The LAPS Shortfall
- Hackers love the tried and tested technique of exploiting administrator accounts, either via horizontal or vertical privilege escalation.
- MS LAPS works to prevent this by utilizing Active Directory (AD) to manage admin account passwords across all endpoints, with a key component of management being the forced rotation of passwords for each admin account.
- When access to an admin account is needed, system admins can retrieve stored passwords from AD and log in to the administrator account.
Break Glass Account – What is It?
The Benefits
Security
- Break Glass completely circumvents the need to use the built-in Windows local Administrator account – you can disable it completely to add an extra layer of security to your endpoints.
- The account must be used within an hour of being generated, minimizing the potential attack window and risk of account compromise.
- Risk is further minimized by one-time-only login functionality: the user can log in once, and after logout, the account is terminated.
- The user has only the time specified under Expiry when the Break Glass account was generated to use the administrator account; this duration is indicated on the built-in desktop background of each account. When the time-period is up, the session is terminated.
- Measures are in place to ensure the Expiry time cannot be tampered with: if the Account user attempts to extend their time limit by adjusting the clock, the Account automatically logs out / terminates.
- All Usernames and Passwords are automatically generated, random, and complex, minimizing the possibility for a successful brute force attack.
- Passwords are stored within the web application, only accessible by User Portal users / IT Admins via credentials – a safer option compared to MS LAPS’s storage of admin account passwords in plain text along with the AD computer record.
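As an added illustration (not Admin By Request's own code), the session rules above modelled in Python: one login only, a one-hour activation window, an Expiry measured on the monotonic clock, and termination when the wall clock is found to have been adjusted. The clock values are injectable parameters so the rules can be exercised without waiting, and the 60-second tolerance between the two clocks is an assumption.

```python
import time
from dataclasses import dataclass, field

ACTIVATION_WINDOW = 3600  # seconds a generated account may sit unused (one hour)

@dataclass
class BreakGlassAccount:
    expiry_seconds: int      # Expiry chosen when the account was generated
    generated_mono: float = field(default_factory=time.monotonic)
    logged_in: bool = False
    used: bool = False       # set on first login: the account is one-time only
    state: str = "Ready to Log On"
    reason: str = ""
    login_wall: float = 0.0  # wall clock at login (user-adjustable)
    login_mono: float = 0.0  # monotonic clock at login (not adjustable)

    def login(self, now_wall=None, now_mono=None):
        # Permit exactly one login, and only inside the activation window.
        now_wall = time.time() if now_wall is None else now_wall
        now_mono = time.monotonic() if now_mono is None else now_mono
        if self.used:
            return False
        if now_mono - self.generated_mono > ACTIVATION_WINDOW:
            return self._terminate("activation window passed")
        self.used = self.logged_in = True
        self.login_wall, self.login_mono = now_wall, now_mono
        self.state = "Session in Progress"
        return True

    def check(self, now_wall=None, now_mono=None, tolerance=60.0):
        # Return True while the session may continue; otherwise terminate it.
        if not self.logged_in:
            return False
        now_wall = time.time() if now_wall is None else now_wall
        now_mono = time.monotonic() if now_mono is None else now_mono
        elapsed_mono = now_mono - self.login_mono
        elapsed_wall = now_wall - self.login_wall
        # Clocks disagreeing means the system time was changed: end the session.
        if abs(elapsed_wall - elapsed_mono) > tolerance:
            return self._terminate("clock adjusted")
        if elapsed_mono >= self.expiry_seconds:
            return self._terminate("expiry reached")
        return True

    def _terminate(self, reason):
        self.logged_in = False
        self.state = "Account Removed"
        self.reason = reason
        return False
```

Call `check()` periodically from the session supervisor; a `False` result means the account has already been moved to the Account Removed state.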
Ease of Use
- Admin rights management
- Logging capabilities
- A full inventory
- Anti-malware
- Just-In-Time provisioning
- LAPS
Real-Life Use Cases
How to Use Break Glass:
Generate
- Waiting for Endpoint – The Account is generated in the User Portal but not yet created on the endpoint (to create the account on the endpoint, see the next section, Activate Account).
- Ready to Log On – The Account is created but has not yet been activated / used (i.e., logged in to).
- Session in Progress – The Account is currently in use.
- Account Removed – The Account has been terminated either due to the user logging out, or the pre-defined Expiry time being reached.
Activate
- Restart the device, then wait approximately 30 seconds for the account to be created. The User Portal will update the status message when the account is ready, and the Account will appear in the bottom-left of the Windows logon screen along with the other accounts available on that endpoint:
- If enabled, you can select Other User in the Windows login screen and type the generated Break Glass Account Username and Password into the fields. This may fail on the first attempt; if so, wait 10 seconds and then try again.
- A third method to activate the account is by logging in to another account on the endpoint, selecting the Admin By Request icon from the bottom toolbar, and clicking the About item from the menu.
Terminate
View Activity
2. Privileged activity undertaken during the Break Glass session, such as Run as Admin, is logged in the Auditlog in your User Portal:
Ditch LAPS; Break Glass
LAPS / Break Glass Recording
After release, we held a webinar covering all the good stuff:
- How we got here – the need for this feature
- Generating and using a Break Glass Account – how does it work?
- Scenarios for use
- What else is new with 7.3