Managing service accounts and service account passwords can become overwhelming even in small environments running a large number of Windows Services controlling business-critical applications.
Insecure practices in dealing with service accounts, such as passwords that do not expire and identical passwords, can create security risks.
Authentication and password security are more important than ever. This audit tool scans your Active Directory and identifies password-related vulnerabilities. The collected information generates multiple interactive reports containing user and password policy information. Specops Password Auditor is a read-only program.
Specops Password Auditor is a great free tool that helps gain visibility into Active Directory account security issues in the environment. It can quickly identify accounts, including service accounts, that have the "password never expires" flag set or that share identical passwords.
Specops Password Auditor scans your Active Directory and detects security-related weaknesses, specifically those related to password settings. The collected information is used to display multiple interactive reports containing user and password policy information. The reports include a summary of accounts using leaked passwords and comparisons of the password settings in your organization with industry standards and best practices according to multiple official standards.
Specops Password Auditor will only read information from Active Directory; it will not make any changes. It reads the Default Domain Password Policy, any Fine-Grained Password Policies, and any Specops Password Policies (if installed).
Note: To be able to read Fine-Grained Password Policies, and the password hashes for the Breached Password Protection, Identical Passwords or Blank Password reports, you will need domain administrator privileges in Active Directory.
The following user account attributes will also be read:
- pwdLastSet
- userAccountControl
- lastLogonTimestamp
Reports
The following is a list of reports you can view or export from the Specops Password Auditor tool.
- Breached Passwords
Use this report to identify user accounts with passwords that are known to be leaked. The accounts in this list should be prompted to change their password.
Note: The Breached Passwords report does not use clear-text passwords. The MD4 hashes of the leaked passwords are compared to the hashes of the passwords from the domain. The hashes are not stored; they are read and kept in memory by Specops Password Auditor.
- Identical Passwords
Use this report to identify groups of user accounts that have the same password. Admin users who use the same password for their normal user accounts and their admin accounts increase their attack surface. The accounts in this list should be prompted to change their password.
- Blank Passwords
Use this report to identify user accounts with blank passwords. These accounts are affected by a policy without a password requirement.
- Admin Accounts
Use this report to identify whether admin privileges are used appropriately (granted to users performing tasks that span across Active Directory domains, or activities that require elevated permissions). Delete unnecessary admin accounts and consider a delegated Active Directory security model to follow best practice.
- Stale Admin Accounts
Use this report to audit unused accounts. Dormant accounts should be deleted, as they can be leveraged by attackers to access resources without being noticed.
- Password Not Required
Use this report to identify user accounts with the control flag for not requiring a password, or those affected by a password policy without a minimum password length. The accounts in this list indicate serious security holes within your organization.
- Expiring Passwords
Use this report to keep track of password expiration. Anticipating the expiration with a contingency plan can be effective for curbing password reset calls.
- Password never expires
Use this report to keep track of accounts that have their passwords set to never expire. These can be more vulnerable to attack if the user is reusing this password elsewhere.
- Expired Passwords
Use this report to identify user accounts with expired passwords. Passwords that have been expired for an extended period of time can indicate a stale account.
- Password Policies
Use this report for an overview of your password policies, including change interval, dictionary enforcement, as well as relative strength.
*The following settings are used to determine the maximum strength:
  - Minimum length = 16 characters
  - At least one of each of the following: lower, upper, digit, special character
Any policy with as strong, or stronger, settings will be displayed as having “maximum” strength.
- Password Policy Usage
Use this report for a graphical overview of users affected by each password policy.
- Password Policy Compliance
Use this report to measure your password policies against industry and compliance recommendations.
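As an added example (not Specops code), the following shows how the three attributes the tool reads (pwdLastSet, userAccountControl, lastLogonTimestamp) map onto the Password never expires, Password Not Required, Expired Passwords and Stale Accounts reports above, run over constructed sample records; the 90-day maximum password age and the 90-day staleness threshold are assumptions, not values from the page.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Windows values); 0x200 is NORMAL_ACCOUNT
ACCOUNTDISABLE, PASSWD_NOTREQD, DONT_EXPIRE_PASSWD = 0x0002, 0x0020, 0x10000
# AD stores pwdLastSet / lastLogonTimestamp as 100-ns ticks since 1601-01-01 UTC; 0 means "never"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):  # AD FILETIME integer -> UTC datetime, None when 0
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
def datetime_to_filetime(dt):  # inverse conversion, used only to build the sample below
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def audit_accounts(accounts, now, max_password_age, stale_after=timedelta(days=90)):
    """Sort enabled accounts into the report buckets the tool derives from these attributes."""
    reports = {"password_never_expires": [], "password_not_required": [],
               "expired_passwords": [], "stale_accounts": []}
    for acct in accounts:
        uac, name = acct["userAccountControl"], acct["sAMAccountName"]
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts are out of scope here
        never_expires = bool(uac & DONT_EXPIRE_PASSWD)
        if never_expires:
            reports["password_never_expires"].append(name)
        if uac & PASSWD_NOTREQD:
            reports["password_not_required"].append(name)
        pwd_set = filetime_to_datetime(acct["pwdLastSet"])
        # pwdLastSet == 0 means "must change password at next logon": count it as expired
        if not never_expires and (pwd_set is None or now - pwd_set > max_password_age):
            reports["expired_passwords"].append(name)
        # lastLogonTimestamp replicates lazily (default: only once >14 days old), so use it for thresholds only
        last_logon = filetime_to_datetime(acct["lastLogonTimestamp"])
        if last_logon is None or now - last_logon > stale_after:
            reports["stale_accounts"].append(name)
    return reports

# Constructed sample records (not real directory data), shaped like an LDAP export
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
_ago = lambda days: datetime_to_filetime(NOW - timedelta(days=days))
def _rec(name, uac, pwd_days, logon_days):  # logon_days=None stands for lastLogonTimestamp 0
    return {"sAMAccountName": name, "userAccountControl": uac, "pwdLastSet": _ago(pwd_days),
            "lastLogonTimestamp": 0 if logon_days is None else _ago(logon_days)}
SAMPLE_ACCOUNTS = [
    _rec("svc_backup", 0x10200, 900, 2),      # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    _rec("jdoe", 0x200, 120, 1),              # plain account, password older than 90 days
    _rec("temp_contractor", 0x220, 10, 200),  # NORMAL_ACCOUNT | PASSWD_NOTREQD, 200 days idle
    _rec("old_admin", 0x202, 500, None),      # NORMAL_ACCOUNT | ACCOUNTDISABLE, skipped
]

def run_sample():  # audit the sample with an assumed 90-day maximum password age
    return audit_accounts(SAMPLE_ACCOUNTS, NOW, timedelta(days=90))
```

The same classification can be applied to a real export of these attributes; the tool's Blank Passwords and Identical Passwords reports additionally need the password hashes, which is why they require domain administrator privileges.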