We live in an age of near-daily information breaches, and password attacks have grown sophisticated as computing power grows ever more powerful and less expensive.
Today I'll teach you about Specops Password Policy, one member of a robust password management solution that makes defining, enforcing, and auditing Active Directory passwords much easier to do than with Microsoft-only tools.
Specops Password Policy has a "smart" guided installation program that simplifies solution deployment. The following screenshot shows the installer interface; I'll then explain each solution component:
- Administration Tools: These include the Password Policy Domain Administration and Password Auditor consoles. These are "thick client" applications. Install them on your administrative workstation.
- Domain Controller Sentinel: This service attaches to your Active Directory domain (no forest extension required, fortunately) and enforces your Specops password policies. Deploy this element on all domain controllers.
- Specops Password Client: Your domain users interact with this client UI to change their domain passwords. Deploy it using Group Policy Software Installation (GPSI), System Center Configuration Manager, or another method. You should also install the Password Client .ADMX Group Policy templates on your domain controllers.
Defining a password policy
To avoid conflicts, set your existing domain password policy to "Not defined" or to the lowest acceptable settings. From now on, you will configure domain password policy by using Specops Password Policy.
To that point, fire up the Administration console, enter your trial or full version license code, navigate to Password policy templates, and create your first password policy. Specops includes industry-standard default policies to help if you are subject to any of these regulations:
- The National Cyber Security Centre (NCSC) recommendation
- The National Institute of Standards and Technology (NIST) recommendation
- The National Security Agency (NSA) recommendation
- The Microsoft recommendation
Here's a screenshot of the interface:
To give you a feel for the password policy options available, I'll share each page of the Specops password policy configuration dialogs.
On the General Settings page, you have options for:
- Password history
- Password expiration
- Account lockout
- Password reset options
- Client message
On the Password Rules page, your options include:
- Password length requirements
- Character group requirements (including regular expression definitions)
- Password content restrictions
Finally, the Passphrase page enforces the use of passphrases instead of passwords. I use passphrases all the time with all of my accounts because, above all else, they are pseudo-random strings that contain no words found in any dictionary.
Dictionary-based password policy
A truism of any good password policy is that it should disallow words found in language dictionaries. But what about specialized dictionaries based on passwords leaked from high-profile breaches? What about hacker community vocabulary?
Specops Password Policy includes the following password dictionary options:
- Common keyboard combinations/sequences
- LinkedIn leaked password hashes
- Adobe leaked passwords
- Gawker passwords
- “Leetspeak” words and phrases
According to Specops, leetspeak is a form of modified English that uses ASCII character and number substitutions. A good example is the poor password P@$$w0rd.
The purpose of Specops including these password dictionaries is to counter the human tendency to fall into predictable patterns when creating passwords.
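To make the dictionary and leetspeak checks described above concrete, here is an added example of my own (not Specops' implementation): it undoes common leetspeak substitutions and then tests the result against banned words and keyboard sequences. The word lists are constructed stand-ins for the breach and keyboard dictionaries the product ships, and the substitution map is one reasonable choice, not Specops' table.

```python
# Constructed stand-in dictionaries; a real deployment would load the
# breach-derived lists (LinkedIn, Adobe, Gawker, ...) described in the text.
BANNED_WORDS = ("password", "letmein", "welcome", "linkedin", "gawker", "adobe")
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "1234567890", "qazwsx")

# Leetspeak map: symbol/digit -> the letter it usually stands in for.
# Assumed mapping for illustration; real tools carry larger tables.
LEET_MAP = {
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "9": "g",
    "1": "i", "!": "i", "|": "i", "0": "o", "$": "s", "5": "s",
    "7": "t", "+": "t", "2": "z",
}


def normalize_leetspeak(password: str) -> str:
    """Lowercase the password and undo leetspeak substitutions.

    "P@$$w0rd" becomes "password", so the dictionary check sees the
    underlying word rather than the disguised spelling.
    """
    return "".join(LEET_MAP.get(ch, ch) for ch in password.lower())


def find_violations(password: str, min_length: int = 12) -> list:
    """Return the policy rules a candidate password breaks.

    An empty list means the password passes every check. Order is
    deterministic (length, then dictionary words, then keyboard runs),
    which keeps the feedback shown to the user stable.
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    normalized = normalize_leetspeak(password)
    # Substring match: "MyPassword2024" still contains "password".
    for word in BANNED_WORDS:
        if word in normalized:
            violations.append(f"contains dictionary word '{word}'")
    # Check each keyboard walk forwards and backwards.
    for seq in KEYBOARD_SEQUENCES:
        if seq in normalized or seq[::-1] in normalized:
            violations.append(f"contains keyboard sequence '{seq}'")
    return violations


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "Qw3rty!!2024xyz", "correct horse battery staple"):
        print(candidate, "->", find_violations(candidate) or "OK")
```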
Deploying a password policy
As long as you install the Specops Password Policy .ADMX templates on your domain controllers, you can use traditional domain Group Policy to distribute your new password policy template.
In Group Policy Editor, navigate to User Configuration\Policies\Windows Settings\Specops Password Policy and click either Create New Password Policy or Create New Password Policy from Template.
You can also customize the Specops authentication client behavior, although most of these options require additional Specops products. The Group Policy path is Computer Configuration\Policies\Administrative Templates\Specops Authentication Client.
Client-side experience
I mentioned earlier in this story the need to deploy the Specops Authentication Client to all of your domain workstations. One thing I like about the client software is how it integrates into the Windows experience as a natural extension of the operating system.
For example, take a look at the following screenshot to see what happened when I tried to change my user password from a Windows 10 domain member computer:
As you can see, the client gives customizable feedback to the users to help them adhere to your password policy requirements.
Password auditing
Specops Password Policy includes an additional thick-client administration tool called Specops Password Auditor.
Start the tool to scan all domain user accounts and generate a report as shown in the following sample screen capture. It displays the results as follows:
- Administrative accounts
- Expiring accounts
- Expired passwords
- Password policies active
- Password policy usage across the domain
- Password policy compliance
As you would expect, you can drill down into each section to see the differences between the effective policy and what's in your template. You can also export the results to a comma-separated value (CSV) file.
I mentioned earlier that Specops Password Policy aims primarily at the domain-level configuration. You will need to consider related, separate Specops products to fill out your password management strategy:
- Specops uReset and Password Reset: Self-service account unlock and password management
- Specops Password Notification: Robust client-side messaging to users concerning the status of their domain accounts
- Specops Password Sync: Federate your domain passwords across different line-of-business systems, including Office 365
I noted in a previous product review that Specops requires you to contact them for a price quote. This is unfortunate, but I nonetheless feel the product is strong and makes enterprise management and compliance reporting much easier to accomplish than with native Active Directory security tools.