Review of Specops Password Policy

Product: Review of Specops Password Policy


With all of the recent high profile security breaches, it is more important than ever to make sure that your organization uses strong passwords. Even so, evaluating the effectiveness of your organization’s password policy can be tough to do, and ensuring compliance with that password policy can be even tougher. Fortunately, Specops can address these issues with its Password Policy software.

The Installation Process

Normally when I write a review, I like to try to install and configure the product without the aid of the documentation.

The deployment process consisted of three main phases. I had to deploy the administrative tools, then I had to deploy the Password Policy Sentinel on my domain controllers. Finally, there was a client component that had to be deployed on my client devices.

As much as I wish there were not so many components to install, Specops did a good job of making the installation process easy. As you can see in the figure below, the installation wizard walks you through the process of installing each component.

This is the Specops Password Policy installation wizard.

I also like that Specops has automated the deployment process as much as possible. As you can see in the figure below, Specops requires a network share to be created, but they do not make you do it manually. You can create the required share with the click of a button.

Specops largely automates the deployment process.

Overall, I found the installation process to be easy and efficient, although I did have to reboot my domain controller as a part of the process.

The Administrative Console

Once the software was installed, I opened the administrative console, and effortlessly imported the license file without the aid of any documentation. My next step was to take a look around the console, which you can see in the figure below.

This is the Specops Password Policy administrative console.

As you can see in the figure above, the console is divided into a series of containers, which include Domain Settings, Password Policy Sentinel State, Configured Password Policies, Language Files, Password Policy Templates, and Specops Password Auditor.

Because Specops Password Policy is designed to help you to enforce the use of secure passwords, I decided to enable the Sentinel, and then go to the Configured Password Policies container, which you can see below.

This is what the Configured Password Policies container looks like.

As you can see in the figure, the console is, in this case, displaying the password-related policy settings from Active Directory’s Default Domain Policy. Not only does the software display all of the policy settings, but it also evaluates the password policy based on its perceived complexity. In this case, the orange bar indicates that the current policy settings aren’t as secure as they could be. Unfortunately, Specops Password Policy won’t let you make changes directly from within the console, but there is a button that you can click to load the Group Policy Object Editor.

After spending some time with the Configured Password Policies container, I decided to check out the Password Policy Templates. The password policy templates are group policy templates containing password-specific settings. To help demonstrate how password policy templates can be used, Specops provides two built-in templates. One of these templates is the Microsoft Recommended – High Security template, and the other is an NSA Recommendation template, as shown below.

Specops Password Policy includes two built-in templates.

When you click on a template, you are given the option of enabling password rules, enabling passphrase rules, or both. Passphrases are usually sentences that are used in place of a password.

The individual settings are spread across a series of tabs. The General Settings tab contains settings related to password history, password expiration, account lockout, and password reset options. There is also a client message field that you can use to create a custom message that is displayed to clients.

If you opt to enable password rules, then the console will display a Password Rules tab that includes settings related to password length, character group requirements, regular expression, password content restrictions, and dictionaries. If you were wondering whether Specops had merely created a new interface to the existing Active Directory password policies, the answer is no. The content restriction and dictionary settings provide functionality that does not natively exist in Windows.

Content restrictions allow you to prevent certain patterns of text within a password. For example, you might choose to block the use of a digit at the end of a password. This keeps users from simply incrementing their passwords ([email protected], [email protected], and [email protected]) each time that a password change is required. The Dictionary option allows you to prevent the use of passwords that appear within custom dictionaries. You can also import an online dictionary, and LinkedIn, Gawker, and Adobe dictionaries are provided out of the box. Once again, a password complexity bar gauges the effectiveness of your password policy as shown below.

This is the Password Rules screen.

If you have chosen to allow the use of passphrases, then the Passphrases tab does the same basic thing as the Password Rules tab, except that the settings pertain to passphrases. For example, you might require passphrases to be at least 20 characters and include a mix of upper and lower case characters.
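The password and passphrase rules described above (length, character groups, the trailing-digit content restriction, and dictionary matching) are sketched below as an added example. This is not Specops code; the function names, default thresholds, substitution map, and word list are assumptions constructed for illustration.

```python
import re

# Constructed sample word list; a real policy would load breach-derived dictionaries.
SAMPLE_DICTIONARY = {"password", "welcome", "summer"}

# Assumed mapping that undoes common character substitutions before the lookup.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                      "3": "e", "$": "s", "5": "s"})

CHARACTER_GROUPS = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]


def check_password(candidate, min_length=10, min_groups=3,
                   dictionary=SAMPLE_DICTIONARY):
    """Return the list of rule violations (an empty list means accepted)."""
    problems = []
    if len(candidate) < min_length:
        problems.append("too short")
    used = sum(bool(re.search(g, candidate)) for g in CHARACTER_GROUPS)
    if used < min_groups:
        problems.append("too few character groups")
    # Content restriction: a trailing digit is what lets a user rotate
    # through base1, base2, base3 at every forced change.
    if re.search(r"\d$", candidate):
        problems.append("ends with a digit")
    # Dictionary rule: drop the trailing digits/symbols, undo substitutions,
    # keep letters only, then compare against the word list.
    core = re.sub(r"[\d\W_]+$", "", candidate.lower()).translate(LEET)
    core = re.sub(r"[^a-z]", "", core)
    if core in dictionary:
        problems.append("dictionary word")
    return problems


def check_passphrase(candidate, min_length=20):
    """Passphrase rule from the text: 20+ characters with mixed case."""
    problems = []
    if len(candidate) < min_length:
        problems.append("too short")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("needs upper and lower case")
    return problems
```

A password that passes every native complexity check can still fail here: the constructed sample `P@ssw0rd1` uses all four character groups yet is rejected for both its trailing digit and its dictionary core.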

The Specops Password Auditor

The Specops Password Auditor is technically a separate tool from Specops Password Policy, but it was installed automatically on my test system, so I decided to have a look at it. As you can see in the figure below, the Password Auditor works by reading password information from the Active Directory and detecting any password related weaknesses.

This is the Specops Password Auditor’s initial screen.

Out of curiosity, I went ahead and scanned the passwords in my lab environment. There are only about half a dozen user accounts in my lab, but even at that, I was impressed by how quickly the password scan completed. The results, which you can see in the figure below, show admin accounts, passwords that will be expiring in the next seven days, passwords that have already expired, the password policies that are in use, the password policy usage and the level of password policy compliance.

These are the results of my scan.

I was curious as to why the Password Policy Compliance box showed a yellow status indicator, so I clicked on it. Upon doing so, I was presented with a screen that showed how my password policy stacked up against industry standards such as NIST, PCI, and SANS. I found this information, which you can see below, to be both useful and informative.

My password policy’s relative strength was evaluated against industry standards.

The Verdict

Over the years it has become customary to assign a numerical rating to the products that I review on this site. These ratings range between zero and five stars, with five stars being the highest possible score. With that said, I decided to give Specops Password Policy a score of 4.5, which is a Gold Award.

Although I was initially concerned that the software was little more than an Active Directory front end, the software ultimately proved to be a bona fide tool for increasing password security. Furthermore, I found the software to be stable, reliable, and very responsive. I did not encounter any bugs during my review, and the software was intuitive to the point that I was able to use it without ever looking at the instructions or calling tech support.

TechGenix.com Rating 4.5/5

 

2 thoughts on “Review of Specops Password Policy”

  1. I did an implementation back in December for one client, and unfortunately, after two months I’m looking for an alternative solution. Frustration started with incompetent technical support and refusal to provide help with a few features. It all escalated once the de-provisioning process started failing. They create protected “leaf” objects under the user object, which prevents the account from being deleted. It is not documented and they say it’s because not many of their clients ever delete user accounts. I will think twice before I recommend SpecOps Password Policy to another customer.

  2. Hi Vojin, sorry to hear that your implementation has been less than smooth. Specops Password Policy leverages leaf objects as an added level of security in addition to providing the benefit of requiring no AD schema updates/changes or a separate database for storing information. The leaf objects can easily be deleted and this is documented in several places, e.g. https://specopssoft.com/blog/deleting-specops-password-users/. Additionally the statement that our customers never delete user accounts is incorrect. While we are sorry that you misunderstood our messaging, it is very unfortunate and concerning that your client was misinformed about the ability of our products and support. The story does not hold and we truly welcome you and/or your client to revisit for a better experience. Lastly, we are always appreciative of suggestions to help us improve our documentation. However, we would prefer you submit any suggestions to https://specopssoft.com/contact-us/
