Specops Password Sync consists of the following components. The overview below shows the communication between the components when completing a password synchronization.
Specops Password Change Notifier
The Specops Password Change Notifier reacts to successful password changes processed by the Domain Controller and sends a password synchronization request to the Sync Server. The Password Change Notifier must be installed on every Domain Controller that handles password change requests.
Note: Installing the Password Change Notifier on all Domain Controllers is recommended. Strictly, only the Domain Controllers that actually process password change requests require it, but a password change handled by a Domain Controller without the notifier is never synchronized.
The Specops Password Change Notifier contains the following sub components:
- Notifier Filter
- Notifier Service
Notifier Filter
The Notifier Filter intercepts password changes on the Domain Controller. When a successful password change is detected, the Notifier Filter will perform the following security validations:
- Verify Privileged Groups: Users whose adminCount attribute is set to 1 in Active Directory (members of Domain Admins, Schema Admins and the other groups protected by AdminSDHolder) are filtered out and do not have their passwords synchronized. An event is written to the log each time a password change for such a protected account is detected.
- Verify the Scope of Management: Every Sync Scope must have at least one User Scope of Management configured.
- Verify the configured Sync Servers: The Notifier Filter verifies that the Sync Server(s) configured for the Sync Point are the approved ones. This prevents a rogue administrator from circumventing the core security of the system by replacing an approved Sync Server with one under their control.
Once the security verifications have been completed, a password change request file is created for each configured Sync Point. The password is encrypted with the Windows Data Protection API (DPAPI) under the Local System credentials of the Domain Controller, so only that Domain Controller can decrypt it. The default path to the job queue is:
%SystemRoot%\System32\SpecopsPasswordSync\Queues
- The path to the job queue is on the Domain Controller.
- Only the Local System has permissions to access this location.
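The following PowerShell script is an added example, not part of the Specops documentation or product. Run on a Domain Controller with the ActiveDirectory module (RSAT) installed and an elevated prompt, it checks two of the properties described above: which accounts carry adminCount=1 and will therefore never be synchronized, and whether the job queue folder really grants access to Local System only. The queue path is the default from the documentation; the list of expected principals and the output format are assumptions made for the example.

```powershell
# Added example (not from the Specops documentation): audit the Notifier Filter's
# privileged-account exclusion and the queue folder ACL on a Domain Controller.
# Requires the ActiveDirectory module (RSAT) and an elevated prompt.
Import-Module ActiveDirectory

# --- 1. Which accounts will never be synchronized? ---------------------------
# The filter skips every user whose adminCount attribute is 1. AdminSDHolder/SDProp
# sets the attribute for members of protected groups but does NOT clear it when an
# account leaves such a group, so "orphaned" accounts stay excluded from
# synchronization until adminCount is reset by an administrator.
$excluded = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, whenChanged |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, DistinguishedName, whenChanged

Write-Host "Accounts excluded from password synchronization (adminCount=1): $($excluded.Count)"
$excluded | Format-Table -AutoSize

# --- 2. Is the job queue really restricted to Local System? ------------------
# Change-request files are DPAPI-encrypted under the DC's System credentials, but
# the folder itself should still be readable by nobody else.
$queue    = Join-Path $env:SystemRoot 'System32\SpecopsPasswordSync\Queues'  # default path from the documentation
$expected = @('NT AUTHORITY\SYSTEM')   # assumption: the only principal that should appear in the ACL

if (-not (Test-Path -Path $queue)) {
    Write-Warning "Queue folder not found: $queue (is the Password Change Notifier installed on this DC?)"
    return
}

$acl = Get-Acl -Path $queue

# If inheritance is enabled, ACEs from %SystemRoot%\System32 (Administrators,
# TrustedInstaller, Users, ...) flow down to the queue folder.
if (-not $acl.AreAccessRulesProtected) {
    Write-Warning "$queue inherits permissions from its parent folder; inherited ACEs are listed below."
}

$findings = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $expected -notcontains $_.IdentityReference.Value
}

if ($findings) {
    Write-Warning "Principals other than $($expected -join ', ') can access $queue :"
    $findings | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
} else {
    Write-Host "OK: only $($expected -join ', ') has access to $queue"
}

# Request files are deleted only after successful delivery to a Sync Server, so a
# growing backlog here usually means the Sync Servers for a Sync Point are unreachable.
$pending = @(Get-ChildItem -Path $queue -File -Recurse -ErrorAction SilentlyContinue)
Write-Host "Change-request files still waiting in the queue: $($pending.Count)"
```

Because the adminCount check is the documented exclusion criterion, the first list is also the answer to "why did this user's new password never reach the connected system?" for any account that was once a member of a protected group.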
Notifier Service
The Specops Password Change Notifier Service picks up the password change request file from the queue folder and looks up the Sync Server for the Sync Point in Active Directory. The Notifier Service runs in the security context of the Domain Controller (Local System) and can therefore decrypt the password. It first attempts to set up an encrypted SSL/TLS session with the primary Sync Server for the Sync Point; if that fails, the secondary Sync Server is contacted. Once the session is established, the identity of the remote Sync Server Service is verified with Kerberos mutual authentication, confirming that the remote computer is the one configured in Active Directory. Only then is the password change request passed to the Sync Server over the encrypted channel. After the request has been delivered successfully, the local encrypted password change request file is deleted from the queue folder.
Specops Password Sync Server
The Specops Password Sync Server synchronizes new passwords to connected systems.
The Password Change Notifier Service connects to the Specops Password Sync Server over an SSL/TLS connection on TCP port 4377 and sends password change requests to it. When a Sync Server is contacted by the Notifier, it verifies with Kerberos mutual authentication that the connecting computer is the expected Domain Controller. Once the request is validated, the password is encrypted with DPAPI under the Sync Server's System credentials and added to the SQL CE database located in:
%LocalAppData%\Specops Password Sync\SpecopsPasswordSync.sdf
Sync Server TCP IP Ports
The Sync Server uses two ports for communication on the internal network.
Port | Description |
---|---|
TCP/4377 | Password Sync job communication between the Notifier Service and the Sync Server (HTTPS). |
TCP/4378 | Used when the admin tool communicates with the Sync Server (net.tcp). |
The port settings are stored in the service configuration file “PasswordSync.Server.exe.config” in the service installation directory. You can change the port numbers by editing the port part of the base addresses in the following section of the file:
<!-- Notifier job listener: the port in this base address is TCP/4377 by default. -->
<service
    name="Specopssoft.PasswordSync.Server.HttpPasswordChangeListener"
    behaviorConfiguration="SpsServiceBehavior">
  <host>
    <baseAddresses>
      <add baseAddress="https://SRV01.specops.demo:4377/SPS"/>
    </baseAddresses>
  </host>
</service>
<!-- Admin tool endpoint: the port in this base address is TCP/4378 by default. -->
<service
    name="Specopssoft.PasswordSync.Server.SyncServerAdminHost"
    behaviorConfiguration="DevelopmentSpsServiceBehavior">
  <host>
    <baseAddresses>
      <add baseAddress="net.tcp://SRV01.specops.demo:4378/SPS"/>
    </baseAddresses>
  </host>
</service>
<!-- The <host>/<baseAddresses> wrappers are the standard WCF structure around the
     <add baseAddress=...> elements; keep them as they appear in your own file. -->
Once you have modified the port numbers, save the file and restart the Sync Server service. Port changes made by editing this file, and any matching firewall rules you created by hand, are not preserved by an upgrade: you will need to apply them again afterwards.
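The following PowerShell script is an added example, not part of the Specops documentation or product. Run on the Sync Server, it reads the base addresses from PasswordSync.Server.exe.config, checks that the host is listening on each configured port, that an enabled inbound firewall rule covers the port, and that the host name in the base address is the server's own FQDN (the name the Domain Controller verifies with Kerberos). It is also a quick way to confirm that port edits and firewall rules survived an upgrade. The configuration file path is an assumption; adjust it to your service installation directory.

```powershell
# Added example (not from the Specops documentation): verify the Sync Server's
# configured endpoints against the running host and the Windows Firewall.
# $configPath is an assumption; point it at the service installation directory.
$configPath = 'C:\Program Files\Specopssoft\Specops Password Sync\PasswordSync.Server.exe.config'

[xml]$config = Get-Content -Path $configPath -Raw

# Collect every base address declared under a <service> element. XPath is used so
# the script does not depend on the exact nesting of the config file.
$endpoints = foreach ($svc in $config.SelectNodes('//service[@name]')) {
    foreach ($add in $svc.SelectNodes('.//add[@baseAddress]')) {
        $uri = [uri]$add.GetAttribute('baseAddress')
        [pscustomobject]@{
            Service = $svc.GetAttribute('name')
            Scheme  = $uri.Scheme   # https = Notifier job channel (4377), net.tcp = admin tool (4378)
            Host    = $uri.Host
            Port    = $uri.Port
        }
    }
}

# The Domain Controller verifies the Sync Server's identity with Kerberos mutual
# authentication, so the host name in the base address should be this server's
# own FQDN rather than an alias.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$report = foreach ($ep in $endpoints) {
    # Is anything bound on the configured port?
    $listening = Get-NetTCPConnection -State Listen -LocalPort $ep.Port -ErrorAction SilentlyContinue

    # Is there an enabled inbound allow rule that covers the port?
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains [string]$ep.Port } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    [pscustomobject]@{
        Service      = $ep.Service
        Endpoint     = "$($ep.Scheme)://$($ep.Host):$($ep.Port)"
        HostIsLocal  = ($ep.Host -ieq $fqdn)
        Listening    = [bool]$listening
        FirewallRule = if ($rules) { $rules.DisplayName -join '; ' } else { 'NONE' }
    }
}

$report | Format-Table -AutoSize

# The https listener is served by HTTP.sys, which needs a certificate bound to the
# port; without it the Notifier's SSL/TLS session cannot be established. Bindings
# on a specific address or hostname:port do not match this filter; run
# 'netsh http show sslcert' without arguments to list every binding.
foreach ($ep in $endpoints | Where-Object { $_.Scheme -eq 'https' }) {
    Write-Host "HTTP.sys certificate binding for port $($ep.Port):"
    netsh http show sslcert "ipport=0.0.0.0:$($ep.Port)"
}
```

A row with Listening=False after a port change usually means the service was not restarted; FirewallRule=NONE after an upgrade is the symptom the documentation warns about. To check the other side of the connection, run Test-NetConnection -ComputerName SRV01.specops.demo -Port 4377 on each Domain Controller that has the Password Change Notifier installed, substituting the primary and then the secondary Sync Server for the Sync Point.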