If you have any systems administration experience, you know information security involves a trade-off between security and user-friendliness. Forcing your users to change their passwords every 30 days may improve your organization's security posture, but I'm sure your users won't be too happy about it.

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.


We live in an age of near-daily information breaches, and password attacks have grown sophisticated as computing power grows ever more powerful and less expensive.

Today I'll walk you through Specops Password Policy, one component of a larger password management suite that makes defining, enforcing, and auditing Active Directory password policies much easier than with Microsoft-only tools.

Installation

Specops Password Policy has a "smart" guided installation program that simplifies solution deployment. The following screenshot shows the installer interface; I'll then explain each solution component:

Specops Password Policy installation wizard


  • Administration Tools: These include the Password Policy Domain Administration and Password Auditor consoles. These are "thick client" applications. Install them on your administrative workstation.
  • Domain Controller Sentinel: This service attaches to your Active Directory domain (no Active Directory schema extension is required) and enforces your Specops password policies at password-change time. Deploy this component on every domain controller; a DC without the Sentinel will accept passwords your policy should have rejected.
  • Specops Password Client: Your domain users interact with this client UI when they change their domain passwords. Deploy it using Group Policy Software Installation (GPSI), System Center Configuration Manager, or another method. You should also install the Password Client .ADMX Group Policy templates on your domain controllers.

Defining a password policy

To avoid conflicts, set your existing domain password policy to "Not defined" or to the lowest acceptable settings, and check for any fine-grained password policies (PSOs) that would otherwise keep applying to specific users or groups. From now on, you will configure domain password policy by using Specops Password Policy.
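Before you hand the job over to Specops, it is worth recording what is in effect today. The following script is an added example (not from the article and not Specops code); it uses only the standard ActiveDirectory RSAT cmdlets, and the account name `jdoe` is an assumption you should replace:

```powershell
# Added example: inventory the password policies already in effect before
# layering Specops Password Policy on top. Requires the ActiveDirectory
# module (RSAT) in a domain-joined, privileged session.
Import-Module ActiveDirectory

# 1. The Default Domain Policy settings that Specops will be taking over.
$default = Get-ADDefaultDomainPasswordPolicy
$default | Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
    MaxPasswordAge, MinPasswordAge, LockoutThreshold, LockoutDuration,
    ReversibleEncryptionEnabled | Format-List

# 2. Fine-grained password policies (PSOs). These override the default policy
#    for the users and groups they apply to and are easy to overlook.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
        MaxPasswordAge, AppliesTo |
    Sort-Object Precedence | Format-Table -AutoSize

# 3. The resultant policy for one user. The cmdlet returns nothing when no
#    PSO applies, which means the Default Domain Policy governs the account.
$sam = 'jdoe'   # assumption: replace with a real account
$resultant = Get-ADUserResultantPasswordPolicy -Identity $sam
if ($null -eq $resultant) {
    Write-Host "$sam gets the Default Domain Policy (no PSO applies)."
} else {
    Write-Host "$sam is governed by PSO '$($resultant.Name)' (precedence $($resultant.Precedence))."
}
```

Run it once before the Specops rollout and once after you relax the native settings; the "after" output is what your domain falls back to for any account the Specops policy does not reach.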

To do that, fire up the Administration console, enter your trial or full license code, navigate to Password policy templates, and create your first password policy. Specops ships templates based on the following published recommendations, which helps if you need to demonstrate alignment with one of them:

  • The National Cyber Security Centre (NCSC) recommendation
  • The National Institute of Standards and Technology (NIST) recommendation
  • The National Security Agency (NSA) recommendation
  • The Microsoft recommendation

Here's a screenshot of the interface:

Specops administration console


To give you a feel for the password policy options available, I'll share each page of the Specops password policy configuration dialogs.

On the General Settings page, you have options for:

  • Password history
  • Password expiration
  • Account lockout
  • Password reset options
  • Client message

General policy settings

On the Password Rules page, your options include:

  • Password length requirements
  • Character group requirements (including regular expression definitions)
  • Password content restrictions

Password rule settings

Finally, the Passphrase page lets you allow or require passphrases instead of conventional passwords. I use passphrases with all of my accounts because, above all else, they are long: several words strung together are easy to remember yet give far more entropy than a short password padded with symbols, and length is what matters most against offline cracking.

Passphrase rule options


Dictionary-based password policy

A truism of any good password policy is that it should disallow words found in language dictionaries. But what about specialized dictionaries based on passwords leaked from high-profile breaches? What about hacker community vocabulary?

Specops Password Policy includes the following password dictionary options:

  • Compliance
  • Common keyboard combinations/sequences
  • LinkedIn leaked password hashes
  • Adobe leaked passwords
  • Gawker passwords
  • "Leetspeak" words and phrases

Online dictionaries, compliance dictionary, keyboard combinations and sequences

According to Specops, leetspeak is a form of modified English that uses ASCII character and number substitutions. A good example is the poor password P@$$w0rd: it satisfies the classic complexity rules (upper case, lower case, digit, symbol), yet once the substitutions are undone it is simply the dictionary word "password", which is exactly how cracking tools treat it.

Configuring password dictionaries

The purpose of these password dictionaries is to counter the human tendency to fall into predictable patterns when creating passwords.
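To make the Password Rules page and the dictionary options concrete, here is an added example (my own illustration, not Specops code) of what a policy engine has to do: apply the structural rules (length, character groups, no account name), then normalize leetspeak and compare against a word list, a leaked-password list, and keyboard sequences. The three lists are constructed for the demo and are not real breach data; the thresholds and the `twarner` account name are assumptions.

```powershell
# Added example: a minimal dictionary-aware password policy checker.
# Word lists below are constructed for illustration, not real breach data.
$Dictionary      = @('password', 'welcome', 'summer', 'nashville', 'letmein')
$LeakedPasswords = @('qwerty123', 'iloveyou', 'trustno1')
$KeyboardRuns    = @('qwerty', 'asdfgh', 'zxcvbn', '12345', '1qaz2wsx')

# Leetspeak substitutions mapped back to letters. Ambiguous symbols are
# resolved toward their most common reading ($ -> s, | -> l, ! -> i).
$Leet = @{ '@'='a'; '4'='a'; '8'='b'; '3'='e'; '6'='g'; '9'='g'; '1'='i'; '!'='i';
           '0'='o'; '$'='s'; '5'='s'; '7'='t'; '+'='t'; '|'='l'; '2'='z' }

function ConvertFrom-Leetspeak {
    param([string]$Text)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Text.ToLowerInvariant().ToCharArray()) {
        $key = [string]$ch
        [void]$sb.Append($(if ($Leet.ContainsKey($key)) { $Leet[$key] } else { $key }))
    }
    $sb.ToString()
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [int]$MinLength = 12,            # assumed policy values
        [int]$MinCharacterGroups = 3,
        [int]$PassphraseMinLength = 20   # passphrases this long skip the group rule
    )
    $failures = [System.Collections.Generic.List[string]]::new()

    # --- Password Rules page: length, character groups, content restriction ---
    if ($Password.Length -lt $MinLength) { $failures.Add("shorter than $MinLength characters") }

    $groups = @('[a-z]', '[A-Z]', '[0-9]', '[^a-zA-Z0-9]') |
        Where-Object { $Password -cmatch $_ } | Measure-Object | Select-Object -ExpandProperty Count
    if ($Password.Length -lt $PassphraseMinLength -and $groups -lt $MinCharacterGroups) {
        $failures.Add("uses $groups character group(s); $MinCharacterGroups required")
    }
    if ($SamAccountName.Length -ge 3 -and
        $Password.ToLowerInvariant().Contains($SamAccountName.ToLowerInvariant())) {
        $failures.Add('contains the account name')
    }

    # --- Dictionary page: leetspeak, word list, leaked list, keyboard runs ---
    $normalized = ConvertFrom-Leetspeak $Password
    $stripped   = $normalized -replace '[^a-z]', ''   # drop anything that was not a letter
    foreach ($word in $Dictionary) {
        if ($stripped.Contains($word)) {
            $failures.Add("contains dictionary word '$word' (after leetspeak normalization)")
        }
    }
    if ($LeakedPasswords -contains $Password.ToLowerInvariant()) {
        $failures.Add('appears in leaked password list')
    }
    foreach ($run in $KeyboardRuns) {
        if ($normalized.Contains($run)) { $failures.Add("contains keyboard sequence '$run'") }
    }

    [pscustomobject]@{
        Password   = $Password
        Normalized = $normalized
        Compliant  = ($failures.Count -eq 0)
        Failures   = $failures
    }
}

# The article's weak "complex" password, a seasonal favourite, and a passphrase.
'P@$$w0rd', 'Summ3r2019!', 'correct horse battery staple' |
    ForEach-Object { Test-PasswordPolicy -Password $_ -SamAccountName 'twarner' } |
    Format-List Password, Normalized, Compliant, Failures
```

P@$$w0rd passes the character-group test with four groups and still fails, because its normalized form is "password"; Summ3r2019! fails on the same logic once the digits are mapped back to letters; the passphrase passes on length alone. Note that the normalization is deliberately aggressive (a "2" becomes "z"), which is the right bias for a blocklist check: a false rejection costs a user a few seconds, a false acceptance costs you the account.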

Deploying a password policy

As long as you install the Specops Password Policy .ADMX templates on your domain controllers (or in the Group Policy central store in SYSVOL), you can use ordinary domain Group Policy to distribute your new password policy template.

In Group Policy Editor, navigate to User Configuration\Policies\Windows Settings\Specops Password Policy and click either Create New Password Policy or Create New Password Policy from Template.

Deploy a password policy using Group Policy


You can also customize the Specops authentication client behavior, although most of these options require additional Specops products. The Group Policy path is Computer Configuration\Policies\Administrative Templates\Specops Authentication Client.

Configure the Specops client behavior


Client-side experience

I mentioned earlier in this article the need to deploy the Specops Password Client (Group Policy refers to it as the Specops Authentication Client) to all of your domain workstations. One thing I like about the client software is how it integrates into the Windows experience as a natural extension of the operating system.

For example, take a look at the following screenshot to see what happened when I tried to change my user password from a Windows 10 domain member computer:

Specops client feedback


As you can see, the client gives customizable feedback to the users to help them adhere to your password policy requirements.

Password auditing

Specops Password Policy includes an additional thick-client administration tool called Specops Password Auditor.

Start the tool to scan all domain user accounts and generate a report like the one in the following sample screen capture. The report groups its findings into these sections:

  • Administrative accounts
  • Expiring accounts
  • Expired passwords
  • Password policies active
  • Password policy usage across the domain
  • Password policy compliance

Password audit results

As you would expect, you can drill down into each section to see how the policy actually in effect for a set of users compares with what's in your template. You can also export the results to a comma-separated value (CSV) file.
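If you want to sanity-check the Auditor's numbers against native tooling, the following added example (mine, not Specops code) reproduces a few of its sections with the ActiveDirectory RSAT cmdlets: expired and never-expiring passwords, passwords expiring soon, and privileged accounts. The 14-day "expiring soon" window and the output file name are assumptions.

```powershell
# Added example: native-cmdlet approximation of several Password Auditor
# sections. Requires the ActiveDirectory module (RSAT) and read access to AD.
Import-Module ActiveDirectory

$warnDays = 14          # assumption: "expiring soon" window
$now      = Get-Date
$never    = [DateTime]::MaxValue.ToFileTime()   # AD stores "never" as a huge FILETIME

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet,
    PasswordNeverExpires, PasswordExpired, AdminCount, 'msDS-UserPasswordExpiryTimeComputed'

$report = foreach ($u in $users) {
    # msDS-UserPasswordExpiryTimeComputed already honours PSOs, so it is the
    # authoritative expiry date; guard against the "never" sentinel and nulls.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($u.PasswordNeverExpires -or -not $raw -or $raw -ge $never) { $null }
              else { [DateTime]::FromFileTime($raw) }
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = [bool]$u.PasswordNeverExpires
        PasswordExpired      = [bool]$u.PasswordExpired
        ExpiresOn            = $expiry
        ExpiringSoon         = [bool]($expiry -and $expiry -gt $now -and $expiry -le $now.AddDays($warnDays))
        IsAdminCount         = ($u.AdminCount -eq 1)   # AdminProtect-ed (privileged) accounts
    }
}

"Enabled users:                 {0}" -f @($report).Count
"Password never expires:        {0}" -f @($report | Where-Object PasswordNeverExpires).Count
"Password expired:              {0}" -f @($report | Where-Object PasswordExpired).Count
"Expiring within $warnDays days:       {0}" -f @($report | Where-Object ExpiringSoon).Count
"AdminCount=1 accounts:         {0}" -f @($report | Where-Object IsAdminCount).Count

# The same CSV-style export the Auditor offers, limited to the accounts that
# most deserve a second look: privileged accounts and never-expiring passwords.
$report | Where-Object { $_.IsAdminCount -or $_.PasswordNeverExpires } |
    Sort-Object PasswordLastSet |
    Export-Csv -Path .\password-audit.csv -NoTypeInformation   # assumed output path
```

Two caveats a practitioner will hit: AdminCount=1 is sticky (it stays set after an account leaves a protected group), so treat that list as "ever privileged" rather than "currently privileged"; and the native cmdlets cannot tell you whether an existing password would pass your new Specops rules, because only the hash is stored. That last gap is exactly what the Auditor's "Password policy compliance" section and the breach-hash comparison fill.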

Password policy analysis


Wrap-up

As I noted at the outset, Specops Password Policy is one component of a larger suite and focuses on domain-level policy configuration. You will need to consider the related, separately licensed Specops products to fill out your password management strategy:

  • Specops uReset and Password Reset: Self-service account unlock and password management
  • Specops Password Notification: Robust client-side messaging concerning the status of users' domain accounts and passwords
  • Specops Password Sync: Synchronize domain passwords to other line-of-business systems, including Office 365

I noted in a previous product review that Specops requires you to contact them for a price quote. This is unfortunate, but I nonetheless feel the product is strong and makes enterprise password management and compliance reporting much easier to accomplish than with native Active Directory tools.

3 Comments
  1. Jimmy 1 year ago

    Good day Timothy,

    This is a very interesting article and thank you for sharing. If I may ask, how can this be done from Group Policy without using any third-party software?

    I've been trying to do this from Group Policy. I managed to have my custom message appear on the client screen, but not when the GPO is expiring. It appears on every login. All other settings of the GPO are applied correctly.


    • Jimmy, Specops Password Policy works together with Group Policy and enhances Windows features. If you want to do this without third-party software, you have to write the application yourself.


  2. Jimmy 1 year ago

    Thank you, Michael, for your reply.

    I'll try to see what other solutions i can find of other ways to achieve this.



© 4sysops 2006 - 2019
