DeepSurface: Microsoft LAPS
DeepSurface supports Microsoft’s LAPS tool as a method of privileged access management that can be used when DeepSurface performs Authenticated Scanning of your Windows hosts.
How it Works:
If your organization has enabled LAPS as the method for managing local Administrator account passwords, you can configure a Scan Credential in DeepSurface to use LAPS for accessing the local Administrator passwords for the associated hosts. To use this feature, a configured LAPS credential should be added to the desired Scan Group(s) prior to running an Authenticated Scan.
When performing an Authenticated Scan of a host with LAPS configured, DeepSurface will first connect to a domain controller using the provided Scan Credentials. Upon successfully authenticating to the domain controller via LDAP, DeepSurface will retrieve the LAPS-managed local Administrator password for each host, as needed. DeepSurface will use the obtained local Administrator credentials to authenticate to each host while performing DeepSurface scanning tasks. This can improve the security of scans by avoiding the exposure of domain credentials to each individual host.
Windows Environment Configuration Requirements:
- LAPS must be installed on each host, and domain group policy must be configured so that LAPS manages the local Administrator password on those hosts. For more information, see: Microsoft LAPS Installation
- DeepSurface must be able to access LDAP on at least one domain controller of the configured domain using port 636 or 389.
- At least one domain controller must have a properly configured TLS certificate.
- The provided Scan Credentials must be granted permission to read the LAPS-managed local Administrator passwords of the hosts in the domain (or organizational unit) where LAPS is configured.
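The following PowerShell pre-flight script is an added example, not DeepSurface's own tooling; it checks the four requirements above from a domain-joined administration workstation. It assumes the legacy Microsoft LAPS `AdmPwd.PS` module and the RSAT `ActiveDirectory` module are installed, and every domain, OU, account and host name in it is a placeholder to replace with your own.

```powershell
# Added pre-flight check (not DeepSurface's own code) for the LAPS requirements above.
# Assumes: legacy Microsoft LAPS (AdmPwd.PS) and RSAT ActiveDirectory modules, run on a
# domain-joined machine. All names below are placeholders.
param(
    [string]$Domain      = 'corp.example',                       # placeholder domain
    [string]$ScanAccount = 'CORP\svc-deepsurface',               # placeholder scan credential
    [string]$OrgUnit     = 'OU=Workstations,DC=corp,DC=example', # placeholder OU with LAPS
    [string]$TestHost    = 'WS-TEST-01'                          # placeholder LAPS-managed host
)
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module AdmPwd.PS       -ErrorAction Stop
# Requirement 1: LAPS schema extension present (the ms-Mcs-AdmPwd attribute exists).
$schemaNc = (Get-ADRootDSE).schemaNamingContext
if (-not (Get-ADObject -SearchBase $schemaNc -LDAPFilter '(name=ms-Mcs-AdmPwd)')) {
    Write-Warning 'ms-Mcs-AdmPwd not found in the schema: LAPS is not installed in this forest.'
}
# Requirement 4: who may read LAPS passwords in the OU? Only the scan account (or a group
# it belongs to) and your admins should appear; anything else is over-delegation.
$rights  = Find-AdmPwdExtendedRights -Identity $OrgUnit
$holders = @($rights | ForEach-Object { $_.ExtendedRightHolders })
$holders | Sort-Object -Unique | ForEach-Object { "read-right holder: $_" }
if ($holders -notcontains $ScanAccount) {
    Write-Warning "$ScanAccount is not directly delegated on $OrgUnit (check group membership)."
    # Least-privilege fix, only if you intend to delegate read rights to this account:
    # Set-AdmPwdReadPasswordPermission -OrgUnit $OrgUnit -AllowedPrincipals $ScanAccount
}
# Requirements 2 and 3: a DC answers LDAPS on 636 with a certificate this client trusts.
$dc  = [string](Get-ADDomainController -Discover -DomainName $Domain).HostName
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($dc, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($dc)   # throws on an untrusted chain or hostname mismatch
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    "LDAPS ok on {0}: subject={1} expires={2:u}" -f $dc, $cert.Subject, $cert.NotAfter
} catch {
    Write-Warning "LDAPS check failed on ${dc}: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
# Requirement 4, functional test: run this as the scan account to confirm it can read a
# LAPS password; the password itself is deliberately not printed.
$entry = Get-AdmPwdPassword -ComputerName $TestHost
if ([string]::IsNullOrEmpty($entry.Password)) {
    Write-Warning "Could not read the LAPS password of $TestHost (no rights, or no LAPS data yet)."
} else {
    "LAPS read ok for {0}; current password expires {1:u}" -f $TestHost, $entry.ExpirationTimestamp
}
```

If the LDAPS step fails with a certificate error, the domain controller is reachable but does not meet the TLS certificate requirement; if the final step warns, the scan account lacks the read permission or the host has not yet had its password set by LAPS.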
Configuring your Scan Credentials in DeepSurface:
- Select a LAPS-supported Credential protocol: SMB, SMB/WMI, or WinRM w/ PSRP.
- Optionally add a Custom Label.
- Add the name of the Domain associated with the credential. This is required for any Scan Credential with LAPS configured.
- Enter the username of the domain user and associated password.
- Select LAPS as the PAM Type.
- If you have configured LAPS to manage a local user account name other than “Administrator”, be sure to change the value in the DeepSurface “LAPS Local User” field to match.
- Note that for a scan using LAPS to work, DeepSurface must have previously scanned a Domain Controller associated with the given Domain, or that Domain Controller must be included in the same scan that uses LAPS to authenticate to hosts.
