This repository has been archived by the owner on Aug 4, 2024. It is now read-only.

Permissions

Ryan Newington edited this page Nov 10, 2020 · 10 revisions

The Lithnet LAPS web app controls authorisation to LAPS passwords through the lithnet-laps/targets element of the web.config file in the root of the application directory.

Targets

The Lithnet LAPS web app uses <targets> to control access to computer LAPS password entries. A target defines who should be able to access a particular LAPS password, and what should happen when they do.

Example target configuration

The following example demonstrates a basic permission setup for the LAPS web app.

<lithnet-laps>
  <targets>
    <target name="OU=Server Management,DC=dev1,dc=local" 
            type="Container" 
            expire-after="02:00:00">
      <audit emailAddresses="server-admins@lithnet.io,security-team@lithnet.io"/>
      <readers>
        <reader principal="DEV1\ServerAdmins" />
      </readers>
    </target>
    <target name="OU=Workstations,DC=dev1,dc=local" 
            type="Container" 
            expire-after="03:00:00">
      <audit emailOnSuccess="false" 
             emailOnFailure="true"
             emailAddresses="desktop-admins@lithnet.io"/>
      <readers>
        <reader principal="DEV1\WorkstationAdmins" />
      </readers>
    </target>
    <target name="Web Servers" 
            type="Group" 
            expire-after="01:00:00">
      <audit emailAddresses="web-admins@lithnet.io"/>
      <readers>
        <reader principal="DEV1\Web Admins" />
      </readers>
    </target>
    <target name="IDM-SEC01-V01" 
            type="Computer" 
            expire-after="01:00:00">
      <audit emailAddresses="security-team@lithnet.io"/>
      <readers>
        <reader principal="DEV1\Security Team" />
      </readers>
    </target>
  </targets>
</lithnet-laps>
  • The ServerAdmins group can read passwords for any machine in OU=Server Management,DC=dev1,dc=local. Email audits will be sent to server-admins@lithnet.io and security-team@lithnet.io for every successful and unsuccessful attempt. Any password that is accessed will be set to expire two hours later.
  • The WorkstationAdmins group can read passwords for any machine in OU=Workstations,DC=dev1,dc=local. Email audits will only be sent to desktop-admins@lithnet.io for failed attempts to read a password. Any password that is accessed will be set to expire three hours later.
  • The Web Admins group can read passwords for any machine that is a member of the Web Servers group. web-admins@lithnet.io is notified of every successful and unsuccessful attempt to read a password. Passwords will be set to expire one hour after being accessed.
  • Finally, the server IDM-SEC01-V01 is considered very sensitive and should only be accessed by members of the Security Team group. Because this is a Computer target it takes precedence over any Group or Container target the machine would otherwise match (see Target matching below). security-team@lithnet.io is notified of every attempt, and the password expires one hour after being accessed.

Reference

<target>

A target is an OU, container, computer, or group whose LAPS password (or passwords) you want to control access to.

<target name="OU=Server Management,DC=fim-dev1,dc=local" 
        type="Container" 
        expire-after="02:00:00">
  <audit ... />
  <readers>
   ...
  </readers>
</target>
Property      Description
name          Required. For a Container target, the distinguished name of the OU or container; for a Computer or Group target, the account name of the computer or group
type          Required. The type of the target. Allowed values are Container, Computer or Group
expire-after  Optional. The amount of time the password remains valid after being accessed. For example, if this is set to 01:00:00 (1 hour), the LAPS password will be set to expire one hour after it has been accessed. See the data format note below
audit         Optional. Specifies when an audit email should be sent and to whom. See the audit section below
readers       Required. A list of principals that are allowed to access the LAPS password for this target. See the readers section below
expire-after data format

The expire-after value is parsed using the rules of the .NET TimeSpan parser, which vary with the current culture of the web application.

Examples based on en-US culture are as follows

"6" or "6:00:00:00" or "6.00:00:00" --> 6 days
"6:12" --> 6 hours 12 minutes
"6:12:14" --> 6 hours 12 minutes 14 seconds
"24:00:00" --> Danger Will Robinson: 24 days, not 24 hours

The last case is the trap to watch for. The parser first tries to read "24:00:00" as hh:mm:ss, and because 24 is not a valid hour it silently retries the value as d:hh:mm. An expire-after that is 24 times longer than intended leaves the password valid for far longer than you planned, so write a full day as "1.00:00:00" and check every value you add with the TimeSpan parser before deploying the file.
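To catch that trap before a value reaches web.config, here is a small parser written for this page (it is not part of Lithnet LAPS) that applies the invariant-culture rules listed above, including the retry that turns an out-of-range hour field into a day count. The function name and the accepted shapes are the example's own reading of the .NET behaviour; the authoritative check in production is .NET's TimeSpan.Parse running under the web application's culture.

```python
from __future__ import annotations
from datetime import timedelta


def parse_expire_after(text: str) -> tuple[timedelta, str | None]:
    """Parse an expire-after value with the invariant-culture rules of .NET's
    TimeSpan.Parse, returning (timespan, warning). The warning is set when the
    value was silently reinterpreted as d:hh:mm because its hours field was out
    of range, which is how "24:00:00" becomes 24 days.

    Accepted shapes: d, hh:mm, hh:mm:ss[.ff], d.hh:mm[:ss[.ff]], d:hh:mm:ss[.ff].
    Anything else raises ValueError.
    """
    s = text.strip()
    if s.isdigit():                                  # "6" is six days, not six hours
        return timedelta(days=int(s)), None

    fields = s.split(":")
    days, day_prefix = 0, False
    if "." in fields[0]:                             # "d.hh:..." form
        d, fields[0] = fields[0].split(".", 1)
        if not d.isdigit():
            raise ValueError(f"bad day component in {text!r}")
        days, day_prefix = int(d), True

    fraction = 0.0
    if "." in fields[-1]:                            # "...:ss.ff" form
        fields[-1], frac = fields[-1].split(".", 1)
        if not frac.isdigit() or len(fields) < 3:
            raise ValueError(f"bad fractional seconds in {text!r}")
        fraction = float("0." + frac)

    if not all(f.isdigit() for f in fields):
        raise ValueError(f"non-numeric component in {text!r}")
    nums = [int(f) for f in fields]

    warning = None
    if len(nums) == 4 and not day_prefix:            # d:hh:mm:ss
        days, h, m, sec = nums
    elif len(nums) == 3:                             # hh:mm:ss (or d.hh:mm:ss)
        h, m, sec = nums
        if h > 23 and not day_prefix and fraction == 0:
            # hh:mm:ss fails on hours > 23, so .NET retries the value as d:hh:mm.
            days, h, m, sec = h, m, sec, 0
            warning = f"{text!r} parsed as {days} days (d:hh:mm), not {nums[0]} hours"
    elif len(nums) == 2:                             # hh:mm (or d.hh:mm)
        h, m, sec = nums[0], nums[1], 0
    else:
        raise ValueError(f"unsupported expire-after value {text!r}")

    if not (0 <= h <= 23 and 0 <= m <= 59 and 0 <= sec <= 59):
        raise ValueError(f"component out of range in {text!r}")
    return timedelta(days=days, hours=h, minutes=m, seconds=sec + fraction), warning


if __name__ == "__main__":
    # Constructed sample values, including the one that silently becomes 24 days.
    for value in ("6", "6:12", "6:12:14", "24:00:00", "1.00:00:00"):
        span, warn = parse_expire_after(value)
        print(f"{value:>12} -> {span}" + (f"   WARNING: {warn}" if warn else ""))
```

Run it over every expire-after in your web.config before deploying; any value that comes back with a warning should be rewritten in the d.hh:mm:ss form, which cannot be misread.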

Target matching

The LAPS web app searches for target matches in the following order. If there are multiple matches for a Group or Container type, the first match ordered in the list is used.

  1. Computer
  2. Group
  3. Container

When a request for a password is received, the LAPS web app first looks for a 'Computer' target whose name matches the requested computer. If none is found, it considers 'Group' targets whose group the computer is a member of; if more than one matches, the target that appears first in the list is used to evaluate the reader permissions. If no group target matches, it examines 'Container' targets and uses the first one that matches.

Note that once a target has matched, no other targets are considered. For example, suppose computer COMPUTER-A is a member of GROUP-A, and you have a computer target for COMPUTER-A and a group target for GROUP-A. Only the readers of the computer target are evaluated. If the user does not match a reader principal on the computer target they are denied access to the password, even if they match a principal on the group target; the group target is never evaluated because the computer target is the more specific match. Bear this in mind when adding a narrow target for a sensitive machine: it replaces, rather than adds to, any broader target that would otherwise apply.
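The following Python simulation, added here and not taken from the Lithnet code base, applies the search order above to a copy of the example configuration and then evaluates the reader check, so you can see which target a request lands on and why. It assumes that a Container target matches any computer whose distinguished name sits under the named OU, that names compare case-insensitively, and that directory facts (the computer's DN and group memberships, the caller's groups) are supplied by hand rather than read from Active Directory; WEB_CONFIG is a constructed copy of the page's example, and the Target, Decision, load_targets, resolve_target and authorize names are the example's own.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed web.config fragment in the shape this page documents.
WEB_CONFIG = """<lithnet-laps>
  <targets>
    <target name="OU=Server Management,DC=dev1,dc=local" type="Container" expire-after="02:00:00">
      <audit emailAddresses="server-admins@lithnet.io,security-team@lithnet.io"/>
      <readers><reader principal="DEV1\\ServerAdmins"/></readers>
    </target>
    <target name="Web Servers" type="Group" expire-after="01:00:00">
      <audit emailAddresses="web-admins@lithnet.io"/>
      <readers><reader principal="DEV1\\Web Admins"/></readers>
    </target>
    <target name="IDM-SEC01-V01" type="Computer" expire-after="01:00:00">
      <audit emailOnSuccess="false" emailAddresses="security-team@lithnet.io"/>
      <readers><reader principal="DEV1\\Security Team"/></readers>
    </target>
  </targets>
</lithnet-laps>"""


@dataclass
class Target:
    name: str
    kind: str                  # Computer, Group or Container
    expire_after: str | None
    readers: list[str]
    email_on_success: bool
    email_on_failure: bool
    recipients: list[str]


@dataclass
class Decision:
    allowed: bool
    target: str | None
    expire_after: str | None
    notify: list[str]          # audit recipients for this outcome


def load_targets(xml_text: str) -> list[Target]:
    """Read <targets>. ElementTree keeps document order, which is what 'first match' means."""
    targets = []
    for t in ET.fromstring(xml_text).iterfind("./targets/target"):
        audit = t.find("audit")
        a = audit.attrib if audit is not None else {}
        targets.append(Target(
            name=t.get("name"), kind=t.get("type"), expire_after=t.get("expire-after"),
            readers=[r.get("principal") for r in t.iterfind("./readers/reader")],
            email_on_success=a.get("emailOnSuccess", "true").lower() == "true",
            email_on_failure=a.get("emailOnFailure", "true").lower() == "true",
            recipients=[x.strip() for x in a.get("emailAddresses", "").split(",") if x.strip()],
        ))
    return targets


def resolve_target(targets, computer_name, computer_dn, computer_groups):
    """Computer targets first, then Group, then Container; the search stops at the
    first hit, so a more specific target hides every less specific one."""
    groups = {g.lower() for g in computer_groups}
    dn = computer_dn.lower()
    for kind in ("Computer", "Group", "Container"):
        for t in targets:
            if t.kind != kind:
                continue
            if kind == "Computer" and t.name.lower() == computer_name.lower():
                return t
            if kind == "Group" and t.name.lower() in groups:
                return t
            # Assumption: a Container target covers the whole subtree under the OU.
            if kind == "Container" and dn.endswith("," + t.name.lower()):
                return t
    return None


def authorize(targets, computer_name, computer_dn, computer_groups,
              user_principal, user_groups) -> Decision:
    target = resolve_target(targets, computer_name, computer_dn, computer_groups)
    if target is None:         # no target at all: nobody can read this password
        return Decision(False, None, None, [])
    principals = {user_principal.lower()} | {g.lower() for g in user_groups}
    allowed = any(r.lower() in principals for r in target.readers)
    send = target.email_on_success if allowed else target.email_on_failure
    return Decision(allowed, target.name, target.expire_after, target.recipients if send else [])


if __name__ == "__main__":
    targets = load_targets(WEB_CONFIG)
    # IDM-SEC01-V01 sits in the Server Management OU and in the Web Servers group, yet only
    # its Computer target is consulted, so a ServerAdmins member is refused (constructed data).
    sec = ("IDM-SEC01-V01", "CN=IDM-SEC01-V01,OU=Server Management,DC=dev1,DC=local", ["Web Servers"])
    print(authorize(targets, *sec, "DEV1\\alice", ["DEV1\\ServerAdmins"]))
    print(authorize(targets, *sec, "DEV1\\bob", ["DEV1\\Security Team"]))
```

Feed it the computers and callers you care about before you change the configuration; a denial on a machine you expected a broad target to cover usually means a narrower Computer or Group target is shadowing it.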

<audit>

The <audit> element controls when an audit email should be sent and who to send it to.

<audit emailOnSuccess="true" 
       emailOnFailure="true" 
       emailAddresses="support@lithnet.io"/>
Property        Description
emailOnSuccess  Optional. A true or false value that specifies if an email should be sent when a password is successfully accessed. The default value is true
emailOnFailure  Optional. A true or false value that specifies if an email should be sent when an unsuccessful attempt is made to access a password. The default value is true
emailAddresses  Optional. A comma-separated list of email recipients

<readers>

The <readers> element specifies one or more <reader> principals that are allowed to access a target's passwords.

<readers>
  <reader principal="DEV1\WorkstationAdmins" />
  <reader principal="DEV1\ServerAdmins" />
</readers>
Property   Description
principal  Required. A user samAccountName or userPrincipalName, or a group samAccountName

Managing your web.config file

Always take a backup of your web.config file before and after making any changes. A malformed web.config file will stop your web site from loading; if this happens, check the application event log for the specific details of the problem, or roll back the file to a known-good version.

Keep a separate backup copy of your working web.config file as well. It is easy to overwrite it by accident when deploying a new version of the web application. Remember that the targets element is the entire authorisation policy for password access, so restrict write access to the file to the people who are allowed to change that policy, and review the readers of each target after every change.