Utilizing DumpSec (formerly DumpACL) to Obtain PWAge and Scale Back to Conformity

DumpSec (formerly DumpACL) is an auditing tool for permissions, users, and groups that allows the domain administrator(s) to see specific actionable infomation in an easily readable format. This tool was created by a company called SomarSoft and has proved to be beneficial in Windows Active Directory (AD) environments across the globe.

The tool can be used to obtain a plethora of user account variables, including the last time the password was set and when the password expires. This information can be useful for auditing the environment while determining new practices and policies regarding password aging.

This image shows the password’s last set time and expiration time for the displayed users. This gives administrators an at-a-glance look at information for every user that falls within the search criteria pertaining to their environment’s security. Accounts with no logins, no expiration, or exceptionally old passwords pose a potential security threat to the network.

If an administrator changes their environment’s maximum password age from one year (365 days) to three months (90 days), many users will fall within the 90-365 day password age range and will be immediately flagged for an inconenient password change. Incremental implementation of more stringent policies allows fewer users to be impacted at the same time, reducing helpdesk support volume and giving users more time to change their password. Using nFront’s Password Expiration Service, administrators would be able to generate reports of users who have passwords expiring within a specified amount of time. Not only will the report generate for administrators, but users can also receive warnings at three specified intervals, such as 3, 7, and 14 days prior to a password change being forced due to password age. Using tools like DumpSec in collaboration with automated tools like nFront Password Expiration Service empowers businesses to have a secure and stress-free password policy that provides ample information and warning prior to being inconvenienced by a forced password change.

Twitter Digg Delicious Stumbleupon Technorati Facebook Email

Comments are closed.