control right does NOT give permission to
  read/reset local admin password)
KeyAdmin – role
  Meaning: Name of AD group implementing Key Admin role
  Note: Optional parameter. Default: Enterprise Admins. Best practice is to enter role name in
  Domain\Group format
6.4.3.2 KeyStore
Keystore parameters are configured by configuration section below:
<KeyStore path="CryptoKeyStorage" pathType="Relative" FavorOAEP="true">
<SupportedKeySizes>
<add value="1024"/>
<add value="2048"/>
<add value="3072"/>
<add value="4096"/>
</SupportedKeySizes>
</KeyStore>
path
  Meaning: Location of folder that contains files with RSA key pairs
  Note: Optional parameter. Default: CryptoKeyStorage. Shall not contain trailing backslash

pathType
  Meaning: Descriptor of meaning of path value
  Note: Optional parameter. Default: Relative. Possible values are:
    - Absolute: path contains absolute path
    - Relative: path contains relative path to installation folder of PDS

favorOAEP
  Meaning: Whether PDS shall consider PKCS or OAEP padding when decrypting password
  Note: This is for compatibility with older versions. Since version 7.1.0.0, client side has been using OAEP padding for password encryption; earlier versions used PKCS padding

SupportedKeySizes
  Meaning: List of key sizes offered by PDS for new keys
  Note: Accepts values as specified for CALG_RSA_KEYX (see http://msdn.microsoft.com/en-us/library/windows/desktop/aa387690(v=vs.85).aspx for more info). Each key size is specified by its own <add value=[value] /> record. Default: 1024, 2048, 3072 and 4096 bits. 1024-bit RSA keys no longer meet current guidance for new keys; consider restricting the list to 2048 bits and above.
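The following is an added example, not code from the solution, illustrating what the favorOAEP setting is about: a client older than 7.1.0.0 encrypts the password with PKCS#1 v1.5 padding, a current client with OAEP, and a server that decrypts with the wrong padding fails. The key pair, the two "clients" and the fallback order are constructed for this example; whether PDS itself falls back to the other padding is not stated in this specification. Runs in Windows PowerShell (RSACryptoServiceProvider is Windows-only).

```powershell
# Constructed PDS key pair; the public half is what a client would obtain (e.g. via Get-AdmPwdPublicKey).
$serverKey = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$publicKey = $serverKey.ExportParameters($false)

function Protect-AdmPassword {
    # Client side: encrypt a new local admin password with the PDS public key.
    # $UseOaep = $true is what clients do since 7.1.0.0, $false is the pre-7.1 PKCS#1 v1.5 padding.
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [System.Security.Cryptography.RSAParameters] $PublicKey,
        [Parameter(Mandatory)] [bool] $UseOaep
    )
    $rsa = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.ImportParameters($PublicKey)
    $rsa.Encrypt([System.Text.Encoding]::UTF8.GetBytes($Password), $UseOaep)
}

function Unprotect-AdmPassword {
    # Server side: try the favoured padding first, then the other one for blobs from older clients.
    # A wrong padding surfaces as CryptographicException; with PKCS#1 v1.5 there is a negligible chance
    # that a foreign blob passes the padding check and yields garbage, which is one reason OAEP is favoured.
    param(
        [Parameter(Mandatory)] [byte[]] $Blob,
        [Parameter(Mandatory)] [System.Security.Cryptography.RSACryptoServiceProvider] $PrivateKey,
        [Parameter(Mandatory)] [bool] $FavorOaep
    )
    $order = if ($FavorOaep) { @($true, $false) } else { @($false, $true) }
    foreach ($oaep in $order) {
        try {
            return [System.Text.Encoding]::UTF8.GetString($PrivateKey.Decrypt($Blob, $oaep))
        }
        catch [System.Security.Cryptography.CryptographicException] {
            # padding mismatch: fall through to the other padding
        }
    }
    throw 'Blob does not decrypt with either OAEP or PKCS#1 v1.5 padding'
}

# Constructed traffic from an old and a new client.
$oldClientBlob = Protect-AdmPassword -Password 'pw-from-v7.0-client' -PublicKey $publicKey -UseOaep $false
$newClientBlob = Protect-AdmPassword -Password 'pw-from-v7.1-client' -PublicKey $publicKey -UseOaep $true

# Server configured like favorOAEP="true": OAEP blob decrypts on the first attempt,
# the PKCS#1 blob only after the fallback.
Unprotect-AdmPassword -Blob $newClientBlob -PrivateKey $serverKey -FavorOaep $true
Unprotect-AdmPassword -Blob $oldClientBlob -PrivateKey $serverKey -FavorOaep $true

# A server that only accepts OAEP rejects the old client's blob outright.
try   { $serverKey.Decrypt($oldClientBlob, $true) | Out-Null }
catch { "OAEP-only decrypt of a PKCS#1 blob failed: $($_.Exception.GetType().Name)" }
```

Keeping the PKCS#1 path reachable is the compatibility trade-off the table describes; once no pre-7.1.0.0 clients remain, nothing needs the older padding.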
6.4.4 Logging
PDS records its activity into dedicated Windows log: Application and Service logs\LAPS Password Decryption Service.
Events logged by PDS fall into 2 categories:
- Operational
- Audit
Below is specification of events for each category.
6.4.4.1 Operational
Each event is listed as ID, Severity: Description, followed by a comment where the original table has one.

ID 100, Success: Service started
ID 101, Success: Service stopped
ID 102, Success: Autodiscover record updated
  Logged every time PDS successfully updates its DNS SRV record
ID 102, Error: Failed to update Autodiscover record. Error: %1
  Logged in case that PDS fails to update its DNS SRV record. Error contains error data from low-level DNS API
ID 103, Success: Autodiscover record removed
  Logged when PDS removes its DNS SRV record. Only happens when SrvRecordUnregisterOnShutdown parameter is set to TRUE
ID 103, Error: Failed to remove Autodiscover record. Error: %1
  Logged in case that PDS fails to remove its DNS SRV record
ID 104, Information: Registering autodiscover SRV record with following: Domain: %1 Host: %2 Port: %3 Priority: %4 Weight: %5 TTL: %6
  Logged before registration of DNS SRV record. Shows parameters of SRV record being registered
ID 105, Warning: Expiration time exists but password empty. This typically happens when service does not have properly configured permissions in AD. Please verify configuration and if needed, fix permissions via Set-AdmPwdServiceAccountPermission cmdlet. Computer: %1 User: %2
  Logged in case that service detects that response for local admin password retrieval contains timestamp of password expiration, but not a password itself. This is to notify administrator of solution that PDS may not have enough permissions to read password from AD
ID 106, Success: Key pair loaded. Id: %1
  Logged when PDS loads key pair
ID 106, Warning: Public key not found for private key. Server will still be able to decrypt passwords encrypted by public key, however you should consider key replacement. Id: %1
  Logged when PDS finds private key without corresponding public key in key store
ID 107, Warning: File based keystore does not exist. No keys will be loaded. Keystore folder: %1
  Logged when configuration of PDS points to non-existing folder for file system based keystore
ID 108, Error: Error during Autodiscover registration/unregistration. Error: %1
  Logged when PDS fails to register or unregister SRV record due to invalid configuration (such as when TTL of record in config file is not a number)
6.4.4.2 Audit
ID 1000, Informational: Admin password retrieved. Forest: %1 Computer: %2 User: %3
ID 1000, Warning: Failed to retrieve admin password. Forest: %1 Computer: %2 User: %3 Error: %4
  Including scenario when user requesting the password retrieval does not have permission granted
ID 1001, Informational: Admin password reset. Forest: %1 Computer: %2 User: %3 Expiration time: %4
  Expiration time contains expiration time specified by user in request. For immediate expiration, current time is sent.
ID 1001, Warning: Failed to reset admin password. Forest: %1 Computer: %2 User: %3 Error: %4
  Including scenario when user requesting the password reset does not have permission granted
ID 1002, Informational: Key pair generated. User: %1 KeyID: %2
ID 1002, Warning: Failed to generate key pair. User: %1 Error: %2
  Including scenario when user requesting key pair generation is not member of Key Admin role
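The audit category above is the data a SOC actually wants from PDS: every read and reset is attributed to a user and a computer, and denied requests arrive as Warning events. The following is an added example, not code from the solution, that turns these events into per-user findings so repeated denials (a user probing for computers they are not delegated to) stand out. Assumptions not stated in the specification: the message body carries the fields as "Name: value" lines in the order shown in the table, and the log is readable with Get-WinEvent under the name LAPS Password Decryption Service. The sample records at the bottom are constructed so the script runs offline.

```powershell
$actionById = @{ 1000 = 'PasswordRead'; 1001 = 'PasswordReset'; 1002 = 'KeyPairGenerate' }

function ConvertFrom-PdsAuditEvent {
    # One audit record (Id, LevelDisplayName, TimeCreated, Message) -> flat object with the
    # Forest/Computer/User/Error fields pulled out of the message body.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $fields = @{}
        foreach ($line in ($Record.Message -split "`r?`n")) {
            if ($line -match '^\s*(Forest|Computer|User|Error|Expiration time|KeyID)\s*:\s*(.*)$') {
                $fields[$Matches[1]] = $Matches[2].Trim()
            }
        }
        [pscustomobject]@{
            Time     = $Record.TimeCreated
            Id       = $Record.Id
            Action   = $actionById[[int]$Record.Id]
            Failed   = ($Record.LevelDisplayName -eq 'Warning')   # per 6.4.4.2, failures are logged as Warning
            Forest   = $fields['Forest']
            Computer = $fields['Computer']
            User     = $fields['User']
            Error    = $fields['Error']
        }
    }
}

function Get-PdsAuditFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $FailureThreshold = 3    # denied requests per user before the user is flagged for review
    )
    # Only the audit IDs; operational events (100-108) are ignored here.
    $events = $Records | Where-Object { $_.Id -in 1000, 1001, 1002 } | ConvertFrom-PdsAuditEvent
    foreach ($group in ($events | Group-Object -Property User)) {
        $failed = @($group.Group | Where-Object Failed)
        [pscustomobject]@{
            User            = $group.Name
            Reads           = @($group.Group | Where-Object { $_.Action -eq 'PasswordRead'    -and -not $_.Failed }).Count
            Resets          = @($group.Group | Where-Object { $_.Action -eq 'PasswordReset'   -and -not $_.Failed }).Count
            KeyPairs        = @($group.Group | Where-Object { $_.Action -eq 'KeyPairGenerate' -and -not $_.Failed }).Count
            Denied          = $failed.Count
            DeniedComputers = ($failed | Select-Object -ExpandProperty Computer -Unique) -join ', '
            Flag            = if ($failed.Count -ge $FailureThreshold) { 'REVIEW: repeated denied requests' } else { '' }
        }
    }
}

# --- constructed sample records (same shape as Get-WinEvent output) ---
$sampleRecords = @(
    [pscustomobject]@{ Id = 1000; LevelDisplayName = 'Information'; TimeCreated = [datetime]'2016-01-04 08:00'
                       Message = "Admin password retrieved.`r`nForest: corp.example`r`nComputer: WS001`r`nUser: CORP\helpdesk1" }
    [pscustomobject]@{ Id = 1000; LevelDisplayName = 'Warning';     TimeCreated = [datetime]'2016-01-04 08:01'
                       Message = "Failed to retrieve admin password.`r`nForest: corp.example`r`nComputer: DC01`r`nUser: CORP\jdoe`r`nError: Access denied" }
    [pscustomobject]@{ Id = 1000; LevelDisplayName = 'Warning';     TimeCreated = [datetime]'2016-01-04 08:02'
                       Message = "Failed to retrieve admin password.`r`nForest: corp.example`r`nComputer: FS01`r`nUser: CORP\jdoe`r`nError: Access denied" }
    [pscustomobject]@{ Id = 1001; LevelDisplayName = 'Warning';     TimeCreated = [datetime]'2016-01-04 08:03'
                       Message = "Failed to reset admin password.`r`nForest: corp.example`r`nComputer: WS002`r`nUser: CORP\jdoe`r`nError: Access denied" }
    [pscustomobject]@{ Id = 1002; LevelDisplayName = 'Information'; TimeCreated = [datetime]'2016-01-04 09:00'
                       Message = "Key pair generated.`r`nUser: CORP\keyadmin`r`nKeyID: 3" }
    [pscustomobject]@{ Id = 101;  LevelDisplayName = 'Information'; TimeCreated = [datetime]'2016-01-04 09:30'
                       Message = "Service stopped" }
)

Get-PdsAuditFindings -Records $sampleRecords | Format-Table -AutoSize

# Against a live PDS host (log name assumed from the path given in 6.4.4):
# Get-PdsAuditFindings -Records (Get-WinEvent -LogName 'LAPS Password Decryption Service') | Format-Table -AutoSize
```

With the sample data, CORP\jdoe is flagged: three denied requests across three different computers, which is the pattern of someone enumerating delegation rather than a single mistyped computer name.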
6.4.5 Autodiscovery
PDS registers autodiscover SRV record in DNS. Record helps client tools to locate instance of PDS
service. Service is supported to be running in multiple instances; each instance maintains own
SRV record.
Clients use SRV record to discover instances of PDS as follows:
-
At startup, client performs query for SRV record _admpwd._tcp.<domain>
o
-
<domain> is client‘s domain
Client orders SRV records from DNS server response in ascending order by Priority to get
o
For each request for PDS, client gets the connection to the instance of PDS
o
Before connection is used, it is verified that instance of PDS behind the connection
is responding
o
If PDS instance is not responding, connection is marked as unavailable and client
tries to use next connection in the list. If not responding, client marks it as
unavailable and tries to connect to next service in the list, etc…
o
As long as there is at least 1 service connection marked as available in the list,
client uses it.
o
When there are no services in the list marked as available, client performs full
discovery of available services (via DNS query for PDS SRV records) and throws
exception informing upper layers of application logic that there were no services
available
Page 43
o
After receiving the exception, upper layers of application logic will decide how to
continue. When decision is to retry the request, fresh list of discovered instances is
used
Decision flow is depicted on flowchart below.
[Flowchart: Application startup -> Discover PDS instances from DNS -> Order instances by priority -> Wait for next request for PDS -> Request to PDS -> Get first available instance from the list -> Is instance alive? Yes: Use the instance to fulfill the request; No: Mark instance as unavailable -> Was it last available instance? No: Get next available instance (loop back to the liveness check); Yes: list exhausted, handled as described in the last two bullets above]
By default, an instance of PD service maintains SRV record in its own AD domain only. This means that autodiscover record needs to be created in every domain that hosts machines with client tools installed (not managed computers). This can be achieved by one of the following:
- Host PDS service in every domain that contains machines with client tools
- In domain that does not have instance of PDS and contains machines with client tools, create SRV record manually and point it to instance of PDS in different domain
- List the additional domains in the Dns – Autodiscovery – DomainsToPublish parameter of PDS configuration (6.4.3), so that the instance registers its SRV record there itself
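The following is an added example, not code from the LAPS Enterprise solution: a client-side implementation of the discovery and failover procedure described above, useful for checking what the management tools will see from a given domain. Assumptions not stated in the specification: a PDS instance counts as alive when its TCP port accepts a connection, and the port is 61184 as in the sample config in 6.4.6. The DNS records and probe results at the bottom are constructed so the example runs offline; drop the -Resolver and -Probe arguments to use real DNS and a real TCP probe.

```powershell
function Update-PdsInstanceList {
    # Full discovery: query _admpwd._tcp.<domain> and order by Priority, lowest first (RFC 2782).
    # Weight is ignored by the solution, so records with equal priority keep the order DNS returned.
    param([Parameter(Mandatory)] [hashtable] $Client)
    $records = & $Client.Resolver "_admpwd._tcp.$($Client.Domain)"
    $Client.Instances = @($records | Sort-Object -Property Priority | ForEach-Object {
        [pscustomobject]@{ Host = $_.NameTarget; Port = $_.Port; Priority = $_.Priority; Available = $true }
    })
    if ($Client.Instances.Count -eq 0) { throw "No PDS SRV record found for $($Client.Domain)" }
}

function New-PdsClient {
    param(
        [Parameter(Mandatory)] [string] $Domain,   # the client's own AD domain
        [scriptblock] $Resolver = { param($name) Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' } },
        [scriptblock] $Probe    = { param($i) (Test-NetConnection -ComputerName $i.Host -Port $i.Port -WarningAction SilentlyContinue).TcpTestSucceeded }
    )
    $client = @{ Domain = $Domain; Resolver = $Resolver; Probe = $Probe; Instances = @() }
    Update-PdsInstanceList -Client $client
    return $client
}

function Invoke-PdsRequest {
    # Walk the ordered list: the first available instance that answers the probe serves the request;
    # instances that do not answer are marked unavailable so later requests skip them. When the list
    # is exhausted, rediscover from DNS and throw, leaving the retry decision to the caller.
    param(
        [Parameter(Mandatory)] [hashtable]   $Client,
        [Parameter(Mandatory)] [scriptblock] $Request    # param($instance); performs the actual call
    )
    foreach ($instance in $Client.Instances) {
        if (-not $instance.Available) { continue }
        if (& $Client.Probe $instance) { return (& $Request $instance) }
        $instance.Available = $false
    }
    Update-PdsInstanceList -Client $Client
    throw "No PDS instance in $($Client.Domain) is responding; instance list refreshed, caller may retry"
}

# --- constructed data: three SRV records, pds1 (priority 10) is down ---
$fakeDns = { param($name)
    @(
        [pscustomobject]@{ Type = 'SRV'; NameTarget = 'pds2.corp.example'; Port = 61184; Priority = 20; Weight = 0 }
        [pscustomobject]@{ Type = 'SRV'; NameTarget = 'pds1.corp.example'; Port = 61184; Priority = 10; Weight = 0 }
        [pscustomobject]@{ Type = 'SRV'; NameTarget = 'pds3.corp.example'; Port = 61184; Priority = 10; Weight = 0 }
    )
}
$fakeProbe = { param($i) $i.Host -ne 'pds1.corp.example' }

$client = New-PdsClient -Domain 'corp.example' -Resolver $fakeDns -Probe $fakeProbe
Invoke-PdsRequest -Client $client -Request { param($i) "password request sent to $($i.Host):$($i.Port)" }
$client.Instances | Format-Table -Property Host, Priority, Available -AutoSize
```

With the constructed records the first request is served by pds3 (same priority as pds1, which failed its probe); pds1 stays marked unavailable in the client's list, and pds2 (priority 20) is only reached once every priority-10 instance is down.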
6.4.6 Service account
Default service account for PDS is NETWORK SERVICE. In this configuration service uses SPN
HOST/<hostDnsName>.
It is however supported to run the service under domain account. To do so service SPN must be
changed and registered with domain account. Change must be performed on both service side
(all running instances) and client side.
To change service identity on server side, change <identity> in AdmPwd.Service.exe.config
from <dns> to <servicePrincipalName> as shown below:
<service behaviorConfiguration="AdmPwdService.ServiceBehavior"
name="AdmPwd.Service.AdmPwdSvc">
<endpoint address="" binding="netTcpBinding"
name="NetTcpEndpoint" contract="AdmPwd.Service.IAdmPwdSvc">
<identity>
<servicePrincipalName value = "SVC/AdmPwd" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexTcpBinding" bindingConfiguration=""
name="MexTcpEndpoint" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:61184/AdmPwdService" />
</baseAddresses>
</host>
</service>
Important: content of the config file is case sensitive. Please make sure you use the case as
shown in sample above when making changes
Change of service account on server side must be supported by configuration of management
tools side as well. In default configuration, management tools expect that service uses SPN
HOST/<hostDnsName>. In configuration with domain account, management tools need to use
service specific SPN SVC/AdmPwd when calling PDS.
This change of configuration of management tools can be done via registry using GPO as
specified in paragraph 6.6.1
Checklist for changing from NETWORK SERVICE account to domain account:
- Create account for service (service account) in domain
- Register SPN SVC/AdmPwd on service account
- Grant service account Modify permission to CryptoKeyStorage folder
- Grant service account PDS permission on AD via Set-AdmPwdServiceAccountPermission PowerShell cmdlet
- Grant service account permission to read/write SRV record in DNS
- Configure Group Policy "PDS service runs using domain account" to Enabled and apply it to machines that are running management tools. This includes all machines that are running at least one of the following:
  o PowerShell module
  o Fat client UI
  o Web UI
- Set domain account as logon identity of PDS Win32 service and restart the service
Important: All installed PDS instances must use the same identity
Note: If using Web Portal, changes are needed in configuration of KCD (Kerberos constrained delegation) when identity of PDS service account is changed
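The following is an added example, not part of the LAPS Enterprise solution, that scripts the checklist above for one PDS host and adds the checks an operator wants: that SVC/AdmPwd is not already registered elsewhere (a duplicate SPN makes Kerberos authentication to PDS fail or land on the wrong service) and that the service identity really changed. Assumed inputs, not from the specification: the service account name, and that the PDS Win32 service is the one whose binary is AdmPwd.Service.exe. The DNS permission step and the call to Set-AdmPwdServiceAccountPermission (whose parameters are documented in the module's own help) are left as comments. Run elevated on the PDS host with the ActiveDirectory module available.

```powershell
$ServiceAccount = 'CORP\svc-admpwd'                                         # assumption
$Spn            = 'SVC/AdmPwd'                                               # fixed SPN from 6.4.6
$KeyStore       = Join-Path $env:ProgramFiles 'AdmPwd\Svc\CryptoKeyStorage'  # default location from 6.5.2

Import-Module ActiveDirectory -ErrorAction Stop
$sam = $ServiceAccount.Split('\')[-1]

# 1. Register SVC/AdmPwd, refusing to continue if another principal already owns it.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName
if ($owner -and $owner.sAMAccountName -ne $sam) {
    throw "SPN $Spn is already registered on $($owner.DistinguishedName); a duplicate SPN breaks Kerberos to PDS"
}
if (-not $owner) { Set-ADUser -Identity $sam -ServicePrincipalNames @{ Add = $Spn } }

# 2. Modify on CryptoKeyStorage so PDS can keep maintaining key pairs there (inherits to files and subfolders).
$acl  = Get-Acl -Path $KeyStore
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $ServiceAccount, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyStore -AclObject $acl

# 3. AD permissions for PDS: Set-AdmPwdServiceAccountPermission (run Get-Help on it for the parameters).
# 4. DNS: grant $ServiceAccount write access to the _admpwd._tcp SRV record in the zone (DNS manager / dnscmd).

# 5. Switch the Win32 service's logon identity and restart it. The service name is not stated in the
#    specification, so locate it by its binary. The account also needs the "Log on as a service" right.
$svc = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -like '*AdmPwd.Service.exe*' }
if (-not $svc) { throw 'No service running AdmPwd.Service.exe was found on this host' }
$cred   = Get-Credential -UserName $ServiceAccount -Message 'PDS service account password'
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $ServiceAccount
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with return code $($result.ReturnValue)" }
Restart-Service -Name $svc.Name

# 6. Verify; repeat on every PDS instance, since all of them must run under the same identity.
(Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'").StartName

# 7. On each machine running the PowerShell module, fat client or web UI, the policy
#    "PDS service runs using domain account" sets UseSharedSPN=1 (see 6.6.1). To check the effective value:
# (Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft Services\AdmPwd' -Name UseSharedSPN).UseSharedSPN
```

Until step 7 is in place on a management host, that host keeps requesting a HOST/<hostDnsName> ticket and its calls to PDS fail after the identity change, which is the most common symptom of a half-completed migration.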
6.5 Installer
MSI installer is designed to install the following components:
- CSE (installed by default)
- PDS
- Management tools:
  o PowerShell module
  o Fat client UI
  o ADMX templates for GPO editor
Specifics are described in paragraphs below.
6.5.1 CSE
Installs client side GPO extension that maintains password of local admin account. CSE is installed to %ProgramFiles%\AdmPwd\CSE folder.
In addition, during CSE installation, the following actions can be performed:
- Creation of custom local admin account
  o Account receives cryptographically random, complex password 16 characters long, and is made member of local Administrators group
  o Installer performs this action when value of property CUSTOMADMINNAME is set to value other than "__null__"
  o Value can be passed from command line, or via MST file created by tool of choice (such as Orca; see http://msdn.microsoft.com/en-us/library/aa370557(v=vs.85).aspx for details)
  o Example of command line that installs CSE and creates custom local admin account:
    msiexec /i /q AdmPwd.Setup.Adv.x64.msi CUSTOMADMINNAME=CustomAdmin
- Reset password of built-in local admin account
  o Account receives cryptographically random, 16 characters long, complex password
  o Installer performs this action when value of property PROTECTBUILTINADMIN is set to "true"
6.5.2 PDS
Installs Password Decryption service. Service is installed to %ProgramFiles%\AdmPwd\Svc folder.
When installing PDS, the following actions are performed:
- Windows Firewall exception is created, allowing AdmPwd.Service.exe to open endpoint
- Subfolder CryptoKeyStorage is created under %ProgramFiles%\AdmPwd\Svc folder, and PDS service account (NETWORK SERVICE) receives read/write permission to this folder
  o This is necessary so that PDS can maintain key pairs in this folder
- Registration of event message file for service with EventLog service
Unattended setup of PDS can be achieved by the following command line:
Msiexec /i /q AdmPwd.Setup.Adv.<platform>.msi ADDLOCAL=Svc
Note: The command line above uninstalls CSE if it is already installed. When you want to install PDS and CSE together, use the following command line instead:
Msiexec /i /q AdmPwd.Setup.Adv.<platform>.msi ADDLOCAL=CSE,Svc
Note: During uninstallation, installer does NOT remove any key pairs contained in CryptoKeyStorage folder
6.5.3 PowerShell module
PowerShell module name is AdmPwd.PS. It's installed to $pshome\Modules\AdmPwd.PS folder.
Module is compiled for use with .NET Framework 4.0. Module is however compatible with .NET Framework 2.0 as well. In case that it needs to be run on machine with only .NET Framework 2.0 installed, a custom powershell.exe.config needs to be created, if not already present, containing the following config section:
<?xml version="1.0"?>
<configuration>
<startup useLegacyV2RuntimeActivationPolicy="true">
<supportedRuntime version="v4.0.30319"/>
<supportedRuntime version="v2.0.50727"/>
</startup>
</configuration>
Unattended setup of PowerShell module can be achieved by the following command line:
Msiexec /i /q AdmPwd.Setup.Adv.<platform>.msi ADDLOCAL=Management.PS
6.5.4 Fat client UI
Fat client UI is installed to %ProgramFiles%\AdmPwd.
Unattended setup of Fat client can be achieved by the following command line:
Msiexec /i /q AdmPwd.Setup.Adv.<platform>.msi ADDLOCAL=Management.UI
Fat client supports running from network share; to do so, all files contained in install folder
(without subfolders) need to be copied to network share.
6.5.5 ADMX templates
ADMX templates are installed to %SystemRoot%\PolicyDefinitions folder. Only English US language version of template is delivered as a part of the solution.
In case that organization uses Centralized ADMX template store (see https://support.microsoft.com/kb/929841 for details), templates need to be copied to the central store manually, namely the following files:
- LAPS.E.admx
- en-us\LAPS.E.adml
ADMX templates deliver the following new UI to Computer part configuration of Administrative Templates GPO:
- AdmPwd: root container for configuration settings
  o Managed clients: configuration settings for managed clients
  o Administrative tools: configuration settings for management tools
Unattended setup of ADMX templates can be achieved by the following command line:
Msiexec /i /q AdmPwd.Setup.Adv.<platform>.msi ADDLOCAL=Management.ADMX
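The following is an added example, not part of the LAPS Enterprise solution, that performs the unattended installations from 6.5.2 to 6.5.5 and the manual Central Store copy from 6.5.5 with the checks an operator wants: MSI exit codes (0 and 3010 are the only successes), the ADMX/ADML files actually present before copying, and the Central Store copy verified by hash. Assumptions not from the specification: the MSI path and that the Central Store follows the usual \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions layout. Feature names are the ADDLOCAL values given above.

```powershell
function Install-AdmPwdFeatures {
    param(
        [Parameter(Mandatory)] [string]   $MsiPath,
        # Complete set of features to end up installed, e.g. 'CSE','Svc'. As 6.5.2 notes, ADDLOCAL=Svc
        # alone removes an already installed CSE, so always pass the full intended set.
        [Parameter(Mandatory)] [string[]] $Features,
        [string] $LogPath = (Join-Path $env:TEMP 'AdmPwd.Setup.log')
    )
    if (-not (Test-Path -Path $MsiPath)) { throw "MSI not found: $MsiPath" }
    # /qn is the fully quiet form of the /q switch used in the command lines above.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/l*v', "`"$LogPath`"", "ADDLOCAL=$($Features -join ',')")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'Installed, reboot required' }
        default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
    }
}

function Copy-AdmPwdAdmxToCentralStore {
    param(
        [string] $Domain = $env:USERDNSDOMAIN,
        [string] $Source = (Join-Path $env:SystemRoot 'PolicyDefinitions')   # where the MSI puts the templates
    )
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (-not (Test-Path -Path $store)) { throw "No Central Store at $store; GPO editor will use local templates" }
    foreach ($relative in 'LAPS.E.admx', 'en-US\LAPS.E.adml') {
        $src = Join-Path -Path $Source -ChildPath $relative
        $dst = Join-Path -Path $store  -ChildPath $relative
        if (-not (Test-Path -Path $src)) { throw "$src is missing; install the Management.ADMX feature first" }
        New-Item -ItemType Directory -Path (Split-Path -Path $dst) -Force | Out-Null
        Copy-Item -Path $src -Destination $dst -Force
        # A stale or partial copy is how the GPO editor ends up showing the wrong LAPS settings.
        if ((Get-FileHash -Path $src).Hash -ne (Get-FileHash -Path $dst).Hash) {
            throw "Copy of $relative to the Central Store did not verify"
        }
    }
    return $store
}

# PDS host: service together with CSE (Svc alone would remove an existing CSE).
# Install-AdmPwdFeatures -MsiPath 'C:\Install\AdmPwd.Setup.Adv.x64.msi' -Features 'CSE', 'Svc'
# Management workstation: module, UI and templates, then publish the templates to the domain.
# Install-AdmPwdFeatures -MsiPath 'C:\Install\AdmPwd.Setup.Adv.x64.msi' -Features 'Management.PS', 'Management.UI', 'Management.ADMX'
# Copy-AdmPwdAdmxToCentralStore
```

The verbose MSI log written by /l*v is what to read when msiexec returns anything other than 0 or 3010; the exit code alone rarely says which custom action failed.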
6.6 Management tools
6.6.1 Configuration
Management tools do not require specific configuration to be able to communicate with PDS; PDS is automatically discovered using discovery process as described in 6.4.5.
However, there may be deployment scenarios that require configuration of management tools.
Management tools are configurable via configuration values stored in the following registry path:
HKLM\Software\Policies\Microsoft Services\AdmPwd
Currently the following configuration values are supported:

UseSharedSPN (REG_DWORD)
  Setting to non-zero causes management tools to use SPN SVC/AdmPwd when communicating with PDS. When set to zero or not present at all, management tools use SPN HOST/<ComputerDnsName> when communicating with the service.
  Managed by policy "PDS service runs using domain account"

SupportedForests (REG_MULTI_SZ)
  List of forests shown in Fat client UI and Web UI.
  Managed by policy "AD forests shown in management tools"

Note: In GPO UI, all configuration settings related to configuration of management tools are located under Computer configuration/Administrative Templates/LAPS Enterprise/Administrative Tools path
6.6.2 PowerShell module
PowerShell module implements cmdlets as specified below. Each entry gives the cmdlet, its description, and what it communicates with together with the permission needed.

Update-AdmPwdADSchema
  Creates new attributes in AD schema and adds them to mayContain set of computer class. Creates extended rights in configuration partition and makes them applied to computer class.
  Communicates with Active Directory. Needs Enterprise Admin and Schema Admin permission.

Get-AdmPwdPassword
  Retrieves password of local admin account for given computer, optionally with password history.
  Communicates with PDS. Needs Read Local Admin Password permission. Audited by PDS.

Reset-AdmPwdPassword
  Requests reset of password of local admin account for given computer.
  Communicates with PDS. Needs Reset Local Admin Password permission. Audited by PDS.

Set-AdmPwdSelfPermission
  Delegates permission to manage password of own local admin account to managed computers.
  Communicates with Active Directory. Needs Write Permissions permission on target container.

Set-AdmPwdServiceAccountPermission
  Delegates permission to interact with AD to service account of PDS.
  Communicates with Active Directory. Needs Write Permissions permission on target container.

Set-AdmPwdReadPasswordPermission
  Delegates permission to read local admin password.
  Communicates with Active Directory. Needs Write Permissions permission on target container.

Set-AdmPwdResetPasswordPermission
  Delegates permission to reset local admin password.
  Communicates with Active Directory. Needs Write Permissions permission on target container.

Update-AdmPwdPasswordHistory
  Maintains (trims) password history record for given computer based on given criteria.
  Communicates with Active Directory. Needs Read/Write + CONTROL_ACCESS permission on computer object.

New-AdmPwdKeyPair
  Generates new key pair in PDS.
  Communicates with PDS. Needs Key Admin role in PDS. Audited by PDS.

Get-AdmPwdPublicKey
  Retrieves public part of key pair with given ID from PDS.
  Communicates with PDS. No special permission needed. Not audited.

Get-AdmPwdKeySize
  Gets list of supported key sizes from PDS.
  Communicates with PDS. No special permission needed. Not audited.

Get-AdmPwdKeyAdminRoleName
  Gets the name of AD group implementing Key Admin role.
  Communicates with PDS. No special permission needed. Not audited.

Note: For usage of PowerShell commands, refer to cmdlet help that comes with PowerShell module (Get-Help <name of cmdlet>)
7 Delivery
Delivery consists of the following components:
- MSI installer for x86 and amd64 platform
- CSE binary compiled in Visual C++ 2013, for x86 and amd64 platforms
  o CSE is embedded in MSI installer
  o Linked with static runtime library, so it's not necessary to distribute Visual C++ Redistributable to managed machines
- ADMX template for GPO configuration
  o Embedded in MSI installer
- Binary for PowerShell module AdmPwd.PS for management of solution, and related files
  o Module and related files are embedded in MSI installer
- Binary for PDS
  o Embedded in MSI installer
- Web portal ready for deployment, with related files
  o Delivered as separate ZIP archive
  o Ready for copy/paste deployment to IIS