Comprehensive data protection for all workloads
Post Reply
evilaedmin
Expert
Posts: 176
Liked: 30 times
Joined: Jul 26, 2018 8:04 pm
Full Name: Eugene V
Contact:

LAPS and restoring Windows VMs with rotated passwords

Post by evilaedmin »

We use LAPS to secure the local administrator (SID 500) password of servers.

During our backup retention period, the local Administrator password will be rotated several times. We do not keep a history of these passwords.

The machine account will also be rotated within this time.

It's possible that if we go back far enough to attempt a full VM restore, it will not be accessible using AD based credentials (machine password rotated) and we will not be able to use local administrator to re-join to AD or reset machine password (local administrator password rotated via LAPS, and only the most recent is kept in AD secured via ACLs.

We presume that the need for a full VM restore is rare but let's assume it is a possibility.

Has anyone dealt with this problem and what was your approach?
mengl
Service Provider
Posts: 12
Liked: 10 times
Joined: Oct 19, 2018 7:02 am
Full Name: Michael Engl
Location: Germany
Contact:

Re: LAPS and restoring Windows VMs with rotated passwords

Post by mengl » 2 people like this post

As long as you keep the backups of your domain controllers as long as the VM backups you should be able to get the password by running an instant recovery from the dc or export/restore the computer object using the AD explorer.
Also if you disconnect the network of the restored VM you normally can login using cached (Administrator) credentials.
soncscy
Veteran
Posts: 643
Liked: 312 times
Joined: Aug 04, 2019 2:57 pm
Full Name: Harvey
Contact:

Re: LAPS and restoring Windows VMs with rotated passwords

Post by soncscy »

In our shop a few clients scripted this into simple encrypted CSV files (of their own volition). My understanding was most password managers would keep a key until they're told to delete it, so I assume a proper foss manager should help. Just give it a decent description for each key and you're golden.

While I understand your concern, I have to ask, what do you expect from a Backup Application? For my money's worth, I don't want then backup app touching my credentials unless is absolutely needs to, and if that's the case, it does so as a guest, not as a privileged account. But that's just how I prefer things.
evilaedmin
Expert
Posts: 176
Liked: 30 times
Joined: Jul 26, 2018 8:04 pm
Full Name: Eugene V
Contact:

Re: LAPS and restoring Windows VMs with rotated passwords

Post by evilaedmin » 1 person likes this post

mengl wrote: Apr 28, 2020 7:31 pm As long as you keep the backups of your domain controllers as long as the VM backups you should be able to get the password by running an instant recovery from the dc or export/restore the computer object using the AD explorer.
Also if you disconnect the network of the restored VM you normally can login using cached (Administrator) credentials.
Thanks this is exactly what I missed; we do have image based backups of AD and Veeam Explorer for AD was not something we ever tried before. Looks like we can view/export the properties of any object from any restore point. One might say I missed the [AD] forest for the trees. :mrgreen:
Post Reply

Who is online

Users browsing this forum: Google [Bot] and 155 guests