Sysadmin Magazine March 2022 FR


SysAdmin MAGAZINE

Password Security:
Top Tips and Tactics
Contents SysAdmin Magazine March 2022

SysAdmin Magazine
70 March ‘22

SysAdmin Magazine is a free source of knowledge for IT Pros who are eager to keep a tight grip on network security and do the job faster.

The Sysadmin Magazine team

Contents

5 Top Local Administrator Password Solution (LAPS) Tips
How to Set and Manage Active Directory Password Policy
How to Create, Change and Test Passwords Using PowerShell
What Is Password Spraying, and How Can You Spot and Block Attacks?
How to: Get a List of Users with Password Never Expires
Tool of the Month: Netwrix Password Policy Enforcer


5 Top Local Administrator Password Solution (LAPS) Tips

Jeremy Moskowitz
Founder & CTO of PolicyPak Software (now part of Netwrix)

The local Windows administrator account is a coveted target for hackers and malware. There are potentially a lot of bad things that can happen if a hacker can crack the local admin account of one of your servers.

Dreadful things usually occur when someone downloads a malicious malware strain using the administrator account as well. The magnitude of these problems is amplified even more if the default administrator account on every similar machine uses the same password.

You can have the most complex password in the world, but once it is compromised on one machine, it is open season for all other devices using the same local admin credentials.

Of course, you could customize the local admin credentials for every Windows device, but that can prove highly time-consuming, not to mention the task of inventorying the many credential sets. The process becomes virtually unworkable when you enable password refreshes (which you should, of course). This is why many admins often just disable it.

But it’s understandable to have some type of local admin account to “walk up and fix the machine”, like resetting its domain trust relationship or hardcoding an IP address, and so on.

If having the same local admin password on each machine is a terrible idea, what can be done about it?

Tip 1: Use Microsoft Local Administrator Password Solution (LAPS)

Microsoft Local Administrator Password Solution (LAPS) is a Microsoft tool that gives AD administrators the ability to manage the local account password of domain-joined computers and store them in AD.

When implemented via Group Policy, LAPS creates a random password of a defined length and complexity that is cryptographically secure and different every time, on every machine. It then applies the newly created password to the Local Administrator account and records the password in a secure field in your Active Directory schema. The password can then be retrieved when access to the account is needed. The process is done automatically whenever a Group Policy defined password refresh is due.

LAPS does have a few requirements to implement it:

• It only applies to Windows devices
• Devices must be domain joined
• It requires a free Group Policy client-side extension
• It requires a schema extension (don’t freak out.)
• It only works for the local admin account
• It only works for ONE local admin account (in case you have more than one.)


Tip 2: LAPS and Group Policy

As mentioned, LAPS is deployed using Group Policy, which means it requires the creation of a GPO. You first need to download LAPS which you can do here.

Then use the wizard to install it on your Group Policy Management machine. You’ll want to do this by hand, and typically NOT in some automated way.

Make sure you at least select the GPO Editor Templates in order to access the necessary ADMX files. The fat client is a graphical user interface that gives a user with applicable rights the ability to query the password for a designated device. You only need to install the Management Tools, and not the “AdmPwd GPO Extension” on your machine (the one with the GPMC.)

Next, we need to extend the AD Schema in order to accommodate the local passwords.

The two required attributes are:

ms-Mcs-AdmPwd – Stores the password in clear text

ms-Mcs-AdmPwdExpirationTime – Stores the time to reset the password

To update the schema, simply import the AdmPwd PowerShell module and use the update-AdmPwdADSchema command as shown below.

You must then go into your local PolicyDefinitions folder and copy the AdmPwd.admx and AdmPwd.adml files and paste them into your AD central store. (Check this video on this process).


The next step is to create a computer side GPO. For this example, I will call it LAPS Policy. The LAPS settings will now appear under Computer Configuration > Administrative Templates > LAPS where 4 settings are available as is shown below.

You can use your LAPS GPO to manage the password for either the default local admin or a custom local admin account. Below I have enabled the “Enable local admin password management” setting.

If you have renamed the local admin account (which you should), you can then specify the updated name. Once the admin account is selected, the final step is to enable the Group Policy setting which configures the password settings (that include password length and age.)

Once configured, simply deploy the LAPS client-side-extension software via your desired software deployment method, like PDQ Deploy. You only need the “GPO Extension” part if you’re going to do an initial test by hand. You can see this here.

You can also use PolicyPak to gain more control over the deployment process. More on that in just a minute.

Tip 3: Getting Passwords when needed via LAPS

So, the day comes that you need to know what the current generated password is for one of your Windows machines. How do you do it? There are several ways. One is to use the following PowerShell command.

    Get-AdmPwdPassword -ComputerName "name of computer"

If you installed the LAPS Fat Client, you can access the LAPS UI application in your start menu.
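Because ms-Mcs-AdmPwd holds the password in clear text, who can read that attribute matters as much as the password policy itself. The following is an added example, not code from the article: it uses the AdmPwd.PS cmdlets that ship with the LAPS management tools to delegate and then audit read access, and to spot machines whose password refresh is overdue. The OU, group names and the approved-reader list are hypothetical values to replace with your own.

```powershell
# Added example (not from the original article). Run from the machine where
# the LAPS Management Tools (AdmPwd.PS module) are installed.
Import-Module AdmPwd.PS

# Hypothetical values: replace with your own OU and security groups.
$Ou              = 'OU=Workstations,DC=ad,DC=contoso,DC=com'
$ReaderGroup     = 'CONTOSO\LAPS-Readers'
$ApprovedReaders = @('NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins', $ReaderGroup)

# 1. Allow computers in the OU to write their own password and expiration
#    attributes, and allow exactly one group to read the stored password.
Set-AdmPwdComputerSelfPermission -OrgUnit $Ou
Set-AdmPwdReadPasswordPermission -OrgUnit $Ou -AllowedPrincipals $ReaderGroup

# 2. Audit: list every principal that can read the clear-text attribute and
#    flag the ones that are not on the approved list.
$unexpected = foreach ($entry in (Find-AdmPwdExtendedRights -Identity $Ou)) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        if ($holder -notin $ApprovedReaders) {
            [pscustomobject]@{ ObjectDN = $entry.ObjectDN; Principal = $holder }
        }
    }
}
if ($unexpected) {
    Write-Warning 'Principals outside the approved list can read LAPS passwords:'
    $unexpected | Format-Table -AutoSize
}

# 3. Find managed computers whose password should already have been rotated.
#    Only the expiration time is selected, so no password is printed.
$now = Get-Date
Get-ADComputer -SearchBase $Ou -Filter * |
    ForEach-Object { Get-AdmPwdPassword -ComputerName $_.Name } |
    Where-Object { $_.ExpirationTimestamp -lt $now } |
    Select-Object ComputerName, ExpirationTimestamp
```

An overdue expiration time usually means the client-side extension is missing on that machine or the GPO is not reaching it.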


Tip 4: Assign Granular LAPS Policies to Users via Item-Level Targeting

PolicyPak offers all of the ADMX template settings in its PolicyPak Admin Templates Manager and we update them at the time of every new ADMX release. There’s a lot of advantages to using Admin Templates Manager versus standard Group Policy.

PolicyPak uses Group Policy Editor as is shown below but adds a secret superpower.

The key benefit is that PolicyPak can utilize Item-level Targeting for any Group Policy setting, including LAPS. If you are familiar with Group Policy Preferences, then you already know how ILT provides a lot more granularity concerning policy assignment. For instance, let’s say that all of the local admin accounts residing on your servers are named ServAdm1n and you want to create a separate LAPS policy for those admins. Since those aren’t admin domain accounts, you can’t target them using group policy but you can use ILT to target those machines running Windows Server 2016.


Now let’s make a LAPS policy for C-Level executive laptops. Naturally, we would want to have a strong password for those local admin accounts. In this case, I want to enforce 20-character passwords using the strongest complexity. Then I will use ILT to target the C-Level security group. As you can see in the screenshot below, there are many targetable options including computer name, OU Match, Site Match, computer form factor (Laptop vs. Desktop) and more!

As a bonus, while traditional GPOs created within the Group Policy Editor can normally only be deployed using Group Policy, PolicyPak settings can be deployed using a number of ways such as SCCM, KACE or your preferred MDM service. You can learn more about that process by watching this video that demonstrates the process of delivering Group Policy settings, without the Group Policy engine itself.


Tip 5: Pair LAPS with PolicyPak Least Privilege Manager

Local Administrator Password Solution is a great tool to tighten administrative access to your most important machines. In fact, it also makes a great pairing with PolicyPak Least Privilege Manager. PolicyPak Least Privilege Manager completely removes the need to have local admin rights, enabling Standard Users to do special functions like an admin… but without actual admin rights.

Together, you could enforce LAPS on all of your enterprise machines … since you won’t be needing local admin access any longer.

In the end, whatever you can do with Group Policy, you can do it better with PolicyPak. Implement LAPS and add PolicyPak and get more security, power, and agility.


How to Set and Manage Active Directory Password Policy

Jeff Melnick
IT Security Expert, Blogger

With cyberattacks exploding around the world, it’s more important than ever for organizations to have a robust password policy. Hackers often gain access to corporate networks through legitimate user or admin credentials, leading to security incidents and compliance failures. In this article, we will explore how to create and maintain a strong and effective Active Directory password policy.

How Attackers Compromise Corporate Passwords

Hackers use a variety of techniques to compromise corporate passwords, including the following:

▪ Brute force attack — Hackers run programs that enter various potential password combinations until they hit upon the right one.
▪ Dictionary attack — This is a specific form of brute force attack that involves trying words found in the dictionary as possible passwords.
▪ Password spraying attack — Hackers enter a known username or other account identifier and try multiple common passwords to see if they work.
▪ Credential stuffing attack — Hackers use automated tools to enter lists of credentials against various company login portals.
▪ Spidering — Malicious users collect as much information as possible about a hacking target, and then try out password combinations created using that data.

How to View and Edit Active Directory Password Policy

To defend against these attacks, organizations need a strong Active Directory password policy. Password policies define different rules for password creation, such as minimum length, details about the complexity (like whether a special character is required), and the length of time the password lasts before it must be changed.

Default Domain Policy is a Group Policy object (GPO) that contains settings that affect all objects in the domain. To view and configure a domain password policy, admins can use the Group Policy Management Console (GPMC). Expand the Domains folder and choose the domain whose policy you want to access, and then choose Group Policy Objects. Right-click the Default Domain Policy folder and select Edit. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.

Alternatively, you can access your domain password policy by executing the following PowerShell command:


    Get-ADDefaultDomainPasswordPolicy

Remember, any changes you make to the default domain password policy apply to every account within that domain. You can create and manage fine-grained password policies using the Active Directory Management Center (ADAC) in Windows Server.

Understanding AD Password Policy Settings

Here are the six password policy settings and their default values:

▪ Enforce password history — Default is 24. This setting specifies the number of unique passwords users must create before reusing an old password. Keeping the default value is recommended to reduce the risk of users having passwords that have been compromised.

▪ Maximum password age — Default is 42. This setting establishes how long a password can exist before the system forces the user to change it. Users typically get a pop-up warning when they reach the end of their password expiration period. You can check this setting through PowerShell by executing the command net user USERNAME /domain. Keep in mind that forcing frequent password changes can lead to users writing their passwords down or adopting practices like appending the month to a stem word they reuse, which actually increases security risks. Setting “Maximum password age” to 0 means that passwords never expire (which is generally not recommended).

▪ Minimum password age — Default is 1 day. This setting specifies how long a password must exist before the user is permitted to change it. Setting a minimum age keeps users from resetting their password repeatedly to circumvent the “Enforce password history” setting and reuse a favorite password immediately.

▪ Minimum password length — Default is 7. This setting establishes the fewest number of characters a password can have. While shorter passwords are easier for hackers to crack, requiring really long passwords can lead to lockouts from mistyping and to security risks from users writing down their passwords.

▪ Complexity requirements — Default is Enabled. This setting details the types of characters a user must include in a password string. Best practices recommend enabling this setting with a minimum password length of at least 8; this makes it harder for brute force attacks to succeed. Complexity requirements typically require the password to include a mix of:
  • Upper or lowercase letters (A through Z and a through z)
  • Numeric characters (0–9)
  • Non-alphanumeric characters like $, # or %
  • No more than two symbols from the user’s account name or display name

▪ Store passwords using reversible encryption — Default is Disabled. This setting offers support for apps that require users to enter a password for authentication. Admins should keep this setting disabled because enabling it would allow attackers familiar with how to break this encryption to log into the network once they compromise the account. As an exception, you can enable this setting when using Internet Authentication Services (IAS) or the Challenge Handshake Authentication

Fine-Grained Policy and How It’s Configured

Older versions of AD allowed the creation of just one password policy for each domain. The introduction of fine-grained password policies (FGPP) in later versions of AD has made it possible for admins to create multiple password policies to better meet business needs. For example, you might want to require admin accounts to use more complex passwords than regular user accounts. It’s important that you define your organizational structure thoughtfully so it maps to your desired password policies.

While you define the default domain password policy within a GPO, FGPPs are set in password settings objects (PSOs). To set them up, open the ADAC, click on your domain, navigate to the System folder, and then click on the Password Settings Container.

NIST SP 800-63 Password Guidelines

The National Institute of Standards and Technology (NIST) is a federal agency charged with issuing controls and requirements around managing digital identities. Special Publication 800-63B covers standards for passwords. Revision 3 of SP 800-63B, issued in 2017 and updated in 2019, is the current standard.

These guidelines provide organizations with a foundation for building a robust password security infrastructure. NIST recommendations include the following:

• Require user-generated passwords to be at least 8 characters long (6 for machine-generated ones).
• Allow users to create passwords up to 64 characters long.
• Allow users to use any ASCII/Unicode characters in their passwords.
• Disallow passwords with sequential or repeated characters.
• Do not require frequent password changes. Although for years, many organizations have required users to change their passwords frequently, this policy often leads to users making incremental changes to a base password, writing their passwords down, or experiencing lockouts because they forget their new passwords. Accordingly, the latest NIST 800-63B standards call for using password expiration policies carefully. More recent research suggests that better alternatives include using banned password lists, using longer passphrases and enforcing multi-factor authentication for additional security.

AD Password Policy Best Practices

More broadly, administrators should make sure to:

• Set a minimum password length of 8 characters.
• Establish password complexity requirements.
• Enforce a password history policy that looks back at the last 10 passwords of a user.
• Make the minimum password age 3 days.
• Reset local admin passwords every 180 days (consider using the free Netwrix Bulk Password Reset tool for that).
• Reset device account passwords during maintenance once per year.
• Require passwords for domain admin accounts to be at least 15 characters long.
• Set up email notifications to let users know passwords are set to expire (the free Netwrix Password Expiration Notifier tool can help).
• Consider creating granular password policies to link up with specific organizational units instead of editing the Default Domain Policy settings.
• Use banned password lists.
• Use password management tools to store multiple passwords.
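The checks in the best-practices list can be run against the live policy instead of being read off the GPMC by eye. The following is an added example, not code from the article: the function name, the report layout and the constructed sample object are assumptions, while the property names are the ones returned by Get-ADDefaultDomainPasswordPolicy and Get-ADFineGrainedPasswordPolicy. The thresholds (8 characters, history of 10, minimum age of 3 days, 15 characters for domain admins) are the article's own values.

```powershell
# Added example (not from the original article).
function Test-PasswordPolicyBaseline {
    param(
        [Parameter(Mandatory)] $Policy,          # default domain policy or a PSO
        [string] $Name         = 'Default Domain Policy',
        [int]    $MinLength    = 8,              # article: minimum length of 8
        [int]    $HistoryCount = 10,             # article: last 10 passwords
        [int]    $MinAgeDays   = 3               # article: minimum age of 3 days
    )
    $checks = [ordered]@{
        "Minimum password length >= $MinLength"    = $Policy.MinPasswordLength -ge $MinLength
        'Complexity requirements enabled'          = [bool]$Policy.ComplexityEnabled
        "Password history >= $HistoryCount"        = $Policy.PasswordHistoryCount -ge $HistoryCount
        "Minimum password age >= $MinAgeDays days" = $Policy.MinPasswordAge.TotalDays -ge $MinAgeDays
        'Reversible encryption disabled'           = -not $Policy.ReversibleEncryptionEnabled
        'Maximum password age is not 0'            = $Policy.MaxPasswordAge -ne [TimeSpan]::Zero
    }
    foreach ($check in $checks.GetEnumerator()) {
        [pscustomobject]@{ Policy = $Name; Check = $check.Key; Pass = $check.Value }
    }
}

function Get-DomainPasswordPolicyReport {
    # Call this on a domain-joined machine with the ActiveDirectory module.
    Import-Module ActiveDirectory
    Test-PasswordPolicyBaseline -Policy (Get-ADDefaultDomainPasswordPolicy)
    foreach ($pso in (Get-ADFineGrainedPasswordPolicy -Filter *)) {
        # PSOs linked to Domain Admins are held to the 15-character rule.
        $length = if ($pso.AppliesTo -match '^CN=Domain Admins,') { 15 } else { 8 }
        Test-PasswordPolicyBaseline -Policy $pso -Name "PSO: $($pso.Name)" -MinLength $length
    }
}

# Constructed sample: the six default values listed in the article, so the
# function can be tried without a domain controller.
$adDefaults = [pscustomobject]@{
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    ReversibleEncryptionEnabled = $false
}
Test-PasswordPolicyBaseline -Policy $adDefaults -Name 'AD defaults (constructed)' |
    Format-Table -AutoSize
```

Run against the constructed defaults, the length and minimum-age checks fail: an untouched domain policy does not meet the list above.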


For more information, read our password policy best practices for strong security in AD.

▪ Don’t write down passwords. Instead, pick strong passwords or passphrases you can recall easily, and use password management tools.
▪ Don’t type your password when anyone is watching.
▪ Understand that HTTPS:// addresses are more secure than HTTP:// URLs.
▪ Don’t use the same password for multiple websites that provide access to sensitive information.


How to Create, Change and Test Passwords Using PowerShell

Russell Smith
IT Consultant, PowerShell Expert

Automation is the key to streamlining Active Directory management tasks. In this article, I’ll show you how to create, change and test user passwords with PowerShell scripts.

Installing the AD PowerShell module

Before you can use PowerShell to manage Active Directory, you need to install the Active Directory PowerShell module. If you are using Windows 10 to manage AD, first install the Remote Server Administration Tools (RSAT).

Windows 10 Version 1809

If you are using Windows 10 version 1809, RSAT is included as a Feature On Demand, so you don’t need to download the RSAT package. To enable RSAT in Windows 10 version 1809, run the following command in an elevated PowerShell console:

    Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Microsoft followed the same method for all following OS versions, including Windows 11.

Earlier Versions of Windows 10

If you are using an earlier version of Windows 10, download the appropriate RSAT package from Microsoft’s website:

▪ If you are managing Windows Server version 1803 or 1709, download and install the WS_1803 package.
▪ If you are managing Windows Server 2016 or earlier versions of Windows Server, download and install the WS2016 package.

Once RSAT is installed, start the PowerShell console as a local administrator and enable the AD PowerShell module using this PowerShell command:

    Enable-WindowsOptionalFeature -Online -FeatureName RSATClient-Roles-AD-Powershell

Create credential with password using PowerShell

To create a new user account, use the New-ADUser cmdlet. In the example below, I have hardcoded the ad.contoso.com domain in the $UPN variable. You should change this to match the UPN suffix you want to assign to users.

Provide the user’s first name and last name. The UPN and SamAccountName will then be created by adding a period between the first and last name. Use the following PowerShell script:


    $GivenName = (Read-Host -Prompt "First Name")
    $Surname = (Read-Host -Prompt "Last Name")
    $User = $GivenName+"."+$Surname
    $UPN = $User+"@ad.contoso.com"
    # -AsSecureString keeps the typed password out of the console and history
    $Password = (Read-Host -Prompt "Password" -AsSecureString)
    New-ADUser -Name $User -SamAccountName $User -UserPrincipalName $UPN -AccountPassword $Password -GivenName $GivenName -Surname $Surname -Enabled $True

Create new AD user password using PowerShell

The following code will prompt you to specify a username and password. You must enter a username that already exists in AD and a password that meets the domain’s password complexity requirements.

    $User = (Read-Host -Prompt "Username")
    $NewPassword = (Read-Host -Prompt "New Password" -AsSecureString)
    Set-ADAccountPassword -Identity $User -NewPassword $NewPassword -Reset

Change a local user’s password

To change a local user’s password, you need to use the Get-LocalUser and Set-LocalUser cmdlets:

    $Password = (Read-Host -Prompt "New Password" -AsSecureString)
    $User = (Read-Host -Prompt "Username")
    $UserAccount = Get-LocalUser -Name $User
    $UserAccount | Set-LocalUser -Password $Password

Change an AD user’s password

To create a new AD user password using PowerShell, use the following script. You will be prompted to specify the username of an existing AD account and then a new password, which must meet the domain’s password complexity requirements.

    $User = (Read-Host -Prompt "Username")
    $NewPassword = (Read-Host -Prompt "New Password" -AsSecureString)
    Set-ADAccountPassword -Identity $User -NewPassword $NewPassword -Reset

Force a user to change their password at next logon

The Set-LocalUser cmdlet doesn’t support setting a local user account to force a password change at next logon. However, you can achieve the same goal by forcing the password to expire:

    $User = (Read-Host -Prompt "Username")
    $Usrstring = "WinNT://localhost/"+$User
    $usr = [ADSI] $Usrstring
    # Marking the password as expired forces a change at the next logon
    $usr.passwordExpired = 1
    $usr.setinfo()

But you can force users to change their AD account passwords using Set-ADUser:

    $User = (Read-Host -Prompt "Username")
    Set-ADUser -Identity $User -ChangePasswordAtLogon $true


Change an administrator password

To change the AD administrator password, type administrator when you are prompted for a username using the code below:

    $User = (Read-Host -Prompt "Username")
    $NewPassword = (Read-Host -Prompt "New Password" -AsSecureString)
    Set-ADAccountPassword -Identity $User -NewPassword $NewPassword -Reset

To change a local administrator password, type administrator when prompted for a username:

    $Password = (Read-Host -Prompt "New Password" -AsSecureString)
    $User = (Read-Host -Prompt "Username")
    $UserAccount = Get-LocalUser -Name $User
    $UserAccount | Set-LocalUser -Password $Password

Change the “password never expires” attribute

To set the “password never expires” attribute on a local user account, use Set-LocalUser:

    $User = (Read-Host -Prompt "Username")
    Set-LocalUser -Name $User -PasswordNeverExpires $true

To set the “password never expires” attribute on an Active Directory user account, use Set-ADUser:

    $User = (Read-Host -Prompt "Username")
    Set-ADUser -Identity $User -PasswordNeverExpires $true

Change the service account password

To change the logon properties of a service, use the Get-Credential and Set-Service cmdlets. The following code changes the AppReadiness service from using the Local System account to using the username and password that are entered when prompted. Note that the Set-Service -Credential parameter is supported only in PowerShell 6 and later.

    $credential = Get-Credential
    Set-Service -Name "AppReadiness" -Credential $credential

Change a password’s expiration date in Active Directory

If you need to extend the time a user can keep their current password, set the pwdLastSet attribute to the current date, giving them extra time until Active Directory forces them to change their password. Clearing the attribute and then setting it to -1 will set it to the current date and time.

    $Username = (Read-Host -Prompt "Username")
    $User = Get-ADUser $Username -Properties pwdlastset
    # Clear the attribute first, then -1 stamps it with the current date and time
    $User.pwdlastset = 0
    Set-ADUser -Instance $User
    $User.pwdlastset = -1
    Set-ADUser -Instance $User


Bulk password reset

The best way to get users to change their AD passwords is to force a password reset. You can do this in bulk by combining the Get-ADUser and Set-ADUser cmdlets. The command below uses a filter to get users in the “Accounts” organizational unit (OU) and pipes the results to the Set-ADUser cmdlet to force all users in the OU to change their password at next logon.

    Get-ADUser -Filter * -SearchScope Subtree -SearchBase "OU=Accounts,DC=ad,DC=contoso,DC=com" | Set-ADUser -ChangePasswordAtLogon $true

Testing a user’s credentials

If you want to test if a user’s credentials are working, all you need to do is start a process using their username and password. The code below starts cmd.exe using the credentials entered when prompted.

    Start-Process -FilePath cmd.exe /c -Credential (Get-Credential)


What Is Password Spraying, and How Can You Spot and Block Attacks?

Jeff Melnick
IT Security Expert, Blogger

In 2019, a data heist at Citrix shook the cybersecurity world. The attackers stole business documents from a shared network drive and from a drive associated with a web-based tool used in Citrix’s consulting practice. The hackers gained this access to Citrix’s IT infrastructure through a password spraying attack, a technique that exploits weak passwords, leading to criticism that the software giant needlessly compromised its clients by failing to establish a sound password strategy.

Citrix is far from the only enterprise that falls short with password security. When a threat research team scanned all Microsoft user accounts in early 2019, they discovered that 44 million users were using the same usernames and passwords that had already been leaked online after security breaches at other online services. This tendency is alarming, as the 2020 Data Breach Investigations Report reveals that over 80 percent of hacking-related breaches involve either stolen (or lost) credentials or brute-force attacks.

Password spraying attacks cannot be prevented, but they can be detected and even stopped in their tracks. In this article, we explain how this type of attack unfolds, how you can spot attacks in progress and how you can mitigate your risk of becoming the next victim.

What Is a Password Spraying Attack?

Typical brute-force attacks target a single account, testing multiple passwords to try to gain access. Modern cybersecurity protocols can detect this suspicious activity and lock out an account when too many failed login attempts occur in a short period of time.

Password spraying flips the conventional strategy by attempting to log on to multiple user accounts using many common passwords. Trying a single password on many different accounts before attempting another password on the same accounts circumvents normal lockout protocols, enabling the attacker to keep trying more and more passwords.

Unfortunately, password spray attacks are frequently successful because so many users fail to follow password best practices. In fact, the 200 most common passwords leaked in data breaches in 2019 included obvious number combinations such as “12345”, common female first names, and the word “password” itself. Any attacker who targets a sufficiently large number of usernames and works with a large enough bank of common passwords is bound to be able to compromise some accounts.

While casting a wide net is likely to return at least a few successes, today’s savvy hackers rely on a more precise approach. They set their sights on users who use single sign-on (SSO) authentication, hoping to guess credentials that will give them access to multiple systems or applications. They also commonly target users that use cloud services and applications utilizing federated authentication. This approach can enable attackers to move laterally, since federated authentication can help mask malicious traffic.


Once an account has been compromised in a password


spraying attack, the victim may suffer temporary or How to Mitigate the Risk How Netwrix Solutions Can
permanent loss of sensitive information. For organizations,
a successful attack might also mean disrupted operations,
of Falling Victim to a Help
significant revenue losses and reputational damage. Password Spraying Attack The best way to defend your organization against password
While it’s critical to be able to promptly detect successful spraying attacks is to invest in an IT security tool that can
attacks, allowing attackers even brief access to sensitive reliably detect and block these attacks with comprehensive

How to Detect a Password data can prove devastating. A sound cybersecurity strategy
requires a comprehensive, proactive approach that ensures
auditing, alerting and reporting.

Spraying Attack layered protection to block as many attacks as possible. Be Netwrix Auditor can alert you to a wide variety of suspicious
sure to follow these best practices: activity, including events indicative of a password spraying
Although conventional countermeasures might not
attack, so you can respond immediately to protect your
automatically detect password spraying attacks, there are ▪ Require multi-factor authentication for all users.
systems and data. Moreover, it delivers powerful auditing
several reliable indicators to look for. The most obvious is ▪ Ensure all passwords abide by National Institute of
a high number of authentication attempts, especially failed attempts due to incorrect passwords, within a short period of time. Naturally, a closely related indicator is a spike in account lockouts.

In many cases, password spraying leads to a sudden spike in attempted logins involving SSO portals or cloud applications. Malicious parties may use automated tools to attempt thousands of logons within a brief period of time. Often, these attempts come from a single IP address or a single device.

Standards and Technology (NIST) guidelines.

▪ Establish sound policies for resetting passwords after account lockouts.

▪ Develop a defensible password strategy for shared accounts.

▪ Conduct regular user training to ensure all users understand the threat of password spraying and how they can devise and maintain secure passwords.

and reporting. Key features include:

▪ Active Directory auditing and alerting. Netwrix Auditor tracks Active Directory logins and other user activity, including all successful and failed logon attempts. You can set up alerts on activity you deem suspicious, including single actions like a user gaining admin privileges or a sequence of actions within a specified timeframe, such as more than 4 failed login attempts within 1 minute. You can also easily review the full logon history of any user.

▪ User behavior analytics. A consolidated view of unusual activity and ranking of risk actors makes it easier to spot compromised accounts and malicious insiders early, so you can take action to avoid security

▪ User behavior and blind spot analysis. Spot malicious actors sneaking around your environment by easily scrutinizing user activity outside of standard hours, logon attempts by multiple users from a single endpoint, and logon attempts by a single user from multiple endpoints.

Netwrix Auditor also helps you fortify your security posture so you are less vulnerable to password spraying attacks in the first place. In particular, you can:

▪ Enforce password policy best practices with complete visibility into policy settings and alerts on changes.

▪ Track Azure AD password resets to maintain strong security in the cloud.

▪ Discover and secure accounts that do not require passwords or whose passwords are set to never expire.

▪ Identify and disable inactive accounts before they can be exploited by attackers.

In short, with Netwrix Auditor, it’s possible to catch malicious players early on — and proactively block them from getting into your network in the first place.
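The indicators this article names (more than 4 failed logons within 1 minute, many attempts from a single IP address, logon attempts by multiple users from a single endpoint) can be checked with a sliding window over failed-logon records. The following is an added example, not code from the original article or from Netwrix Auditor; the sample records, the column names, the function name `Find-FailedLogonBurst` and the three-account cut-off for calling a burst "spraying" are assumptions.

```powershell
# Constructed failed-logon records (not real data); the column names are assumptions.
$failedLogons = @'
Time,User,SourceIp
2022-03-01T09:00:01,alice,203.0.113.10
2022-03-01T09:00:09,bob,203.0.113.10
2022-03-01T09:00:17,carol,203.0.113.10
2022-03-01T09:00:26,dave,203.0.113.10
2022-03-01T09:00:34,erin,203.0.113.10
2022-03-01T09:05:00,frank,198.51.100.7
2022-03-01T09:05:10,frank,198.51.100.7
2022-03-01T09:05:20,frank,198.51.100.7
2022-03-01T09:05:30,frank,198.51.100.7
2022-03-01T09:05:40,frank,198.51.100.7
2022-03-01T09:10:00,grace,192.0.2.44
2022-03-01T09:40:00,grace,192.0.2.44
'@ | ConvertFrom-Csv | ForEach-Object {
    [pscustomobject]@{ Time = [datetime]$_.Time; User = $_.User; SourceIp = $_.SourceIp }
}

function Find-FailedLogonBurst {
    param(
        [Parameter(Mandatory)] [object[]]$FailedLogon,
        [int]$MaxFailures = 4,                           # alert on MORE than 4 failures ...
        [timespan]$Window = [timespan]::FromMinutes(1),  # ... within 1 minute
        [int]$SprayUserCount = 3                         # assumed cut-off: distinct accounts that indicate spraying
    )
    foreach ($source in ($FailedLogon | Group-Object SourceIp)) {
        $sorted = @($source.Group | Sort-Object Time)
        $start = 0; $worst = $null
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Move the window start forward until the window spans no more than $Window
            while (($sorted[$end].Time - $sorted[$start].Time) -gt $Window) { $start++ }
            $count = $end - $start + 1
            if ($count -gt $MaxFailures -and (-not $worst -or $count -gt $worst.Failures)) {
                $users = @($sorted[$start..$end].User | Sort-Object -Unique)
                $worst = [pscustomobject]@{
                    SourceIp = $source.Name
                    Failures = $count
                    Accounts = $users.Count
                    From     = $sorted[$start].Time
                    Pattern  = if ($users.Count -ge $SprayUserCount) { 'password spraying' } else { 'single-account guessing' }
                }
            }
        }
        if ($worst) { $worst }   # one row per source: its densest burst
    }
}

Find-FailedLogonBurst -FailedLogon $failedLogons | Format-Table -AutoSize
```

To run it against real data, pass failed-logon records parsed from your own event source with the same three fields.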


How-to for IT Pro

HOW TO: GET A LIST OF USERS WITH PASSWORD NEVER EXPIRES

1. Copy, modify and save the following script by using PowerShell ISE:

#Requires -Modules ActiveDirectory
<#
.SYNOPSIS
    Script will scan Active Directory for accounts with expiring passwords
.DESCRIPTION
    Script will scan Active Directory for accounts with expiring passwords
    and will send customized email to users
.PARAMETER Domain
    Specifies which domain the search will be performed against
.PARAMETER Cred
    The PS credential to use to query AD (if not using the logged in credential)
.PARAMETER SearchBase
    The OU path to search for user accounts in.
.PARAMETER PasswordExpirationThreshold
    Accounts whose passwords expire within this number of days will be emailed
.PARAMETER Subject
    Which subject shall be put into email
.PARAMETER From
    Which address shall be used as a FROM field in Email
.PARAMETER EmailServerAddress
    SMTP relay address
.PARAMETER FailoverEmail
    Email address where all errors will be sent to
.PARAMETER LogFilePath
    The path to where the informational log file is generated by this script.
#>
[CmdletBinding()]
Param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [PSCredential]$cred,
    [string]$SearchBase,
    [string]$UserSearchString = '*',
    [int]$PasswordExpirationThreshold = 14,
    [string]$Subject = "Password Expiration Notification",
    [string]$From = "[email protected]",
    [string]$EmailServerAddress = "mail.enterprise.com",
    [string]$FailoverEmail = "[email protected]",
    [string]$LogFilePath = 'D:\Temp\ServiceAccountExpirations.log'
)

begin {
    # Append a timestamped line to the log file
    function Write-Log($Message) {
        $MyDateTime = Get-Date -Format 'MM-dd-yyyy H:mm:ss'
        Add-Content -Path $LogFilePath -Value "$MyDateTime - $Message"
    }
    try {
        # The domain's maximum password age is the basis for every expiry date below
        $MaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy -Server $Domain).MaxPasswordAge.Days
        Write-Log -Message "The max password age for the $Domain domain is $MaxPasswordAge"
        if ($PasswordExpirationThreshold -gt $MaxPasswordAge) {
            throw "The value '$PasswordExpirationThreshold' specified as the password expiration threshold is greater than the max password age for the domain"
        }
        # Single-quoted here-string: the $placeholders stay literal until .Replace() fills them in
        [string]$EmailTemplate = @'
<html> <body>
<font SIZE="6" COLOR="#ff0000"> <p ALIGN="CENTER" style='font-size:20.0pt;font-family:"Times New Roman";color:#CC0000;mso-bidi-font-weight:bold'>Password Expiration Notice</p> </font>
<font style='font-size:14.0pt;font-family:"Times New Roman";color:#1C1C1C;mso-bidi-font-weight:bold'>
<p>Dear $FirstName $LastName,</p>
<p>Your password in <U> $domain </U> domain will expire in $DaysBeforeExpiration days. Please change it as soon as possible to make sure your account does not get locked out. To change your password press CTRL+ALT+DEL and select "Change Password". </p>
<p>Please review the guidelines below as they are necessary for successfully updating your password.</p>
<p>PASSWORD MUST:</p>
<dir>
<p>Be at least 8 total characters</p>
<p>Contain at least one uppercase character</p>
<p>Contain at least one numeral</p>
<p>Not be the same or similar to the last 5 used passwords</p>
<p>Be used for at least 24 hours before changing again</p>
</dir>
<p></p>
<p>If you enter an incorrect password 5 or more times, your account will be locked and you will need to contact the Help Desk for assistance. </p>
</font>
<font SIZE="4" style='font-size:13.0pt;font-family:"Times New Roman";color:#CC0000'>
<p ALIGN="CENTER">*** Please do not respond to this e-mail. <BR>Direct any questions or concerns regarding this issue to the IT Help Desk. <BR> For information on how to contact the Help Desk, please visit
<a HREF="http://helpdesk.enterprise.com"> <font SIZE="4" COLOR="#0000ff"><u> http://helpdesk.enterprise.com/ </u></font> </a></p>
</font>
</body> </html>
'@
    } catch {
        Write-Log -Message $_.Exception.Message
        exit
    }
}

process {
    try {
        # Enabled accounts whose passwords are allowed to expire
        $GetAdUserParams = @{
            'Filter' = { (Enabled -eq $True) -and (PasswordNeverExpires -eq $false) -and (samAccountName -like $UserSearchString)}
            'Properties' = 'PasswordLastSet', 'PasswordExpired', 'PasswordNeverExpires','EmailAddress'
        }
        if ($SearchBase) {
            $GetAdUserParams.SearchBase = $SearchBase
        }
        if ($Cred) {
            $GetAdUserParams.Credential = $cred
        }
        $Today = Get-Date
        # @() keeps .Count correct when zero or one account is returned
        $Users = @(Get-ADUser @GetAdUserParams | Where-Object { $_.PasswordLastSet -and !$_.PasswordExpired })
        Write-Log -Message "Found '$($Users.Count)' total expirable AD user accounts"
        $ExpiringUsers = [System.Collections.ArrayList]@()
        foreach ($User in $Users) {
            $UserPwdExpireDate = $User.PasswordLastSet.AddDays($MaxPasswordAge)
            $DaysUntilExpire = ($UserPwdExpireDate - $Today).Days
            $FirstName = $User.GivenName
            $LastName = $User.Surname
            if ($DaysUntilExpire -le $PasswordExpirationThreshold) {
                Write-Log -Message "The user $($User.samAccountName)'s password will expire in $DaysUntilExpire days"
                # An account without a mail address would make Send-MailMessage fail and end the loop
                if (-not $User.EmailAddress) {
                    Write-Log -Message "The user $($User.samAccountName) has no email address; notification skipped"
                    continue
                }
                $EmailBody = $EmailTemplate.Replace('$FirstName', $FirstName).Replace('$LastName', $LastName).Replace('$DaysBeforeExpiration', $DaysUntilExpire).Replace('$domain', $Domain)
                Send-MailMessage -To $User.EmailAddress -From $From -Subject $Subject -BodyAsHtml $EmailBody -SmtpServer $EmailServerAddress -Priority High -UseSsl
                $ExpiringUsers.Add($User) | Out-Null
            }
        }
        Write-Log -Message "'$($ExpiringUsers.Count)' accounts found with expiring passwords within $PasswordExpirationThreshold days"
    } catch {
        Write-Log -Message "$($_.Exception.Message) - $($_.InvocationInfo.ScriptLineNumber)"
    }
}

2. Automate script execution with Task Scheduler.


TOOL OF THE MONTH

Netwrix Password Policy Enforcer

STOP WORRYING ABOUT WEAK PASSWORDS

Leaked and weak passwords remain a gaping hole in IT networks, making it far too easy for attackers to gain the foothold they need to steal sensitive data, damage systems and unleash ransomware.

Netwrix Password Policy Enforcer strengthens the security of your Microsoft Active Directory environment by enforcing the use of strong passwords. Easily strike the right balance between password security and user productivity for your organization.

Enforce strong passwords with flexible policies and powerful rules

Comply with regulatory requirements for user passwords

Empower users to focus on their jobs, not their passwords


[On-Demand Webinar]

Password123456: Protecting your Active Directory Castle

Hackers love it when we choose weak or leaked passwords for our most important accounts. What if we could better protect our companies by preventing users from picking over 500 million known bad passwords? And better yet, what if we could do this for free?

▪ Download and customize the popular Pwned Passwords list
▪ Incorporate Pwned Passwords into Active Directory for free using the open source PwnedPasswordsDLL project
▪ Build customized lists of additional bad passwords

Daniel Goater, Solution Engineer
Brian Johnson, Security enthusiast/Podcaster

About Netwrix

Netwrix is a software company that enables information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 11500 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers.

For more information visit www.netwrix.com

CORPORATE HEADQUARTER:
300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
PHONES: 1-949-407-5125; Toll-free (USA): 888-638-9749

565 Metro Place S, Suite 400, Dublin, OH 43017
1-201-490-8840

5 New Street Square, London EC4A 3TW
+44 (0) 203 588 3023

OTHER LOCATIONS:
Spain: +34 911 982608
Netherlands: +31 858 887 804
Sweden: +46 8 525 03487
Switzerland: +41 43 508 3472
France: +33 9 75 18 11 19
Germany: +49 711 899 89 187
Hong Kong: +852 5808 1306
Italy: +39 02 947 53539

SOCIAL: netwrix.com/social