Product: Specops Password Auditor
One of the most important things that any organization can do to keep its resources secure is to practice good password security. But how do you know if your passwords measure up? Specops has a free tool called Password Auditor that claims to be able to help. I decided to take Specops Password Auditor for a test drive to see how well it works.
The Installation Process
Normally when I write a review, I like to try to install and use the product without looking at the documentation, because that way I can get a feel for how intuitive the software is. In this case, however, Specops sent me an email message containing several different links, and I accidentally clicked on the link to the installation documentation. As the documentation shows, the installation process could not be easier. The entire process consists of downloading the software and running a very simple Setup Wizard. In my case, the entire installation process (not counting the download) took less than ten seconds to complete.
Performing a Password Audit
When you launch Specops Password Auditor, you will be taken to a screen like the one that is shown in the figure below. As you can see in the figure, Specops has made it extremely easy to get started. All you have to do is to enter the name of your domain, and the fully qualified domain name of a domain controller within the domain, and then click the giant "Start Scanning" button. As if that were not easy enough, the Domain and Domain Controller fields were pre-populated on my test server, so I did not even have to provide Specops Password Auditor with any information. All I had to do was to click the "Start Scanning" button.
Before I begin talking about the scanning process, I want to point out some of the things that are displayed on the screen shown in the figure above. I absolutely love the fact that the software explains exactly what is going to happen, and how the information that it collects will be used. There is no technical jargon and no ambiguity. The software essentially tells you that it is going to scan your Active Directory and compare the settings within it to industry standards and best practices in order to generate a collection of reports. Furthermore, the screen tells you in no uncertain terms that the software will read information from the Active Directory, but will not make any changes.
The Active Directory Scan
Whenever I perform software reviews, I evaluate the software in a lab environment rather than trying it out in a production environment. In this case, my lab has a small Active Directory environment containing about half a dozen user accounts, as shown below. I created these user accounts months ago, and haven't really done anything with them since that time. As such, I honestly could not remember the contents of the password policies.
Because my lab environment is so small, I assumed that the process of scanning the Active Directory probably would not take very long. Even so, I could not believe how fast the scanning process was. I clicked on the Start Scanning button, and the scan completed within a matter of about two seconds. I’m only guessing as to how fast the scan really was. The scan could have completed in as little as one second, or it might have taken as long as three or four seconds. Whatever the duration, the scan was lightning fast. The figure below shows what it looks like when the scan completes.
The results screen displays various key statistics in sort of a dashboard view. Key information is displayed in a series of boxes that make it very easy to digest the information. As you look at the figure below, for example, you can see that I have one account that has administrative access, and I have four accounts with expired passwords. I can also see that the password policies are based on settings within the PoseyLab.com domain. The Password Policy Compliance box shows a yellow indicator next to my domain, indicating that there are probably some password policy settings that could be a little bit stronger.
If this were a production environment, the first thing that I would wonder based on this information is why I have four accounts with expired passwords. Do I have users whose passwords expired this morning, or are these abandoned accounts whose passwords expired long ago?
Clicking on the Expired Passwords box causes the software to display a report like the one that is shown in the figure below. As you can see in the figure, these particular accounts have not had their passwords changed in 127 days. Even though the screen does not explicitly tell you when the passwords expired, it is pretty easy to figure out from the information provided that these accounts are not being actively used. In fact, the interface even provides a message telling you that passwords that have been expired for an extended period of time can indicate a stale account.
As I said earlier, I can't remember how the password policies were set up for these accounts. Just to play devil's advocate, however, let's pretend that even though these passwords were last changed 127 days ago, I'm not sure whether they expired recently or some time ago. It's easy enough to find out. You will notice in the figure above that these users are getting their password policy from PoseyLab.com. If I go back to the main screen and click on the PoseyLab.com password policy, I can see that passwords are required to be changed every 42 days, as shown in the next figure. Hence, these passwords really did expire quite some time ago.
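The same reasoning the review walks through by hand (password last changed 127 days ago, policy requires a change every 42 days, so the password expired roughly 85 days ago and the account is probably stale) can be reproduced directly against Active Directory. The following PowerShell is an added example written for this review, not code from Specops or from Password Auditor. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to user attributes, and a stale-account threshold ($StaleAfterDays) that is an assumption you should tune to your own environment. It goes slightly beyond the review's single case by resolving fine-grained password policies per user instead of assuming the default domain policy applies to everyone.

```powershell
# Added example, not Specops code: list enabled accounts whose passwords have
# expired under the policy that actually applies to them, and flag likely stale
# accounts. Read-only: it only queries AD, it changes nothing.
Import-Module ActiveDirectory

# Assumption: a password expired for longer than this suggests an abandoned account.
$StaleAfterDays = 30

$defaultPolicy = Get-ADDefaultDomainPasswordPolicy
$now = Get-Date

# Accounts that are disabled or exempt from expiry are not interesting here.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties PasswordLastSet, PasswordNeverExpires

$report = foreach ($u in $users) {
    # A fine-grained password policy (PSO) overrides the domain default, so
    # resolve the resultant policy for this user; fall back to the default.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $u -ErrorAction SilentlyContinue
    if ($policy) {
        $policyName = $policy.Name
    } else {
        $policy = $defaultPolicy
        $policyName = 'Default domain policy'
    }

    # A MaxPasswordAge of zero means the policy never expires passwords.
    if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) { continue }

    # No PasswordLastSet means "must change password at next logon"; skip it.
    if (-not $u.PasswordLastSet) { continue }

    $expiresOn = $u.PasswordLastSet + $policy.MaxPasswordAge
    if ($expiresOn -gt $now) { continue }   # password is still within its max age

    $daysExpired = [int]($now - $expiresOn).TotalDays
    [pscustomobject]@{
        SamAccountName   = $u.SamAccountName
        Policy           = $policyName
        DaysSinceChanged = [int]($now - $u.PasswordLastSet).TotalDays
        DaysExpired      = $daysExpired
        LikelyStale      = $daysExpired -gt $StaleAfterDays
    }
}

$report | Sort-Object DaysExpired -Descending | Format-Table -AutoSize
```

For the accounts in the review, this would report DaysSinceChanged of 127 and DaysExpired of about 85 under a 42-day policy, which is the conclusion the tool's "stale account" message points you toward; the LikelyStale column is what you would act on (investigate and disable or remove the account) before an attacker finds it first.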
OK, so what about that yellow indicator that I mentioned earlier? If I click on the Password Policy Compliance box, I am taken to a screen like the one shown below that lists various industry standards such as NIST and PCI. For each standard, there is an indicator icon that tells whether the current password policy is compliant, partially compliant, or non-compliant with that standard.
You can click on any one of these standards to see the areas in which your password policy does not measure up. As you can see in the figure below, Password Auditor does not clutter your screen with settings that are OK the way that they are. It only shows you the settings that you might want to address.
When I write a review for this site, I give it a rating from zero to five stars (with five stars being the highest possible rating). Although many of the applications that I have reviewed over the years have received favorable scores, I have only given a perfect score on the rarest of occasions. I believe that there is almost always something that can be improved.
In this case, however, I am breaking my own rule and giving Specops Password Auditor a perfect score. The software works flawlessly, the documentation is well written (not that you will need it), the software is easy to use, you can get it for free, and most importantly, it does something useful. I simply cannot justify giving Specops Password Auditor anything other than a well deserved perfect score.
TechGenix.com Rating 5/5