Download URL for Microsoft LAPS
Anthony Meluso
Director of Technology
Watchung Hills Regional High School
108 Stirling Rd.
Warren, NJ 07059
908-647-4800 Ext. 4962
Michael B. Smith
I’ve asked a couple of relevant parties. If I get an answer, I’ll let you know.
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ntsysadmin/CAPEMYtG6vNoi5KfdckzOXkOH4z5xZeusdyPHR0Y%2Bo-_DaYweLw%40mail.gmail.com.
Anthony Meluso
Director of Technology
Watchung Hills Regional High School
108 Stirling Rd.
Warren, NJ 07059
908-647-4800 Ext. 4962
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/8db7216ac5f541c09d7e763f9392e005%40smithcons.com.
STOSSE Florian (SAFRAN ELECTRONICS & DEFENSE)
Hello,
It is also provided by the DoD through the DISA STIGs GPO package : https://public.cyber.mil/stigs/gpo/
The « ADMX templates\Microsoft » folder contains the LAPS template (AdmPwd.admx and .adml files), the current Microsoft Security Guide template, and the legacy Security Guide template.
Best regards,
Florian Stosse
Information security engineer
Safran Electronics & Defense | Safran Data Systems | Space & Communication
De : ntsys...@googlegroups.com <ntsys...@googlegroups.com> De la part de Anthony Meluso
Envoyé : vendredi 23 avril 2021 03:23
À : ntsys...@googlegroups.com
Objet : [ntsysadmin] Download URL for Microsoft LAPS
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAPEMYtG6vNoi5KfdckzOXkOH4z5xZeusdyPHR0Y%2Bo-_DaYweLw%40mail.gmail.com.
" Ce courriel et les documents qui lui sont joints peuvent contenir des informations confidentielles, être soumis aux règlementations relatives au contrôle des exportations ou ayant un caractère privé. S'ils ne vous sont pas destinés, nous vous signalons qu'il est strictement interdit de les divulguer, de les reproduire ou d'en utiliser de quelque manière que ce soit le contenu. Toute exportation ou réexportation non autorisée est interdite Si ce message vous a été transmis par erreur, merci d'en informer l'expéditeur et de supprimer immédiatement de votre système informatique ce courriel ainsi que tous les documents qui y sont attachés."
******
" This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system."
#
Anthony Meluso
Director of Technology
Watchung Hills Regional High School
108 Stirling Rd.
Warren, NJ 07059
908-647-4800 Ext. 4962
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/872fd04753344e72b2923de02394c6fa%40Y0032SY.rd1.rf1.
STOSSE Florian (SAFRAN ELECTRONICS & DEFENSE)
Oh, then I found the latest version (v6.2.0) available on GitHub, someone made a backup of it (the x64 version though) :
https://github.com/manuelbachleitner/LAPS/blob/master/LAPS.x64.msi
The file is digitally signed by Microsoft, and its SHA-256 checksum matches the one hardcoded in the Chocolatey LAPS package (https://community.chocolatey.org/packages/laps/6.2.0), so it looks legit to me J
Best regards,
Florian Stosse
Information security engineer
Safran Electronics & Defense | Safran Data Systems | Space & Communication
De : ntsys...@googlegroups.com <ntsys...@googlegroups.com> De la part de Anthony Meluso
Envoyé : vendredi 23 avril 2021 15:14
À : ntsys...@googlegroups.com
Objet : Re: [ntsysadmin] Download URL for Microsoft LAPS
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAPEMYtGkknLN9aSFmfz02HEZJvx%2BJ%2BZC-8u-ZpkjQ9VB%2B6Qntg%40mail.gmail.com.
STOSSE Florian (SAFRAN ELECTRONICS & DEFENSE)
Here is the x86 version : https://github.com/cube0x0/Security-Assessment/blob/b9f40607b97861947d09c4acc8b17e31beb22582/GPO/LAPS/LAPS.x86.msi
Same thing, digitally signed by MSFT, and matches the SHA 256 of Chocolatey. For reference, here is the SHA256 from the Chocolatey install script (the URL are 404 broken, like the KB article you linked):
$url = 'https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x86.msi'
$checksum = '9F0FA541B472C20508973F561B0D7850A7BF779C8459F9E33471083619FD6EDA'
$checksumType = 'sha256'
$url64 = 'https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi'
$checksum64 = 'F63EBBC45E2D080630BD62A195CD225DE734131A56BB7B453C84336E37ABD766'
$checksumType64 = 'sha256'
Best regards,
Florian Stosse
Information security engineer
Safran Electronics & Defense | Safran Data Systems | Space & Communication
De : STOSSE Florian (SAFRAN ELECTRONICS & DEFENSE)
Envoyé : vendredi 23 avril 2021 15:25
À : 'ntsys...@googlegroups.com' <ntsys...@googlegroups.com>
Objet : RE: [ntsysadmin] Download URL for Microsoft LAPS
Oh, then I found the latest version (v6.2.0) available on GitHub, someone made a backup of it (the x64 version though) :
https://github.com/manuelbachleitner/LAPS/blob/master/LAPS.x64.msi
The file is digitally signed by Microsoft, and its SHA-256 checksum matches the one hardcoded in the Chocolatey LAPS package (https://community.chocolatey.org/packages/laps/6.2.0), so it looks legit to me J
Best regards,
Florian Stosse
Information security engineer
Safran Electronics & Defense | Safran Data Systems | Space & Communication
De : ntsys...@googlegroups.com <ntsys...@googlegroups.com> De la part de Anthony Meluso
Envoyé : vendredi 23 avril 2021 15:14
À : ntsys...@googlegroups.com
Objet : Re: [ntsysadmin] Download URL for Microsoft LAPS
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAPEMYtGkknLN9aSFmfz02HEZJvx%2BJ%2BZC-8u-ZpkjQ9VB%2B6Qntg%40mail.gmail.com.
Anthony Meluso
Director of Technology
Watchung Hills Regional High School
108 Stirling Rd.
Warren, NJ 07059
908-647-4800 Ext. 4962
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/46f26d7acbb74620a763153071545250%40Y0032SY.rd1.rf1.
Jim Kennedy
According to my sources it now requires an Azure premium subscription with Intune MDM.
Susan ariving in 3…2…1…..and she is right. Putting basic security needs behind a paywall is insane.
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Anthony Meluso
Sent: Thursday, April 22, 2021 9:23 PM
To: ntsys...@googlegroups.com
--
Melvin Backus
Any idea if that’s also an indication there is a new version of it? That seems to be the historic justification for removal of a previously available free tool.
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
¯\_(ツ)_/¯
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR11MB38210DE8F696325F8354C8E7F6459%40MN2PR11MB3821.namprd11.prod.outlook.com.
Jim Kennedy
Well, this is embarrassing.
My source was kidding me, with sarcasm due to MS doing this on many thing recently. I missed the sarcasm in his message.
So to be clear, disregard my comment that it is behind a paywall. While it might be, I have no information one way or the other.
From: 'Jim Kennedy' via ntsysadmin <ntsys...@googlegroups.com>
Sent: Friday, April 23, 2021 9:40 AM
To: ntsys...@googlegroups.com
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR11MB38210DE8F696325F8354C8E7F6459%40MN2PR11MB3821.namprd11.prod.outlook.com.
Anthony Meluso
Director of Technology
Watchung Hills Regional High School
108 Stirling Rd.
Warren, NJ 07059
908-647-4800 Ext. 4962
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR11MB3821010E7543AA5E58EA53F4F6459%40MN2PR11MB3821.namprd11.prod.outlook.com.
Henry Awad
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/1ADD796D2529E94DB4552E7C1F12A21A017C873EAB%40ATLEXCH03.byers.local.
Michael B. Smith
Make sure you also read the first comment on the article. Which is critically important.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAGaCHK77SDo1O2rQKho3e4oXukCWSyMqzjFLYrU8c7ki5kZwXw%40mail.gmail.com.
Anthony Meluso
Director of Technology
Watchung Hills Regional High School
108 Stirling Rd.
Warren, NJ 07059
908-647-4800 Ext. 4962
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/003c8b763d0f4f58b228f05810b93798%40smithcons.com.
Gabriel Clifton
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAGaCHK77SDo1O2rQKho3e4oXukCWSyMqzjFLYrU8c7ki5kZwXw%40mail.gmail.com.
Gabriel
Clifton | Network Administrator
Fort Stockton ISD | Technology Center
gabriel...@fsisd.net | http://www.fsisd.net
Office (432) 336-4055 ext 2
Fax (432) 336-4050
1204 W. Second St., Fort Stockton, TX 79735
CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
— Ernest Hemingway
— Dr. Dre
Jim Kennedy
Proper permissions on this AD object, and then proper control of the account(s) that have those perms is key to doing this right. Done right the risk vs the reward is very acceptable, in my opinion.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/003c8b763d0f4f58b228f05810b93798%40smithcons.com.
Hammer, Erich F
While the other comments are correct that proper security and auditing on the LAPS attributes are a must, I'm curious how an encrypted LAPS password in AD would be any better.
In order for an approved user to view the password when they need to, the password would need to be decrypted. That's one reason for LAPS -- to allow specific, approved people the ability to access the password. Unless I'm missing something, any decryption mechanism for authorized users would almost certainly also be exploitable via script. The same vulnerability would still exist whether the passwords are encrypted or not. Am I just being unimaginative?
On Friday, April 23, 2021 at 10:30, Henry Awad eloquently inscribed:
> You might be interested in reading this article before implementing LAPS.
>
> LAPS: Concerns about Microsoft’s Local Administrator Password Solution
>
> <https://techgenix.com/case-against-using-laps/>
> Henry Awad
> Senior Systems Engineer
> Technology Services
> The Catholic University of America
>
> On Fri, Apr 23, 2021 at 9:58 AM Melvin Backus <melvin...@byers.com
> <mailto:melvin...@byers.com> > wrote:
>
> Any idea if that’s also an indication there is a new version of it? That
> seems to be the historic justification for removal of a previously available
> free tool.
>
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
>
> ¯\_(ツ)_/¯
>
> From: 'Jim Kennedy' via ntsysadmin
> <ntsys...@googlegroups.com <mailto:ntsys...@googlegroups.com>
>>
> Sent: Friday, April 23, 2021 9:40 AM To: ntsys...@googlegroups.com
>
> According to my sources it now requires an Azure premium
> subscription with Intune MDM.
>
> Susan ariving in 3…2…1…..and she is right. Putting basic security needs
> behind a paywall is insane.
>
> <ntsys...@googlegroups.com <mailto:ntsys...@googlegroups.com> > On
> Behalf Of Anthony Meluso Sent: Thursday, April 22, 2021 9:23 PM To:
> ntsys...@googlegroups.com <mailto:ntsys...@googlegroups.com>
> Subject: [ntsysadmin] Download URL for Microsoft LAPS
>
> Hello! Can someone provide me with an alternative link to download
> Microsoft LAPS. It appears the current one leading to a 404 page.
>
> https://www.microsoft.com/en-us/download/details.aspx?id=46899
>
> Take care,
>
> Anthony Meluso
> Director of Technology
> Watchung Hills Regional High School
> 108 Stirling Rd.
> Warren, NJ 07059
> 908-647-4800 Ext. 4962
>
> -- You received this message because you are subscribed to the Google
> Groups "ntsysadmin" group. To unsubscribe from this group and stop
> receiving emails from it, send an email to
> ntsysadmin+...@googlegroups.com
> https://groups.google.com/d/msgid/ntsysadmin/CAPEMYtG6vNoi5KfdckzOX
> kOH4z5xZeusdyPHR0Y%2Bo-_DaYweLw%40mail.gmail.com
> XkOH4z5xZeusdyPHR0Y%2Bo-
> _DaYweLw%40mail.gmail.com?utm_medium=email&utm_source=footer> .
> -- You received this message because you are subscribed to the Google
> Groups "ntsysadmin" group. To unsubscribe from this group and stop
> receiving emails from it, send an email to
> ntsysadmin+...@googlegroups.com
> 325F8354C8E7F6459%40MN2PR11MB3821.namprd11.prod.outlook.com
> <https://groups.google.com/d/msgid/ntsysadmin/MN2PR11MB38210DE8F6
> 96325F8354C8E7F6459%40MN2PR11MB3821.namprd11.prod.outlook.com?ut
> m_medium=email&utm_source=footer> .
> -- You received this message because you are subscribed to the Google
> Groups "ntsysadmin" group. To unsubscribe from this group and stop
> receiving emails from it, send an email to
> ntsysadmin+...@googlegroups.com
> 7C1F12A21A017C873EAB%40ATLEXCH03.byers.local
> <https://groups.google.com/d/msgid/ntsysadmin/1ADD796D2529E94DB4552
> E7C1F12A21A017C873EAB%40ATLEXCH03.byers.local?utm_medium=email&u
> tm_source=footer> .
>
>
Michael B. Smith
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CH2PR04MB7013D9D3F648EB863FA11B8ECC459%40CH2PR04MB7013.namprd04.prod.outlook.com.
Micheal Espinola
https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.ARM64.msi
https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x86.msi
https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS_Datasheet.docx
https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS_OperationsGuide.docx
https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS_TechnicalSpecification.docx
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAPEMYtG6vNoi5KfdckzOXkOH4z5xZeusdyPHR0Y%2Bo-_DaYweLw%40mail.gmail.com.
Anthony Meluso
Director of Technology
Watchung Hills Regional High School
108 Stirling Rd.
Warren, NJ 07059
908-647-4800 Ext. 4962
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAAfzEuxX7%3DF9wpT%2B3eVGYSxtaujnnZuQhvry4Yf-_3vyFThyTg%40mail.gmail.com.
Jim Kennedy
They must have seen my tweet, I am an influencer!! I did tag MSSecurity.
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Micheal Espinola
Sent: Friday, April 23, 2021 11:59 AM
To: ntsys...@googlegroups.com
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAAfzEuxX7%3DF9wpT%2B3eVGYSxtaujnnZuQhvry4Yf-_3vyFThyTg%40mail.gmail.com.