Review: Specops Password Policy

All who work in the information security industry agree that passwords are one of the worst security nightmares of the modern information security age. Having weak passwords – even as part of a multi-factor authentication scheme – degrades the security posture of an organization.

Unfortunately, as passwords scale well, they are still present in practically every organization and even central authentication places like Active Directory.

There are multiple security controls, even in core operating systems, which should prevent users from choosing weak passwords, but we all know the limits of those security controls in production. Most of the passwords in many Active Directory password dumps are cracked in mere days, which is time enough to foil password change requirements in any organization.

Some 17 years ago Specops Software took on the challenge of developing authentication tools for the Microsoft ecosystem. This review focuses on Specops Password Policy, their flagship tool for preventing Active Directory users from choosing weak passwords.

Installation

Specops Password Policy works by extending the functionality of Group Policy with more password strength options and fine-grained password policies.

The core component consists of three parts: the Specops Password Policy Sentinel (Domain Controller Sentinel), the Specops Authentication Client, and the Specops Password Policy Administration Tools.

The Administration tool can be installed on any computer that is part of the Active Directory domain, and it will be used to administer Specops Password Policy. The Domain Controller Sentinel should be installed on every domain controller.

The Specops Authentication Client is an optional component that is meant to be installed on every host that is part of a domain if you want to display the password policy rules when a user fails to meet the policy criteria when changing their password. The Client also notifies users when their passwords are about to expire.

If you are looking to get more serious about password security, there are also optional components. Blacklist Arbiter is the most interesting of those, as it notifies users if a password is found in a list of leaked passwords and prevents them from using it.

Review Specops Password Policy

Installation steps are easy to follow

Since the solution works with user passwords on Active Directory, you’ll need to have domain administrator rights in order to install it and make it work as intended. Although it has many components that should be installed on different servers, the wizard-like installer makes installing them a breeze.

A test of the installation process on a simple Active Directory domain revealed that all the components, including optional ones, can be installed in less than 15 minutes by following instructions provided by the installer. The installer even helps with the installation of the Specops Authentication Client on domain hosts using GPSI.

To try the solution out, I have installed a test Active Directory domain in the Amazon cloud with several testing servers as part of the domain, and I have populated users with different privileges and roles with a test script. I have also customized password expiry periods and passwords of the different users.

Use

Once the solution is installed, you (the administrator) will spend most of the time working with the Administration tool, which is used to tweak all the settings and enforce password policies. It is the administrative front-end for all the installed components.

When you open the Administration tool, on the left side you’ll see most of the configuration settings listed by category or tool. They allow you to target any GPO level, group, user with specific password and passphrase requirements.

Review Specops Password Policy

Specops Password Policy in Local Group Policy Editor

Specops Password Policy also comes with password policy templates for Microsoft, NCSC, NIST and NSA recommendations. If you need something specific, a new password and passphrase policy template can be made with a few mouse clicks.

Review Specops Password Policy

Creating highly secure custom password policy

Review Specops Password Policy

Once a template is selected, you will be presented additional configuration options that allow you to create a list of disallowed words, download dictionary and set maximum password age for users affected by the policy

If you want to enforce strong password policies, there’s a Blacklist feature that allows you to block and notify users if the password they’ve chosen is found in a list of leaked passwords. It works by querying the Specops cloud service, and you need to get a customer unique API key from Specops in order to enable it. The Blacklist Cloud API hosts an extensive and up-to-date list of leaked passwords.

Only the first few characters of the password’s bcrypt hash are sent to the cloud, as sending the complete hash would be a security nightmare. The small added risk of enabling the feature is nullified by the increased security that comes with preventing users from using leaked passwords (a low-hanging fruit for attackers).

Review Specops Password Policy

Configuration of blacklist part of the password policy

The Specops Password Auditor is another interesting tool that comes with Specops Password Policy. It scans user passwords in the specified Active Directory domain and reports expired and soon-to-expire passwords. (This should not be confused with account expirations.)

Review Specops Password Policy

Password Auditor results summary

The Auditor reports stale admin accounts, used password policies and shows the password policy compliance status. You can drill down in each item in the summary overview. You can also export the whole list to a CSV file for further processing.

Review Specops Password Policy

Password Auditor report on stale admin account

Those who prefer using Windows PowerShell for administering of Active Directory will be happy to know that it is possible to manage Specops Password Policy by using PowerShell cmdlets. Specops-related cmdlets are focused on managing password policies, so it is possible to create, list, delete and set password policy for both passwords and passphrases. You just need to Register the Specops Password Policy Powershell snapin and then you can start using it.

Review Specops Password Policy

Specops Password Policy PowerShell cmdlets

Final thoughts

If you are looking to strengthen passwords in Active Directory, you should definitely consider using Specops Password Policy. It’s easy and intuitive to use, and works as advertised.