One of several significant advancements introduced with the Windows Server 2008 domain functional level is the ability to configure multiple password policies targeting arbitrarily selected Active Directory users or global groups. While this new functionality, referred to as Fine-Grained Password Policies, brings long-awaited flexibility to the rigid security structure that used to influence the design of the forest hierarchy (forcing the creation of additional domains whenever non-uniform rules governing password history, age, length, complexity or lockout behavior were required), its benefits remain somewhat limited. In particular, because of the functional-level dependency, implementing it requires that all domain controllers run Windows Server 2008. In addition, because Fine-Grained Password Policies lack a friendly graphical interface, administrators must resort to the fairly cumbersome ADSIEdit console whenever a custom policy definition or configuration is needed.
Furthermore, the scope of these policies is determined by global group membership rather than by the location of a target user within a designated Organizational Unit, which further complicates their management (for a more detailed overview of Fine-Grained Password Policies, refer to our ServerWatch article on this subject).
If these shortcomings are not acceptable to you, or if you are looking for more advanced password-related capabilities (such as automatic notifications to users whose passwords are about to expire, or customizable rules governing password complexity), you might want to consider taking advantage of third-party offerings that go beyond the limited set of features built into the operating system.
In this article, we will present an overview of one such solution developed by Special Operations Software. It consists of two complementary products, Password Policy and Password Reset, which together provide comprehensive password management in Active Directory domains.
Special Operations Software specializes in products targeting Windows environments, with the intention of filling functionality and manageability gaps in the original feature sets designed by Microsoft. In general, its portfolio can be grouped into several broader categories, such as system management, compliance or security, based on the type of need they address, with a certain degree of overlap between them.
This article will focus on the last of these groups, represented primarily by two of the vendor's arguably best known products, marketed as Specops Password Policy (available also in a free Basic flavor) and Specops Password Reset. We will exclude from our discussion Active Directory Janitor, which also falls into the same category. The first of them delivers granular, customizable management of password policies, integrated fairly transparently into the Active Directory Group Policy framework. The primary purpose of the latter is to allow end users to reset their own passwords and unlock their accounts, limiting the need for Helpdesk involvement in resolving these types of incidents.
From the architectural standpoint, Specops Password Policy consists of several components. The most critical one, called Sentinel, runs on every domain controller in a target domain, ensuring compliance with custom policy rules whenever a password change or reset takes place. The custom policy is assigned from designated administrative computers (with the Password Policy Admin software installed) via an extra snap-in for the Group Policy Editor, appearing as a separate node (labeled Specops Password Policy) located under the Windows Settings subnode of the User Configuration node.
Its settings can be assigned ad hoc or derived from a template whose content has been previously defined via the Specops Domain Administration console. The definition consists of a variety of options: password length requirements (minimum and maximum); character group requirements (the minimum number of different character groups, drawn from digits, lower- and upper-case letters, special characters and Unicode characters); a match against an arbitrary regular expression; password content restrictions (disallowing the use of portions of the user name, digits as the first or last character, or consecutive identical characters); dictionary word exclusions; password history (dictating the number of remembered passwords and the minimum password age, as well as disallowing incremental passwords); password expiration (maximum password age and an expiration warning delivered either at logon or via e-mail); password reset (requiring the user to change the password at next logon, allowing automatic unlocking of the account, and ignoring the current policy during a password reset); and a custom client message displayed during password change.
Since the resulting restrictions become part of the User Configuration node of a Group Policy Object, they function in the same manner as other group policy settings. For this reason, they can be linked to individual Organizational Units and, if desired, limited through security filtering to specific domain users or groups only. Note, however, that resulting passwords must comply not only with the custom restrictions imposed by Specops password definitions but also with the domain-wide, built-in password policy imposed via the domain-level GPO. In addition, if you decide to install the optional Active Directory Users and Computers extension, you will be able to determine the password policies affecting individual user accounts (via the Specops Password Policy... entry in the context-sensitive menu of their objects displayed in the management console) from administrative systems where Specops Password Policy Admin is present.
Finally, there is an optional client component (implemented as a Windows Installer package that can be deployed to arbitrary target computers via Group Policy), which enhances the end-user experience by displaying a notification about password complexity requirements whenever an attempt to change the password fails (stating explicitly which of them has not been satisfied).
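To make the rule categories above concrete, the following added example (not the product's own code or API) evaluates a candidate password against a rule set modelled on those categories, reports every rule it violates the way the client notification does, and shows why a change must pass both the built-in domain policy and the custom policy. The PasswordRules fields, the sample dictionary and the sample password history are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Hypothetical rule set modelled on the option categories listed above (names are assumptions).
@dataclass
class PasswordRules:
    min_length: int = 8
    max_length: int = 64
    min_char_groups: int = 3            # of: digit, lower, upper, special
    forbid_username_parts: bool = True  # any 3-character slice of the user name
    forbid_edge_digits: bool = True     # digit as first or last character
    forbid_repeats: bool = True         # consecutive identical characters
    forbid_incremental: bool = True     # old password with only its digits changed
    dictionary: set = field(default_factory=set)
    history: list = field(default_factory=list)  # remembered old passwords

def _char_groups(pw):
    return sum(1 for g in (r"\d", r"[a-z]", r"[A-Z]", r"[^\w\s]") if re.search(g, pw))

def _is_incremental(pw, old):
    # "Summer1!" -> "Summer2!": identical once every digit is removed
    strip = lambda s: re.sub(r"\d", "", s).lower()
    return pw != old and strip(pw) != "" and strip(pw) == strip(old)

def check_password(pw, username, rules):
    """Return the names of every rule the candidate violates (empty list = OK)."""
    failed = []
    if not rules.min_length <= len(pw) <= rules.max_length:
        failed.append("length")
    if _char_groups(pw) < rules.min_char_groups:
        failed.append("character groups")
    u, low = username.lower(), pw.lower()
    if rules.forbid_username_parts and any(u[i:i + 3] in low for i in range(len(u) - 2)):
        failed.append("contains part of user name")
    if rules.forbid_edge_digits and (pw[:1].isdigit() or pw[-1:].isdigit()):
        failed.append("digit as first or last character")
    if rules.forbid_repeats and re.search(r"(.)\1", pw):
        failed.append("consecutive identical characters")
    if any(word in low for word in rules.dictionary):
        failed.append("dictionary word")
    if pw in rules.history:
        failed.append("password history")
    if rules.forbid_incremental and any(_is_incremental(pw, old) for old in rules.history):
        failed.append("incremental password")
    return failed

def check_against_all(pw, username, policies):
    # The domain policy and the custom policy both apply; report each failure with its origin.
    return [f"{name}: {r}" for name, rules in policies for r in check_password(pw, username, rules)]
```

Pass a list of (name, rules) pairs to check_against_all, for example a permissive rule set standing in for the domain-level GPO followed by the stricter custom one.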
Specops Password Reset is, in essence, a self-service Web portal that gives end users the ability to reset their passwords and unlock their accounts. Its security (besides standard SSL-based encryption, which protects network communication between the Internet Explorer session running on a client and the ASP.NET Web application) relies on confidential information provided by the account owner (in the form of answers to predefined or custom questions selected by that user during initial enrollment), an optional mobile verification code (delivered to the user's mobile device in response to a password change request), or a combination of the two.
Its infrastructure consists of one or more (in larger, distributed environments) instances of Internet Information Services (hosting the target web site with its ASP.NET code), a back-end server (referred to in Special Operations Software documentation as a remoting server) responsible for interaction with Active Directory and hosting the Password Reset Admin tools, as well as (assuming the mobile verification code approach is used) a third-party messaging service.
The client module helps users navigate to the Web locations assisting with enrollment and password changes. It also provides a shortcut to a web page intended for Helpdesk staff, simplifying the activities involved in password resets (in particular, verifying a user's identity, sending a verification code, or autogenerating a password that meets the user's password complexity requirements). Most importantly, the client software modifies the initial logon screen by adding a Reset Password... link, allowing users to access the corresponding Web page via a securely configured browser without the need to log on, which obviously would be challenging without a valid set of credentials.
The risk of unauthorized access through this logon-screen entry point can be minimized by configuring an account lockout threshold, with each incorrectly answered question counting toward its limit. As with the Password Policy implementation, Password Reset settings are applied via Group Policy using the Specops Password Reset Group Policy Editor snap-in, located under the Windows Settings subnode of the User Configuration node, and therefore can be linked to individual Organizational Units (and restricted to specific user accounts via security group filtering), limiting their impact to designated portions of your Active Directory domain.
Operations invoked through the Web interface on behalf of users and Helpdesk staff are carried out in the security context of a designated Specops Password Reset Server service account running on the remoting server. In this case the vendor followed the principle of least privilege, refraining from use of the Domain Admins group and instead relying on a set of individual permissions: membership in the local Administrators group, the ability to create and delete users' classStore child objects and list all other child objects, to read their userAccountControl attribute, reset their passwords, unlock them and force a password change at next logon, as well as to read the GPO objects defining Specops Password Reset settings.
Note that this step can be configured automatically for you as part of the installation process, which is further simplified by the Setup Assistant launched automatically after you invoke the self-extracting executable available from the Special Operations Software Web site (this copies the source files to the local drive).
The scalability and redundancy of the Specops Password Policy and Password Reset suite rely to a large extent on the inherently distributed nature of Active Directory (since its Sentinel as well as the respective Group Policy settings are present on every domain controller), eliminating the need for dedicated hardware. In addition, because of the Group Policy-based implementation, you have the option of specifying a distinct Password Reset URL in each Group Policy Object associated with a different group of target users, giving you the ability to localize and load balance Web traffic.
Both products are licensed on a per-user basis, in either ALL or AFFECTED mode (note that in either arrangement, disabled accounts are not counted), with the former well suited to the majority of deployments and the latter geared toward environments where more stringent password requirements must be applied only to selected (and relatively few) user accounts. All software components are available in 32-bit and 64-bit versions. Those installed on the server side require Windows Server 2003 or Windows Server 2008 (Windows XP and Vista are supported only for testing purposes), while the client programs expect computers running Windows 2000 (Server or Professional) SP4 or newer.
In addition, you must install Microsoft Management Console 3.0 and the Group Policy Management Console on every administrative workstation (to run the Specops administrative tools and manage Specops GPO settings). .NET Framework 3.5 must be installed on your Password Reset Web server. In order to introduce custom menus in Active Directory Users and Computers, the products modify display specifiers in the Configuration partition of Active Directory (a change which, incidentally, is fully reversible); however, neither of them requires extending its schema. Besides relying on GUI-based utilities, you also have the option of leveraging .NET programming and vendor-provided PowerShell cmdlets to manage the custom password policy and reset functionality.