LAPS for Azure is Local Administrator Password Solution for Azure cloud-based services. In a world where attacks on data networks are an everyday occurrence, LAPS has proven itself to be a reliable method of simplifying and securing the difficult task of localized password management. LAPS for Azure is the implementation designed to provide the same level of password management and control in the much more difficult cloud network environment.

In this article we’ll examine LAPS as a technique, discuss its implementation in the cloud, then talk about the specific advantages available by implementing the Synergix Secure Vault (SEVA) version of LAPS for Azure applications. If you already know about LAPS and how it functions in both local and cloud networks, simply jump to the SEVA pages in the contents list below to find what you need.

Microsoft Azure

Microsoft Azure is Microsoft’s public cloud computing platform competing with Amazon Web Services, IBM Cloud and the Google Cloud Platform among others. Users can pick and choose from a broad range of cloud services including rapidly expanding analytics, compute, and networking facilities for their new or existing applications.

What is LAPS

LAPS enables secure management of local account passwords for domain joined computers. It stores passwords in Active Directory (AD) and protects against unauthorized access via an active control list (ACL).

Password management quickly becomes a complex issue when multiple users are required to log on to computers without domain credentials. One of the most cited examples of the danger this presents to an organization occurs in local admin where multiple users provide identical account and password to machines throughout the network. Administrator account is alive and well, especially in organizations whose networks evolved when cyber security wasn’t as big a threat as it is today. While companies with legacy systems tend to be technically aware of this problem, spending on the fix is often left until after a disaster takes place. Vulnerability is compounded by the fact modern hacking tools such as the open source Mimikatz, designed to give Microsoft a heads up that Windows security was far from perfect, are super effective in legacy environments. These are almost always companies where the management team can’t agree on security priorities.

LAPS provides a password management solution by setting a different, random password for the common local administrator account on every computer in the domain. It has been a reliable workhorse for traditional on-premises AD Windows infrastructures, providing secure facilities for password management of the Local Admin account on these systems.

SEVA aka LAPS for Azure

So far so good, but unfortunately LAPS does not work well in the cloud. Microsoft has been very tardy in developing a LAPS for Azure infrastructure as this link attests, and while there will likely be solutions forthcoming, leaks from the company suggest that non-Windows systems using Azure AD will not be covered adequately. For vulnerability like relaying to services such as LDAP to read LAPS, refer to this link

Synergix SEVA (Secrets Vault) is an alternative to Windows LAPS for Azure AD that covers Windows and the entire installed computer base. SEVA’s comprehensive password coverage across the entire infrastructure prevents the possibility of lone computers in design labs, specialty hubs in IT and even the connected home network becoming the easy way in for hackers and bad actors.

SEVA offers LAPS protection for serverless and cloud-based systems running on Microsoft Azure and supports password rotation of multiple accounts on Windows, Unix, and MacOS devices connected to Azure AD, OnPrem AD, Workgroup, or hosted in competing public clouds such as AWS and GCP. SEVA is LAPS for Azure.

lateral-movement
Lateral Movement

Anyone interested in why systems like SEVA and LAPS for Azure need to exist must understand the dangers of Lateral Movement. This is the technique used by cyber attackers to move deeper into a network after gaining initial access. Typically, a weak point in the infrastructure is targeted, access is gained, and the hacker moves laterally through the network seeking target assets while picking up additional passwords and tools as the attack progresses. The longer the attack continues, the more likely it is that the assets under siege will be compromised. Even if an attack is discovered on the first computer affected, lateral escalation that has persisted for more than an hour or so will likely allow an attacker to avoid detection and retain access.

The SEVA alternate to LAPS for Azure mitigates the major risk of lateral movement that occurs when local admins use the same local account and password combination on their computers. Password hacking tools like Mimikatz are rendered ineffective by a network wide implementation of SEVA preventing Lateral Movement by design. Feedback on threats, especially in organizations moving from legacy password control systems to SEVA should adopt methods of monitoring unauthorized access to their data and networks by using popular Endpoint Detection and Response (EDR) programs such as Crowdstrike’s Falcon.

SEVA Features

SEVA Platform

The SEVA platform is Microsoft Certified and can be downloaded as LAPS for Azure from the Azure Marketplace website.

SEVA 365

It offers extended support for On-Prem AD joined Computers, Workgroup Joined, Windows, macOS, Unix and AWS, GCP and other public cloud platforms. Compare versions here.

Role Based Access Control

With RBAC, administrators are able to create custom roles and assign role members. Roles can be made granular and limit the requestor to one or more local account password retrievals.

Data Privacy

Unlike a SaaS solution where the vendor may have visibility to customer data, SEVA software is deployed in customer's Azure subscription allowing them to have exclusive visibility into their data set.

Easy Deployment

The SEVA requires no on-premises infrastructure to manage which makes it easy to deploy. OnPrem devices can connect to Azure endpoint via web proxy.

SEVA Benefits over existing MS LAPS for Azure
  • Manages both AD and Azure AD Joined computers’ account passwords.
  • Provides password protection on Azure AD, domain joined, hybrid joined and Workgroup Windows devices
  • Works with the entire deployed infrastructure including MacOS and Unix boxes
SEVA Deployment

With all the features and benefits SEVA offers, it truly is the best solution to close the door on Microsoft’s mediocre LAPS for Azure offerings. Looking down the road it seems certain that even if MS gets their act together and finally deploys a usable LAPS system for the cloud there will be common platforms left out of the infrastructure mix, including Mac and Unix boxes. That seems to future proof deployment of SEVA as the LAPS for Azure alternative that covers the entire deployed infrastructure.

Register now on Synergix.com and download the free software and easy to follow installation guide.

This website uses cookies to ensure you get the best experience on our website.