Welcome to WebLAPS documentation!¶
WebLAPS is a web application that helps to secure a Windows environment in which MS LAPS is deployed. MS LAPS is an effective tool for automatic rotation of the built-in Administrator password. However, if one of the user accounts used to read LAPS passwords (for example a help desk account) is compromised, every computer could be compromised! LAPS Portal was created to reduce this risk and to provide a convenient way of accessing LAPS passwords.
WebLAPS can also be used to implement the just-in-time administration (JITA) approach recommended by Microsoft, in which system administrator accounts are added to privileged groups for a defined period of time and removed automatically afterwards.
WebLAPS has an agent that can manage local user accounts on computers that are not domain joined. The agent can also create a managed user automatically, rotate its password and control its membership in defined groups.
WebLAPS has mobile clients for Android and iOS devices that deliver passwords to the mobile device in a secure way. The mobile client also allows logging in to LAPS Portal by confirming an authentication request delivered by push notification.
WebLAPS is written in Java and can be used on any operating system that supports Java 1.8. LAPS Portal includes all necessary components and does not require additional software such as a web server or database engine. Several LAPS Portal nodes can be joined into a cluster to operate in high availability mode; in that case you will need a load balancer and an external database engine.
WebLAPS uses Active Directory user accounts and groups for access control. To increase the security of passwords managed by LAPS, authentication with one-time passwords was implemented. Currently the following 2FA connectors are implemented:
- RADIUS
- LinOTP
- FortiAuthenticator
- Duo
- Built-in TOTP provider which does not require any external system
Security controls implemented in WebLAPS
- 2FA or OTP-only authentication
- password encryption by LAPS.E or AdmPwd.E is supported
- customizable CAPTCHA to prevent brute-force attacks
- configurable maximum number of requests per second to authentication methods
- configurable maximum number of requests per second to LAPS password access, to prevent automatic export of LAPS managed passwords
- access to Active Directory via LDAP over SSL
- all secrets are stored in encrypted form
- CSRF protection
- the user access token is bound to the IP address of the successful authentication. The access token has a configurable time limit
- ability to schedule LAPS password backups in encrypted form in case of AD unavailability
- audit of access to passwords managed by LAPS. LAPS logs can be exported in CEF format to an external system via syslog
Working with LAPS Portal¶
LAPS Passwords access¶
After a successful login you can get the password of a computer. You can search by computer name or IP address. If you use an IP address, LAPS Portal performs a reverse DNS lookup to determine the computer name.

You can mark a computer as a favorite to save time during the next search. LAPS Portal also saves the search history (computer names only).

Quick launch buttons¶
Warning
Quick launch buttons use ActiveX, so they are supported only in Internet Explorer.
Create command templates in My Profile -> Commands. Here you can set command patterns that pass the computer name and password to any command that can process them. For example, to quickly launch the DameWare remote admin tool you can use the following pattern:
"c:\program Files\DameWare Mini Remote Control 11.0 x64\dwrcc.exe" -c: -h: -a:1 -m:%pc% -u:Administrator -p:%pwd%

Templates support the following parameters:
- %pc% - computer name
- %pwd% - password
- %copypwd% - copy the password to the clipboard (the parameter is removed from the command template after copying)
After command templates are configured, a quick launch button is shown in the LAPS password viewer.
Just-in-time administration (JITA)¶
Just-in-time administration (JITA) is an approach for minimizing the privileged account attack vector in a security strategy, combined with a precise definition of assigned authorizations. Every time an eligible user needs to perform a task that requires membership in privileged groups, they enable that membership for a defined period of time. The membership expires after the specified period, so a malicious user cannot steal the access.
After a successful login you can see the JITA roles available to you in the “JITA” part of the portal.

In the “My roles” panel you can start, stop or extend an active JITA session. In the start session dialog you need to set a duration, which must be less than the maximum allowed TTL defined in the role’s configuration, and a justification describing the reason.

Active JITA sessions of the authenticated user are shown in the “My active sessions” panel. There you can stop or prolong an active JITA session.

LAPS Portal mobile application¶
LAPS Portal has a mobile client that works on Android and iOS devices. Main features of the LAPS mobile client:
- secure access to passwords managed by MS LAPS: in addition to TLS encryption, all passwords are additionally encrypted with AES using a unique device key per user. This device key is generated during the device enrollment process and stored securely on the mobile device. On iOS the key is stored directly in the Keychain. On Android the key itself is encrypted with a random 256-bit AES master key, which in turn is encrypted with a device-generated RSA key (RSA/ECB/PKCS1Padding) from the Android KeyStore. The combination of the encrypted RSA(AES(master key)) and AES(device key) is stored in SharedPreferences.
- PIN protection. If the device has a fingerprint scanner, the application uses it automatically
- ability to get LAPS passwords in a convenient and secure way using a mobile device
- ability to set a new password expiration date
- login to LAPS Portal by confirming a push notification
LAPS mobile application enrollment¶
There are two ways to start using the LAPS mobile application:
- Go to Profile settings -> Mobile, press “Enroll mobile device” and scan the generated QR code with the mobile device


- Enter the External Portal URL configured at Administration->Communications->Mobile into the URL field of the mobile device, then fill in username, password and OTP

LAPS mobile application usage¶
- Enter your PIN or use your fingerprint to log in to LAPS Mobile

- Enter the computer name and press the find button

WebLAPS agent¶
WebLAPS agent is used to manage passwords of local users and to control membership in local groups. It can run on domain joined or non domain joined computers.
WebLAPS agent installation¶
Before you begin, make sure that MS .NET Framework 4.5.1 is installed.
You can install WebLAPS agent from the command line:
msiexec /i WebLAPSInstaller.msi /quiet /norestart SERVERURL=<serverurl> JOINKEY=<joinkey>
Parameter | Example | Description |
---|---|---|
SERVERURL | https://weblapspublic.host;https://weblapsprivate.host | WebLAPS server URL. You can set multiple URLs delimited with “;” if you want to perform password rotation on remote computers outside the corporate network. WebLAPS agent will select the first available server. If you use a reverse proxy, you can publish only the URLs used by the agent with the mask /api/computers/remote/* so that no other functionality is available from the Internet. |
JOINKEY | superSECRETkey1 | key validated once by WebLAPS during the initial connection. |
NOSSLCHECK | 1 | disable server certificate validation |
GROUPID | bc96b2b6-ab66-4592-be0a-2dfcfe317e58 | You can set the computer container ID manually; the agent uses it to get its policy. Otherwise distribution rules are used to determine the container |
WebLAPS agent policy¶
Go to Administration -> Computers -> Policies, select a computer container and press the “Add new” button. You can configure multiple policies that apply to the same computer container. Policies are inherited from all parent containers.

A WebLAPS agent policy is applied to the specified local user account. WebLAPS agent can create the managed user automatically if it does not exist. For automatic password rotation select the Manage password checkbox and set “Password age”. You can automatically remove all users from a defined group except the approved ones. Multiple approved users can be specified delimited with “;”. For a domain user use the following format: domain\login.
To view the resulting settings for a container, go to Administration -> Computers -> Container Details and select a computer container.

WebLAPS agent access management¶
Go to Administration->Computers -> Access Groups and set up mappings from user groups to computer containers. You must use distinguished names of groups. Members of the group will be able to get passwords managed by WebLAPS agent in the container and its sub containers. If you have multiple policies for several managed users in one container, you can additionally restrict the managed users whose passwords are accessible by filling in the Allow access only to following subjects parameter.

Additionally, you can grant access to a particular computer only to a user or a group (group nesting is not supported) by editing the computer object. This mechanism is not connected with the access control subsystem based on groups and containers.

Installation Prerequisites¶
Prior to installing WebLAPS, the following requirements must be met:
- Install Java JRE or JDK version 1.8
- Check that the java executable is on your system PATH. The following command must return no errors:
java -version
If any error occurs, fix your Java installation: https://www.java.com/en/download/help/path.xml
- Make sure that the network connection is open on port 636 (LDAPS) from the WebLAPS host to the domain controllers
- Make sure that LDAPS is configured on your domain controllers. LAPS stores passwords in a special confidential attribute which is accessible only via a secured connection. https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
- Prepare a service user in AD and grant it permissions to read and reset passwords.
- Export the certificate of the CA that signed the LDAPS certificate
- Import the CA certificate on mobile devices if you want to use the LAPS mobile app and you use your own CA to issue the certificate for the WebLAPS server.
Installation in Unix¶
Installation is pretty simple; the only thing you need is Java JRE 1.8.
Install Java JRE or JDK version 1.8
Create a local user “laps” – this user will be used to run the portal service:
useradd laps --shell /sbin/nologin --no-create-home
Create a working directory for LAPS WebPortal and extract the distribution:
mkdir /opt/laps
unzip /tmp/laps.zip -d /opt/laps
Change the owner of the directory and set correct access rights:
chown -R laps:laps /opt/laps
chmod -R u=rx,g=rx,o-rwx /opt/laps
chmod u+w /opt/laps/wrapper/tmp
chmod u+w /opt/laps/logs
chmod u+w /opt/laps/conf
chmod u+w /opt/laps/keystore
If the java executable is not on PATH, set the correct path to the java executable in /opt/laps/wrapper/conf/wrapper.conf:
wrapper.java.command = path_to_java_executable
Install the LAPS portal service. A new service “laps” will be created:
/opt/laps/wrapper/sh/installDaemon.sh
systemctl daemon-reload
Run the service:
service laps start
Open https://host:8443 in a browser
Installation in Windows¶
Installation is pretty simple; the only thing you need is Java JRE 1.8.
Create a local user “laps” – this user will be used to run the portal service.
Allow user “laps” to run as a service:
gpedit.msc -> Local Policy -> User Rights Assignment -> Log on as a service: add user "laps"
Create the directory C:\laps\ and extract the distribution.
Change the directory owner and set appropriate access rights: user “laps” must have read and write access; other users except administrators must not have access to the directory.
If java.exe is not on %PATH%, set the correct path to the java executable in the file C:\laps\wrapper\conf\wrapper.conf. Use “/” as the file path separator:
wrapper.java.command = path_to_java_exe
Install the LAPS portal service. A new service “laps” will be created:
C:\laps\wrapper\bat\installService.bat
If you have your own license file, copy it to C:\laps\_conf\license.txt. The default distribution includes a community license file.
Run the service:
net start laps
Open https://host:8443 in a browser
LAPS Portal administration¶
Accessing admin console¶
Right after the initial setup LAPS Portal uses port 8443; open LAPS Portal in your browser at https://host:8443. Select built-in authorization and log in with admin/admin.

Warning
Change the default password in the profile settings menu

Active Directory integration¶
Go to Administration->Communications->LDAP and set up the following settings:
- bind user account which has access rights to read the attribute ms-Mcs-AdmPwd and modify ms-Mcs-AdmPwdExpirationTime
- FQDN names of the AD servers (several servers may be set, divided by “;”)
Warning
ms-Mcs-AdmPwd is a special attribute that can be accessed only via LDAP over SSL, which is why IP addresses cannot be used
- Base OU for searching computers, users and groups
- Attribute of a computer object that may contain a user or a group (group nesting is not supported) allowed to get the LAPS password of that computer. This mechanism is not connected with the access control subsystem based on groups and containers

You can enable scheduled password rotation for the bind user

Certificates¶
Go to Administration->Communications->Certificates and import the AD servers' certificate and the CA certificates (the whole certificate chain must be imported). For other integrations that use SSL/TLS, such as the LinOTP HTTP API, FortiAuthenticator and others, do not forget to import their certificates as well. LAPS Portal supports X.509 DER encoded certificates.
After a fresh install LAPS Portal generates a self-signed certificate with the alias “jetty”. To replace the self-signed certificate:
- In Administration -> Communications -> Certificates press the “Generate CSR” button, enter the DNS name of the host where LAPS Portal is located and save the generated certificate signing request file.
- Generate a certificate signed by an external CA using the generated CSR file
- Import the CA’s certificate
- Import the certificate signed by the CA, using the DNS name of the server as the alias
- Add the string parameter “jetty_cert_alias” to the engine.conf file with the certificate alias as its value
- Restart LAPS Portal
Warning
After importing certificates do not forget to restart LAPS Portal
Access rights for LAPS¶
Go to Administration->Security->LAPS Groups and set up mappings from user groups to OUs. You must use distinguished names of groups and OUs. Members of the group will be able to get LAPS passwords of computers in the OU and its sub OUs.

It is possible to import a CSV file with group-to-OU mappings; the file must be in the following format:
name of element;group DN;OU DN
for example:
Boston;CN=LAPS_Boston,OU=Groups,DC=domain,DC=com;OU=Boston,OU=Computers,DC=domain,DC=com
Import the file
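A pre-import check for the mapping file format above, written as an added example for this page (it is not part of WebLAPS). The sample file is constructed from the Boston line plus three faulty rows; the DN splitter is deliberately simple and does not handle escaped commas inside RDN values.

```python
import re
from typing import List, Tuple

# One RDN such as "CN=LAPS_Boston" or "OU=Computers". Escaped commas inside
# values (e.g. "CN=Smith\, John") are not handled by this simple splitter.
RDN_RE = re.compile(r"^(CN|OU|DC)=[^,=]+$", re.IGNORECASE)

# Constructed sample file: the page's Boston example plus three faulty rows.
SAMPLE_MAPPING_CSV = """\
Boston;CN=LAPS_Boston,OU=Groups,DC=domain,DC=com;OU=Boston,OU=Computers,DC=domain,DC=com
Broken;CN=LAPS_X,OU=Groups,DC=domain,DC=com
NotAGroup;OU=Groups,DC=domain,DC=com;OU=Boston,OU=Computers,DC=domain,DC=com
Boston again;cn=laps_boston,ou=groups,dc=domain,dc=com;ou=boston,ou=computers,dc=domain,dc=com
"""


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a distinguished name into (type, value) pairs, leaf RDN first."""
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not RDN_RE.match(rdn):
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        typ, val = rdn.split("=", 1)
        parts.append((typ.upper(), val))
    return parts


def validate_mapping_csv(text: str) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (accepted rows, error messages) for the contents of a mapping file."""
    rows: List[Tuple[str, str, str]] = []
    errors: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # skip blank lines
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 3:
            errors.append(f"line {lineno}: expected 3 fields, got {len(fields)}")
            continue
        name, group_dn, ou_dn = fields
        if not name:
            errors.append(f"line {lineno}: empty element name")
            continue
        try:
            group = parse_dn(group_dn)
            ou = parse_dn(ou_dn)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        # A group is a CN= object; the OU side must be an OU or a container (CN=).
        if group[0][0] != "CN":
            errors.append(f"line {lineno}: group DN must start with CN=")
            continue
        if ou[0][0] not in ("OU", "CN"):
            errors.append(f"line {lineno}: OU DN must start with OU= or CN=")
            continue
        key = (group_dn.lower(), ou_dn.lower())  # DNs are case-insensitive
        if key in seen:
            errors.append(f"line {lineno}: duplicate mapping of group to OU")
            continue
        seen.add(key)
        rows.append((name, group_dn, ou_dn))
    return rows, errors


if __name__ == "__main__":
    ok, bad = validate_mapping_csv(SAMPLE_MAPPING_CSV)
    print(f"{len(ok)} mapping(s) accepted, {len(bad)} rejected")
    for msg in bad:
        print(" ", msg)
```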

JITA Roles¶
The Just-in-time administration (JITA) module activates privileged roles (membership in defined AD groups) for an authorized user for a finite amount of time. With this approach, system administrator accounts are added to a privileged group or set of groups only after 2FA verification during portal login.
JITA roles are configured at Administration->Security->LAPS Groups. Each JITA role consists of a role name, a short description, the distinguished name of the role group that grants access to the role, the maximum TTL of role membership after which the user account is automatically removed from the privileged groups, and the set of privileged groups.
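A small model of the JITA session rules described in this section and in "Just-in-time administration (JITA)" above, added as an example (not WebLAPS code): eligibility via the role group, a required justification, a duration capped by the role's maximum TTL, prolonging and stopping, and automatic removal from the privileged groups on expiry. AD membership is simulated as an in-memory dictionary; the assumption that a prolonged session's total lifetime still stays within the maximum TTL is this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class JitaRole:
    name: str
    role_group_dn: str            # members of this group may activate the role
    max_ttl: int                  # maximum session lifetime in seconds
    privileged_groups: List[str]  # groups the user is added to while the session is active


@dataclass
class JitaSession:
    user: str
    role: JitaRole
    started: float
    expires: float
    justification: str


class JitaManager:
    """Tracks JITA sessions and a simulated AD membership (user -> set of group DNs)."""

    def __init__(self, roles: Dict[str, JitaRole], membership: Dict[str, Set[str]]):
        self.roles = roles
        self.membership = membership
        self.sessions: Dict[Tuple[str, str], JitaSession] = {}

    def start(self, user: str, role_name: str, duration: int, justification: str, now: float) -> JitaSession:
        role = self.roles[role_name]
        if role.role_group_dn not in self.membership.get(user, set()):
            raise PermissionError(f"{user} is not eligible for role {role_name}")
        if not justification.strip():
            raise ValueError("a justification is required")
        if not 0 < duration <= role.max_ttl:
            raise ValueError(f"duration must be between 1 and {role.max_ttl} seconds")
        session = JitaSession(user, role, now, now + duration, justification)
        self.sessions[(user, role_name)] = session
        self.membership.setdefault(user, set()).update(role.privileged_groups)
        return session

    def extend(self, user: str, role_name: str, extra: int, now: float) -> float:
        """Prolong a session; assumption: total lifetime since start stays within max_ttl."""
        s = self.sessions[(user, role_name)]
        if s.expires <= now:
            raise ValueError("session already expired; start a new one")
        s.expires = min(s.expires + extra, s.started + s.role.max_ttl)
        return s.expires

    def stop(self, user: str, role_name: str) -> None:
        s = self.sessions.pop((user, role_name))
        # Keep groups that another still-active session of the same user also grants.
        still_needed: Set[str] = set()
        for (u, _), other in self.sessions.items():
            if u == user:
                still_needed.update(other.role.privileged_groups)
        self.membership[user].difference_update(set(s.role.privileged_groups) - still_needed)

    def expire(self, now: float) -> List[Tuple[str, str]]:
        """Remove every session whose TTL has elapsed (what the portal's scheduler does)."""
        ended = [key for key, s in self.sessions.items() if s.expires <= now]
        for key in ended:
            self.stop(*key)
        return ended
```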

Authentication setup¶
Go to Administration->Security->Authentication and set up the authentication parameters:
- Whether a password check is required for internal LAPS Portal users. If you switch off this requirement you must enable one-time password (OTP) validation for this type of users!
- Whether a password check is required for Active Directory users. Switching it off can be recommended if LAPS Portal is used from an untrusted environment, to eliminate the risk of password theft. If you switch off this requirement you must enable one-time password (OTP) validation for this type of users!
- Whether OTP validation is required for AD users
- Whether OTP validation is required for users stored in LAPS Portal
- Type of OTP provider:
  - linotp provider is used for integration with LinOTP via its HTTP API. You must set up the LinOTP validation URL
  - radius provider. You must configure the address, shared secret and authentication type: chap, mschap, pap, peap, eap-md5, eap-tls, eap-mschap
  - fortiauth provider for integration with FortiAuthenticator
  - duo provider for integration with Duo
  - totp provider, which is built into LAPS Portal. Use this provider if you have no OTP system in your environment and want to enable two-factor authentication for LAPS Portal. With this provider you will need a mobile application such as FreeOTP, Google Authenticator, etc.
- CAPTCHA generation requirements: CAPTCHA alphabet and the number of unsuccessful login attempts after which a CAPTCHA is required
- Account lockout policy: account lockout threshold (number of unsuccessful login attempts) after which the user is unable to log in for a defined period of time

LAPS passwords expiration¶
Go to Administration->Security->Extra and configure automatic LAPS password rotation. After any user accesses ms-Mcs-AdmPwd, LAPS Portal modifies the ms-Mcs-AdmPwdExpirationTime attribute. You can also configure the maximum allowed difference between the current time and the value a LAPS Portal user can set in the expire field. If you have more than one domain controller, you can force modification of the ms-Mcs-AdmPwdExpirationTime attribute on all configured domain controllers. Optionally you can add a timeout between attempts to get passwords. This timeout prevents rapid retrieval of passwords. It is not applied to API access via tokens, described below.

LAPS Portal API and tokens¶
If you have external systems, such as Endpoint Detection and Response, which require access to passwords managed by LAPS, you can use the API provided by LAPS Portal. To provide access to the LAPS Portal API you must configure an access token. Each access token can be bound to a specific IP address and additionally restricted by OU.

To get a LAPS password via the API, send a GET request to /passwordbytoken/{pc} and pass the token in the X-Auth cookie:
GET /passwordbytoken/computer123
Content-Type: application/json
Cookie: X-Auth=APITOKEN
LAPS Portal and SIEM integration¶
Go to Administration->Communications->Syslog and set the IP address of the syslog receiver. LAPS Portal sends logs in CEF format via UDP.

LAPS Portal mobile app settings¶
LAPS Portal has a mobile client that works on Android and iOS devices. With the mobile application you can get passwords and log in to LAPS Portal by confirming, on the mobile device, an authentication request delivered by push notification. Go to Administration->Communications->Mobile and configure:
- Enable or disable the mobile features of LAPS Portal
- Sync URL for mobile app - the URL LAPS Portal uses to deliver authentication requests via push notifications. Contact contact@weblaps.pro to get a working URL
- External Portal URL - the URL mobile clients use to work with LAPS Portal. The only endpoint required by the mobile device is /api/mobile/fromdevice. If you do not plan to publish the mobile API to the Internet you can use a URL of the form https://domain.com/api/mobile, and the mobile application will automatically transform it to https://domain.com/api/mobile/fromdevice. If you plan to expose the mobile API to the Internet, it is recommended to use a reverse proxy with URL rewriting that transforms all requests in the following way: https://example.org/8fe6392f5994f2ac193627c3001029e4863d10ea => https://domain.com/api/mobile. You can additionally allow only the POST and OPTIONS methods
- Organization name and password are used by the cloud service to deliver authentication requests via push notifications

LAPS Portal high availability mode¶
High availability mode allows you to join several LAPS Portal nodes into a single cluster and place them behind a load balancer or reverse proxy. Check the following requirements before using LAPS Portal in cluster mode:
- all nodes must use an external database engine
- all nodes must have the same private key in the keystore with the alias “jetty”
- all nodes must use their own certificates issued by a CA, and the CA certificate must be imported into the keystore
- the load balancer must inject an X-Forwarded-For header with the valid source IP address

LAPS.E, AdmPwd.E password encryption¶
If you use password encryption with LAPS.E or AdmPwd.E, the private keys must be imported. Every private key, usually located at c:\Program Files\AdmPwdSrc\CryptoKeyStorage or c:\Program Files\AdmPwd\PDS\CryptoKeyStorage, must be converted from GenericPrivateBlob to PKCS#8 format with the KeyConverter utility.

Next, import the converted private keys at Administration->Security->Extra and activate the Decrypt encrypted passwords (laps.e, AdmPwd.E) checkbox.

Warning
It is important to set the right Key ID, which equals the number at the beginning of the private key’s file name. For a file 1_Key.dat or 1_PrivateKey.dat the Key ID is 1.
Extra settings¶
Go to Administration->Communications->Extra and configure:
- User access token duration (maximum time of user inactivity)

- Some sensitive APIs are protected by an internal DoS filter. You can restrict the maximum number of requests per second to these sensitive APIs related to authentication and password access
- Forwarded customizer is used to extract the source IP address from the X-Forwarded-For header, which carries the client IP address when LAPS Portal is located behind a reverse proxy or a load balancer.
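The two settings that interact here are the token inactivity limit and the forwarded customizer; the high availability section above adds that the load balancer must inject X-Forwarded-For. The following is an added example (not WebLAPS code) of how a deployment behind a proxy should derive the client address and bind an access token to it: the header is honoured only when the TCP peer is a trusted proxy, because otherwise a client could choose the IP its token is bound to. Proxy ranges, times and token handling are constructed for the example.

```python
import hashlib
import ipaddress
import secrets
from typing import Dict, Iterable, Optional, Tuple


def client_ip_from_xff(peer_ip: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """Return the address an access token should be bound to.

    X-Forwarded-For is only honoured when the TCP peer is one of the trusted
    load balancers / reverse proxies. The header is read right to left,
    skipping trusted hops; the first untrusted address is the client.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in trusted)

    if not xff or not is_trusted(peer_ip):
        return peer_ip  # direct connection, or header supplied by an untrusted peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer_ip  # garbage in the header: fall back to the peer
    return hops[0] if hops else peer_ip  # whole chain internal


class TokenStore:
    """In-memory access tokens bound to an IP, with an inactivity limit in seconds."""

    def __init__(self, idle_seconds: int):
        self.idle = idle_seconds
        self._tokens: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (ip, last_seen)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()  # never keep the raw token

    def issue(self, ip: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = (ip, now)
        return token

    def check(self, token: str, ip: str, now: float) -> bool:
        entry = self._tokens.get(self._key(token))
        if entry is None:
            return False
        bound_ip, last_seen = entry
        if now - last_seen > self.idle:
            del self._tokens[self._key(token)]  # idle too long: drop it
            return False
        if bound_ip != ip:
            return False  # presented from an address other than the one it was issued to
        self._tokens[self._key(token)] = (bound_ip, now)  # reset the inactivity timer
        return True
```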

Backup passwords managed by LAPS¶
At Administration->System->Laps Backup you can configure automatic backup of passwords managed by LAPS. The saved passwords can be used in case of AD unavailability. You can configure:
- cron expression
- password used to encrypt the ZIP archive with computer passwords
- base DN of computers
- maximum number of archive files

LAPS Portal maintenance¶
LAPS Portal restarting¶
To restart LAPS Portal you can use:
on Unix systems:
service laps restart
on Windows systems:
open services.msc and restart the laps service
via the LAPS Portal GUI: go to Administration -> System -> Service and press the “Restart” button
Log files¶
LAPS Portal creates the following log files:
- logs/laps*.log
- logs/wrapper.log
You can view LAPS Portal logs in Administration -> System -> Log(File): select a log file and press the “Search” button

engine.conf file¶
The file conf/engine.conf is a JSON file that contains the basic configuration options:
Option | Value type | Description |
---|---|---|
basepath | string | path to the directory where LAPS Portal is located. This parameter is filled in automatically by LAPS Portal itself |
init_completed | boolean | flag which is set to true after the first launch, when default settings are configured |
sslport | int | port used by LAPS Portal to serve TLS connections |
keystore_pass | string | password for the Java key storage file |
jetty_cert_alias | string | alias of the certificate which will be used by the TLS engine |
jdbc_driver | string | JDBC driver for the database management system used by LAPS Portal |
db_host | string | database host |
db_port | int | database port |
db | string | database name |
db_username | string | database user |
db_password | string | database password |
LAPS Portal backup¶
To be able to restore LAPS Portal you should back up the following files:
- conf/engine.conf (in case you modified the default network port)
- conf/confdb.db – internal SQLite database which contains settings and event logs
- conf/license.txt - license activation file
- keystore/keystore.jks – certificate store
- backups/laps/* - backup files with passwords of computers managed by LAPS
- wrapper/conf/wrapper.conf – service/daemon configuration
- bin/log4j.properties – log level properties
Admin password reset¶
If you forget the admin password you can reset it in the following way:
- on Windows systems, in the wrapper/bat directory run:
runConsole.bat resetpass
- on Unix systems, in the wrapper/sh directory run:
./runConsole.sh resetpass
Errors¶
AcceptSecurityContext¶
The AcceptSecurityContext error can appear while establishing a connection to Active Directory:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
For error code 49 the reason is shown in the data field:
data field code | description |
---|---|
525 | User not found |
52e | Wrong password |
530 | not allowed to login at this time |
531 | no access right to login to this computer |
532 | password expired |
533 | user account disabled |
701 | user account expired |
773 | password reset is required |
775 | user account is locked |
SSLHandshakeException¶
javax.naming.CommunicationException with javax.net.ssl.SSLHandshakeException indicates that LAPS Portal could not validate the certificate chain during the SSL/TLS handshake. In case of the following error:
javax.naming.CommunicationException: simple bind failed: server.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
check whether the whole certificate chain has been imported into LAPS Portal. After importing certificates do not forget to restart the LAPS Portal service.
If this error appears during communication with AD controllers, you should also check how many certificates with the Server Authentication purpose the domain controller has. Normally an AD controller should have one personal certificate with the Server Authentication purpose. According to https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx: “You should be planning on having only one certificate on each LDAP server (i.e. domain controller or AD LDS computer) with the purpose of Server Authentication. If you have legitimate reasons for using more than one, you may end up having certificate selection issues, which is discussed further in the Active Directory Domain Services Certificate Storage.” As a workaround, import all certificates with the Server Authentication purpose into LAPS Portal.
SocketException¶
java.net.SocketException indicates that LAPS Portal is unable to establish a TCP connection to the domain controller. It can be caused by a local or network firewall, problems with DNS resolution, or LDAPS not being configured on the domain controller. In case of the following error:
Error connectiong to LDAP javax.naming.CommunicationException: ad.domain.com:636 [Root exception is java.net.SocketException: Connection reset]
check that you can connect on port 636 from the host where WebLAPS is installed to the domain controller. You can do it with the telnet command:
telnet domain.controller.host 636
where domain.controller.host is the domain controller FQDN. Check the following article to make sure that LDAP over SSL is properly configured on your domain controller: https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
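The three LDAP failure modes described in the AcceptSecurityContext, SSLHandshakeException and SocketException sections can be recognised mechanically. The following triage script is an added example (not WebLAPS code): it matches the messages quoted in those sections, decodes the error 49 data field with the table above and returns the matching remediation hint. The sample log is constructed from the page's messages with invented timestamps.

```python
import re
from typing import List, Optional, Tuple

# Sub-codes carried in the "data" field of LDAP error 49 (table in the AcceptSecurityContext section)
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "wrong password",
    "530": "not allowed to log in at this time",
    "531": "no access right to log in to this computer",
    "532": "password expired",
    "533": "user account disabled",
    "701": "user account expired",
    "773": "password reset is required",
    "775": "user account is locked",
}

ERROR49_RE = re.compile(r"LDAP: error code 49 .*?AcceptSecurityContext error, data ([0-9a-f]+)", re.I)
TLS_RE = re.compile(r"SSLHandshakeException.*?(PKIX path building failed|unable to find valid certification path)", re.I)
SOCKET_RE = re.compile(r"(\S+):636 \[Root exception is java\.net\.SocketException: ([^\]]+)\]")

# Constructed sample of lines as they could appear in logs/laps*.log (messages taken from this page)
SAMPLE_LOG = """\
2020-05-21 17:58:41 INFO  LDAP connection established ad.domain.com:636
2020-05-21 17:58:42 ERROR [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
2020-05-21 17:58:43 ERROR javax.naming.CommunicationException: simple bind failed: server.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
2020-05-21 17:58:44 ERROR Error connectiong to LDAP javax.naming.CommunicationException: ad.domain.com:636 [Root exception is java.net.SocketException: Connection reset]
"""


def triage_ldap_error(line: str) -> Optional[Tuple[str, str]]:
    """Return (category, remediation hint) for a known LDAP error line, or None if it is not one."""
    m = ERROR49_RE.search(line)
    if m:
        code = m.group(1).lower()
        reason = AD_BIND_DATA_CODES.get(code, f"unknown data code {code}")
        return "bind_failed", f"AD rejected the bind user: {reason}"
    if TLS_RE.search(line):
        return "tls_chain", "certificate chain not trusted: import the whole CA chain and restart LAPS Portal"
    m = SOCKET_RE.search(line)
    if m:
        host, reason = m.group(1), m.group(2).strip()
        return "tcp_unreachable", f"no TCP connection to {host}:636 ({reason}): check firewall, DNS and LDAPS on the DC"
    return None


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Run the triage over every line; returns (line number, category, hint) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        result = triage_ldap_error(line)
        if result:
            hits.append((lineno, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for lineno, category, hint in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {category}: {hint}")
```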
Unable to start service¶
The WebLAPS service crashes and log/wrapper.log contains the following lines:
INFO|wrapper|Service laps|20-05-21 17:58:41|could not start process 57
INFO|wrapper|Service laps|20-05-21 17:58:41|The parameter is incorrect.
INFO|wrapper|Service laps|20-05-21 17:58:41|null/null/null
SEVERE|wrapper|Service laps|20-05-21 17:58:41|failed to spawn wrapped process
Check that java.exe is on the system path. If there is more than one JRE, edit wrapper\conf\wrapper.conf, find the following line
wrapper.java.command = ${ if ("${os.name}".toLowerCase().startsWith("windows")) "java.exe"; else "java"}
and comment it out with ‘#’. Then set wrapper.java.command to the right path to java.exe like this (replace with the correct path to java.exe):
wrapper.java.command = c:/Program Files/Java/jre1.8.0_251/bin/java.exe