How a Windows Password Filter Works

Upload: nfront-security

Post on 08-May-2015

DESCRIPTION

See how Windows enforces a password policy

TRANSCRIPT

Page 1: How a Windows Password Filter Works

How a Windows Password Filter Works

Page 2: How a Windows Password Filter Works

How Do Password Filters Work?

• What is a Password Filter

• Why use a Password Filter

• The password change process

• Programming a Password Filter

• The nFront Password Filter solution

Page 3: How a Windows Password Filter Works

What is a Password Filter?

• A program that allows administrators to require users to follow certain rules when creating a password.

• The first password filter, PASSFILT.DLL, was provided by Microsoft for Windows NT4.

Technically it is a DLL added to the Windows OS via the registry.

Page 4: How a Windows Password Filter Works

Why use a Password Filter?

• The data on your network is only as protected as the weakest user password.

• SANS and the FBI list weak passwords as a top network vulnerability each year.

• Most industry regulations require more granular password policies than what Windows can provide.

Page 5: How a Windows Password Filter Works

Windows Password Policy

Even with the password complexity requirement enabled, the standard Windows Password Policy still allows weak passwords:

• Password123

• Company2014

• January1

• P@ssw0rd

• LetMeIn2014

• Photoshop1

Page 6: How a Windows Password Filter Works

How does a password change work?

• The client (Windows PC, Mac joined to domain, custom web page, etc.) sends a password change request to a domain controller.

• The Local Security Authority (LSA) handles the password change request.

Page 7: How a Windows Password Filter Works

Password Change Overview

1. User submits password change. All password changes go to a Domain Controller.

2. LSA checks the Windows Domain Password Policy. If the password meets the domain rules, it calls the password filter.

3. The password filter tells LSA if password is acceptable.

4. Password change accepted or rejected.

Page 8: How a Windows Password Filter Works

Are you Correctly Configuring your Password Policies?

While all GPOs have a Password Policy section, unless the password policy is on the Default Domain Policy the settings are ignored. Putting a policy solely on a Domain Controller GPO will have no effect.

** The Password Policy section of a GPO is used to control the local password policy settings on any workstations or member servers in the OU where the GPO is linked. For Domain Controllers there is no “local” database so the policy settings are ignored.

Page 9: How a Windows Password Filter Works

Programming a Password Filter

• The code must be C or C++. No managed code allowed.

• Since the code runs as a thread of the LSA, any crash, memory leak or buffer overflow quickly results in a BSOD.

• Not a simple Win32 app. Mistakes easily result in a BSOD.

Page 10: How a Windows Password Filter Works

Password Filter API calls

A password filter can respond to 3 API calls from the LSA.

1. InitializeChangeNotify(void);

2. PasswordFilter(AccountName, FullName, Password, SetOperation);

3. PasswordChangeNotify(UserName, RelativeId, NewPassword);

The LSA calls PasswordFilter() when a password change reaches the DC and the LSA has checked the password against the Windows domain password policy.

If PasswordFilter() says the password is OK, the new password is committed to the Active Directory database and then the LSA calls the PasswordChangeNotify() function for all DLLs listed in the registry's Notification Packages key. The purpose of this function is to handle any password synchronization to other systems.
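As an added example (not code from these slides or from nFront), here is the shape of a filter DLL whose policy check is kept portable so it can be unit-tested on a build host rather than inside the LSA, where the slides warn that a bug takes down the DC. The pf_* names, the 8-character minimum and the block list (the weak passwords from the Windows Password Policy slide) are my own choices, and admin resets (SetOperation TRUE) are held to the same rules as user changes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32                 /* real DLL build: use the LSA's own UNICODE_STRING */
#include <windows.h>
#include <ntsecapi.h>
typedef UNICODE_STRING PfString;
#else                         /* host build: same layout, no Windows headers needed */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } PfString;
#endif
typedef enum { PF_OK, PF_TOO_SHORT, PF_BLOCKLISTED } PfReason;  /* reason codes, so a client can say why */
#define PF_MIN_LEN 8
/* Constructed block list: the passwords the slides show the default complexity rule accepting. */
static const char *const PF_BLOCKLIST[] =
    { "Password123", "Company2014", "January1", "P@ssw0rd", "LetMeIn2014", "Photoshop1" };
static uint16_t pf_lower(uint16_t c) { return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c; }
/* Case-insensitive UTF-16 search driven by Length (BYTES): LSA strings are not NUL-terminated, so wcslen/wcscpy on them is the classic overrun. */
static bool pf_contains(const PfString *hay, const char *word) {
    size_t h = hay->Length / 2, n = strlen(word), i, j;
    if (n == 0 || n > h) return false;
    for (i = 0; i + n <= h; i++) {
        for (j = 0; j < n && pf_lower((uint16_t)hay->Buffer[i + j]) == pf_lower((uint16_t)(unsigned char)word[j]); j++) {}
        if (j == n) return true;
    }
    return false;
}
/* The policy. SetOperation is TRUE for an admin reset, FALSE for a user change; same rules for both here. */
PfReason pf_check(const PfString *password, bool set_operation) {
    size_t i; (void)set_operation;
    if (password->Length / 2 < PF_MIN_LEN) return PF_TOO_SHORT;
    for (i = 0; i < sizeof PF_BLOCKLIST / sizeof *PF_BLOCKLIST; i++) if (pf_contains(password, PF_BLOCKLIST[i])) return PF_BLOCKLISTED;
    return PF_OK;
}
#ifndef _WIN32   /* host-side helper for tests: build a UNICODE_STRING-shaped input from ASCII */
PfReason pf_check_ascii(const char *password) {
    uint16_t buf[64]; PfString s = {0, sizeof buf, buf};
    size_t n = strlen(password) > 64 ? 64 : strlen(password), i;
    for (i = 0; i < n; i++) buf[i] = (uint16_t)(unsigned char)password[i];
    s.Length = (uint16_t)(n * 2);
    return pf_check(&s, false);
}
#else            /* the three entry points the LSA calls; export them via a .def file on x86 */
__declspec(dllexport) BOOLEAN NTAPI InitializeChangeNotify(void) { return TRUE; }
__declspec(dllexport) BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation) {
    (void)AccountName; (void)FullName;  /* runs on an LSA thread: no exceptions, no leaks, no Win32 user/group lookups */
    return pf_check(Password, SetOperation != 0) == PF_OK;
}
__declspec(dllexport) NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword) {
    (void)UserName; (void)RelativeId; (void)NewPassword; return 0;  /* sync hook; 0 == STATUS_SUCCESS */
}
#endif
```

Compiled on a non-Windows host, only the portable core and pf_check_ascii() are built, so the policy can be exercised by ordinary unit tests before the DLL is ever listed in Notification Packages.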

Page 11: How a Windows Password Filter Works

Filtering based on Groups or OUs

• Calls to traditional Win32 API functions for user and group information will BSOD the DC.

• To get group or OU information you must use LDAP/ADSI.

• Some LDAP/ADSI group calls on the MSDN website have memory leak problems in Windows 2003 and require engineering level hotfixes.

Page 12: How a Windows Password Filter Works

Loading the Password Filter DLL

• The DLL is only loaded during the boot cycle.

• On boot the OS reads HKLM\System\CCS\Control\Lsa\Notification Packages registry key and loads all DLLs listed there.

• If there is a problem with the DLL you cannot replace it without a couple of reboots (one to clear the registry and one to load the new version).

Page 13: How a Windows Password Filter Works

Troubleshooting Method

• Troubleshooting is time consuming and tedious.

• You must use a kernel debugger and 2 machines.

• Code should use structured exception handling and should be compiled with code to test for memory leaks.

Page 14: How a Windows Password Filter Works

nFront Password Filter Product Overview

Page 15: How a Windows Password Filter Works

What is nFront Password Filter?

nFront Password Filter is a password policy enforcement solution that provides multiple, granular password policies for Windows domains.

The standard Windows password policy cannot meet most industry compliance requirements.

Without nFront Password Filter your network likely allows weak passwords that are an easy target for hackers and malware.

Page 16: How a Windows Password Filter Works

nFront Password Filter Benefits

nFront Password Filter is granular:

• Up to 6 different granular password policies in one Windows domain

• A dictionary option to prevent millions of common passwords in less than one second

• One checkbox to meet password-specific compliance requirements

• An optional client to clearly show the password rules and an improved failure message

Page 17: How a Windows Password Filter Works

nFront Password Filter: Multi-Policy vs Single Policy

Feature comparison rows:

• Runs on Domain Controller

• Runs on Member Server

• Runs on Workstations

• Max # of Policies: 6 (Multi-Policy), 1 (Single Policy)

• Microsoft SQL Server Compatible

Page 18: How a Windows Password Filter Works

NPF Multiple Policy Support

Up to 6 different policies linked to one or more groups or OUs.

Page 19: How a Windows Password Filter Works

NPF Optional Client – Windows 7

The client will display the password requirements and has an optional strength meter. It can also tell the user the exact reason for failure.

Page 20: How a Windows Password Filter Works

NPF Optional Client – Windows XP

The client will display the password requirements and has an optional strength meter. It can also tell the user the exact reason for failure.

Page 21: How a Windows Password Filter Works

Web Password Change Client

nFront Web Password Change is an IIS application that shows the password requirements based on userID and also gives exact reasons for a password change failure.

Page 22: How a Windows Password Filter Works

From the nFront Team, Thank You

Please visit www.nfrontsecurity.com to learn more about our nFront Password Filter solution.