Reference Material | Specops Breached Password Protection

Specops Password Policy (version 7.0 and later) is compatible with Specops Breached Password Protection. The Breached Password Protection list is a list of leaked passwords. If you are an administrator, you can prevent users from using passwords that are in this list. The list of leaked passwords is curated by Specops Software and is a combination of thousands of different sources of leaked passwords. This includes well known sources, such as haveibeenpwned.com, as well as more obscure sources. The master list contains several billion passwords and is regularly updated with new ones.

You can configure Breached Password Protection with the following settings:

Breached Password Protection Complete

  • Contains the master list of leaked passwords, stored in the cloud, so it is always up to date. 
    Note: This is not zero-day protection as the leaked password list will need to be added to the database in our recognized format.
  • If a user changes their password to one that is in the leaked list of passwords, Breached Password Protection Complete notifies the user by email or SMS. Their account is also flagged, forcing the user to change their password the next time they sign in.  
  • Requires more infrastructure in Active Directory: you must install the Specops Arbiter and obtain an API key. The Arbiter runs on an additional server and communicates with the Breached Password Protection Cloud API. Note: the Arbiter server must run .NET 4.7.1 and Windows Server 2012 R2 or later.

Breached Password Protection Express 

  • Uses a subset of the list of leaked passwords that’s normally updated every 6 months. 
  • The list is downloaded to Active Directory (will affect replication between Domain Controllers). 
  • Administrators must manually check if there are updates to the list of leaked passwords, and then download the updated list.  
  • Immediately stops the user from changing to a leaked password.

Requirements

Component: Specops Password Policy Sentinel
  • Windows Server 2012 R2 or later
  • .Net Framework 4.7.1 or later
  • Writable domain controller

Component: Specops Arbiter
  • .NET 4.7.1 or later
  • Windows Server 2012 R2 or later

Component: Breached Password Protection Express updates (disk space)
Dictionaries for Specops Breached Password Protection Express are downloaded and stored in SYSVOL, and are replicated to every domain controller.

  • 10 GB free space in SYSVOL on each domain controller.

  • Temporary: an additional 10 GB on the admin computer where the dictionaries are downloaded.

Components

Specops Password Policy with Breached Password Protection consists of the following components.

Specops Password Policy Sentinel

The Specops Password Policy Sentinel is an installation package that must be installed on all writable domain controllers in a domain.

The Specops Sentinel consists of the Sentinel Password Filter, and the Sentinel Service.

Sentinel Password Filter

The Sentinel Password Filter is a Windows Password Filter that verifies whether a new password matches the Specops Password Policy settings assigned to the user.

When validation with Specops Breached Password Protection is configured, the Sentinel Password Filter writes a Breached Password Protection validation request file for each new password (password change/reset), as configured in the Specops Password Policy GPO settings.

Sentinel Service

The Sentinel Service (a Windows service) is a component of Specops Password Policy. It is always installed as part of the Specops Password Policy Sentinel, but is only active when Breached Password Protection validation is configured.

The Sentinel Service takes the Breached Password Protection validation requests from the queue folder and passes them to the Breached Password Protection Arbiter, which determines whether the password is allowed or has been breached. Depending on the Specops Password Policy GPO settings, the Sentinel Service may enforce User must change password at next logon for breached passwords.

The Sentinel Service runs as local system and, by default, is allowed to set User must change password at next logon on affected users.

Installation requirements: .NET 3.5 SP1 or later

Breached Password Protection Arbiter

The Breached Password Protection Arbiter is a component of Specops Password Policy, and should be installed on a server with an internet connection. A single Arbiter is sufficient for most organizations. If your organization requires redundancy, additional Arbiters are recommended.

The Breached Password Protection Arbiter acts as a gateway between the Sentinel Service and the Specops Breached Password Protection Cloud API, where the list of leaked passwords is held. The Breached Password Protection Arbiter uses an API key to communicate with the Breached Password Protection Cloud API.

The Arbiter runs as network service and, by default, has read-only access to Active Directory. By reading the Specops Password Policy settings, the Arbiter can determine the actions required if a password hash is found in the Breached Password Protection list.

To use Breached Password Protection validation, at least one Arbiter must be installed in the domain. Organizations using Specops Password Policy without Breached Password Protection validation do not need to install the Arbiter.

Installation requirements: .NET 4.7.1 or later

Note: The Breached Password Protection Express settings do not require the Breached Password Protection Arbiter component.

Breached Password Protection Cloud API

The Breached Password Protection Cloud API, hosted by Specops in the cloud, is a component of Specops Password Policy.

The Breached Password Protection Cloud API hosts an extensive list of leaked passwords.

Configure Breached Password Protection Complete (Complete API)

To configure Breached Password Protection Complete, you will need to: 

  • Install Specops Password Policy Sentinel on all domain controllers. The same version must be installed on all domain controllers.  

Note: Specops Password Policy customers running version 6.8.18106.1 or earlier will require a new license key.

  • Install one (or more) Arbiters in the domain(s) 
  • Register the Arbiter(s) from Specops Password Policy Domain Administration tool 
  • Add the API key (received from a Specops Product Specialist) to the Specops Password Policy Domain Administration tool.

To enable Breached Password Protection validation using Breached Password Protection Complete for new passwords (password change/reset), you must configure the Specops Password Policy GPOs that apply to the users to be affected.

  1. Open the Password Policy Domain Administration tool. 
  2. Click the Breached Password Protection tab.
  3. In the Breached Password Protection section, select the Enable Breached Password Protection Complete (Complete API) checkbox. 
  4. In the Breached Password Protection configuration section, specify when you want Breached Password Protection validation to take place. You can choose from the following options: 
    • Verify passwords at change: A user’s password will be checked against the list of leaked passwords whenever they change it
    • Verify passwords at reset: A user’s password will be checked against the list of leaked passwords whenever they reset it. 
    • Both: A user’s password will be checked against the list of leaked passwords whenever they reset or change their password. 
  5. Select the Send emails to users with breached passwords checkbox.  In the Breached Password Protection Complete email notification section, you can configure an email notification that will be sent to a user if their newly chosen password is in the list of leaked passwords. 
    • In the From email field, enter the email of the admin who is sending the email.  
    • In the From name field, enter the name of the administrator that is sending the email. 
    • In the Subject name field, enter a subject for the email notification. For example: Invalid Windows password.  
    • In the Body field, you can specify the text that will go into the body of the email. You can use the default text provided, or you can add more customizations such as text and placeholders, by clicking Edit.
    • Note: Emails can only be sent to and from addresses with a domain registered with the API key.
  6. In the Breached Password Protection Complete text message notification section, you can configure a text message notification that will be sent to a user if their newly chosen password is in the list of leaked passwords.
    • Select the Send text messages to users with breached passwords checkbox.  
    • In the Text Message field, you can specify the text that will go into the body of the text message. You can use the default text provided, or you can add more customizations such as more text and placeholders.  
    • Note: SMS notifications are sent to the mobile number stored in the mobile attribute in Active Directory.
  7. Click Apply. 
  8. Click OK. 

Configure Breached Password Protection Express (Express List)

If you are an administrator, you can download a list of leaked passwords and store them in your local environment. Whenever a user in your organization resets or changes their password, their newly chosen password will be checked against this list of leaked passwords. If the user’s chosen password is in the list of leaked passwords, they must choose a different one.  

Breached Password Protection Express differs from Breached Password Protection Complete in the following ways:  

  • Instant password validation: as the list of leaked passwords is stored locally, Breached Password Protection Express can immediately confirm if a user’s newly chosen password is acceptable or not. Users will get instant validation regardless of where they change their password, even if they have both versions of Breached Password Protection configured and enabled.   
  • Leaked password scanning: Breached Password Protection Express can scan the passwords of all users who are affected by the policy. The passwords will be compared with the downloaded Breached Password Protection Express list. Users with leaked passwords will be prompted to change their password at next logon.
  • Notifications: because leaked password scanning (typically) runs nightly rather than at the moment a user changes their password, you can enable notifications to inform users that their password was found to be leaked and that they must change it at next logon.
  • Updates: the list of leaked passwords must be updated manually. If a new version of the list has been published, you must download it from the Password Policy Domain Administration tool.

Download the list of leaked passwords 

You must download the list of leaked passwords to your local environment, so that your chosen Group Policy Object(s) can reference the list of leaked passwords.   

Note: You only need to download each version of the list once. Once downloaded, the list is stored in SYSVOL and applies domain-wide, so it does not need to be downloaded separately for each Group Policy Object.

To download the Breached Password Protection list, follow these steps:  

  1. Start the Password Policy Domain Administration tool. 
  2. Navigate to the Breached Password Protection page 
  3. Click the Breached Password Protection Express (Express List) tab.  
  4. If a new version of the list is available, click the Download latest version button.
  5. The Download Breached Password Protection window will open. The files are first downloaded to a temporary directory before being moved to their permanent location in SYSVOL. By default, the current user's "temp" directory is used. To select another temporary directory, click the Browse button.
  6. Click OK to start the download. Depending on the size of the package, this may take some time.
  7. When the download has completed, the files are copied to the following location in SYSVOL: \\<yourdomain.com>\SYSVOL\<yourdomain>\Policies\SpecopsPassword\Dictionaries
  8. You will then see a message confirming that the list has successfully downloaded and is up to date. This message shows the version number of the package that has been downloaded, the date of the version's publication, and the size of the package.

Enable Breached Password Protection Express 

Once you have downloaded the Breached Password Protection list, you must enable Breached Password Protection Express, so that it applies to the relevant Group Policy Objects.  

To do this, follow these steps:  

  1. Open the Password Policy Domain Administration tool.
  2. Click the Breached Password Protection Express (Express List) tab.
  3. In the Breached Password Protection section, select the Enable Breached Password Protection Express checkbox. If you select only this checkbox, all configuration options relating to Breached Password Protection Complete (such as Breached Password Protection Complete email notification and Breached Password Protection Complete text message notification) are grayed out and disabled. Notification emails and text messages are not needed with Breached Password Protection Express, because a leaked password is rejected at the moment the user tries to set it.
  4. Click Apply 
  5. Click OK. 

Update Breached Password Protection Express 

The list of leaked passwords will be updated at regular intervals. The update will then be published, so that it is available for download.  

To check if a new version is available for download, follow these steps:  

  1. Start the Password Policy Domain Administration tool.
  2. Navigate to the Breached Password Protection section.  
  3. Click the Breached Password Protection Express (Express List) tab.  

If a new version of the list is available, you will see a notification saying: “There is an updated version of the list of leaked passwords ready for download”.  

You will also see a comparison between the current version you have stored locally and the online version that has been released. 

  4. Click Download latest version. The new list is downloaded and the changes will apply.

Configure both Breached Password Protection Complete and Breached Password Protection Express 

You can configure and enable Breached Password Protection Complete and Breached Password Protection Express at the same time, by selecting both the Enable Breached Password Protection Complete and the Enable Breached Password Protection Express checkboxes. If both are enabled and a user changes their password, Breached Password Protection Express first checks the password against the list of leaked passwords that has been downloaded. If the password is found in the locally stored Express list, the Breached Password Protection Express rule prevents the user from changing to that password. If it is not found in the local list, the password is then checked against the online list used by Breached Password Protection Complete. If it is found there, the user's account is flagged with "must change password" and they will be required to change to a different one at next logon.

Frequently Asked Questions

Does Specops Breached Password Protection replace the downloadable password dictionaries?

We recommend using Specops Breached Password Protection in combination with the custom dictionaries. The custom list should include passwords relevant to your organization, including name, location, services, and relevant acronyms.

Are passwords sent externally with Specops Breached Password Protection?

No. The Sentinel Password Filter generates a bcrypt hash of the user's new password. Neither the password nor the full bcrypt hash leaves the domain controller. Only the first few bytes of the hash are used to query the Cloud API, which returns the set of leaked hashes sharing that prefix. The comparison against the full hash takes place on the domain controller, within the organization's network.
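The following is an added example, not Specops code, that simulates two things the page describes: the evaluation order when both Express and Complete are enabled (local Express list first, rejecting immediately; then the Complete lookup, which flags the account for a password change), and the prefix-based lookup described in this answer, where only a short hash prefix leaves the domain controller and the full-hash comparison happens locally. The hash function (an unsalted SHA-256 instead of the bcrypt the page mentions, because the page does not say how the bcrypt salt is handled), the prefix length, the API shape, the round-robin Arbiter selection and all sample passwords are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

PREFIX_LEN = 5  # assumption: hex characters of the hash sent off the DC


def pw_hash(password: str) -> str:
    """Deterministic hash used as the lookup key (assumption: SHA-256).

    The page says Specops derives a bcrypt hash and uses its first few
    bytes; salt handling is not described there, so a plain digest stands
    in to keep the prefix query reproducible in this simulation.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class CloudApi:
    """Stand-in for the Specops-hosted API: stores hashes only, answers prefix queries."""

    def __init__(self, leaked_passwords, api_key):
        self._api_key = api_key
        self._hashes = {pw_hash(p) for p in leaked_passwords}
        self.requests = []  # prefixes the server saw, for inspection

    def query_prefix(self, api_key, prefix):
        if api_key != self._api_key:
            raise PermissionError("invalid API key")
        self.requests.append(prefix)
        # Every leaked hash sharing the prefix is returned; the server
        # cannot tell which one (if any) the caller is interested in.
        return {h for h in self._hashes if h.startswith(prefix)}


class Arbiter:
    """Gateway holding the API key; the DC never talks to the cloud directly."""

    def __init__(self, api, api_key):
        self._api, self._api_key = api, api_key
        self.served = 0

    def candidates(self, prefix):
        self.served += 1
        return self._api.query_prefix(self._api_key, prefix)


@dataclass
class Account:
    name: str
    must_change_password: bool = False


class DomainController:
    """Sentinel filter and Sentinel service rolled into one object."""

    def __init__(self, express_hashes, arbiters):
        self.express_hashes = express_hashes  # local Express list (hashes)
        self.arbiters = arbiters              # registered Arbiters
        self._rr = 0                          # round-robin cursor

    def _next_arbiter(self):
        arbiter = self.arbiters[self._rr % len(self.arbiters)]
        self._rr += 1
        return arbiter

    def set_password(self, account, new_password):
        """Return 'rejected', 'accepted' or 'accepted_flagged'."""
        h = pw_hash(new_password)
        # Stage 1 (Express): list lives in SYSVOL, so the filter refuses at once.
        if h in self.express_hashes:
            return "rejected"
        # Stage 2 (Complete): the change is already accepted; the service asks
        # an Arbiter for the candidate set and compares the full hash locally.
        if not self.arbiters:
            return "accepted"
        matches = self._next_arbiter().candidates(h[:PREFIX_LEN])
        if h in matches:
            account.must_change_password = True
            return "accepted_flagged"
        return "accepted"


def demo():
    """Constructed data: three leaked passwords, Express holds a subset of them."""
    api_key = "example-api-key"
    api = CloudApi(["Password1", "Summer2023!", "letmein"], api_key)
    dc = DomainController(
        express_hashes={pw_hash("Password1")},
        arbiters=[Arbiter(api, api_key), Arbiter(api, api_key)],
    )
    alice, bob = Account("alice"), Account("bob")
    outcomes = [
        dc.set_password(alice, "Password1"),         # Express hit: rejected
        dc.set_password(alice, "letmein"),           # Complete-only hit: flagged
        dc.set_password(bob, "c0rrect-h0rse-9Qz!"),  # not leaked: accepted
    ]
    return outcomes, alice, bob, dc, api


if __name__ == "__main__":
    outcomes, alice, bob, dc, api = demo()
    print(outcomes, alice.must_change_password, bob.must_change_password)
    print("prefixes sent off the DC:", api.requests)
```

Note that the Express hit never generates a cloud request at all, and that the two Complete lookups only ever transmit five-character prefixes; the Cloud API stand-in records what it received so this can be checked directly.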

What are the benefits of multiple Arbiters? How does the DC (handling the password change) select an Arbiter?

Having more than one Arbiter adds redundancy, in case an Arbiter is temporarily down. Additional Arbiters do not affect performance. The number of concurrent password changes, for an organization with many DCs, should not cause latency issues.

If there are multiple Arbiters, the Sentinel Service selects one using round robin.

How does the Breached Password Protection Cloud API handle mobile numbers and email addresses when sending SMS and email notifications to users?

The Breached Password Protection Cloud API uses SendGrid for email notifications and Twilio for SMS notifications. Email and SMS notification requests from the Arbiter to the Breached Password Protection Cloud API are encrypted with TLS. The customer ID and message timestamp are stored in Graylog. Neither the password nor the hash is revealed in the user notification.