¶ SYNERGIX LEDR
¶ Overview
The software SYNERGIX LEDR offers significant value compared to its predecessor SYNERGIX SEVA.
Universal LAPS solution is one of the many key selling propositions.
The software improves security posture of endpoints by rotating the logon names and passwords/pass phrases of all local accounts, existing or new accounts, including MS SQL Server sa account password! Password may be retrieved from the dashboard by authorized users only.
Admin On Demand features, offers Just-In-Time Administration allowing end users to run selected programs with elevated privileges.
Remote Desktop Protocol port rotation adds another security layer, by discouraging use of the well known 3389/tcp network communication port.
SYNERGIX LEDR is Operating System agnostic and works on
- MacOS
- Windows and
- Linux
RedHat, Oracle Linux, CentOS, Debian, Ubuntu, Fedora, OpenSUSE, and more.
Linux based appliance such as Tenable Nessus Vulnerability Scanner, OpenVPN and more.
The software supports
- Active Directory joined computes,
- Entra ID joined computers and
- Workgroup computers.
¶ Privacy First
The software is not a SaaS solution.
The Cloud App is hosted in customer’s Azure Tenant and the secrets are stored securely in customer’s Azure Key vault, with exclusive access to the customer associates only. Error reporting data, if any, is forwarded to Log Analytics Workspace in the customer’s Azure Tenant.
¶ Universal LAPS Features
| Features | Microsoft LAPS | SYNERGIX LEDR |
|---|---|---|
| Local Administrator Password Solution |  |
  |
| Backup Administrator Password Solution |  |
|
| Low Privilege User Password Solution | |
|
| Logon Name Rotation | |
|
| Non-Compliant Local Users Password Solution | |
|
| Chetak* Administrator Password Solution | |
|
| Microsoft SQL sa Password Solution | |
|
| Autologon Account Password Solution | |
|
¶ Non-compliant Local Accounts
All local user accounts on Windows, Linux and macOS will have their password rotated, ensuring the security of the systems. Designated administrators may retrieve the password from the dashboad to login with such accounts and ultimately decide to disable or delete all such local user accounts, for auditing and for operational risk management purposes.
¶ Microsoft SQL Server sa Password Rotation
When this feature is enabled and properly configured, it will rotate Microsoft SQL sa Account Password and store it in the vault.
| Microsoft SQL Server | Windows OS | Linux | Comments |
|---|---|---|---|
| Microsoft SQL Server 2022 |  |
 |
Linux support planned |
| Microsoft SQL Server 2019 | |
|
|
| Microsoft SQL Server 2017 | |
|
¶ Password Encryption
| Microsoft LAPS | SYNERGIX LEDR | |
|---|---|---|
| Authorized Security Principal | One | Agnostic |
¶ Unauthorized Password Readers
| Microsoft LAPS | SYNERGIX LEDR | |
|---|---|---|
| Device | |
|
Reference:
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts-overview#dsrm-password-support
When encrypted password history is enabled and it’s time to rotate the password, the managed device first reads the current version of the encrypted password from Windows Server Active Directory. The current password is then added to the password history. Earlier versions of the password in the history are deleted as needed to comply with the configured maximum history limitation.
¶ Authorized Password Readers
| Microsoft LAPS | SYNERGIX LEDR | |
|---|---|---|
| Global Administrator | |
|
| Cloud Device Administrator | |
|
| Intune Administrator | |
|
By default, Windows LAPS allows members of the Global Administrator, Cloud Device Administrator, and Intune Administrator roles to retrieve the clear-text password. In contrast SYNERGIX LEDR requires proper assignment of Password Reader permissions.
¶ Identity Provider Agnostic
| Microsoft LAPS | SYNERGIX LEDR | |
|---|---|---|
| Identity Providers |   |
   |
¶ Windows Operating Systems
| Operating Systems | Microsoft LAPS | SYNERGIX LEDR |
|---|---|---|
| Windows 7.0 SP1 | |
|
| Windows 8.0 | |
|
| Windows 10 | |
|
| Windows 11 | |
|
| Windows Server 2008/R2 | |
|
| Windows Server 2012/R2 | |
|
| Windows Server 2016 | |
|
| Windows Server 2019 | |
|
| Windows Server 2022 | |
|
| Windows Server 2025 | |
|
¶ Linux Distributions
| Operating Systems | Microsoft LAPS | SYNERGIX LEDR |
|---|---|---|
| CentOS | |
|
| Debian | |
|
| Fedora | |
|
| Kali Linux | |
|
| openSUSE | |
|
| Oracle 9 | |
|
| RedHat Enterprise Linux | |
|
| Ubuntu Desktop | |
|
| Ubuntu Server | |
|
The software should also work on all Linux Distributions that can run .NET Core 8.0
¶ Apple macOS
| Operating Systems | Microsoft LAPS | SYNERGIX LEDR |
|---|---|---|
| Catalina | |
|
| Big Sur | |
|
| Monterey | |
|
| Ventura | |
|
| Sonoma | |
|
| Sequoia | |
|
¶ Appliances
| Operating Systems | Microsoft LAPS | SYNERGIX LEDR |
|---|---|---|
| openVPN | |
|
| Bitnami | |
|
| Tenable Nessus Vulnerability Scanner | |
|
¶ Admin on Demand
When the feature is enabled, users are granted Just-In-Time Administration privileges and can launch selected applications with admin token.
¶ Remote Desktop Protocol (RDP) Port Rotation
When the feature is enabled, RDP port is randomly assigned a port number in specified high range, such as 33389 to 43389, along with updating the Windows Firewall rule.
New Windows Firewall rule is created but not enabled, denying the inbound connection on rotated port number until the configuration is updated to allow inbound network connection on the assigned RDP port.
For added benefit, consider implementation of Chetak*, a deception technique.
| Features | Microsoft LAPS | SYNERGIX LEDR |
|---|---|---|
| Remote Desktop Protocol Rotation | |
|
¶ Process Guard
When the feature is enabled, execution of Lolbin processes such as adfind.exe, msbuild.exe, csc.exe and others specified in the software configuration, by any non-system account, are challenged with a captcha prompt.
¶ SIEM Integration
When the feature is enabled, software forwards selected Security Events and Sysmon Events to Azure Log Analytics Workspace, enabling CyberSecurity Operations Analyst build detection rules.
¶ Security Events
Specific Windows Events, such as 4624 and others, are forwarded to Azure Log Analytics Workspace.
¶ Sysmon Events
All events configured in Sysmon configuration file, are forwarded to Azure Log Analytics Workspace.
¶ Detection Rules
- Users logging in from unowned device
- DNS queries to search for malicious domains
- Processes launched from $Recycle.Bin
- Processes launched with high privileges
- PowerShell encoded commands
- PowerShell Download
- Sticky-key attack
- More …
¶ Service Monitoring
¶ Inventory
¶ RBAC
¶ Open API
¶ Auditing
¶ References
For more information, visit https://www.synergix.com
© 2025 Synergix Labs.
Optaguard is a product brand of Synergix Labs