Secure Password Management with Local Administrator Password Solution (LAPS) for Windows and Linux

A recent analysis of over 1.8 million passwords revealed that “admin” as a password tops the list, with over 40,000 entries. As IT admins, you'd think complex, secure passwords would be the norm, right? Surprisingly, local administrator passwords are often just as predictable as those of end-users. Add in classics like "password" or "admin123" and it’s practically inviting trouble to your network. 

Weak passwords make it far too easy for hackers. If a cybercriminal gains access to a local admin account with a predictable password, they can move across multiple systems within a network, especially when the same password is reused across devices. Relying on manual password management only increases the chances of human error or oversight, leaving networks even more vulnerable.

Efficient password management is critical and this is where SureMDM Local Administrator Password Solution (LAPS) comes in. It takes the headache out of managing local admin account passwords and ensures your account is secure and compliant. 

In this blog, we’ll dive into what SureMDM LAPS does, its standout features, and why it’s a game-changer for IT teams.

Local Administrator Password Solution (LAPS) Explained

LAPS ensures that each device’s local administrator account password is unique, complex, and regularly rotated by utilizing a combination of automated policies and encrypted storage. Passwords are generated dynamically based on predefined complexity rules, stored securely in the SureMDM web console. 

These passwords are then automatically updated either after each use or at regular intervals, ensuring that no static or shared password exists. This eliminates risks associated with shared passwords across multiple devices, prevents unauthorized access, and aids in audit compliance. 

Key Features of SureMDM LAPS

Automatic Password Rotation

• Passwords can be automatically rotated at set intervals (e.g., daily, weekly, or monthly).
• ‘Rotate Password Upon Use’ option to ensure that passwords are reset immediately after use.

Local Admin Account Addition

• Add local administrator accounts directly via SureMDM, including creating new admin accounts if they don’t already exist on a device.
• Many organizations usually rename the default admin account from “Administrator” to a custom name for security reasons. With SureMDM LAPS, you have the option to easily add default admin accounts for Windows devices.
• SureMDM can easily track such accounts, ensuring seamless management even if default admin account names vary across devices.

Password Complexity Options

• Admins can configure passwords to be simple, medium, or complex, depending on organizational requirements.
• Complex passwords include uppercase, lowercase, numbers, and special characters for enhanced security.

Audit Reports

• The ‘SureMDM LAPS Report’ captures essential details such as account names, types, associated groups, and password, including last modified dates. 
• Helps identify anomalies, such as unexpected password resets or unauthorized access attempts.

Access Control

• Role-based access ensures that only authorized personnel can view or manage passwords.
• Superusers and designated admins can configure LAPS, while others are restricted to viewing specific reports or actions.

Visibility and Management

• Admins can view LAPS configurations and associated passwords directly in the SureMDM console. It also shows the date and time the password was last modified.

Online LAPS

Online LAPS ensures password rotation happens only when a device is online and connected to the SureMDM server. This is a lifesaver for scenarios where devices stay offline for a while. Imagine a device is set to rotate passwords daily but stays offline for seven days—by the time it reconnects, you’d have seven password resets, and no way to access the device if you need to troubleshoot any issue as the current password is unknown. 

With Online LAPS, password rotation only kicks in when the device is online, so admins always have the current password when they need it. This feature strikes a balance between maintaining robust security and ensuring practical accessibility for IT admins.

This is how SureMDM LAPS would look in your SureMDM Web console.

Benefits of SureMDM LAPS

• Enhanced Security: By ensuring unique passwords for every device and rotating them regularly, LAPS minimizes the risk of unauthorized access.
• Simplified Troubleshooting: IT admins can temporarily share passwords for troubleshooting, knowing they’ll be rotated automatically afterward.
• Compliance Ready: Detailed audit trails and password reports simplify compliance with regulatory requirements.
• User-Friendly: SureMDM’s intuitive console makes configuring and managing LAPS straightforward.

Real-World Scenarios

1. Mitigating Insider Threats:
   • If an IT admin leaves the organization, the LAPS configuration ensures their knowledge of past passwords becomes irrelevant, as passwords are rotated automatically.
2. Preventing Data Breaches:
   • In the event of a lost or stolen device, the built-in password rotation mechanism ensures that the compromised password becomes invalid, safeguarding sensitive data.
3. Simplified Troubleshooting:
   • Temporary passwords can be shared with team members for troubleshooting. These passwords are reset automatically after use, reducing potential misuse.

SureMDM Local Administrator Password Solution is currently supported on Windows and Linux devices. Available for all SureMDM Premium and Enterprise customers.

Note: SureMDM LAPS is supported on Windows devices with SureMDM Agent version >=6.07.0 and Linux devices with SureMDM Agent version >=7.12.6

Conclusion

SureMDM LAPS offers IT admins a powerful way to manage local admin passwords effortlessly. By automating password rotation, it eliminates the risks of human error, enhances security, and ensures compliance. This automation not only boosts device security but also cuts down on administrative tasks. Explore SureMDM LAPS today and simplify your password management!