Beginner

LAPS & Credential Guard

LAPS gives every machine a unique, automatically rotated local admin password stored in AD, while Credential Guard uses virtualization-based security to keep NTLM hashes and Kerberos tickets out of reach of tools that read credentials from LSASS memory.

Two of the simplest yet most impactful defenses you can deploy are LAPS and Credential Guard. Local Administrator Password Solution (LAPS) solves a common problem: many organizations build every workstation from the same image, so every machine ends up with the same local administrator password, and compromising one machine gives an attacker admin access to all of them, whether by reusing the password itself or by passing its NTLM hash. LAPS runs an agent on each machine that generates a unique, random password for the local admin account, writes it to an attribute on the machine's own computer object in Active Directory, and rotates it on a schedule; only principals delegated read access to that attribute can retrieve it. Credential Guard tackles a different problem: when you log on to Windows, the Local Security Authority process (LSASS) keeps your NTLM password hash and Kerberos tickets in memory so it can authenticate you to other systems without prompting again. Tools like Mimikatz read LSASS memory and extract them. Credential Guard uses virtualization-based security (VBS) to move those secrets into an isolated LSA process (LsaIso) that runs in a separate virtual trust level under the hypervisor; the normal LSASS only holds opaque handles and asks the isolated process to perform authentication on its behalf, so even code running in the Windows kernel cannot read the secrets directly.
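The isolation described above only helps if it is actually in effect on the endpoint. The following PowerShell check is an added example, not code from the original page or from Microsoft; it reads the Win32_DeviceGuard WMI class, the LsaCfgFlags registry value and the LsaIso process to tell "configured" apart from "running" and to flag a missing UEFI lock. The output field names are my own.

```powershell
# Added example, not from the original page: check whether Credential Guard is
# actually running on this host rather than merely configured.
# Run in an elevated PowerShell on Windows 10/11 or Windows Server 2016+.

function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard reports the VBS state and which services run inside it.
    # SecurityServicesRunning / SecurityServicesConfigured values:
    #   1 = Credential Guard, 2 = HVCI (memory integrity),
    #   3 = System Guard Secure Launch, 4 = SMM firmware measurement
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    # Without the UEFI lock, a local admin can clear the value and reboot to turn
    # Credential Guard off, then dump LSASS as usual.
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags

    # LsaIso.exe is the isolated LSA process that holds the secrets inside VBS;
    # its presence is a quick sanity check that isolation is really in effect.
    $lsaIso = Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        VbsStatus           = $vbs
        CredGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredGuardRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
        HvciRunning         = [bool]($dg.SecurityServicesRunning    -contains 2)
        LsaCfgFlags         = $lsaCfg
        UefiLocked          = ($lsaCfg -eq 1)
        LsaIsoRunning       = [bool]$lsaIso
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List

# "Configured but not running" is the finding that matters most: the policy is
# set, but the hypervisor never started, so LSASS still holds secrets in its own
# process memory exactly as it would without Credential Guard.
if ($status.CredGuardConfigured -and -not $status.CredGuardRunning) {
    Write-Warning "Credential Guard is configured but NOT running on $($status.ComputerName); check UEFI, Secure Boot and SLAT/virtualization support."
}
elseif (-not $status.CredGuardRunning) {
    Write-Warning "Credential Guard is not enabled on $($status.ComputerName)."
}
elseif (-not $status.UefiLocked) {
    Write-Warning "Credential Guard is running without the UEFI lock on $($status.ComputerName); it can be disabled by a registry change plus a reboot."
}
```

Run it across a fleet with Invoke-Command and collect the objects; hosts reporting VbsStatus "Enabled, not running" are the ones where Mimikatz would still succeed despite the policy being applied.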

Imagine an apartment building where every unit has the same lock and key: a burglar who copies one key can open every door. That is the problem with shared local admin passwords. LAPS is like giving every apartment its own lock that is changed regularly, with the master copies stored in a secured management office where only authorized staff can sign them out. Credential Guard is a safe bolted inside each apartment that the building's hypervisor, not the tenant, controls: even a burglar who gets inside and has the run of the apartment (kernel access) cannot open the safe and walk off with the valuables (hashes and tickets).

Key Takeaways

  1. LAPS gives every machine a unique, automatically rotated local admin password, stored in AD and readable only by the principals you delegate.
  2. Without LAPS, one recovered local admin password (or its NTLM hash, via pass-the-hash) grants admin access to every machine built from the same image.
  3. Attackers enumerate LAPS coverage gaps: the password expiration attribute (ms-Mcs-AdmPwdExpirationTime, or msLAPS-PasswordExpirationTime for Windows LAPS) is readable by ordinary domain users, so machines without it stand out as easy lateral movement targets.
  4. Legacy LAPS stores the password in cleartext in ms-Mcs-AdmPwd, protected only by the attribute's confidential flag and the OU ACL, so auditing who holds the extended right to read it is critical. Windows LAPS can store it encrypted (msLAPS-EncryptedPassword), but the read permission still needs the same audit.
  5. Credential Guard uses virtualization-based security (VBS) to isolate NTLM hashes and Kerberos ticket-granting tickets in a separate process (LsaIso) that runs under the hypervisor.
  6. Even kernel-level malware cannot extract credentials from the isolated container. It can still use them while the user is logged on by having the isolated LSA authenticate on its behalf, and local account hashes in the SAM, passwords typed at logon, and credentials managed outside Windows are not covered.
  7. Together, LAPS and Credential Guard close off two of the most common lateral movement techniques: reuse of a shared local admin credential, and LSASS credential dumping.

Why Should I Care?

Shared local admin passwords and in-memory credential theft are the bread and butter of lateral movement. LAPS and Credential Guard close both paths with little operational overhead. However, LAPS itself becomes a target: attackers who gain read access to the password attribute (through an over-broad delegation, membership in a group that was granted it, or compromise of a help-desk account) can harvest the password of every machine in the OU, and because the expiration-time attribute is readable by any domain user, they can also list the machines LAPS does not cover and go after those instead.
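Both of those checks, the coverage gap enumeration from the key takeaways and the read-permission audit just described, can be run from the defender's side with the RSAT ActiveDirectory module. The script below is an added example, not code from the original page or from Microsoft's LAPS tooling; it covers both legacy LAPS (ms-Mcs-AdmPwd) and Windows LAPS (msLAPS-*) attributes, and the OU distinguished name in the usage line is a placeholder you must replace.

```powershell
# Added example, not from the original page: audit LAPS coverage gaps and find
# out who can read LAPS-managed passwords under an OU. Requires the RSAT
# ActiveDirectory module and read access to the OU's security descriptor.
Import-Module ActiveDirectory

function Find-LapsCoverageGap {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Legacy LAPS stamps ms-Mcs-AdmPwdExpirationTime, Windows LAPS stamps
    # msLAPS-PasswordExpirationTime. Neither is confidential, so any domain user
    # (including an attacker with a foothold) can run this same query to find
    # the machines that still share a static local admin password.
    $props = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime',
             'OperatingSystem', 'LastLogonDate'
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $exp = $_.'msLAPS-PasswordExpirationTime'
            if (-not $exp) { $exp = $_.'ms-Mcs-AdmPwdExpirationTime' }
            # No expiry = never managed by LAPS; a past expiry = the agent stopped
            # rotating, which is almost as bad. The value is a Windows FILETIME.
            $state = if (-not $exp) { 'NoLaps' }
                     elseif ([datetime]::FromFileTimeUtc($exp) -lt (Get-Date).ToUniversalTime()) { 'Stale' }
                     else { 'Ok' }
            [pscustomobject]@{
                Name            = $_.Name
                OperatingSystem = $_.OperatingSystem
                LastLogonDate   = $_.LastLogonDate
                LapsState       = $state
            }
        } | Where-Object LapsState -ne 'Ok'
}

function Find-LapsPasswordReader {
    param([Parameter(Mandatory)][string]$OUDistinguishedName)

    # Map each LAPS password attribute's schemaIDGUID back to its name so ACEs
    # that target that specific attribute can be recognised.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $guids = @{}
    foreach ($name in 'ms-Mcs-AdmPwd', 'msLAPS-Password', 'msLAPS-EncryptedPassword') {
        $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(name=$name)" `
                            -Properties schemaIDGUID -ErrorAction SilentlyContinue
        if ($obj) { $guids[[guid]$obj.schemaIDGUID] = $name }
    }

    $allRights = [guid]::Empty    # ObjectType of all zeros = applies to every attribute/right
    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        # ms-Mcs-AdmPwd and the msLAPS password attributes are marked confidential,
        # so plain ReadProperty is not enough: the reader needs CONTROL_ACCESS
        # (ExtendedRight) on the attribute, or GenericAll / all extended rights
        # on the object. Those are the ACEs that hand out every local admin password.
        $grantsRead  = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                       $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        $targetsLaps = ($ace.ObjectType -eq $allRights) -or $guids.ContainsKey($ace.ObjectType)
        if ($grantsRead -and $targetsLaps) {
            $attr = if ($ace.ObjectType -eq $allRights) { '(all attributes)' } else { $guids[$ace.ObjectType] }
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights
                Attribute = $attr
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (the OU below is a placeholder; substitute one from your own domain):
Find-LapsCoverageGap | Format-Table -AutoSize
Find-LapsPasswordReader -OUDistinguishedName 'OU=Workstations,DC=corp,DC=example' | Format-Table -AutoSize
```

Every identity the second function prints can retrieve the local admin password of every computer under that OU; anything beyond the intended help-desk or tier-0 groups (and any "all extended rights" ACE inherited from higher up the tree) is a finding. The first function is deliberately the same LDAP query an attacker would run, which is why a stale or missing expiration stamp should be treated as a hole in the control rather than a reporting quirk.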

SourceSudo

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.