Overview

Specops Password Auditor scans your Active Directory and detects security-related weaknesses, specifically related to password settings. The collected information is used to display multiple interactive reports containing user and password policy information. The reports include, among others, a summary of accounts using compromised passwords, duplicated passwords, comparisons of your organization's password settings with industry standards and best practices according to multiple official standards.

Specops Password Auditor will only read information from Active Directory, it will not make any changes. It will read the Default Domain Password Policy, any Fine-Grained Password Policies, as well as any Specops Password Policies (if installed).

NOTE
To be able to read Fine-Grained Password Policies, and the password hashes for the Breached Password Protection, Identical Passwords or Blank Password reports, you will need domain administrator privileges in Active Directory.

The following user account attributes will also be read:

  • pwdLastSet
  • userAccountControl
  • lastLogonTimestamp

Alt text for this image

Reports


The following is a list of reports you can view/export from Specops Password Auditor tool.

Blank Passwords

This report identifies user accounts with blank passwords. These accounts are affected by a policy without a password requirement.

Breached Passwords

This report identifies user accounts with passwords that are known to be compromised (when analyzed against the breached password list you download when initiating a Password Auditor scan). The accounts in this list should be prompted to change their password.

NOTE
The Breached Passwords report does not use clear text passwords. The MD4 hashes of the compromised passwords is compared to the hashes of the passwords from the domain. The hashes are not stored, they are read and kept in memory by Specops Password Auditor.

Identical Passwords

Use this report to identify groups of user accounts that have the same password. Admin users who use the same password for their normal user accounts and their admin accounts increase their attack surface. The accounts in this list should be prompted to change their password. Clicking on any cell in the list will reveal a table with all the accounts in that particular group.

Password Age

This report shows a tabled list of all passwords with a column showing when the password was last changed. This can be useful when trying to determine which accounts have changed their password after a known breach.

Admin Accounts

Provides a tabled list of accounts with admin privileges. Use this report to identify whether admin privileges are used appropriately (granted to users performing tasks that span across Active Directory domains, or activities that require elevated permissions). Delete unnecessary admin accounts and consider a delegated Active Directory security model to follow best practice.

Stale Admin Accounts

Shows a tabled list of admin accounts that have not been accessed for a specific period of time. To adjust the time period since the last activity (from 30 to 360 days from the present), use the slider at the top. Use this report to audit unused accounts. Dormant accounts should be deleted as they can be leveraged by attackers to access resources without being noticed.

Password Not Required

Shows a tabled list of user accounts that either have the control flag for not requiring a password set, or are affected by a password policy that does not specify a minimum password length. The accounts in this list indicate serious security holes within your organization.

Password Never Expires

Provides an overview of accounts that have their passwords set to never expire. These can be more vulnerable to attack if the user is reusing this password elsewhere.

Expiring Passwords

Provides a list of all accounts with information on when the password for the account is set to expire within a certain time frame. The time until expiration can be set by adjusting the slider at the top, from 10 to 365 days from report generation. The list can be viewed as a table or a chart. Toggle between the two views by selecting the desired view in the View dropdown at the top. Anticipating the expiration with a contingency plan can be effective for curbing password reset calls.

Expired Passwords

Provides a tabled list of all passwords that have been expired for an extended period of time. Password that have been expired for an extended period of time can indicate stale accounts. By default, accounts with the flag “User must change password at next logon” set are excluded in the list. To include these accounts, select the radio button at the top.

Password Policies

Use this report for an overview of your password policies including change interval, dictionary enforcement, as well as entropy (relative strength). The overview shows password policies per domain and GPO. Entropy measures the effectiveness of the policy in resisiting brute-force attacks.

The following settings are used to determine the maximum entropy.

  • Minimum length= 16 characters
  • At least one of each of the following:
    • Lower case
    • Upper case
    • Digit
    • Special Character

Any policy with as strong, or stronger settings will be displayed as having “maximum” strength.

See our blog post on password entropy for more information.

Password Policy Usage

Report providing a graphical overview of users affected by each password policy.

Password Policy Compliance

Use this report to measure your password policies against industry and compliance recommendations. The report provides a table with one row per domain and GPO, with indicators for every major industry standard, such as MS Research, NIST and NCSC. Three compliance levels are identified (Non Compliant, Partially Compliant, and Fully Compliant). Clicking on the compliance icon will allow you to compare your individual policy rules with the rules in the standard.