Specops Password Policy

---

In the bottom left of the Domain Adminstration tool, you can see information on the signed in user. It will show the current user's name, as well as the role that user is running as (Domain Admin or Specops Password Policy Admin Group).

Roles and permissions

As Domain Admin you can perform all tasks in Specops Password Policy. The Specops Password Policy Admin Group permissions are restricted to the following:

• Enable/disable SPP in the domain
• Edit some of the Domain Settings:
  • Configure SMTP and sending test emails for the SMTP configuration
  • Configure custom user attributes
  • Select another DC for User counting
  • Enable/disable ”Save password with reversible encryption”
• Manage Arbiters
• Download Express list
• Start Express scan
• Update language files
• Update the license (First time add will still require Domain Admin)
• Get a limited view of the Sentinel status on the Password Policy Sentinel menu (Only if Web API is enabled on a DC, to get correct version status will still require Domain Admin)

---

The top menu, indicated by your domain name, includes the following sections:

• Change domains: switch between available domains.
• Change domain controller: switch between available domain controllers.
  NOTE

  Note that the list of domain controllers in the Name column can be sorted by clicking on the column header.
• Disable and enable Specops Password Policy: Applied to your entire domain and determines whether the Sentinel processes incoming password changes.
• License: provides an overview of the relevant information for the current license. It includes the following information:
  • Account name: the name of the account in the license file.
  • Used seats: number of seats currently in use.
  • Features: features included in the license.
  • Last periodic scan: date and time the last periodic scan was performed.
• Import license file: allows you to import new licesnses.

---

You can use the Password policies menu to perform the following tasks:

• Create a new Password Policy, or associate an existing policy with a new GPO.
• View the list of all Group Policy Objects in your domain that contain password policy settings.
• Get an overview of the password policy rules associated with each GPO listed.
• Edit an existing policy.
• Remove a policy from a GPO.

Creating a new Password Policy

1. Click Create New Password Policy
2. Select an existing GPO by clicking its name in the Group Policy Object list, or click New Group Policy Object… to create a new GPO to link to this OU and policy.Note that when you create a new GPO, you will get the option to name it, as well as associate it with an existing Organizational Unit. By default the GPO will apply to all users in the group. You can also filter which users the GPO applies to by adding security groups.
3. Click OK.
4. Select a template from the list, or choose Custom if you want to create a policy from scratch, then click Next.
5. Configure the policy, then click OK.

For more information on policy configuration, please refer to the Policy Settings section.

Editing an existing policy

1. Select the GPO whose policy you want to edit in the Password Policy column.
2. Click Edit Policy
3. Edit the policy, then click OK.

For more information on policy configuration, please refer to the Policy Settings section.

Removing a policy from a GPO

1. Select the GPO whose policy you want to remove in the Password Policy column.
2. Click Remove Policy.
3. In the confirmation pop-up, click Yes. The policy will be removed from the list.

---

You can use the Domain Settings menu to perform the following tasks:

• Check and edit security groups: check the Length based password aging reader group, and create or check the Specops Password Policy Admins Group (see below)
• SMTP Settings: Here the global SMTP settings for all email notifications can be configured. The following settings need to be configured:
  NOTE

  It is recommended to configure the SMTP settings in the Domain Administration tool before making any changes to the email templates in the Group Policy snap-in. If the SMTP settings have not been set in the Domain Administration tool, applying changes to the mail templates in the Group Policy snap-in will show a warning informing the administrator that the SMTP settings have to be configured in the Domain Administration tool.
  • Email Sending System: Sentinel Service or Arbiter
  • The SMTP Server
  • Use TLS: if enabled, communication between the client and the SMTP server are encrypted)
  • Port (port outgoing emails are to be sent through; default is port 25
  • Authentication: sets the method for authenticating with the SMTP server: Anonymous Access, Basic Authentication, or Integrated Windows Authentication
  • Default Sender Email Address
  • Default Sender Display Name
  • Admin Notification Email Address

  For more information on all notification settings, please refer to the Notifications page.

• Custom user attributes
  If email and telephone number in Active Directory are not stored in the standard email and mobile fields, respectively, they can be overridden here.
• Advanced security settings

  Save previous password with reversible encryption: Allows you to save the user’s previous password with reversible encryption in Active Directory.
  Reversible encryption is needed for the following settings:

  • Disallow reusing part of the current password
  • Minimum number of changed characters
    NOTE

    If the checkbox isn’t checked, the password is saved with one way encryption.

Creating the Specops Password Policy Admins Group

1. Cleck the Create button next to Specops Password Policy Admins Group.
2. You can accept the recommended name an location where the group is created, or change them. Location can be changed by entering the distinguished name of a container.
   NOTE

   The distinguished name can also be copied from the properties of the container in Active Directory. Note that the name and location of this security group can also be changed after creation. Changes after creation are made in Active Directory.
3. Click OK.

---

The Sentinel Service is always installed as part of Specops Password Policy. It is installed as part of the Specops Password Policy Sentinel MSI and should be installed on all writable domain controllers in the Active Directory Domain. It is responsible for user counting, password expiration and Breached Password Protection Complete. If Breached Password Protection Complete is used, the Sentinel Service is accessed from all writable domain controllers. Otherwise, it is accessed only on the DC used for user counting, which by default is the PDC emulator.

You can use the Password Policy Sentinel menu to verify that you have installed the Sentinel on all writable domain controllers. If you notice a domain controller is missing the Sentinel component, you can:

• Run the Setup Assistant again to install it, or
• Manually install the Sentinel Component on the affected domain controller

Checking the Sentinel status

Sentinel status can be checked both in the Setup Assistant, as well as in the Domain Administration Tool.

Checking the status in the Domain Administration Tool

1. Click on Password Policy Sentinels.
2. Click on the Domain Controller you want to check.
   NOTE

   The domain controllers column can be sorted by clicking on the column header.
3. In the table to the right, you can see two statuses: General status (whether the Sentinel is installed and up-to-date on this DC), and Service status (see status messages list below).

Checking the status in the Setup Assistant

1. Click on Domain Controller Sentinel.
2. Right-click on the Sentinel state column for the DC you want to check, and choose Show Details.
3. The pop-up message shows two statuses: General status (whether the Sentinel is installed and up-to-date on this DC), and Service status (see status messages list below).

Sentinel status messages

• Unreachable
• Access Denied
• Unknown error
• Not installed
• Old version
• Newer version installed
• Reboot required
• OK

Sentinel status sorting

In order to make Sentinels that require your attention more identifiable in long lists of Domain Controllers in the table, the list is displayed dynamically. Those sentinels whose status is not OK, will show up at the top of the table. The table sorts on Sentinel status first, then on name.

Enabling and disabling the Sentinel Web API

For information on how to to enable or disable the Sentinel Web API, please refer to the Password Policy Sentinel page.

---

The Specops Password Arbiter is used as part of Specops Password Policy. It is responsible for Breached Password Protection Complete and notifications through the cloud based Specops BPP API. It can also be used for sending SMTP email, if so configured. If you are using any of the features that requires an Arbiter, at least one Arbiter must be installed. The Arbiter requires internet connectivity to the Specops BPP API. It is recommended to install Arbiters on servers that are not domain controllers. While one Arbiter for the entire AD domain is sufficient in many cases, it is possible to install multiple Arbiters (e.g. to have one or two Arbiters per site in Active Directory) in order to minimize roundtrips.

The table in this section lists all installed Arbiters provides information on their status. The following information is available for all Arbiters:

• Server name: the name of the server the Arbiter is installed on.
• Sites: sites associated with this Arbiter.
• Online: shows if the Arbiter is reachable.
• Version: version number for the Arbiter.
• API Key: indicator showing if an API Key is associated with this Arbiter.
• Actions: button for additional actions performed on the Arbiter.

Actions

The Actions button (...), provides access to a number of operations that can be performed on any Arbiter.

Importing an API Key

1. Click on the Actions button for the Arbiter.
2. Choose Import API key from the dropdown.
3. Copy the API Key you received into your clipboard
   NOTE

   Make sure to include both the starting tag (--- BEGIN API KEY ---) as well as the end tag (--- END API KEY ---)
4. Paste the complete API Key in the Add API key window.
   NOTE

   If the API key was copied to the clipboard before the window was opened, the application will automatically paste the key into the window.
5. Click OK.

Showing Arbiter cloud information

Shows the cloud URL associated with the Arbiter.

1. Click on the Actions button for the Arbiter.
2. Choose Show cloud information from the dropdown.

Testing the Arbiter's cloud connection

Tests the Arbiter's connection to the Breach Protection API.

1. Click on the Actions button for the Arbiter.
2. Choose Test cloud connection from the dropdown.

Configuring sites

Active Directory sites are often used for managing organizations that have branches spread across geographical locations but fall under the same domain. It is a solution to geographically manage an Active Directory network without changing the logical structure of the environment. Sites are physical groupings of well-connected IP subnets that are used to replicate information among domain controllers.

In order to better control what Arbiter is accessed by each (geographical) location/site, you can associate sites in your structure with particular domain controllers. Arbiters can be configured for one or more sites in your structure. This means that the domain controllers in the site will connect to those Arbiters in the same site.

1. Click on the Actions button for the Arbiter.
2. Choose Configure sites from the dropdown.
3. Select the checkbox for the site(s) you want to set as preferred for this Arbiter.
   NOTE

   The Arbiter in the Select Arbiter preselected with the Arbiter whose Action button you clicked. You can also choose a different Arbiter in the dropdown.
4. Click Save

Unregistering an Arbiter

1. Click on the Actions button for the Arbiter.
2. Choose Unregister Arbiter from the dropdown.
3. Click Yes in the Unregister Arbiter window. The Arbiter will disappear from the list of Arbiters.

Registering a new Arbiter

You can have multiple Arbiters installed in your structure. While one Arbiter for the entire AD domain is sufficient in many cases, it is possible to install multiple Arbiters (e.g. to have one or two Arbiters per site in Active Directory) in order to minimize roundtrips. See also the section on Configuring sites above.

1. Make sure the Arbiter MSI you want to add is installed on the appropriate server.
2. Click the Register new Arbiter button.
3. In the Select computer window, type the name of the server where the Arbiter is installed. Use the Check names button to identify the correct computer.
4. Click OK.

---

Periodic Scanning is scheduled to be performed once a day by the selected domain controller. It checks license information, as well as flags accounts for some major policy events, such as password expiration and breached password protection.

Schedule

The schedule section shows when periodic scanning is set to run every day. Note that the time indicated is the local time zone of the selected domain controller.

Editing the Periodic scan domain controller and time

1. In the Periodic scan section, click the Edit button.
2. Click the Select Domain Controller button in the Selected domain controller section.
   1. Using the radio button, select either:
      • Select PDC Emulator
      • Select from writable Domain Controllers
   2. If Select from writable Domain Controllers was selected, Select your preferred domain controller in the list.
   3. Click OK.
3. In the Selected time section, select at which time the periodic scan should run.
   NOTE

   The default time for periodic scan is set to 12:05 AM.
4. Click OK.

Periodic Scanning in progress

This section indicates whether or not a periodic scan is currently in progress. When a periodic scan is in progress, it can be stopped by clicking the Abort button.

Whenever a periodic scan is running, a progress bar will be visible indicating how much of the scan has been performed.

Last Periodic Scan Result

The results of the last periodic scan performed can be viewed here.

Main

This section shows when and on which domain the periodic scan was performed. It also lists the number of accounts processed and whether this was a scheduled or a manual scan.

License Validation Job

Shows the total number of user accounts and how many of those are affected by a Specops Password Policy GPO.

Password Expiration Job

This section shows the number of accounts flagged to require changing their passwords, as well as the notifications associated with those password expiration events.

Breached Password Protection Express Job

This sections lists information regarding accounts that are affected by Breached Password Protection Express.

Breached Password Protection Complete Job

This sections lists information regarding accounts that are affected by Breached Password Protection Complete.

Initiating a manual periodic scan

1. Click the Start New button.
2. In the Compromised Password Scanning window, choose which jobs you want the scan to perform. The following jobs can be selected:
   • License Validation Job
   • Password Expiration Job
   • Breached Password Protection Express Job
   • Breached Password Protection Complete Job
   NOTE

   At least one job needs to be selected in order to start the scan.
3. Click the Start scanning button.
4. Click Close.
   NOTE

   The scan will continue even when you close this window.

---

You can use the Language files menu to update to new versions of language files. This will only update if there are new versions of language files available on the computer where the Domain Administration tool is installed after an upgrade.

Usage

The language files are used to display all text to users when they are trying to change their password. If a language file matching the language of the user's language settings (system) is detected, that language will be used for display purposes. If no matching language file exists, the default language, English, will be used.

The language files are stored on the domain controllers.

Available languages

The following languages are available:

• English (default)
• Azerbaijani
• Chinese (simplified)
• Chinese (traditional)
• Czech
• Danish
• Dutch
• Finnish
• French
• German
• Hindi
• Hungarian
• Italian
• Japanese
• Korean
• Norwegian
• Polish
• Portuguese
• Romanian
• Russian
• Serbian
• Slovak
• Slovenian
• Spanish
• Swedish
• Thai
• Turkish
• Ukranian
• Welsh

---

You can use the Password policy templates node to create a new password policy template, or view an existing template with NIST, NCSC, Microsoft, and NSA recommendations. A password policy template will help keep your policy settings consistent throughout your domain.

Viewing existing templates

1. Expand the Password policy template menu by clicking the plus icon.
2. Select an existing template in the list to view its settings.

Creating a new Password Policy Template

1. Click New Password Policy Template.
2. In the Template name field, enter a name for the template.
3. In the Description field, enter a description for the template.
4. Specify the settings, and click Save.

Using an existing password policy template

1. In the Group Policy Management Editor expand User Configuration, Policies, Windows Settings node, and select Specops Password Policy.
2. Click Create New Password Policy from Template. Select a Password Policy Template to use for the Group Policy.
3. If the Microsoft or NSA templates are selected, you will be taken to the policy settings page for additional configuration options. If the NIST, and NCSC templates are selected, you will be prompted to:
   1. Create a list of disallowed words.
   2. Download the password dictionary for the template. The dictionary is a combination of password lists designed for penetration tests.
   3. Set a maximum password age for users affected by the policy to proactively check against password dictionaries, and prevent the creation of vulnerable passwords. This is a Specops recommendation that can help you stay protected against the latest dictionary lists.
   4. If the NCSC template is selected, you will be prompted to set a minimum password length for users affected by the policy.
   5. You will be taken to the policy settings page for additional configuration options. Click OK when you are done.

---

You can use Specops Password Auditor to scan your Active Directory and detect security related weaknesses, specifically related to password policies.

Click Start Specops Password Auditor to get started.

For more information about Specops Password Auditor, click here.

---

Breached Password Protection Complete

With Specops Breached Password Protection Complete you can make sure that users cannot use passwords that are known to be compromised.

Note that Specops Breached Password Protection Complete is handled by the Arbiter. Access the Password Policy Arbiters menu to view information and to import API keys.

In the Password Policy Arbiters menu in the Domain Administration Tool you can:

• Import API Key
• Test cloud connection
• Unregister
• Register a new Arbiter

Breached Password Protection Express

The Breached Password Express list is a large collection of compromised passwords that you can download in order to prevent users from using any passwords on the list. In the Domain Administration Tool you can:

• Download the latest version of the list