Product: Specops Password Policy
Product Homepage: click here
Free Trial: click here
Establishing an effective password policy is critically important for IT security administrators. After all, attackers are commonly looking for ways to access data using valid, trusted credentials. Weak passwords are an easy attack vector, and with the advent of cloud computing and virtually limitless compute capacity available on demand, cracking simple and even moderately complex passwords is no longer a difficult task. Further complicating matters are the myriad data breaches yielding millions and millions of user accounts and passwords, giving cybercriminals a strong indication of common passwords in use and typical patterns for creating non-standard passwords. The use of intelligent password guessing tools and rainbow tables conspire to make a good percentage of passwords easy to crack with relative ease. For security administrators, enforcing strong password policies is vital to protecting their networks.
Windows Password Policy Limitations
For organizations who have deployed Active Directory, a password policy is enforced by default for all users (settings are enforced as part of the Default Domain Policy group policy object). The default settings are a good starting point, but in many cases security administrators would be well-advised to increase the security of these policies. However, does it make sense to have the same password policy applied to all users in the domain? Typically, no. For example, it might be more appropriate to have very strict password policies for highly privileged users such as domain administrators. However, non-privileged users don’t have these same requirements, so a less restrictive password policy might be desirable.
Beginning with Windows Server 2008, Microsoft introduced their Fine Grained Password Policies feature. It was only marginally helpful, mostly due to the difficulty of implementing it and the lack of any intuitive management tools for it. Things got better in Windows Server 2012, and Fine Grained Password Policies could be implemented using the Active Directory Administrative Center (ADAC). Here again though, the process used to implement these policies proved to be limiting.
Specops Password Policy
Specops Password Policy is a tool that allows for the creation and management of fine-grained password policies in a simple fashion. It overcomes the limitations of native Windows password policies tools and allows for the implementation of numerous distinct password policies as required. Specops Password Policy uses Active Directory Group Policy Objects (GPOs) to implement granular password policies, which can be applied to users, groups, Organizational Units (OUs), and sites. The Specops Password Policy administration tools integrate with the native Group Policy Management Console (GPMC) allowing administrators to effectively manage password policies across their organization using familiar tools and procedures.
Installing the Specops Password Policy software takes no time at all. All installation steps can be completed from a management workstation. After downloading and extracting the software, click Start Installation on the Specops Setup Assistant menu.
Accept the End User License Agreement (EULA) and then install the Administration Tools. Optionally you can choose to install the Active Directory Users and Computers (ADUC) Menu Extensions. Once the administration tools have been installed successfully, the Domain Controller Sentinel must be installed on all domain controllers in the domain. It will be necessary to create a network share or use an existing network share to distribute the software to the domain controllers. Copy the installation files, SpecopsPasswordPolicySentinel-x86.msi and SpecopsPasswordPolicySentinel-x64.msi, from the location you extracted the installation files to (under the /Products/SpecopsPasswordPolicy folder) to the network share you created or selected. Select all domain controllers and click Install.
Domain controllers will have to be restarted after installing the Domain Controller Sentinel.
Finally, you can install the Specops Password Client if desired. This optional component enables the communication of specific password policy requirements to the client when they fail to meet established password policy. Also, the password client can be leveraged to proactively communicate to users when their passwords are about to expire. The Password Client installation can be deployed automatically using a variety of software distribution mechanisms such as Active Directory Group Policy Software Installation, System Center Configuration Manager (SCCM), or any third-party solution.
Password Policy Creation
After all domain controllers have been restarted, open the Specops Password Policy Domain Administration console. Before proceeding it will be necessary to provide a license for the product. Click Edit license information and provide the licensing details as required. In addition, ensure that the Specops Password Policy is enabled for the domain.
Highlighting Configured password policies in the navigation tree will show all password policy GPOs for the domain. Here you can make changes to the default domain policy, if required. To create custom password policies, it is recommended that a password policy template be created. Select Password policy templates and then choose New Password Policy Template.
Provide a name for the template and optionally provide a description. You have the option of enabling password rules, passphrases, or both. Select the appropriate option and then click General Settings.
You will most likely receive a message that the password policy is incompatible with the built-in domain password policy. You can click on the message to see those details.
At a minimum you will have to configure a password policy that defines settings that do not conflict with those of the default domain policy. On the General Settings tab, we’ll set the number of remembered passwords to 24 and the minimum password age to 1 to eliminate this conflict. There are numerous options on this page to configure additional settings for password policy enforcement.
Settings such as Disallow incremental passwords, Minimum number of changed characters, and Disallow reusing part of current password require the use of reversible encryption. This option can be set by highlighting Domain Settings in the navigation tree and selecting the option to Save previous password with reversible encryption.
Select the Password Rules tab and specify a Minimum password length as long or longer than the default domain password policy. Specify password complexity requirements equal to or better than the default domain password policy as well.
Be sure to evaluate the Password content restrictions rules, as preventing the use of the full or partial user name in the password, as well as disallowing digits as the first or last character in a password are vitally important to secure password creation. You can also prevent the use of consecutive identical characters and dictionary words (even in reverse!). Password content restrictions require the use of reversible encryption.
Once you’ve completed the creation of a password policy template, click Save in the lower right corner of the window.
Implementing a Password Policy
Implementing a password policy is accomplished using the native Windows Group Policy Management Console (GPMC). Expand the domain and then right-click Group Policy Objects and choose New. Provide a descriptive name for the new GPO and click Ok. Now right-click the newly created GPO and choose Edit. Expand User Configuration, Policies, and then Windows Settings and highlight Specops Password Policy.
If you do not see Specops Password Policy in the Group Policy Management Editor, you do not have the Specops Password Policy Administrator installed. Either install the Password Policy administration tools or open the GPMC from a machine that has these tools already installed.
In the main window choose Create New Password Policy from Template. Select the appropriate template and click Ok. Select the option to enable password rules, passphrases, or both, and then click the General Settings tab. Confirm password policy settings and specify any additional options for password expiration, account lockout settings, password reset options, and client message.
Select the Password Rules tab and make any final adjustments to the policy, as required. Click Ok to continue.
A summary of the password policy settings configured in the GPO are displayed.
If you are satisfied with the policy settings, close the Group Policy Management Editor. You can use any method you like to target specific users to receive this group policy, including linking to a site, domain, or specific Organizational Unit (OU), using security group filtering, or any combination thereof.
You can repeat the steps above to create as many password policies as required. Often, unique password policies are defined for users with access to critical infrastructure or sensitive data that include strict controls, while non-privileged users can be provided with a more relaxed password policy.
Specops Password Policy in Action
When a user logs on to a system that has the Specops Password Policy client installed and is required to change their password, a helpful message containing specific details regarding the policy is surfaced to the user if their new password does not meet the minimum requirements.
Specops Password Policy is an essential tool that can be leveraged by organizations large and small to greatly improve their overall security posture by granularly enforcing password policies across the enterprise. The tool is very easy to use, installs quickly, and leverages existing Windows administration procedures to implement fine-grained password policies. Existing system administrators will find that integrating Specops Password Policy will require very little in terms to both time and effort, and the learning curve to use the product is minimal.
This product installs quickly, is easy to learn and use, and in a matter of minutes I was able to implement granular password policies for users in my organization. It is extremely powerful and flexible, and I highly recommend this product. I give Specops Password Policy the WindowSecurity.com Gold Award with a rating of 5 out of 5.