Impact of running Specops Password Auditor on Active Directory
Specops Password Auditor (SPA), Specops Password Policy (SPP), and Breached Password Protection (BPP) are often used together to help organizations improve the security and password hygiene of their Active Directory (AD).
They often run SPA first – why not, it’s FREE (download from here)! This tool gives you a good understanding of how bad the problems are with your users’ passwords, and it can be run from any domain-joined workstation.
Once they have a baseline report from SPA, this often leads to a proof of concept with SPP, along with its BPP service, which together provide ongoing protection when finally applied to user accounts.
During all of the implementation phases, we’re often asked about the technical impact of using these solutions on AD, and other services.
In part one of this blog, we will look at the impact of SPA on AD. Part 2 will look at the impact of SPP and BPP on AD.
Specops Password Auditor
First, let’s take a look at SPA. As I mentioned in the introduction, this is basically a desktop application, and can be run either as a regular user, or as a domain admin.
If you run it as a domain admin you’ll get access to 3 advanced reports:
- Which users are currently running a compromised password
- Which users have the same password
- Which users have a blank password
These are the prerequisites:
- The workstation or server you are running it on should be Windows 8/10, or Server 2012 and above.
- The latest version of the Microsoft .NET Framework installed
- Joined to the AD domain and connected over the LAN (not VPN)
- Able to contact a DC over all the usual Windows/RPC network ports – there are many.
The LAN connection to a DC is important because the three special reports mentioned above have to extract the current password hashes of your users from the domain controller. It only takes a few seconds, but any packet loss can break the process, and you may have to start again.
Next, you’ll need to download the Express version of the BPP database.
This is still free when used with SPA. It is 5 GB in size, made up of 256 files of roughly 18 MB each, which together hold around 738 million of the most commonly used leaked password hashes. We regularly update this database, and each time you run SPA it checks that you have the latest version and gives you the opportunity to download it. So, make sure you have enough local disk space on your workstation/server to hold and update this database.
It will download the files from: https://download.specopssoft.com
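As an added example (not Specops’ own tooling), here is a PowerShell pre-flight script that checks the prerequisites above before you launch SPA. The port list is an assumed subset of the usual Windows/RPC ports, the 8 GB free-space margin is my assumption on top of the 5 GB database, and the RPC dynamic port range is not probed.

```powershell
# Added pre-flight check for the SPA prerequisites above; this is not Specops' own code.
# Assumes Windows PowerShell 5.1 on Windows 8/10 or Server 2012+, run as a domain user on the LAN.
# The port list is an assumed subset of the "usual" Windows/RPC ports; the RPC dynamic range
# (49152-65535 by default) is negotiated per call and is not probed here.
$results = [ordered]@{}

function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 2000) {
    # Plain TCP connect with a timeout, so it works without the NetTCPIP module.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. OS version: Windows 8 and Server 2012 are build 9200, so anything older fails.
$os = Get-CimInstance Win32_OperatingSystem
$results['OS build 9200 or later'] = ([int]$os.BuildNumber -ge 9200)

# 2. .NET Framework: the Release value under NDP\v4\Full exists only when 4.5+ is installed.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
$results['.NET Framework 4.5 or later installed'] = [bool]$release

# 3. Domain membership of this workstation/server.
$cs = Get-CimInstance Win32_ComputerSystem
$results['Domain joined'] = [bool]$cs.PartOfDomain

# 4. Locate a DC via the machine's own domain (no RSAT needed) and probe the core ports.
$ports = [ordered]@{ 'Kerberos' = 88; 'RPC endpoint mapper' = 135; 'LDAP' = 389; 'SMB' = 445; 'Global Catalog' = 3268 }
if ($cs.PartOfDomain) {
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
    foreach ($name in $ports.Keys) {
        $results["DC $dc reachable on $($ports[$name]) ($name)"] = Test-TcpPort $dc $ports[$name]
    }
}

# 5. Disk space: the Express BPP database is about 5 GB, so require an assumed 8 GB margin for updates.
$drive = Get-PSDrive -Name ($env:SystemDrive).TrimEnd(':')
$results['At least 8 GB free on system drive'] = ($drive.Free -ge 8GB)

# Print one PASS/FAIL line per check and exit non-zero if anything failed.
$failed = 0
foreach ($check in $results.Keys) {
    if ($results[$check]) { "PASS  $check" } else { $failed++; "FAIL  $check" }
}
exit $failed
```

A non-zero exit code means at least one prerequisite failed; the LAN-versus-VPN requirement cannot be tested this way and still needs to be confirmed by hand.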
Remember, this tool isn’t cracking anyone’s password; it’s purely extracting the hashes temporarily. In fact, it uses the same method to do this as AD replication does. So, no rules are being broken, and we’re not accessing any data that isn’t already available to a domain admin level account. Because that request looks like directory replication coming from a workstation rather than a DC, security monitoring that alerts on replication from non-domain-controllers may flag the run, so let your security team know before you start.
The report only takes a few seconds to run and then you will be presented with the results page.
From here you can drill into each report and export the data to CSVs if you need to analyse it further.
SPA can also produce a fancy PDF report that will explain what each result means if you need to present your findings to the board or senior management.
It does NOT report any data back to Specops either, so apart from downloading the installer and the 5 GB database, you can run this just fine on a computer without an internet connection. There are also no adverts, or anything annoying like you usually find in freeware.
SPA won’t make any changes to your data; it’s purely a reporting tool, so any subsequent actions – like asking users with breached passwords to change them – will need to be done manually if you are running SPA in isolation.
However, if you use SPP/BPP you can automate this action, where appropriate, for your users and their current working environment, which leads me nicely on to SPP/BPP.
(Last updated on February 17, 2021)