Break Glass / LAPS - How it Works

Introduction

With this feature, you can eliminate the need to use Microsoft’s Local Administrator Password Solution (MS LAPS). An Admin By Request Break Glass Account is a more efficient, secure, and comprehensive version of Microsoft LAPS, rolled into your existing Privileged Access Management (PAM) software.

The LAPS Shortfall

If you’re familiar with MS LAPS, you’ll know how it works and why it’s necessary:

  • Hackers love the tried and tested technique of exploiting administrator accounts, either via horizontal or vertical privilege escalation.

  • MS LAPS works to prevent this by utilizing Active Directory (AD) to manage admin account passwords across all endpoints, with a key component of management being the forced rotation of passwords for each admin account.

  • When access to an admin account is needed, system admins can retrieve stored passwords from AD and log in to the administrator account.

The reasoning is valid, but MS LAPS leaves several security (and usability) gaps that we thought needed filling.

What is a Break Glass Account?

The Break Glass feature takes the functionality of MS LAPS and turns it into a much more attractive option:

It creates a new, temporary, one-time-use Administrator account on an endpoint. The account works on domains, Azure AD, and stand-alone machines, audits all elevated activity, and terminates within a pre-defined amount of time or on log out.

The Benefits

The Break Glass Account feature incorporates the best bits of LAPS – then adds several layers of security and improves the user experience.

Security
  • Break Glass completely circumvents the need to use the built-in Windows local Administrator account – you can disable it completely to add an extra layer of security to your endpoints.

  • The account must be used within an hour of being generated, minimizing the potential attack window and risk of account compromise.

  • Risk is further minimized by one-time-only login functionality: the user can log in once, and after log out, the account is terminated.

  • The user has only the time specified under Expiry when the Break Glass account was generated to use the administrator account; this duration is indicated on the built-in desktop background of each account. When the time period is up, the session is terminated.

  • Measures are in place to ensure the Expiry time cannot be tampered with: if the Account user attempts to extend their time limit by adjusting the clock, the Account automatically logs out / terminates.

  • All usernames and passwords are automatically generated, random, and complex, minimizing the possibility of a successful brute force attack.

  • Passwords are stored within the web application, accessible only to User Portal users / IT Admins via credentials – a safer option than MS LAPS’s storage of admin account passwords in plain text alongside the AD computer record.
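The list above describes a set of lifecycle rules rather than an implementation. The following is an added example, not Admin By Request's code, that models those rules so you can see how they interact: a credential drawn from the OS CSPRNG with every character class present, a must-use-within window after issue, a single permitted login, an Expiry measured on a monotonic clock, and termination when the wall clock is changed mid-session. The class and function names, the clock-drift tolerance, and the `FakeClocks` helper (which replaces `time.time` / `time.monotonic` so the scenarios run instantly) are all constructed for this example.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed model of a break-glass account lifecycle (example code, not
# Admin By Request's implementation). Names and tolerances are assumptions.

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_credential(length: int = 20) -> str:
    """Random password from the OS CSPRNG containing every character class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


@dataclass
class BreakGlassAccount:
    username: str
    password: str
    use_within_s: float        # login must happen this soon after issue
    session_ttl_s: float       # the "Expiry" chosen at generation time
    wall: Callable[[], float]  # wall clock (e.g. time.time); user-adjustable
    mono: Callable[[], float]  # monotonic clock (e.g. time.monotonic); not adjustable
    tolerance_s: float = 5.0   # drift allowed between the two clocks
    state: str = "issued"      # issued -> active -> terminated
    reason: str = ""
    _issued_mono: float = field(init=False)
    _login_mono: Optional[float] = None
    _login_wall: Optional[float] = None

    def __post_init__(self) -> None:
        self._issued_mono = self.mono()

    def _terminate(self, reason: str) -> str:
        self.state, self.reason = "terminated", reason
        return reason

    def login(self, username: str, password: str) -> bool:
        """One-time login: any state other than 'issued' refuses."""
        if self.state != "issued":
            return False
        if self.mono() - self._issued_mono > self.use_within_s:
            self._terminate("unused")      # never used within the window
            return False
        # Constant-time comparison of both fields, no short-circuit.
        ok = (secrets.compare_digest(username.encode(), self.username.encode())
              & secrets.compare_digest(password.encode(), self.password.encode()))
        if not ok:
            return False
        self.state = "active"
        self._login_mono, self._login_wall = self.mono(), self.wall()
        return True

    def check(self) -> str:
        """Periodic agent check; returns 'active' or the termination reason."""
        if self.state != "active":
            return self.reason or self.state
        elapsed_mono = self.mono() - self._login_mono
        elapsed_wall = self.wall() - self._login_wall
        # Wall clock disagreeing with the monotonic clock means the clock was
        # changed during the session: terminate rather than trust it.
        if abs(elapsed_wall - elapsed_mono) > self.tolerance_s:
            return self._terminate("clock-tamper")
        if elapsed_mono >= self.session_ttl_s:
            return self._terminate("expired")
        return "active"

    def logout(self) -> str:
        return self._terminate("logged-out")


class FakeClocks:
    """Constructed clocks so the scenarios below run instantly."""
    def __init__(self):
        self.mono_now, self.wall_now = 1000.0, 1_700_000_000.0
    def advance(self, s):
        self.mono_now += s
        self.wall_now += s
    def set_wall_back(self, s):
        self.wall_now -= s               # only the wall clock moves
    def mono(self):
        return self.mono_now
    def wall(self):
        return self.wall_now


def new_account(clocks: FakeClocks) -> BreakGlassAccount:
    return BreakGlassAccount(username="bg-" + secrets.token_hex(4),
                             password=generate_credential(), use_within_s=3600,
                             session_ttl_s=1800, wall=clocks.wall, mono=clocks.mono)


def scenario_clock_change() -> dict:
    clocks = FakeClocks()
    acct = new_account(clocks)
    out = {"wrong_password": acct.login(acct.username, "not-it")}
    clocks.advance(600)
    out["login"] = acct.login(acct.username, acct.password)
    clocks.advance(300)
    out["mid_session"] = acct.check()
    clocks.set_wall_back(1200)           # clock wound back during the session
    out["after_clock_change"] = acct.check()
    out["second_login"] = acct.login(acct.username, acct.password)
    return out


def scenario_expiry() -> dict:
    clocks = FakeClocks()
    acct = new_account(clocks)
    out = {"login": acct.login(acct.username, acct.password)}
    clocks.advance(1800)
    out["at_expiry"] = acct.check()
    stale = new_account(clocks)
    clocks.advance(3601)                 # issued but never used within the hour
    out["stale_login"] = stale.login(stale.username, stale.password)
    return out
```

The design point worth noting is that the Expiry is measured against a monotonic clock and the wall clock is only consulted to detect disagreement; an account that keyed its lifetime off the wall clock alone would be extended by exactly the adjustment the text warns about.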

Ease of Use

With the addition of the Break Glass feature, you get a PAM solution that covers multiple bases:

  • Admin rights management

  • Logging capabilities

  • A full inventory

  • Anti-malware

  • Just-In-Time provisioning

  • LAPS

All combined into one security software package – eliminating the need to manage multiple security solutions on different platforms or through different applications.

Several cumbersome configuration steps required for MS LAPS setup are also eliminated with the Break Glass feature. You don’t have to deploy a Client-Side Extension (CSE) on every endpoint, extend the AD schema in order for your systems and network to accommodate the feature, configure password settings such as complexity, length, and expiry, or configure access permissions and Group Policy; we’ve already done the hard yards for you.

Possibly the best feature for ease-of-use is that the Break Glass Account does not require a domain; it works on domains, Azure AD, and stand-alone.

Real-Life Use Cases

1. Regaining Domain-Trust Relationship

As the name suggests, the Break Glass feature is ideal for ‘last resort’ situations, such as when the domain-trust relationship is broken and needs to be reconnected using an Administrator account.

2. Provisioning a Just-In-Time Administrator Account

The Break Glass Account doubles up as a Just-In-Time account that can be used for specific purposes / situations when necessary, e.g., provisioning an account for someone who doesn’t have credentials, but requires access to service an endpoint.

3. Extra Possibilities with Server Edition

Further to point 2, with Admin By Request Windows Server Edition you can provision an admin account to a consultant without giving them domain-wide permissions at any point in time.

How to use Break Glass

Refer to the following for detailed information on configuring and using a Break Glass Account on different endpoints:

Webinar Recording

The webinar recording below covers the following:

  • How we got here – the need for this feature

  • Generating and using a Break Glass Account – how does it work?

  • Scenarios for use