
Feature Request - New Windows LAPS Detection

Open jamesaepp opened this issue 2 years ago • 3 comments

Thanks for the great software!

I recently installed a new forest and set up the new Windows LAPS introduced below.

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747

When running pingcastle 3.0.0.3, the LAPS check under anomalies is matched. I'm guessing Pingcastle is relying on the legacy LAPS implementation. It would be great to have a hybrid approach here to detect the new Windows LAPS systems (and its features). Other things that would be really cool to detect:

  • Is the DFL high enough (2016) to support the LAPS password encryption features?
  • Informational - Is password history configured with LAPS?
  • Resolution of which users have effective rights to passwords (clear text or encrypted)
  • Are DSRM passwords being rotated with Windows LAPS?
  • Are post authentication actions enforced/configured?

etc.

jamesaepp avatar May 04 '23 18:05 jamesaepp

The latest beta version of PingCastle (available in the download portal if you are a registered user) includes this new feature. It will also be included in the next official version of PingCastle.

vletoux avatar Jul 16 '23 17:07 vletoux

Hello!

I have tested PingCastle version 3.2.0.1 with the new LAPS, but it doesn't work properly. From the code https://github.com/vletoux/pingcastle/blob/933316dab78685caaf4e2cee3dd541511035e73a/Healthcheck/LAPSAnalyzer.cs#L34, PingCastle only checks ms-LAPS-Password, but my client uses msLAPS-EncryptedPassword.

To avoid this LAPS conflict, is it possible to use msLAPS-PasswordExpirationTime instead?

1mm0rt41PC avatar Apr 11 '24 13:04 1mm0rt41PC
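The detection gap raised in the last comment, as an added example that is not PingCastle's code: a computer using encrypted Windows LAPS storage has no msLAPS-Password value, so a check on that attribute alone misses it, while msLAPS-PasswordExpirationTime is written in both modes. The legacy attribute name ms-Mcs-AdmPwd and the note on attribute confidentiality come from the AD schema; the computer entries are constructed.

```python
# Classify computer objects by the LAPS attributes present on them.
# Entries are dicts of attribute -> list of values, the shape an LDAP library
# returns; the SAMPLE entries below are constructed, not real directory data.

LEGACY_PWD = "ms-Mcs-AdmPwd"                  # legacy LAPS (clear-text password)
NEW_PWD = "msLAPS-Password"                   # Windows LAPS, clear-text storage
NEW_ENC_PWD = "msLAPS-EncryptedPassword"      # Windows LAPS, encrypted storage
NEW_EXPIRY = "msLAPS-PasswordExpirationTime"  # Windows LAPS, written in both modes


def _present(entry: dict, attr: str) -> bool:
    """True if the attribute carries at least one non-empty value."""
    return any(v not in (None, "", b"") for v in (entry.get(attr) or []))


def is_windows_laps_naive(entry: dict) -> bool:
    """The incomplete check discussed in the thread: clear-text attribute only."""
    return _present(entry, NEW_PWD)


def is_windows_laps(entry: dict) -> bool:
    """Expiration time exists in clear-text and encrypted mode alike, and unlike
    the password attributes it is not confidential, so an auditing account
    without password-read rights can still see it."""
    return any(_present(entry, a) for a in (NEW_EXPIRY, NEW_PWD, NEW_ENC_PWD))


def laps_status(entry: dict) -> str:
    """One of: windows-laps-encrypted, windows-laps, legacy-laps, none."""
    if is_windows_laps(entry):
        return "windows-laps-encrypted" if _present(entry, NEW_ENC_PWD) else "windows-laps"
    if _present(entry, LEGACY_PWD):
        return "legacy-laps"
    return "none"


def summarize(entries: list) -> dict:
    """Count computers per LAPS status, the figure an anomaly report would show."""
    counts: dict = {}
    for e in entries:
        counts[laps_status(e)] = counts.get(laps_status(e), 0) + 1
    return counts


SAMPLE = [  # constructed values; the expiry is a FILETIME string as AD stores it
    {"name": ["WS01"], NEW_PWD: ["<constructed>"], NEW_EXPIRY: ["133600000000000000"]},
    {"name": ["WS02"], NEW_ENC_PWD: [b"\x01\x02"], NEW_EXPIRY: ["133600000000000000"]},
    {"name": ["SRV01"], LEGACY_PWD: ["<constructed>"]},
    {"name": ["SRV02"]},
]
```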