2. How Do Password Filters Work?
What is a Password Filter
Why use a Password Filter
The password change process
Programming a Password Filter
The nFront Password Filter solution
3. What is a Password Filter?
• A program that allows administrators to require users to follow certain rules when creating a password.
• The first password filter, PASSFILT.DLL, was provided by Microsoft for Windows NT4.
Technically it is a DLL added to the Windows OS via the registry.
4. Why use a Password Filter?
• The data on your network is only as protected as the weakest user password.
• SANS and the FBI list weak passwords as a top network vulnerability each year.
• Most industry regulations require more granular password policies than what Windows can provide.
5. Windows Password Policy
Even with the password complexity requirement enabled, the standard Windows Password Policy still allows weak passwords:
Password123
Company2014
January1
P@ssw0rd
LetMeIn2014
Photoshop1
6. How does a password change work?
• The client (Windows PC, Mac joined to the domain, custom web page, etc.) sends a password change request to a domain controller.
• The Local Security Authority (LSA) handles the password change request.
7. Password Change Overview
1. User submits a password change. All password changes go to a Domain Controller.
2. The LSA checks the Windows Domain Password Policy. If the password meets the domain rules, it calls the password filter.
3. The password filter tells the LSA whether the password is acceptable.
4. The password change is accepted or rejected.
8. Are you Correctly Configuring your Password Policies?
While all GPOs have a Password Policy section, unless the password policy is on the Default Domain Policy the settings are ignored. Putting a policy solely on a Domain Controller GPO will have no effect.
** The Password Policy section of a GPO is used to control the local password policy settings on any workstations or member servers in the OU where the GPO is linked. For Domain Controllers there is no “local” database so the policy settings are ignored.
9. Programming a Password Filter
• The code must be C or C++. No managed code allowed.
• Since the code runs as a thread of the LSA, any crash, memory leak or buffer overflow quickly results in a BSOD.
• Not a simple Win32 app. Mistakes easily result in a BSOD.
10. Password Filter API calls
A password filter can respond to 3 API calls from the LSA.
1. InitializeChangeNotify(void);
2. PasswordFilter(AccountName, FullName, Password, SetOperation);
3. PasswordChangeNotify(UserName, RelativeId, NewPassword);
The LSA calls PasswordFilter() when a password change reaches the DC and the LSA has checked the password against the Windows domain password policy.
If PasswordFilter() says the password is OK, the new password is committed to the Active Directory database and then the LSA calls the PasswordChangeNotify() function of every DLL listed in the registry’s Notification Packages key. The purpose of this function is to handle any password synchronization to other systems.
11. Filtering based on Groups or OUs
• Calls to traditional Win32 API functions for user and group information will BSOD the DC.
• To get group or OU information you must use LDAP/ADSI.
• Some LDAP/ADSI group calls on the MSDN website have memory leak problems in Windows 2003 and require engineering-level hotfixes.
12. Loading the Password Filter DLL
• The DLL is only loaded during the boot cycle.
• On boot the OS reads the HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages registry value and loads all DLLs listed there.
• If there is a problem with the DLL you cannot replace it without a couple of reboots (one to clear the registry and one to load the new version).
13. Troubleshooting Method
• Troubleshooting is time consuming and tedious.
• You must use a kernel debugger and 2 machines.
• Code should use structured exception handling and should be compiled with code to test for memory leaks.
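The pieces slides 9, 10, 12 and 13 describe, as an added example that is not nFront's code or anything from the deck: the three exports with their LSA signatures, a rule check written against UNICODE_STRING-shaped input (UTF-16 buffer plus byte length) so it never reads past what the LSA supplied, and structured exception handling around the call. The rule set (12-character minimum, no account name inside the password, a four-word blocklist), the `check_ascii` test helper and every sample password are constructed for illustration.

```c
/*
 * Added example, not nFront's code.  The three export names and their
 * signatures are the LSA notification-package interface; the rule set and
 * its numbers are constructed.  The check works on a UTF-16 buffer plus a
 * byte length (the shape of UNICODE_STRING) so it compiles and can be tested
 * off the DC; the exports build only under _WIN32 with MSVC.
 */
#include <stddef.h>
#include <stdint.h>

typedef uint16_t wchar16;            /* one UTF-16 code unit (Windows WCHAR) */

/* Result of check_password(); PW_OK (0) means accept. */
enum pw_verdict { PW_OK = 0, PW_BAD_INPUT, PW_TOO_SHORT, PW_CONTAINS_ACCOUNT, PW_DICTIONARY_WORD };

#define MIN_LENGTH_CHARS 12          /* constructed policy value */
#define MAX_WIDE_CHARS   128         /* cap for buffers widened from ASCII */

/* Constructed blocklist of base words, matched case-insensitively as
 * substrings, so "LetMeIn2014" is caught although it passes Windows complexity. */
static const char *const BLOCKLIST[] = { "password", "company", "letmein", "welcome" };

/* ASCII-only lowercase fold. */
static wchar16 fold(wchar16 c) { return (c >= 'A' && c <= 'Z') ? (wchar16)(c + ('a' - 'A')) : c; }

/* Widen an ASCII string to UTF-16, never writing more than cap code units. */
static size_t widen(const char *s, wchar16 *out, size_t cap) {
    size_t n = 0;
    while (s != NULL && s[n] != '\0' && n < cap) { out[n] = (wchar16)(unsigned char)s[n]; n++; }
    return n;
}

/* Case-insensitive substring search.  Lengths are in code units and nothing
 * is read past them: no NUL terminator is assumed, as with UNICODE_STRING. */
static int contains_ci(const wchar16 *hay, size_t hay_len,
                       const wchar16 *needle, size_t needle_len) {
    if (needle_len == 0 || needle_len > hay_len) return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++) {
        size_t j = 0;
        while (j < needle_len && fold(hay[i + j]) == fold(needle[j])) j++;
        if (j == needle_len) return 1;
    }
    return 0;
}

/* Core rule check.  Byte lengths, exactly as UNICODE_STRING.Length gives them. */
enum pw_verdict check_password(const wchar16 *pw, size_t pw_bytes,
                               const wchar16 *account, size_t acct_bytes) {
    if (pw == NULL || (pw_bytes % 2) != 0 || (acct_bytes % 2) != 0) return PW_BAD_INPUT;
    size_t pw_len = pw_bytes / 2, acct_len = acct_bytes / 2;
    if (pw_len < MIN_LENGTH_CHARS) return PW_TOO_SHORT;
    if (account != NULL && acct_len >= 3 && contains_ci(pw, pw_len, account, acct_len))
        return PW_CONTAINS_ACCOUNT;
    for (size_t i = 0; i < sizeof BLOCKLIST / sizeof BLOCKLIST[0]; i++) {
        wchar16 word[MAX_WIDE_CHARS];
        size_t wl = widen(BLOCKLIST[i], word, MAX_WIDE_CHARS);
        if (contains_ci(pw, pw_len, word, wl)) return PW_DICTIONARY_WORD;
    }
    return PW_OK;
}

/* Off-box convenience: run the check on ASCII test strings. */
enum pw_verdict check_ascii(const char *pw, const char *account) {
    wchar16 wp[MAX_WIDE_CHARS], wa[MAX_WIDE_CHARS];
    size_t np = widen(pw, wp, MAX_WIDE_CHARS), na = widen(account, wa, MAX_WIDE_CHARS);
    return check_password(wp, np * 2, account != NULL ? wa : NULL, na * 2);
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>

/* Called once when the LSA loads the DLL; TRUE means the filter is ready. */
BOOLEAN __stdcall InitializeChangeNotify(void) { return TRUE; }

/* Slide 7, step 3: the LSA asks whether the new password is acceptable. */
BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                                 PUNICODE_STRING Password, BOOLEAN SetOperation) {
    BOOLEAN accept = FALSE;
    (void)FullName; (void)SetOperation;
    __try {                          /* MSVC structured exception handling */
        if (Password != NULL && AccountName != NULL &&
            check_password((const wchar16 *)Password->Buffer, Password->Length,
                           (const wchar16 *)AccountName->Buffer, AccountName->Length) == PW_OK)
            accept = TRUE;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        accept = FALSE;              /* fail closed rather than crash lsass */
    }
    return accept;
}

/* Called after the change is committed to AD, for synchronizing other systems. */
NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                        PUNICODE_STRING NewPassword) {
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0;                        /* STATUS_SUCCESS; nothing to sync here */
}
#endif
```

The portable part compiles with any C99 compiler, which is where the rule logic should be unit-tested, since slide 13's kernel-debugger setup is the alternative. The `#ifdef _WIN32` part is built with MSVC as a DLL whose three names are exported undecorated through a .def file; the DLL name without extension is then appended to the REG_MULTI_SZ Notification Packages value and, as slide 12 notes, the filter is only picked up on the next boot. Failing closed in the exception handler trades a rejected change, which the user can retry, for the restart a crash inside lsass forces. One limit worth seeing: a plain substring blocklist lets `P@ssw0rd` from slide 5 through, which is why a real dictionary check also normalizes common character substitutions.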
15. What is nFront Password Filter?
nFront Password Filter is a password policy enforcement solution that provides multiple, granular password policies for Windows domains. The standard Windows password policy cannot meet most industry compliance requirements.
Without nFront Password Filter your network likely allows weak passwords that are an easy target for hackers and malware.
16. nFront Password Filter Benefits
nFront Password Filter is granular
Up to 6 different granular password policies in one Windows Domain
A dictionary option that checks the password against millions of common passwords in less than one second
One checkbox to meet password-specific compliance requirements
An optional client to clearly show the password rules and an improved failure message
17. nFront Password Filter: Multi-Policy vs. Single Policy
The two editions are compared on: Runs on Domain Controller; Runs on Member Server; Runs on Workstations; Max # of Policies; Microsoft SQL Server Compatible.
18. NPF Multiple Policy Support
Up to 6 different policies linked to one or more groups or OUs.
19. NPF Optional Client – Windows 7
The client will display the password requirements and has an optional strength meter. It can also tell the user the exact reason for failure.
20. NPF Optional Client – Windows XP
The client will display the password requirements and has an optional strength meter. It can also tell the user the exact reason for failure.
21. Web Password Change Client
nFront Web Password Change is an IIS application that shows the password requirements based on userID and also gives exact reasons for a password change failure.
22. From the nFront Team, Thank You
Please visit www.nfrontsecurity.com to learn more about our nFront Password Filter solution.