There are many ways to learn about new technologies, and this article explores one of the options: learning from video games. Spec Ops is a game in which you play an elite soldier who must take down terrorists on their own terms. It’s based off real life missions that soldiers have taken part in. The goal of the game is for players to understand how military forces deal with complex environments when faced with challenging enemies
Specops is a password auditor that can be used to help users find out if their passwords are safe. Specops will also tell you if your passwords have been compromised by hackers. Read more in detail here: specops password auditor.
Welcome back to the ATA Learn with Me series on using Specops to safely manage Active Directory (AD) credentials! If you’ve missed any of the prior posts, you can catch up right here. Today, we’ll look at how to use Specops’ Password Auditor tool to enforce AD password best practices.
Users will continue to supply their username and password to get into their AD domain-joined PCs until the industry gets around to deleting passwords for good. And system administrators and information security specialists will continue to be concerned about striking the right balance between convenience and security.
For many businesses, ensuring safe passwords for all important AD accounts is a huge challenge. As a company expands, the fight becomes more intense. Users keep their passwords written down in ‘password diaries,’ and they write them down on sticky notes.
A user may be utilizing the same domain admin password across several online services if the password isn’t put in plain language in Joe, HR Director’s password book. Regardless of how secure your AD credentials are, if they are stolen as a result of an assault on a more susceptible service, attackers will have a significant edge when entering your business.
To Stay Ahead of the Game, Audit Your Passwords
Enforcing rigorous password restrictions and regular password audits are two of the greatest methods to keep your AD credentials safe. Password restrictions prohibit unsafe passwords, while frequent audits verifies that the policies are working properly and may also compare your AD passwords to lists of passwords that have been known to be hacked.
During my first encounter with Specops’ Password Auditor tool, I noticed that it not only checks and reports on faulty password rules, but it can also match known-compromised passwords to your Active Directory credentials.
There are both free and paid options in Password Auditor. All of the features I discuss in this essay are entirely free.
This application seems to be an excellent resource for securing AD passwords, since it supports the National Cyber Security Centre’s (NCSC) hacked password list, as well as other sources.
Check out the video below if you’d rather learn about Password Auditor via a screencast.
Specops’ Password Auditor Tool Setup
One of the things I enjoy about Password Auditor is how easy it is to use. The first screen you see when you launch the tool, for example, is shown below. A one-button page is unbeatable! This tool immediately detects the domain and domain controller I’m using since I’m using it on my lab domain controller.
I’ll press the Start button and see what happens.
Specops’ Password Auditor Tool Setup
On the next page, I may immediately download the most recent list of credentials that have been compromised. These passwords were gathered from the NCSC’s extensive password database as well as other sources. I’ll choose to download the list of files, specify a place for the passwords to be downloaded, and then click Start Scanning.
One of the most important aspects of Password Auditor is its ability to match known-Passwords that have been compromised to your AD credentials and generate a report.
the ability to match known-Passwords that have been compromised to your Active Directory credentials
Password Issues in Active Directory are being investigated.
Password Auditor began scanning AD as soon as I completed the basic setup panels. You may view it below:
- Brings all user accounts together in one place.
- All Policies for Passwords are read.
- The password rules that apply to those users are discovered.
- Downloads the most recent password lists that have been hacked.
Make sure the disk you’re downloading the passwords to has at least 5GB of space. In that folder, Password Auditor downloads a large number of.bin files.
Password Issues in Active Directory are being investigated.
Depending on the size of your AD environment and the bandwidth speed of your Internet connection, the whole scan and breach list download will take a few minutes.
Examining Scan Results
When the scanning is finished, you’ll see a screen with the results of the numerous tests Password Auditor ran. Two of my user accounts are presently utilizing passwords discovered on a hacked password list, as seen in the picture below. I also noticed that several of my accounts do not have an expiration date.
I appreciate that Specops tools aren’t bloated with a sophisticated UI, based on what I’ve seen thus far. Each tool is designed to fulfill a certain function and does not contain capabilities that are seldom used.
Examining Scan Results
Passwords that have been compromised
I can then click into each of the groups to drill down for more information. For example, you’ll see that the users using the Passwords that have been compromised are in my Users AD container, they’ve never logged in, and the default domain policy currently applies to them.
Passwords that have been compromised
Compliance with the Password Policy
The Compliance with the Password Policy report was another interesting report I found. You’ll see below that for every password policy in AD, Password Auditor compares it with industry-standard security practices. By clicking on an organization, you can then see exactly where you’re out of compliance.
Password Auditor doesn’t merely search AD for weak passwords, contrary to my expectations. It reaches out to a wide range of people and organizations, offering recommendations for development. This application is ideal for capturing screenshots for management, auditors, or just assessing the effectiveness of password security activities.
Compliance with the Password Policy
Accounts for Admins
Coming from an organization with too many Accounts for Admins, the Accounts for Admins report sure would have come in handy. You must ensure that a limited number of Accounts for Admins exist in AD. You should never provide more permissions than what a user requires (least privilege).
You can see below by drilling into the Accounts for Admins report, Password Auditor provides a list of each user account with a high privilege.
Accounts for Admins
Policies for Passwords
Another interesting report you’ll find in Password Auditor is on Policies for Passwords. Password Auditor reads all domain policies (even fine-grained Policies for Passwords) and inspects them when performing a scan. You can see below that it tells you:
- How frequently is it required by policy to update passwords?
- If it uses a dictionary to prohibit specific passwords from being used,
- Password entropy measures how simple it is for an adversary to guess a password governed by the policy.
This program employs a clever idea called password entropy. This statistic, which is represented by a “strength bar,” indicates how long an attacker would need to guess the password.
Policies for Passwords
Creating a Report from Scan Results
The PDF report, on the other hand, is one of Password Auditor’s hidden jewels. When you click Get PDF Report, you’ll be sent to a professional-looking report that details every password security problem discovered throughout the scan. The report that I generated may be seen here.
SpecopsPasswordAuditorReport 8212021 447PM.pdf
Creating a Report from Scan Results
To be honest, I wasn’t anticipating such a comprehensive, professional-looking report. The data that Password Auditor collects and the report that it makes from that data may be comparable to that of much more costly software.
Conclusion
The Password Auditor from Specops is a simple but efficient tool for gathering information about your AD passwords. The tool’s UI is basic, leading you to feel there isn’t much value here at first. But it was only after I viewed the PDF file that the value became clear to me.
Password Auditor is much more than a basic password scanner. This program delivers relevant information not just from AD, but also from other industry-standard sources, which it compares to AD. Even better, it delivers the specifics and actions required to resolve the faults it discovers.
Specops is a command-line tool that allows users to search and download app packages from the iOS App Store. Specops also allows users to manage their apps, such as deleting them or downloading new versions of them. Reference: specops tools.
Related Tags
- specops login
- specops password policy
- specops logo
- spec ops
- special operations