Microsoft provides only limited means for Active Directory to enforce secure passwords. The Swedish manufacturer Specops Software closes this gap with Password Policy, which allows user passwords to be managed via a sophisticated set of rules and a central blacklist.
Microsoft wants to get rid of passwords as the sole authentication method as soon as possible, but many companies will probably stick with them internally for some time to come. It is therefore all the more important that admins largely eliminate the known weaknesses of passwords.
The password dilemma
The sore points include trivial passwords that are easy to guess, especially for someone who knows a user's social environment. Conversely, there is no point in forcing overly complex passwords on users, because they will then be unable to remember them. The result is more help desk inquiries or the bad habit of sticking the password on the monitor as a note.
The on-board resources of Active Directory basically provide two means of specifying rules for new passwords. The first is the default domain policy with a few predefined criteria that passwords must meet.
Limits of on-board resources
The second, added with Windows Server 2008, are the fine-grained password policies, which can be assigned to individual users or groups and thus override the domain password rules for these objects. However, these policies cannot be assigned to OUs.
Both mechanisms offer the same settings for securing passwords: minimum and maximum age and restrictions on reuse. The rules for the actual structure of a password are limited to its minimum length and the complexity requirements, whose content cannot be configured.
Additional options through SpecOps Password Policy
SpecOps Password Policy (SPP) provides a number of additional ways to enforce strong passwords. This begins with complexity requirements that can be fine-tuned: in addition to the minimum and maximum password length, admins can determine how many letters and non-alphabetic characters a password must contain.
Admins can also prohibit the user's name from appearing wholly or partly in the password, forbid consecutive repeated characters, and reject digits at the beginning or end. Even more precise control is possible by defining a regular expression that determines the permissible structure of passwords.
Checking against dictionaries
A common method of attacking passwords is to use dictionaries whose entries are tried one after the other. Such activities can be prevented by means of account lockout policies, but these in turn have the disadvantage that they can be misused for denial-of-service attacks.
Instead, SpecOps counters this danger by integrating several dictionaries that can be downloaded in the admin client and added to the policy. In addition to those provided by the manufacturer, there are lists of passwords that hackers have stolen from websites such as LinkedIn or Gawker and published on the Internet.
SPP can thus prevent users from using a password that is contained in one of the stored dictionaries.
Managed Password Blacklist
The manufacturer sees the dictionaries primarily as a leftover from previous generations of the product. Instead, SpecOps now relies primarily on a regularly updated blacklist in the cloud, in which the company maintains compromised passwords from different sources.
However, when a password is changed, the domain controllers do not check it directly against the cloud database but against a locally cached subset. For this purpose, SPP keeps the most common passwords as hashes in a local cache.
If desired, the tool can then query the complete database in the cloud, but this is done asynchronously. The hashes are encrypted several times to protect them against attacks.
If a new password turns out to be unsuitable, Password Policy notifies the admin or the user by email. In this case, the password could be changed again at the next logon.
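To make the two-tier check described above concrete, here is an added Python model that is not Specops code: a hash-only local cache is consulted at change time, and the complete database is consulted afterwards through an optional lookup callable. The hash algorithm, the sample entries and the lookup interface are assumptions.

```python
import hashlib

# Constructed sample standing in for the locally cached subset of the vendor's
# blacklist. Only digests are kept; SHA-256 is an assumption, since the page does
# not say which hash the product uses.
SAMPLE_COMPROMISED = ["password1", "Summer2019!", "letmein", "qwerty123"]


def digest(password: str) -> str:
    """Hash a candidate exactly as the cache entries were hashed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class LocalBlacklistCache:
    """Hash-only cache of the most common compromised passwords."""

    def __init__(self, plaintexts):
        self._hashes = frozenset(digest(p) for p in plaintexts)

    def contains(self, password: str) -> bool:
        # Exact, case-sensitive match on the digest of the candidate.
        return digest(password) in self._hashes


def evaluate(password: str, cache: LocalBlacklistCache, full_check=None) -> dict:
    """Two-tier decision: the local cache answers at change time; the complete
    database, if a lookup callable is supplied, is consulted afterwards (called
    inline here, asynchronously in the product)."""
    if cache.contains(password):
        return {"accepted": False, "source": "local cache"}
    verdict = {"accepted": True, "source": "local cache"}
    if full_check is not None and full_check(digest(password)):
        # Hit only in the full database: the change has already gone through,
        # so the verdict flags that admin or user must be notified.
        verdict.update(accepted=False, source="full database", notify=True)
    return verdict
```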
Passphrases as an alternative
Stricter requirements for the construction and reuse of passwords increase security, but they also make it increasingly difficult for users to find and remember suitable passwords.
As an alternative, SpecOps therefore supports so-called passphrases, which consist of an entire sentence or at least several words. Sayings or popular idioms are common choices here, because users can remember them more easily than cryptic passwords.
You can set your own rules for passphrases in SPP. Since very long strings can only be cracked with much more effort, you can relax the requirements for numbers and special characters.
If you configure rules for both passwords and passphrases in SPP, the software differentiates between them based on length. The default threshold for passphrases is 20 characters; the minimum permitted is 15. Everything that reaches or exceeds the configured value is checked against the passphrase rules.
These rules can also enforce the use of lower- and upper-case letters, numbers and special characters. In addition, patterns can be specified using a regular expression.
As with the on-board tools, admins can specify in the general settings whether and when users may reuse previous passwords. Incremental passwords, for example ones that merely count up an appended number, and the recycling of word components can be prevented.
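The rule evaluation described in this and the preceding sections, as an added Python example that is not the product's code: candidates are routed to password or passphrase rules by the 20-character threshold and checked for length, letter counts, user-name fragments, repeated characters, edge digits, a regular expression and reuse of the previous password. The concrete rule values (and the requirement that a passphrase contain whitespace) are constructed assumptions, not the product's defaults.

```python
import re
from dataclasses import dataclass

@dataclass
class Rules:
    min_length: int
    max_length: int
    min_letters: int = 1
    min_non_alpha: int = 0
    forbid_repeats: bool = False      # same character twice in a row
    forbid_edge_digits: bool = False  # digit as first or last character
    pattern: str = ""                 # regex the whole candidate must match

# Constructed rule sets (assumed values, not the product's defaults).
PASSWORD_RULES = Rules(8, 19, min_letters=4, min_non_alpha=2,
                       forbid_repeats=True, forbid_edge_digits=True)
PASSPHRASE_RULES = Rules(20, 127, min_letters=12, pattern=r"(?=.*\s).*")
PASSPHRASE_THRESHOLD = 20  # length from which the passphrase rules apply

def reuses_previous(new: str, old: str) -> bool:
    """Incremented trailing number (Winter7 -> Winter8) or a recycled word part."""
    stem = lambda s: re.sub(r"\d+$", "", s.lower())
    if stem(new) == stem(old):
        return True
    return any(w in new.lower() for w in re.findall(r"[a-z]{4,}", old.lower()))

def violations(pw: str, username: str, previous: str = "",
               threshold: int = PASSPHRASE_THRESHOLD) -> list:
    """Names of the rules a candidate violates; an empty list means accepted."""
    rules = PASSPHRASE_RULES if len(pw) >= threshold else PASSWORD_RULES
    found = []
    if not rules.min_length <= len(pw) <= rules.max_length:
        found.append("length")
    if sum(c.isalpha() for c in pw) < rules.min_letters:
        found.append("letters")
    if sum(not c.isalpha() for c in pw) < rules.min_non_alpha:
        found.append("non-alphabetic characters")
    name = username.lower()  # "partly contained": any 3-character fragment of the name
    if any(name[i:i + 3] in pw.lower() for i in range(len(name) - 2)):
        found.append("contains user name")
    if rules.forbid_repeats and re.search(r"(.)\1", pw):
        found.append("repeated character")
    if rules.forbid_edge_digits and (pw[:1].isdigit() or pw[-1:].isdigit()):
        found.append("digit at start or end")
    if rules.pattern and not re.fullmatch(rules.pattern, pw, re.S):
        found.append("pattern")
    if previous and reuses_previous(pw, previous):
        found.append("reuses previous password")
    return found
```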
Flexible expiration date
As with Windows' integrated password system, SpecOps also defines an expiry date after which users must renew their password. Here too, however, SPP goes beyond the built-in options by making the validity period dependent on the length of the password.
With the security baseline for Windows 10 1903, however, Microsoft has moved away from forcing users to change their passwords regularly, and it also advises against this for Office 365. The exception is of course a password that has been compromised. Then you should replace it as soon as possible.
How Password Policy works
SPP requires a component called Sentinel on each domain controller; it runs there as a password filter and checks new passwords for compliance with the defined rules. The policies themselves are assigned to users via GPOs, so in theory each OU can receive its own password rules.
The rules are configured using a plug-in for the Group Policy Editor. If you create a new policy there, a wizard starts that offers a choice of templates from which it creates the password rules.
These are based on the recommendations of various organizations, including one from Microsoft. Alternatively, you can derive the new rules from the default domain policy or define them yourself from scratch.
The default values from a template can then be adjusted in the following dialogs for the general settings, the expiry date and for the password and passphrase rules.
Insightful messages on the client
If you check new passwords against relatively strict rules, SPP will repeatedly reject them as not secure enough. In this case, the user should be told which criteria the password has not met, so that they do not make the same mistake when entering it again.
Windows' own mechanism for password rules contents itself with the terse message that the password violates the requirements of the domain policy. SpecOps therefore extends the system with an optional authentication client on the endpoints, which provides detailed information about the complexity requirements when a new password is rejected.
However, it becomes apparent here that SPP's password rules are always applied after the filter of the default domain policy. If a password is too weak by Windows' own criteria, it is rejected by the system itself and users receive the usual message. One solution is therefore to lower the requirements in the domain policy so that almost all passwords meet them.
SpecOps Password Policy comes with a setup program that installs the components mentioned in sequence. The first step covers the administration tools. One of these is a graphical console with which you can configure some global settings for the domain, get an overview of all existing policies and language files, or create new templates.
The tools also include the add-in for the GPO editor, which is installed in the same step as the domain administration. The administrator uses it to configure the policies for the individual password GPOs.
To install the server component, you have to set up a network share or, if you use the wizard, select an existing one. From there, it is distributed to all writable domain controllers, which then have to be restarted.
For the Authentication Client, SpecOps provides an installation via group policies. To do this, select an existing GPO or create a new one. This is then automatically configured for the distribution of the client.
The component is provided separately as a 32- and 64-bit MSI on a network share. If required, the client can also be configured via a GPO; the required ADMX file can be obtained from the manufacturer's website.
If companies rely on authentication to Active Directory with username and password alone, SpecOps Password Policy can significantly increase the security of this process.
Thanks to the tool's integration with Group Policy, most admins should be able to cope with it quickly. The installation includes several components, but it is relatively easy thanks to a well-structured setup program. Bringing the authentication client into play alongside the default domain policy is a little trickier.
SpecOps offers a trial version of the software on its website. However, you do not get a download link after registration; instead, the prospect has to wait for the sales team to make contact and give a brief introduction to the product.
The manufacturer also behaves unusually when it comes to price information. Details on the cost of the software, which is billed per user and domain, can only be obtained on request. The reason given is that the company wants to maintain the necessary pricing flexibility for the customer's environment.
It is also difficult to understand why a core function of Password Policy, namely the blacklist maintained by the manufacturer, is only available as an additional option and must be licensed separately.