Lithnet Access Manager
Home

Last updated 10 months ago

Lithnet Access Manager allows you to safely delegate sensitive administrative access to computers in your organization in a modern and user-friendly way. Our goals are to help you deploy best practice security solutions like LAPS and just-in-time (JIT) access, while minimizing the friction usually associated with deploying such tools.

Access Manager can help reduce the likelihood and impact of a widespread compromise in your environment by enabling you to effectively replace permanent administrative access to your workstations and servers.

Usability front-and-centre, without compromising security

Every organization struggles to find the right balance between security and usability. At Lithnet, we believe that for security solutions to be successful, they must retain a high level of usability. If the scales tip too far, organizational resistance increases, and adoption failure becomes a real risk.

While LAPS on its own helps provide best-in-class protection against lateral movement attacks, we all know LAPS passwords are painful to use. We humans aren't great at remembering or typing out long and complicated passwords. Getting those LAPS passwords also requires the use of heavyweight tools such as the Active Directory Users and Computers console, which isn't always an option out in the field.

We've designed a product that does not require you to make any compromises with security, while drastically improving usability. Lithnet Access Manager helps bring things back into balance - providing best-in-class security, with an uncompromising user experience.

RapidLAPS brings a passwordless login experience to LAPS

What if you could get all the security benefits of LAPS, without ever having to enter a LAPS password?

Access Manager provides a new feature called RapidLAPS. It's a passwordless LAPS experience that integrates directly with the Windows logon screen. It allows authorized users to log in using the LAPS account by simply scanning a QR code or entering a PIN.

This means you can log into the LAPS account, without ever having to type or even know the LAPS password!

It also integrates with the Windows admin elevation prompt (run as administrator), allowing you to review and approve the app and user requesting administrative access.

Access Manager makes LAPS passwords easy to get to

While RapidLAPS works in the most common scenarios, there will be times when you need to access the LAPS password directly. In this case, Access Manager makes it as easy as possible.

Whether you are using Microsoft legacy LAPS, new Windows LAPS, or the Access Manager Agent, your LAPS passwords are always available via a single mobile-friendly, web-based app. Simply type in the computer name and Access Manager will find the password and present it. Whether the LAPS password is stored in Active Directory, Microsoft Entra, or AMS itself, the process is seamless to the user.

We use specific fonts so you can actually see the difference between a lower-case L and a capital I. We also show a breakdown of the password using the NATO phonetic alphabet to make it easy to read out to someone. You can even have Access Manager read the password with its text-to-speech capability!

Use LAPS passphrases, instead of passwords

If you do have to use the LAPS passwords, wouldn't it be great if they were passphrases, instead of passwords?

You can use Access Manager to manage your LAPS passwords, instead of the Microsoft agent. This lets you generate passphrases for the managed LAPS account, instead of random, complex and hard-to-read passwords.

Passphrases are generated from word lists you provide, making them fully customizable to your organization's needs.

Self-service just-in-time access to computers

There are some cases, such as accessing servers, where LAPS isn't suitable, and users need to be members of the local administrators group, using their own credentials.

Rather than granting users permanent access to these computers, now you can grant them self-service, just-in-time access to those computers.

Using the same web interface, they request JIT access to a computer, and their account is added to the local administrators group of the computer. This access is temporary and automatically removed after the allowed time period.

Just-in-time access to custom roles

It's not just computers that you can provide just-in-time access for. Any Active Directory group can be set up as a role in Access Manager.

Using the same self-service interface, entitled users can request access to the role at any time. Access Manager will then add them to the corresponding Active Directory group, and automatically remove them when the expiry time has elapsed.

Strengthening security and closing gaps

Deploying LAPS is a great way to protect devices, but how do you then keep LAPS passwords themselves safe? Attackers have tools that allow them to harvest LAPS passwords from Active Directory, and without the proper monitoring in place, it can happen without tripping any alarms.

Access Manager isn't just about improving usability; it also uplifts the security of your LAPS solution.

Access Manager protects sensitive access with strong authentication

LAPS passwords stored in Active Directory are vulnerable to harvesting via stolen credentials and tickets. There is no way to protect them with modern authentication and MFA.

Access Manager provides support for modern authentication options like OpenID Connect, allowing you to protect access to LAPS passwords by using identity providers such as Microsoft Entra or Okta. You can enforce strong authentication mechanisms like passkeys, and eliminate the risk of password harvesting directly from Active Directory.

Access Manager prevents mass-harvesting of LAPS passwords

If an attacker gets their hands on credentials that have permission to read LAPS passwords from Active Directory, there's nothing stopping them from extracting all the LAPS passwords for your organization in seconds.

Access Manager prevents this by implementing rate limiting for all access requests. You can set per-user and per-IP address rate limits, to mitigate the damage that can be done in the event a person with AMS access has their credentials compromised.

Access Manager improves visibility of LAPS access events

The out-of-box auditing story for Microsoft LAPS leaves a lot to be desired. Have you ever had to search event logs to try and find out who accessed a LAPS password in Active Directory? Were the right audit events even turned on when you needed them? How many domain controller event logs did you have to search through to find what you needed?

Access Manager provides detailed audit logs for every access event, and optionally allows you to send them via email, via webhook to Slack or Teams, to Splunk, and even to PowerShell, allowing unlimited flexibility on how you track these events.

A universal solution for organizations of all sizes

Access Manager lets you deploy LAPS to your entire organization

So we can deploy LAPS to Windows devices, but what about Linux and macOS devices?

The Access Manager agent extends LAPS support to these operating systems, and allows retrieval through the exact same web app and exact same process as Windows LAPS passwords.

The Access Manager web app is a multi-purpose tool

We are your one-stop shop for managing privileged access to endpoints. The same web app that allows users to access LAPS passwords also supports other scenarios, like retrieving BitLocker recovery passwords and providing just-in-time access to computers and roles.

Access Manager is extensible

We know each organization has its own individual needs that need to be considered when deploying solutions to manage and delegate privileged access. We've built Access Manager to be extensible through PowerShell, allowing you to bring your own custom auditing and authorization solutions to the product.

Getting started

Read our getting started guide to learn how to start using Access Manager to secure your environment today.

Other security solutions from Lithnet

We recommend you also look at Lithnet Password Protection for Active Directory, to help strengthen your environment against commodity password-based attacks.