Latest posts by Timothy Warner (see all)
- Using implicit PowerShell remoting to import remote modules - Thu, Mar 23 2017
- PowerShell remoting between Windows and Linux - Tue, Mar 21 2017
- ManageEngine Key Manager Plus - Track SSH keys and SSL certificates - Tue, Feb 28 2017
Let's face it: passwords aren't going away. Yes, we're in the 21st century. Yes, we have various multi-factor authentication (MFA) and biometric identity schemes. But the unavoidable fact is that for most Windows systems administrators, our corporate secrets are only as protected as our passwords are strong.
As you know, Windows Server includes some bare-bones password management features in Group Policy. Here, let me show you a screenshot:
Windows Server 2012 gave us fine-grained password policy with which we can deploy different password policies to different user populations within our organizations. All this is well and good, but how many of the following "pain points" do you deal with on a daily basis?
- Help desk personnel constantly having to reset user passwords
- Fielding user complaints regarding password policy and change requirements
- Lack of self-service password reset
- Difficulty passing compliance audits because your password controls aren't granular enough
- Specops Password Policy: Substantial enhancement to native AD password policy
- Specops uReset: self-service password reset utilizing claims-based identity; supports authentication tokens from over 20 identity providers
- Specops Password Reset: End user–friendly self-service password reset and account unlock
- Specops Password Sync: Allows AD password to be used with non-AD and external SaaS resources
How Specops Password Policy works ^
One thing I really like about Specops Password Policy is that it requires no database or other heavy infrastructure plumbing. Take a look at the following conceptual diagram I drew, and I'll walk you through the various parts and pieces of the solution:
- Specops Client: This agent should be deployed to every domain workstation.
- Specops Password Policy Sentinel: This is the password filter engine that should be installed on all Active Directory domain controllers.
- Specops Password Policy Administration Tool: Domain admins use this tool and the typical Windows Server Remote Server Administration Tools (RSAT) to manage Specops password policies.
As you'll see in a moment, you can do some amazing things to your password policy (or policies) in your domain. Recall that Windows Server's fine-grained password policy has the following limitations:
- Maximum of 6 policies per domain
- Targets AD users and groups only
- Limited to built-in password policy (GPO) options
By contrast, Specops Password Policy can target any GPO level, computer, user, or group population and has the added benefit of expanded password policy options, including the use of passphrases.
Let's get the product installed so we can kick the proverbial tires together.
Install Specops Password Policy ^
First of all, sign up for a free trial, and a Specops representative will send you a link to the installer package as well as a trial license file.
Make sure you're logged on to a domain controller as an administrator and fire up the installation wizard as shown here:
As you can see in the previous screenshot, the interface updates as you progress through each installation phase. This is useful because I find that when I perform a multi-phase product installation, I sometimes forget which components I've installed vs. which ones I haven't.
The installer actually walks you through each administrative phase. For instance, the following interface screenshot shows the process of installing the domain controller sentinel component:
At the conclusion of the Specops Password Policy installation process, you'll have extended Group Policy to include Specops-specific functionality and deployed the agent to your users. You're now ready to actually build your first policy.
Create your first Specops password policy ^
On your administrative workstation, fire up the Specops Password Policy Domain Administration Tool. As usual, I'll give you a screenshot and then explain each major part of the interface:
- Domain Administration: Manage your license and enable/disable the service
- Domain Settings: Specify whether you need reversible password encryption and point the tool to your SMTP mail server for alerts
- Password Policy Sentinel state: Verify that Sentinel's running and on which domain controllers
- Configured password policies: View and edit any of your password policies
- Language files: Manage client language files; this is used to localize the software
- Password policy templates: Create, edit, and delete policy templates; the Microsoft and NSA templates ship with the product
Now open the Group Policy Management Console and open the Group Policy Object (GPO) that will hold your first password policy. On my system, I used the Default Domain Policy as shown in the following screen capture:
Make sure to create a Group Policy Central Store so that all your domain controllers can access the Specops GPO templates. Now take another look at the previous screen capture. You specify client agent settings under Computer Configuration (annotation 1). You build your password policy under User Configuration (2). Finally, you manage the policy itself (3).
The actual interface for building your policy is pretty awesome. We don't have the white space to give the subject its due (check the documentation), but let me show you the Password Rules page:
Do you see the Use online dictionaries option? You can actually configure Specops to include the password hashes from the 2012 LinkedIn breach, the 2010 Gawker breach, and the Adobe "Top 100" worst password lists as part of your policy requirements! They regularly update this section to include major leaked password lists or you can import your own lists
The idea here is that while we don't want to overly burden our users with regard to their password complexity, we also don't want to open unnecessary attack vectors by allowing any sort of weak passwords or passphrases.
Another neat thing you can do with Specops Password Policy is configure custom user feedback when a user's new password doesn't meet your corporate requirements. Because the Specops solution rides on top of Windows' native LSASS process, the user will see detailed help text from within the OS password-change screen as shown here:
You do have to invest in other members of the Specops Password Management solution if you want to enable, for instance, self-service password reset (beyond the native OS tool) and account unlock.
One thing I didn't like about Specops Password Policy was that I couldn't locate licensing/pricing information anywhere on the website. Instead, prospective customers are asked to reach out to Specops directly.
But this doesn’t take away from my overall experience with the product. It is great that Specops Password Policy integrates so naturally into Windows Group Policy. Also, its breadth and depth of password policy options are super impressive.