Microsoft LAPS stored password exposed!

Using specific methods, a network trace shows the captured ms-Mcs-AdmPwd value, which is a major concern. On the right, LDP shows a legitimate read operation.
Microsoft LAPS versus feature rich Synergix ADCE
Pass-the-Hash (PtH) attacks against the Windows operating systems are becoming common. Microsoft wants organizations to assume that a breach has already occurred in order to highlight the need for a more mature defense. This article helps organizations plan their strategies for a more effective defense against pass-the-hash attacks.
With the AD Client Extensions software installed, the Local Administrator password is system generated and, unlike Microsoft LAPS, it is stored in Active Directory in encrypted form. No AD schema changes are required, and the password can be stored in a custom application partition, allowing control over replication to specific, physically well-secured DCs. Passwords are validated regularly and reset to maintain their integrity. Only designated administrators are allowed to decrypt the password strings.
The feature was first launched in ADCE 2012 and has matured significantly over the years, making it a proven solution for large enterprise customers.
If you are considering Microsoft LAPS, stop now! Register on our website to schedule a conference call with our Cyber Security experts to discuss the weaknesses in the Microsoft LAPS implementation and how expensive it can turn out to be for your enterprise.
The choice is clear!
The Ultimate Windows Extensions
THE CHOICE IS CLEAR

Feature                         | Microsoft LAPS               | Synergix ADCE
Non MAPS* related features      | 0                            | 20+
(* MAPS = Multiple Account Password Solution)

MAPS (Multiple Account Password Solution) feature comparison

Feature                         | Microsoft LAPS               | Synergix ADCE
Managed Accounts                | Builtin Administrator only   | Builtin Administrator, Backup Administrator, Local User

Other MAPS features compared:
Azure AD Domain Services
No Active Directory Schema Changes
Centralized Auditing
Strictly follow Principle of Least Privilege
Domain Admins exclusion
Encrypted Password
Unique Encryption Key
Limit Replication Scope using Application Partition
Store data in other objectClass, e.g. associated Device object
Password Masking
Tamper-resistant password
RDP to target by masking username and password
Rename Local Administrator Account regularly
Rename Backup (non S-500) Admin Account regularly
Confidential Attribute without Schema Extensions
Require input of business reason before retrieving password
Password Aging after checkout
Windows 7.0 SP1 to Windows Server 2019 support
Windows XP and Windows Server 2003 support
Strategic Solution