In June 2016, I wrote a review of Specops Password Policy and was impressed with this company's dedication to Windows account security. You may already know that Specops sells a comprehensive suite of password and desktop management products; today we'll take a close look at one of them: Specops Password Auditor.
Specops Password Auditor has the primary use case of an organization that needs to search Active Directory for the following security vulnerabilities:
- Expiring, or expired passwords
- Administrative user and/or service accounts
- Accounts that don’t require passwords
You may use this tool to help you maintain your security compliance certification(s), or you may simply want to reduce your organizational attack surface. Specops offers you this free tool for the benefit of the Windows systems administration community, and as an entry point for one of their commercial products.
Let's take a closer look at Specops Password Auditor, shall we?
Installation and first run
Go ahead and download the 3-MB .msi package from the Specops website. I installed the freeware on one of my Windows Server 2016 domain controllers, although I just as well could have done so on an administrative workstation.
Specops Password Auditor has no database dependency, and you'll have the tool up and running in under one minute in most circumstances. One note: if you are logged onto your workstation with standard user privileges, you'll want to start the software under a domain administrative credential.
Right-click the Specops Password Auditor icon from the Start menu and then click More > Run as a different user as shown in the following screenshot.
The main user interface is simple: you verify the target Active Directory domain and the Active Directory Domain Services (AD DS) domain controller, and then click Start Scanning. I show you this interface in the following screenshot.
The simplicity of the UI belies some underlying complexity in terms of what the tool actually does. First, Specops Password Auditor only reads AD data, never attempts to write. Second, the tool analyzes both your domain password policies and your fine-grained password policies.
Interpret the reports
After the scan, Specops Password Auditor presents its findings in a dashboard report. I share mine with you in the next screenshot.
This report dashboard is fully interactive. Here are the categories and what they tell you:
- Admin Accounts: High-privilege AD user accounts
- Stale Admin Accounts: High-privilege AD user accounts that have not logged onto the domain for at least 90 days (this value is customizable)
- Expiring Passwords: AD user accounts whose passwords are within seven days of expiration (customizable)
- Expired Passwords: AD user accounts that have expired passwords and may be locked out
- Password Policies: Group Policy Object (GPO)-based and fine-grained password policies
- Password Policy Usage: What percentage of your user base is affected by detected password policies
- Password Policy Compliance: How your current password policy compares to other industry standard recommendations
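To make the categories above concrete, here is an added example (not Specops code and not part of the original review) that reproduces the account-level checks with a read-only PowerShell query against AD. It assumes the RSAT ActiveDirectory module is installed, uses the 90-day and 7-day defaults named above, and treats adminCount=1 as the "high-privilege" heuristic, which is an assumption since the tool does not publish its exact definition.

```powershell
# Added example, not Specops code: read-only reproduction of the dashboard checks.
# Assumptions: RSAT ActiveDirectory module; thresholds match the defaults in the text.
Import-Module ActiveDirectory

$StaleDays    = 90   # "Stale Admin Accounts" default
$ExpiringDays = 7    # "Expiring Passwords" default
$Now          = Get-Date

# One query for every enabled user with the attributes the checks need.
$Users = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties `
    adminCount, LastLogonDate, PasswordExpired, PasswordNeverExpires, `
    PasswordNotRequired, 'msDS-UserPasswordExpiryTimeComputed')

# Admin Accounts: SDProp stamps adminCount=1 on members of protected groups
# (assumed heuristic; it also catches accounts that left those groups long ago).
$Admins = @($Users | Where-Object { $_.adminCount -eq 1 })

# Stale Admin Accounts: no replicated logon within $StaleDays days (or never).
$StaleAdmins = @($Admins | Where-Object {
    -not $_.LastLogonDate -or $_.LastLogonDate -lt $Now.AddDays(-$StaleDays)
})

# Expiring Passwords: computed expiry falls inside the next $ExpiringDays days.
# Int64.MaxValue means "never expires" under the effective policy and must be skipped.
$Expiring = @($Users | Where-Object {
    -not $_.PasswordNeverExpires -and
    $_.'msDS-UserPasswordExpiryTimeComputed' -and
    $_.'msDS-UserPasswordExpiryTimeComputed' -ne [Int64]::MaxValue
} | ForEach-Object {
    $expiry = [DateTime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')
    if ($expiry -gt $Now -and $expiry -le $Now.AddDays($ExpiringDays)) {
        [pscustomobject]@{ SamAccountName = $_.SamAccountName; ExpiresOn = $expiry }
    }
})

# Expired Passwords, plus accounts flagged PASSWD_NOTREQD in userAccountControl.
$Expired     = @($Users | Where-Object { $_.PasswordExpired })
$NoPwdNeeded = @($Users | Where-Object { $_.PasswordNotRequired })

[pscustomobject]@{
    AdminAccounts      = $Admins.Count
    StaleAdminAccounts = $StaleAdmins.Count
    ExpiringPasswords  = $Expiring.Count
    ExpiredPasswords   = $Expired.Count
    NoPasswordRequired = $NoPwdNeeded.Count
} | Format-List

# CSV export for the support desk, mirroring the tool's own export option.
$Expiring | Export-Csv -Path .\expiring-passwords.csv -NoTypeInformation
```

Run it under a domain account that can read user attributes; LastLogonDate is replicated with up to 14 days of lag, so treat the stale count as an upper bound for follow-up, not a final verdict.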
This last report, Password Policy Compliance, is particularly useful. Here Specops Password Auditor scores your current password policies against the following standards:
- Microsoft Research
- Microsoft TechNet
- National Institute of Standards and Technology (NIST)
- Payment Card Industry (PCI)
- System Administration, Networking, and Security Institute (SANS) Admin
- SANS Users
As you can see in the next composite screenshot, you can drill down into each comparison to see your policy values and whether they are compliant, partially compliant, or do not meet the target recommendation set. Specops Password Auditor also lets you drill down into each value to understand how the score was reached. As an example, the default policy listed in the screenshot below failed to meet both the Microsoft TechNet and SANS password length recommendations, in addition to failing to meet the SANS dictionary and complexity requirements.
As I mentioned earlier, Specops Password Auditor integrates seamlessly into Specops Password Policy. This makes it easier to implement any password or account changes the Auditor tool unearths.
Note: Each password policy compliance report includes a Source hyperlink that points you directly to the body that produced a given set of recommendations. For example, the source for the Microsoft Research recommendations is the "Microsoft Password Guidance" white paper from the Microsoft Identity Protection Team.
You can export your password policy compliance reports in comma-separated value (CSV) format for analysis in Excel, Power BI, or your analysis tool of choice.
The Admin Accounts report is also super important because Specops Password Auditor can alert you to service or domain user accounts with administrative privileges you may not have known about.
In today's world of ransomware, you need to keep a tight lid on high-privilege accounts. The first step in doing so is determining which accounts have the high privileges in the first place.
For Windows systems administrators, Specops Password Auditor is a must-have utility. You can't beat the price (free), and if the tool helps you spot just one previously unknown high-privilege account, then the tool has given your business tremendous value.
I also submit that your support desk staff will appreciate being able to report on user accounts that are nearing password expiration. After all, who among us doesn't enjoy unlocking administratively locked user accounts? Ha!