How to Secure Passwords with Specops Password Policy

Published:18 January 2022 - 12 min. read

Azure Cloud Labs: these FREE, on‑demand Azure Cloud Labs will get you into a real‑world environment and account, walking you through step‑by‑step how to best protect, secure, and recover Azure data.

Password hygiene can make or break an organization’s security efforts. Finding the balance between weak and complicated passwords can be a challenge. Luckily, Specops Password Policy (SPP) takes the guesswork from implementing strong passwords with features that are baked into the product.

With Specops Password Policy, you can create password rules that comply with industry-standard templates. You’ll have more granular control on password policies than what the default Windows password policy can offer.

Continue reading and learn how to install, configure, and create Specops Password Policy to start protecting your Active Directory user passwords.

This post is kindly sponsored by Specops Software.

Prerequisites

Should you plan to follow along with this hand-on tutorial, make sure to have the requirements in place as follows.

  • A Windows Server 2012 R2 (or later) domain controller (DC). This tutorial will be using a Windows Server 2019 DC.
  • A Windows 7 (or later) domain-joined computer. You’ll use this computer to test how the Specops Password Policy works on the user side.
  • The Specops Password Policy installer, which you can download from this link.
  • You’ll also need the trial license, which you can request by filling out the Specops Password Policy product page information form. Someone from Specops will then send you an email with the trial license and trial API key for Arbiter, which is required for the Breached Password Protection add-on.

Installing Specops Password Policy

Specops Password Policy has multiple components that you’ll need to install individually. These component works together to complete the Specops Password Policy experience. But you don’t need to download these installers separately; you can install these components from one place.

Installing Administration Tools

The administration tools allow you to manage the Specops Password Policy configurations, such as installing the license or creating new policies. This installation also adds a group policy management console (GPMC) snap-in that lets you edit password policies in a group policy object (GPO).

To install the Administration tools, follow these steps.

1. Locate the specopspasswordpolicy_setup.exe you downloaded and double-click the file.

2. A pop-up window shows up asking where to extract the installation files. The default target location is C:\\Temp\\SpecopsPasswordPolicy_Setup_<version>. Leave the default or change the location if you prefer to extract to another folder and click OK.

Selecting the installer folder
Selecting the installer folder

3. After the extraction, the Specops Setup Assistant window launches. Click Start installation.

The Specops Setup Assistant
The Specops Setup Assistant

4. Accept the End User License Agreement (EULA).

Accepting the Specops Password Auditor EULA
Accepting the Specops Password Auditor EULA

5. On the installer menu, you’ll see the list of components available to install. Click on the Administration Tools button.

Clicking the Administrator Tools installer
Clicking the Administrator Tools installer

6. Next, click Add menu ext to enable Specops-specific context menu items to the Active Directory User and Computers (ADUC) console. This action does not touch the schema.

Installing the Specops Password Policy context menu.
Installing the Specops Password Policy context menu.

7. Now, click Install to install the Specops Password Policy Administration Tools.

Installing the administration tools
Installing the administration tools

8. After the installation, click OK.

The installation succeeded
The installation succeeded

Installing Specops Arbiter

Specops Arbiter is the component that enables using the Specops Breached Password Protection (BPP) add-on. This add-on gives Specops Password Policy access to the online list of leaked and compromised passwords that Specops provides.

You only need to install this component if you wil use the Breached Password Protection.

To install the Sepcops Arbiter on your DC, proceed as follows.

1. On the Speocops Password Policy installation menu, click Specops Arbiter.

Clicking the Specops Arbiter installer
Clicking the Specops Arbiter installer

2. Click Install next to the Sepcops Arbiter installation.

Installing Specops Arbiter
Installing Specops Arbiter

3. Finally, click OK after the installation.

 The Specops Arbiter installation succeeded
The Specops Arbiter installation succeeded

Installing Specops Password Policy Sentinel

The Specops Password Policy Sentinel is the component that filters and verifies new passwords against the Specops Password Policy settings you implement. This component also checks if the password is on the breached password list, but only if you configure the Specops Arbiter, too.

You must install Specops Password Policy Sentinel on all writable domain controllers in production.

Follow the steps below to install Specops Password Policy Sentinel on all writable DCs.

1. On the main installation menu, click Domain Controller Sentinel.

Clicking the Specops Password Policy Sentinel installer
Clicking the Specops Password Policy Sentinel installer

2. Next, on the list of DCs, click the checkbox next to each DC to install the Specops Password Sentinel. This example only has one DC. After marking your target DCs, click Install and wait for the installation to complete.

Installing Specops Password Policy Sentinel on the Domain Controllers
Installing Specops Password Policy Sentinel on the Domain Controllers

3. Finally, reboot the affected domain controllers on the list. As you can see below, the DC requires a reboot.

Confirm the installation status and reboot requirements.
Confirm the installation status and reboot requirements.

Installing Specops Authentication Client

While the Specops Authentication Client is an optional component, installing it on client computers elevates the user experience when changing passwords.

The client has three main functions; display the password policy rules, evaluate the new password in real-time, and notify users of expiring passwords.

Evaluating new passwords in real-time is only available on Windows 10 64-bit (not 32-bit) or Windows 11.

Admins can choose to install Specops Authentication Client via the software installation strategy that their organization has in place. But in this example, for testing purposes, you’ll install the Specops Authentication Client manually on the client PC.

1. First, log in to the client computer with administrator access. The client installation requires admin rights.

2. Open a new PowerShell window as administrator and change the current directory to your Downloads folder by running the command below.

cd ~/Downloads

3. Run the command below to download the Specops Authentication Client installer.

$url = 'https://download.specopssoft.com/Release/Client/Specops.Authentication.Client-x64.msi'
Invoke-WebRequest -Uri $url -Outfile ($url).split('/')[-1] -UseBasicParsing
Get-ChildItem *.msi
Downloading the Specops Authentication Client installer

4. Type in the installer file name, append the switch /passive, and press Enter.

The default installation folders are %ProgramFiles%\\Specopssoft for 64-bit and %ProgramFiles(x86)%\\Specopssoft for 32-bit clients.

.\Specops.Authentication.Client-x64.msi /passive

Wait for the installation to complete, which only takes a few seconds.

Installing the Specops Authentication Client
Installing the Specops Authentication Client

Importing the Specops Password Policy Product License

So far, you have already installed all the components responsible for making Specops Password Policy work. But before you can start tinkering with the password rules and other general settings, you first need to import the license.

1. First, launch the administration tool. To do so, click Start —> Specops Software —> Password Policy Administration.

Launching the Administration Tool
Launching the Administration Tool

2. The first time you open the administration tool on the computer, you will get the License Error message, as shown below. This error is normal since you haven’t imported the license yet.

Click OK to close this pop-up window.

License error message
License error message

3. Click the Import license file button on the administration tool window to start importing the license.

Clicking the Import license file button
Clicking the Import license file button

4. Browse for and locate the license file (with JSON extension) and click Open.

After importing the license, you’ll see that the Specops Password Policy status is now enabled. And on the left pane, you’ll see the different menu items for configuration that were missing before installing the license.

Specops Password Policy Status is now enabled
Specops Password Policy Status is now enabled

Enabling the Breached Password Protection Add-on

Apart from password rules, SPP can also check user passwords against a breached passwords list, whether online or with an offline database. But first, you need to enable this feature.

Importing the Breached Password Protection API Key

After installing the product license, you can now access the Breached Password Protection configuration page. This configuration page allows you to apply the API key, giving the Arbiter access to the online breached password list.

To import the API key, follow these steps.

1. Click Breached Password Protection on the left pane.

2. Under the Complete API tab, click the Register new Arbiter button.

Clicking the Register new Arbiter button
Clicking the Register new Arbiter button

3. Next, search for or specify the domain controller name to register and click OK. This example selects the atadc01 DC.

Specifying the DC to register
Specifying the DC to register

4. The DC should now be on the list, as you can see below. Click the Import API key button.

Click Import API key
Click Import API key

5. Now, open the API key file in a text editor such as Notepad. Copy the API key from the text editor, paste it into the Add API Key box, and click OK.

Copying the API key
Copying the API key

The API key column will now have a checkmark, as shown below.

The API key column shows a checkmark after the import
The API key column shows a checkmark after the import

Downloading the Breached Password Express List

Instead of checking passwords against an online list, the Breached Password Express List enables SPP to check the passwords using a local dictionary. Plus, the Express List enables the checking of passwords in real-time.

The Breached Password Express List size is approximately 5.2GB as of 11/17/2021. This list contains only a subset of the complete list, which the API provides. After downloading, the list will be in the SysVol directory and trigger replication between the domain controllers. It is recommended to have at least double this space available for replication.

1. Click the Express List tab inside the Breached Password Protection page.

2. Next, click Download latest version.

Click Download latest version
Click Download latest version

3. Specify the temporary directory where to save the express list and click OK. Make sure the temporary location has enough free space.

Specify the temporary download location
Specify the temporary download location

4. On the confirmation prompt, click Continue.

Confirm the download
Confirm the download

And wait for the download and copy process to complete.

Wait for the download to complete
Wait for the download to complete

5. Click OK after completing the download.

Download completed
Download completed

Configuring SMTP Settings for Email Notifications

A part of the Specops Password Policy experience is users’ email notifications regarding password-related actions. If you don’t plan or want to use email notifications, you can skip this step.

1. Click Domain Settings on the left pane and click Edit under the SMTP Settings section.

Click Edit under the SMTP Settings
Click Edit under the SMTP Settings

2. Now, enter the information about your SMTP server and email addresses, and click Test Settings.

SMTP Settings
SMTP Settings

3. On the Test SMTP Settings window, enter the recipient email address for the testing and click Send. The screenshot below shows the result of successful email testing. Click Close.

Testing SMTP settings
Testing SMTP settings

4. Back to the SMTP settings window, click OK to save the changes.

Creating a New Password Policy

Finally! After importing the licenses and other preparations, you’re now ready to start securing your users’ passwords. Now it’s time to create a new password policy and apply it to your domain.

1. On the Administration tool, click Password Policies.

Opening the Password Policies
Opening the Password Policies

As you can see below, only one password policy exists inside the Default Domain Policy GPO. This default policy primarily affects the users unless the Specops Password Policy you’ll be creating is fine-grained and has a higher entropy score.

The entropy score is SPP’s rating of a password policy’s strength based on its password rules. If the Specops password policy you are creating has a lower entropy score, make sure to set the Default Domain Policy to the lowest level first.

Default password policy
Default password policy

2. Now, click on the Create new Password Policy button.

3. On the Create a new Password Policy window, you have two options to create a password policy; create a new GPO or use an existing GPO for the new password policy. In this example, you’ll create a new GPO called SPP. Now, click on New Group Policy object.

Click New Group Policy object
Click New Group Policy object

4. Enter the name of the new GPO and select the organizational unit (OU) where the GPO should apply. The GPO name in this example is SPP and will apply to the domain root [ata.int]. Click OK to create the GPO.

You may also customize to which OUs the policy should apply at this point by manually adding each target OU.

Creating the GPO
Creating the GPO

5. Select the GPO you created previously from the list, such as SPP in this example, and click OK.

Selecting the GPO
Selecting the GPO

6. Next, select the starting template for your new password policy. There are four pre-defined templates that follow industry-standard recommendations, such as Microsoft, NCSC, NIST, and NSA. The Custom template will match the default domain password policy.

Select the Microsoft Recommendation – high security template in this example and click Next.

Selecting the Microsoft recommendation template
Selecting the Microsoft recommendation template

Configuring General Settings

1. Now the password policy configuration page opens. Under the Start tab, the choices are whether to Enable Password Rules, Enable Passphrase, or Enable Both (password and passphrase).

In this example, leave the default choice — Enable Password Rules.

Enabling Password Rules
Enabling Password Rules

2. Next, click the General Settings tab. Under the Password history section, leave the default settings where users cannot reuse the previous 24 passwords and change a less than a 1-day old password.

The Password reset options are specific to administrator actions only. For example, when an administrator resets a user password in ADUC.

3. Also, leave the default settings under the Client message section. This setting determines what message the users will see after submitting a failed password attempt.

General Settings
General Settings

Configuring Password Expiration

1. Click the Password Expiration tab. Under the Password expiration section, leave the Maximum password age (days) value to its default.

The Length based password aging settings, when enabled, rewards the users who use longer passwords with a later password expiration date.

2. Under the Password expiration notifications, check the Notify at login box and change its value to 10. This setting means that the users will receive a desktop notification about their password expiring. This setting only works with the Specops Authentication Client.

The screenshot below shows an example of the client notification about the user password expiring.

Password expiration notification
Password expiration notification

3. If you configured an SMTP server for email notifications, check the Send email notification box and change its value to 10. With this setting, the users will receive a daily email telling them that their password will expire.

Password Expiration Settings
Password Expiration Settings

Configuring Password Rules

Next, click the Password Rules tab. Review each setting but leave the default values for now. The default settings, as you can see below, will:

  • Require a minimum password length of 8.
  • Block using the full username in the password.
  • Require the password to have at least three of the following: 1 upper case, 1 lower case, 1 digit, and 1 special character.
Password Rules
Password Rules

Configuring Breached Password Protection

There are two versions of the Breached Password Protection that perform the same function but differently. These are the Express List and Complete API.

The Express List only works if you downloaded the Breached Password Express List.

To enable the BPP Express List:

1. Check the Prevent users from changing to a leaked password. Enabling this option will cause a password change to fail if the password matches a leaked password in the Express List.

2. Check the Continuously check for leaked passwords and force users to change them. This option schedules a nightly check of every user’s password. SPP will automatically expire the password of accounts whose passwords are on the express list, forcing users to change passwords.

3. Change the Notify user when they are forced to change password. This setting enables sending email notifications to users who need to change passwords. The notification will use the sender information you configured in the SMTP server settings.

BPP Express List settings
BPP Express List settings

The screenshot below shows the result of a failed password change if the new password is in the BPP Express List.

BPP Express List failed password change
BPP Express List failed password change

On the other hand, the Complete API checks the passwords against the online breached password list from Specops. To configure the BPP Complete API, follow the steps below.

1. Click the Complete API side tab.

2. Check the Enable Breached Password Complete API. This setting enables online password checking.

3. Check the Enable Breach Protection when passwords are reset. Enabling this option applies the BPP online checking when the user or administrator performed a password reset.

4. Check the Require that users with leaked passwords change then at next logon. This option automatically expires the user’s password and forces a password change.

BPP Complete API settings
BPP Complete API settings

5. Check the Send emails to users with passwords on the breach list and change the Email transport mode to SMTP if you have configured an SMTP server.

BPP Complete API email notification settings
BPP Complete API email notification settings

The screenshot below shows the email notification that the user receives if their new password is in the breached password list.

Invalid password email notification
Invalid password email notification

6. Leave the Send text messages to users with passwords on the breach list. With this option enabled, BPP will send a text message to the user’s mobile phone number in AD. The mobile phone number must follow the international format that begins with +<country code> (e.g.,+46).

Click OK to save the new password policy.

BPP Text message notification settings
BPP Text message notification settings

The screenshot below shows an example text message informing the user about their disallowed password.

Invalid password text message
Invalid password text message

Congratulations! You have now configured a password policy that is more fine-grained and with built-in notification features.

The new Specops Password Policy
The new Specops Password Policy

Conclusion

In this day and age, using strong passwords should be non-negotiable. But ‘strong’ can be subjective, and translating it into a good password policy can be challenging. But because Specops Password Policy has pre-defined templates, you don’t need to start a password policy from scratch.

With the Breached Password Protection add-on, you ensure that users will not use a leaked password. You can even define a custom dictionary to add to your disallowed passwords

Why don’t you continue exploring Specops Password Policy? Tweak or customize rules to fully understand how this product can help protect your user’s passwords, and in effect, protect your organization, too!

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!