¶ SYNERGIX LEDR
¶ Overview
The software SYNERGIX LEDR offers significant value compared to its predecessor SYNERGIX SEVA and competitors’ products from CyberArk, Dilinea and others.
Privilege Access Management / Admin On Demand feature addresses Privileged Access Management requirements by offering Just-In-Time Administration capabilities, allowing end users to run approved programs with elevated privileges. It offers practical and economical alternative to CyberArk EPM, Admin On Request and other PAM solutions.
Universal LAPS features is Operating System agnostic and is one of the many key selling features in the product. With Privilege Access Management / Admin on Demand feature, it offers an alternative to CyberArk EPM
The software improves security posture of endpoints, by rotating the logon names and passwords/pass phrases of all local accounts, existing or new accounts, including MS SQL Server sa account password! Password may be retrieved from the dashboard by authorized users only.
SYNERGIX LEDR is Operating System agnostic and works on
- MacOS
- Windows and
- Linux
RedHat, Oracle Linux, CentOS, Debian, Ubuntu, Fedora, OpenSUSE, and more.
Linux based appliance such as Tenable Nessus Vulnerability Scanner, OpenVPN and more.
Remote Desktop Protocol and SSHD port rotation add another security layer, by discouraging use of the well known 3389/tcp or 22/tcp network communication ports.
The software supports
- Active Directory joined computers
- Entra ID joined computers and
- Workgroup computers (Windows, macOS, Linux and Linux based appliances)
- Devices hosted in DMZ, AWS, GCP and in other Cloud Service Providers
¶ Privacy First
The software is a Cloud App hosted in customer’s Azure Tenant.
The Cloud App is hosted in customer’s Azure Tenant, and the secrets are stored securely in customer’s Azure Key vault, with exclusive access to the customer associates only. Error reporting data, if any, is forwarded to Log Analytics Workspace in the customer’s Azure Tenant.
¶ Universal LAPS Features
| Features | Microsoft LAPS | SYNERGIX LEDR |
|---|---|---|
| Local Administrator Password Solution |  |
  |
| Backup Administrator Password Solution |  |
|
| Low Privilege User Password Solution | |
|
| Logon Name Rotation | |
|
| Non-Compliant Local Users Password Solution | |
|
| Chetak* Administrator Password Solution | |
|
| Microsoft SQL sa Password Solution | |
|
| Remote Desktop Port Rotation | |
|
| SSHD Port Rotation | |
|
| Autologon Account Password Solution | |
|
¶ Non-compliant Local Accounts
All local user accounts on Windows, Linux and macOS will have their passwords rotated, ensuring the security of the systems. Designated administrators may retrieve the password from the web dashboad to login with such accounts and ultimately decide to disable or delete all such local user accounts, for auditing and for operational risk management purposes.
¶ Microsoft SQL Server sa Password Rotation
When this feature is enabled and properly configured, it will rotate Microsoft SQL sa Account Password and store it in the vault.
| Microsoft SQL Server | Windows OS | Linux | Comments |
|---|---|---|---|
| Microsoft SQL Server 2022 |  |
 |
Linux support planned |
| Microsoft SQL Server 2019 | |
|
|
| Microsoft SQL Server 2017 | |
|
¶ Password Encryption
| Microsoft LAPS | SYNERGIX LEDR | |
|---|---|---|
| Authorized Security Principal | One | Agnostic |
¶ Unauthorized Password Readers
| Microsoft LAPS | SYNERGIX LEDR | |
|---|---|---|
| Device | |
|
Reference:
DSRM Password Support
When encrypted password history is enabled and it’s time to rotate the password, the managed device first reads the current version of the encrypted password from Windows Server Active Directory. The current password is then added to the password history. Prior passwords in the history vault are deleted, when needed, to comply with the configured maximum history limitation.
¶ Authorized Password Readers
The software strictly follows Principle of Least Privileges. High privileged accounts in Entra ID or in Active Directory Domain Services are not granted high privileges in SYNERGIX LEDR software.
| Microsoft LAPS | SYNERGIX LEDR | |
|---|---|---|
| Global Administrator | |
|
| Cloud Device Administrator | |
|
| Intune Administrator | |
|
By default, Windows LAPS allows members of the Global Administrator, Cloud Device Administrator, and Intune Administrator roles to retrieve the clear-text password. In contrast SYNERGIX LEDR requires proper assignment of Password Reader permission.
¶ Identity Provider Agnostic
| Microsoft LAPS | SYNERGIX LEDR | |
|---|---|---|
| Identity Providers |   |
   |
¶ Windows Operating Systems
| Operating Systems | Microsoft LAPS | SYNERGIX LEDR |
|---|---|---|
| Windows 7.0 SP1 | |
|
| Windows 8.0 | |
|
| Windows 10 | |
|
| Windows 11 | |
|
| Windows Server 2008/R2 | |
|
| Windows Server 2012/R2 | |
|
| Windows Server 2016 | |
|
| Windows Server 2019 | |
|
| Windows Server 2022 | |
|
| Windows Server 2025 | |
|
¶ Linux Distributions
| Operating Systems | Microsoft LAPS | SYNERGIX LEDR |
|---|---|---|
| CentOS | |
|
| Debian | |
|
| Fedora | |
|
| Kali Linux | |
|
| openSUSE | |
|
| Oracle 9 | |
|
| RedHat Enterprise Linux | |
|
| Ubuntu Desktop | |
|
| Ubuntu Server | |
|
The software should also work on all Linux Distributions that can run .NET Core 8.0
¶ Apple macOS
| Operating Systems | Microsoft LAPS | SYNERGIX LEDR |
|---|---|---|
| Catalina | |
|
| Big Sur | |
|
| Monterey | |
|
| Ventura | |
|
| Sonoma | |
|
| Sequoia | |
|
¶ Appliances
| Operating Systems | Microsoft LAPS | SYNERGIX LEDR |
|---|---|---|
| openVPN | |
|
| Bitnami Stacks | |
|
| Tenable Nessus Vulnerability Scanner | |
|
¶ Admin on Demand
When the feature is enabled, users are granted Just-In-Time Administration privileges and can launch selected applications with admin token.
¶ Remote Desktop Protocol (RDP) Port Rotation
When the feature is enabled, RDP port is randomly assigned a number in specified high range, such as 33389 to 43389, along with updating the Windows Firewall rule.
New Windows Firewall rule is created but not enabled, denying the inbound connection on rotated port number until the configuration is updated to allow inbound network connection on the assigned RDP port.
For added benefit, consider implementation of Chetak*, a deception technique.
| Features | Microsoft LAPS | SYNERGIX LEDR |
|---|---|---|
| Remote Desktop Protocol Rotation | |
|
¶ Process Guard
When the feature is enabled, execution of Living of the Land Binaries (Lolbins) such as adfind.exe, msbuild.exe, csc.exe and others that are specified in the software configuration, by any non-system account, are challenged with a captcha prompt.
¶ SIEM Integration
When the feature is enabled, software forwards selected Security Events and Sysmon Events to customer’s Azure Log Analytics Workspace, enabling CyberSecurity Operations Analyst build detection rules.
¶ Security Events
Specific Windows Events, such as 4624 and others, are forwarded to Azure Log Analytics Workspace.
¶ Sysmon Events
All events configured in Sysmon configuration file, are forwarded to Azure Log Analytics Workspace.
¶ Detection Rules
- Users logging in from unowned device
- DNS queries to search for malicious domains
- Processes launched from $Recycle.Bin
- Processes launched with high privileges
- PowerShell encoded commands
- PowerShell Download
- Sticky-key attack
- More …
¶ Additional Features
¶ Service Monitoring
¶ Inventory
¶ RBAC
¶ Open API
¶ Auditing
¶ References
For more information, visit https://www.synergix.com
© 2025 Synergix Labs.
Optaguard is a product brand of Synergix Labs