- Azure Automanage: Configuring Azure VMs according to best practices - Mon, Nov 23 2020
- Configuring vSphere with Tanzu HAProxy VM - Fri, Nov 20 2020
- AdRem Software NetCrunch v11: Compelling monitoring solution with new features - Tue, Nov 17 2020
Specops Password Policy overview ^
The Specops Password Policy tool is a solution that helps bolster Active Directory password security. It extends the built-in functionality of Group Policy, helps to manage fine-grained password policies, and can be scoped to target any number of users with much more granular and secure password requirements than the built-in policies.
The solution is very granular in nature. Different Specops Password Policy enforcements can be scoped to different users. Users with greater access rights can be expected to meet stronger complexity requirements when compared to users with lesser rights.
Using Specops Password Policy, you can define any number of password requirements, including complexity, compromised password list checks, custom dictionaries, and passphrase settings. It provides a number of interesting capabilities over what most people are accustomed to with Active Directory. This includes eliminating complexity requirements in favor of allowing passphrases to enforce security policies.
Additionally, Specops Password Policy provides a couple of different methods for checking passwords against the breached password list database. You can download static files that provide a local breached password database. Alternatively, you can use their cloud-based Complete API, which checks passwords against the latest and greatest list of breached passwords for the most up-to-date checks possible.
Specops Password Policy new features ^
What has changed in the recent release of Specops Password Policy? There have been quite a few changes and enhancements, including:
- Simplified and centralized SMTP configuration
- Easier installation of the Sentinel component on domain controllers (Select All button)
- Admin tools now list the Sentinel state for domain controllers
- Simplified UI (expiration settings have a dedicated tab)
- SMTP email is now sent directly from the Sentinel service installed on the domain controllers
- Improved HTML editor
Added support for:
- Current password scanning upon database update with alerts for leaked passwords (Blacklist Express)
- HTML formatting and templates for password expiration emails
- Integrated Windows authentication for SMTP server
- Blacklist Complete notifications can be sent via the local SMTP server
- PowerShell cmdlets for SMTP configuration
- Active Directory "mail" attribute override
- Active Directory "mobile" attribute override
- Default country code for when the mobile country code is not included in the Active Directory attribute value
- .Net 4.7.2 or later is required
- Using a maximum of two parallel requests when sending to SMTP
- From this release, SMTP per-policy settings have been deprecated in favor of per-domain SMTP settings
Installation tweaks and admin features ^
As mentioned above, there are many new tweaks and features that ease the installation and management of Specops Password Policy. One of the installation tasks is getting the Sentinel component installed on your domain controllers.
The Sentinel component verifies whether a new password matches the Specops Password Policy settings as they are assigned to a particular user. It serves as a "password filter" of sorts for your domain controller. With the new version of Specops Password Policy 7.5, you can choose to select all for your domain controllers so you can install the Sentinel component on all DCs at the same time.
Specops has streamlined the process of managing the SMTP settings in Password Policy 7.5. Under domain settings, you can configure the global settings for SMTP configuration. Also, email functionality can be tested from the domain controller side, which is a change from previous releases.
Below, you can send a test email message from your domain controller after configuring your global SMTP settings.
The new version of Specops Password Policy allows easily seeing the state of the Sentinel service running on all domain controllers in the environment.
Specops Password Policy 7.5 includes a dedicated tab showing the Password Expiration settings and configuration. This makes the workflow for configuring password expiration settings stand out much more effectively.
As you can see below, the Password Expiration tab makes the workflow of covering all aspects of creating and configuring your password policy, including password expiration settings, much easier. On this screen, you also configure password expiration notifications.
Specops Password Policy 7.5 sports an improved HTML editor for customizing the look and feel of the Specops notification emails.
Same great features to control user passwords ^
Specops Software has done a great job in improving the features and functionality with this release, especially from the administration side of things. They have streamlined many features of the admin interface as well as the installation of the product in terms of how it handles the installation of the Sentinel component.
Specops Password Policy enables easily controlling the passwords end users create and use for their Active Directory accounts. You can easily see the Specops Password Policy capabilities in action below. Aside from the normal "complexity requirements not met" message, users receive the much more verbose message from the Specops Password Policy solution. As you can see, this particular password policy includes the breached password check for end users.
Wrapping up ^
I really like the Specops solution for managing passwords in an Active Directory environment. It very much rounds out the features and capabilities needed to strengthen end user password use and enforce good password hygiene in the environment. Specops allows you to stick with creating granular policies that can be applied with different customized settings in line with your Group Policy Objects (GPOs).
The breached password protection helps to ensure that your end users are not using passwords that are part of previously breached password lists. Attackers use these types of lists to perform password spraying attacks on your environment. This feature helps to ensure that your users are not allowed to use passwords that have previously been exposed. It also provides really great notification features that help to alert your end users when passwords are expiring, as it sends email to the email address assigned to their Active Directory account.
In this release, they have streamlined many of the management and administration aspects of the product and helped to improve the workflows of the UI when creating policies. From what I have seen, they have succeeded in streamlining and improving the product overall while continuing to deliver really great security features for Active Directory passwords. Check out the Specops Password Policy site for a free trial.