Specops Password Policy

Introduction

Specops Password Policy™ is a product designed to overcome one of the major security issues in Active Directory regarding password management, namely the limitation that only one set of password complexity rules can be used per Active Directory domain. This limitation results in a least-common-denominator solution to password settings, where security normally gives way to the usability needs of end users. Specops Password Policy adds the ability to meet the usability needs of end users while still enforcing complex password rules for accounts that require stronger protection. Examples of accounts for which complex passwords need to be enforced are:

  • Administrative accounts that are not used in day-to-day operations. These accounts should have extremely complex passwords, so complex that they are impossible to remember once they have been used; such passwords are normally written down, locked away and used only when needed. Examples of such accounts are the members of Enterprise Admins or Domain Admins in a root domain.
  • Service accounts that run on servers and workstations in the security context of a user account. These accounts are normally very powerful: for example, if the Exchange service account is compromised, all information stored in Exchange is available to the attacker. These accounts should have passwords of the same complexity as the most powerful administrative accounts.
  • Administrative accounts that are used in day-to-day operations, for example to edit Group Policy Objects or to add, manage and delete user accounts. These accounts need passwords that are complex, but it must be possible to remember them without writing them down.
  • End users with access to sensitive information stored in databases, files and so on. These accounts need passwords that resemble those of the operational administrators.

Protecting important accounts with complex passwords is becoming more and more important as hardware performance steadily increases. The more powerful the hardware, the easier it is to perform so-called brute-force or hybrid cracking attacks. Such attacks can recover non-complex passwords in minutes.

Background

In a Windows Server 2000/2003 domain the password policy for all domain users is implemented at the domain level; hence a Windows Server 2000/2003 domain can have only one password policy for all users in the domain. Configuring these policy settings at any other level in Active Directory will only affect local user accounts on member servers and workstations. If there are groups that require separate password policies, they must be segmented into another domain or forest, based on any additional requirements.

By default, workstations and servers joined to a domain — the domain member computers — also receive the same account policy for their local accounts. However, local account policies for member computers can be differentiated from the domain account policy by defining an account policy for the organizational unit that contains the member computers.

Licensing

There are three types of licenses for Specops Password Policy. The different license types are Trial, Affected and All. An Affected or All license can be purchased from Specops Software, a Specops Software Reseller or Partner. These license types use a per-domain and per-user model.

Trial

The trial license has all the features of the product enabled. The license has no limit on the “number of seats” it can be used for, but it has an expiration date. When that date has passed the product will stop working.

Affected

The affected license has no expiration date but is limited to the “number of seats” that have been purchased.

The number of purchased licenses is compared to the number of users that are affected by a password policy.

All

The all license has no expiration date but is limited to the “number of seats” that have been purchased.

The number of purchased licenses is compared to the total number of normal user accounts that are enabled in the domain.
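The following PowerShell script is an added example and is not part of Specops' product or documentation. It illustrates two points from the page: the Background section's statement that a Windows 2000/2003 domain carries a single password policy, which this script reads directly from the domain head over ADSI (the attributes minPwdLength, pwdHistoryLength, pwdProperties, maxPwdAge and lockoutThreshold), and the All license model, which compares purchased seats against the number of enabled normal user accounts (the script counts them with an LDAP query on sAMAccountType and the disabled bit of userAccountControl). It assumes it runs on a domain-joined Windows machine as a user allowed to read the domain head; the $PurchasedSeats parameter and its default are hypothetical placeholders, not a real license figure.

```powershell
# Added example, not Specops' code. Reads the single domain-level password
# policy from the domain naming context over ADSI (no AD PowerShell module
# required) and counts enabled normal user accounts for an "All" license check.
# Assumption: run on a domain-joined host by a user who can read the domain head.
param(
    [int]$PurchasedSeats = 500   # hypothetical placeholder, not a real license count
)

# Locate the domain naming context and bind to the domain head object.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# maxPwdAge is stored as a negative count of 100-nanosecond ticks.
# Int64.MinValue (0x8000000000000000) means "passwords never expire".
function ConvertFrom-AdInterval {
    param([int64]$Ticks)
    if ($Ticks -eq [int64]::MinValue -or $Ticks -eq 0) { return 'never' }
    return [TimeSpan]::FromTicks(-$Ticks)
}

# The ADSI adapter exposes ConvertLargeIntegerToInt64 for IADsLargeInteger values.
$maxAgeTicks = $domain.ConvertLargeIntegerToInt64($domain.maxPwdAge.Value)

# Bit 0 of pwdProperties is DOMAIN_PASSWORD_COMPLEX (the "complexity" setting).
$pwdProperties = [int]$domain.pwdProperties.Value

$policy = New-Object PSObject -Property @{
    Domain             = $domainDn
    MinPasswordLength  = [int]$domain.minPwdLength.Value
    PasswordHistory    = [int]$domain.pwdHistoryLength.Value
    ComplexityRequired = (($pwdProperties -band 1) -eq 1)
    MaxPasswordAge     = ConvertFrom-AdInterval $maxAgeTicks
    LockoutThreshold   = [int]$domain.lockoutThreshold.Value
}

# Count enabled normal user accounts: sAMAccountType 805306368 selects normal
# user objects; the OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching
# rule, used here to exclude accounts with the ACCOUNTDISABLE bit (2) set.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.PageSize = 1000
$searcher.Filter   = '(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
$enabledUsers = $searcher.FindAll().Count

# Report the one domain password policy and the license comparison.
$policy | Format-List Domain, MinPasswordLength, PasswordHistory, ComplexityRequired, MaxPasswordAge, LockoutThreshold
"Enabled normal user accounts: $enabledUsers (purchased seats: $PurchasedSeats)"
if ($enabledUsers -gt $PurchasedSeats) {
    Write-Warning "An 'All' license of $PurchasedSeats seats would be exceeded by $($enabledUsers - $PurchasedSeats) accounts."
}
```

Because the script reads the domain head rather than any Group Policy Object, the values it prints are the settings that actually apply to every domain user; an account policy linked to an organizational unit does not appear here, which is consistent with the Background section's point that such a policy only affects local accounts on member computers. The user count uses paged search so it also works in large domains.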

Current version

4.6
Updated: November 21st 2011