How a Windows Password Filter Works


See how Windows enforces a password policy

  1. How a Windows Password Filter Works
  2. How Do Password Filters Work? (agenda)
     • What is a password filter
     • Why use a password filter
     • The password change process
     • Programming a password filter
     • The nFront Password Filter solution
  3. What is a Password Filter?
     • A program that lets administrators require users to follow certain rules when creating a password.
     • The first password filter, PASSFILT.DLL, was provided by Microsoft for Windows NT4. Technically it is a DLL added to the Windows OS via the registry.
  4. Why use a Password Filter?
     • The data on your network is only as protected as the weakest user password.
     • SANS and the FBI list weak passwords as a top network vulnerability each year.
     • Most industry regulations require more granular password policies than Windows can provide.
  5. Windows Password Policy
     Even with the password complexity requirement enabled, the standard Windows password policy still allows weak passwords such as:
     Password123, Company2014, January1, P@ssw0rd, LetMeIn2014, Photoshop1
  6. How does a password change work?
     • The client (Windows PC, Mac joined to the domain, custom web page, etc.) sends a password change request to a domain controller.
     • The Local Security Authority (LSA) handles the password change request.
  7. Password Change Overview
     1. The user submits a password change. All password changes go to a Domain Controller.
     2. The LSA checks the Windows domain password policy. If the password meets the domain rules, the LSA calls the password filter.
     3. The password filter tells the LSA whether the password is acceptable.
     4. The password change is accepted or rejected.
  8. Are you Correctly Configuring your Password Policies?
     Every GPO has a Password Policy section, but unless the password policy is set in the Default Domain Policy the settings are ignored: putting a policy solely on a Domain Controller GPO has no effect.
     ** The Password Policy section of a GPO controls the local password policy settings on any workstations or member servers in the OU where the GPO is linked. Domain Controllers have no "local" database, so the policy settings are ignored there.
  9. Programming a Password Filter
     • The code must be C or C++. No managed code allowed.
     • Since the code runs as a thread of the LSA, any crash, memory leak or buffer overflow quickly results in a BSOD.
     • It is not a simple Win32 app; mistakes easily result in a BSOD.
  10. Password Filter API calls
      A password filter responds to three calls from the LSA:
      1. InitializeChangeNotify(void);
      2. PasswordFilter(AccountName, FullName, Password, SetOperation);
      3. PasswordChangeNotify(UserName, RelativeId, NewPassword);
      The LSA calls PasswordFilter() when a password change reaches the DC and the LSA has checked the password against the Windows domain password policy. If PasswordFilter() says the password is OK, the new password is committed to the Active Directory database, and the LSA then calls PasswordChangeNotify() in every DLL listed in the registry's Notification Packages key. The purpose of that function is to handle any password synchronization to other systems.
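The three exports just listed, written out as an added example in C (not code from the slides or from nFront) with the signatures Microsoft documents in ntsecapi.h; the check rejects the slide-5 passwords that pass Windows complexity. The blocklist, the character-folding rules and the CheckAscii helper are assumptions for illustration, and the non-Windows stand-in types exist only so the logic can be compiled and unit-tested away from a DC.

```c
#include <stdint.h>
#include <string.h>
#ifdef _WIN32                      /* real build: Microsoft's own definitions */
#include <windows.h>
#include <ntsecapi.h>
#define FILTER_EXPORT __declspec(dllexport)
#else                              /* stand-ins so the logic compiles and tests off the DC */
typedef unsigned char BOOLEAN; typedef unsigned short USHORT; typedef unsigned long ULONG;
typedef long NTSTATUS; typedef uint16_t WCHAR;    /* WCHAR: one UTF-16 code unit */
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING, *PUNICODE_STRING;
enum { FALSE = 0, TRUE = 1 };
#define FILTER_EXPORT
#endif
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0)
#endif
/* Constructed blocklist: stems of the slide-5 examples (a real filter loads a big dictionary once). */
static const char *const kBlocked[] = {"password","company","january","letmein","photoshop"};
/* Fold a UTF-16 unit to a lowercase ASCII letter, undoing the substitutions behind P@ssw0rd; 0 = drop. */
static char fold(WCHAR c) {
    if (c >= 'A' && c <= 'Z') return (char)(c + 32);
    if (c >= 'a' && c <= 'z') return (char)c;
    switch (c) { case '@': return 'a'; case '0': return 'o'; case '1': case '!': return 'i';
                 case '3': return 'e'; case '$': case '5': return 's'; default: return 0; }
}
/* Reject if a blocked stem appears in the folded password (Password123 -> "passwordie"). Pure on
 * purpose: no allocation, I/O or exceptions, since a fault on the LSA thread takes the DC down. */
BOOLEAN PasswordAcceptable(const UNICODE_STRING *pw) {
    char stem[128]; size_t n = pw->Length / sizeof(WCHAR), k = 0;   /* Length is in bytes */
    for (size_t i = 0; i < n && k < sizeof stem - 1; i++) { char f = fold(pw->Buffer[i]); if (f) stem[k++] = f; }
    stem[k] = '\0';
    for (size_t b = 0; b < sizeof kBlocked / sizeof *kBlocked; b++) if (strstr(stem, kBlocked[b])) return FALSE;
    return TRUE;
}
FILTER_EXPORT BOOLEAN InitializeChangeNotify(void) { return TRUE; }   /* LSA calls this once at load */
FILTER_EXPORT BOOLEAN PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                                     PUNICODE_STRING Password, BOOLEAN SetOperation) {
    (void)AccountName; (void)FullName; (void)SetOperation;
    return (Password && Password->Buffer) ? PasswordAcceptable(Password) : FALSE;   /* never trust the pointers blindly */
}
/* Runs after AD has committed the change; NewPassword is cleartext: sync it if needed, never log it. */
FILTER_EXPORT NTSTATUS PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword) {
    (void)UserName; (void)RelativeId; (void)NewPassword; return STATUS_SUCCESS;
}
/* Test helper only (not a DLL export): wrap a constructed ASCII sample as a UNICODE_STRING. */
BOOLEAN CheckAscii(const char *s) {
    WCHAR buf[64]; size_t n = strlen(s); if (n > 64) return FALSE;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)s[i];
    UNICODE_STRING u = { (USHORT)(n * sizeof(WCHAR)), (USHORT)sizeof buf, buf };
    return PasswordFilter(NULL, NULL, &u, FALSE);
}
```

On Windows the three functions are the ones the LSA resolves by name, so the DLL still needs a .def file or the dllexport shown here, and the registry entry from slide 12.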
  11. Filtering based on Groups or OUs
      • Calls to traditional Win32 API functions for user and group information will BSOD the DC.
      • To get group or OU information you must use LDAP/ADSI.
      • Some LDAP/ADSI group calls on the MSDN website have memory leak problems in Windows 2003 and require engineering-level hotfixes.
  12. Loading the Password Filter DLL
      • The DLL is only loaded during the boot cycle.
      • On boot the OS reads the HKLM\System\CCS\Control\Lsa\Notification Packages registry key and loads every DLL listed there.
      • If there is a problem with the DLL you cannot replace it without a couple of reboots (one to clear the registry entry and one to load the new version).
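Because every name in that key is loaded into the LSA at boot and receives cleartext password changes, the check a defender wants is an audit of it. This added example (not from the slides or from nFront) parses the value, which is a REG_MULTI_SZ, and flags any DLL name not on an allowlist; the allowlist, the placeholder name YourDeployedFilter and the sample lists are assumptions, and the live read spells out the CurrentControlSet path that the slide abbreviates as CCS.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
typedef uint16_t u16;   /* one UTF-16 code unit, as REG_MULTI_SZ data is stored */
/* Allowlist (assumption for illustration): Windows' default "scecli" plus the filter you deployed. */
static const char *const kAllowed[] = { "scecli", "YourDeployedFilter" };
/* Case-insensitive compare of a UTF-16 entry against an ASCII allowlist name. */
static int name_eq(const u16 *s, size_t len, const char *a) {
    if (strlen(a) != len) return 0;
    for (size_t i = 0; i < len; i++) {
        u16 c = s[i], d = (unsigned char)a[i];
        if (c >= 'A' && c <= 'Z') c += 32; if (d >= 'A' && d <= 'Z') d += 32;
        if (c != d) return 0;
    }
    return 1;
}
/* Walk a REG_MULTI_SZ blob (UTF-16 strings separated by NUL, ended by an extra NUL) and return how
 * many entries are not allowlisted; each unknown one is a DLL the LSA will load and deserves a look. */
int AuditNotificationPackages(const u16 *blob, size_t units) {
    int unknown = 0;
    for (size_t i = 0; i < units && blob[i] != 0; i++) {
        size_t start = i;
        while (i < units && blob[i] != 0) i++;           /* i now sits on this entry's NUL */
        int ok = 0;
        for (size_t k = 0; k < sizeof kAllowed / sizeof *kAllowed; k++)
            if (name_eq(blob + start, i - start, kAllowed[k])) ok = 1;
        if (!ok) {
            unknown++; printf("unexpected notification package: ");
            for (size_t j = start; j < i; j++) putchar(blob[j] < 128 ? (int)blob[j] : '?');
            putchar('\n');
        }
    }
    return unknown;
}
/* Constructed sample: build a blob from a ';'-separated ASCII list and audit it. */
int AuditSample(const char *list) {
    u16 blob[256]; size_t n = 0;
    for (; *list && n < 254; list++) blob[n++] = (*list == ';') ? 0 : (u16)(unsigned char)*list;
    blob[n++] = 0; blob[n++] = 0;                        /* entry terminator + list terminator */
    return AuditNotificationPackages(blob, n);
}
#ifdef _WIN32   /* on a live DC: read the real value (link advapi32) from the key slide 12 names */
#include <windows.h>
int AuditLiveKey(void) {
    u16 buf[4096]; DWORD cb = sizeof buf, type = 0;
    if (RegGetValueW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Lsa",
                     L"Notification Packages", RRF_RT_REG_MULTI_SZ, &type, buf, &cb) != ERROR_SUCCESS) return -1;
    return AuditNotificationPackages(buf, cb / sizeof(u16));
}
#endif
```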
  13. Troubleshooting Method
      • Troubleshooting is time consuming and tedious.
      • You must use a kernel debugger and two machines.
      • Code should use structured exception handling and should be compiled with code to test for memory leaks.
  14. nFront Password Filter Product Overview
  15. What is nFront Password Filter?
      • nFront Password Filter is a password policy enforcement solution that provides multiple, granular password policies for Windows domains.
      • The standard Windows password policy cannot meet most industry compliance requirements. Without nFront Password Filter your network likely allows weak passwords that are an easy target for hackers and malware.
  16. nFront Password Filter Benefits
      nFront Password Filter is granular:
      • Up to 6 different granular password policies in one Windows domain
      • A dictionary option that blocks millions of common passwords in less than one second
      • One checkbox to meet password-specific compliance requirements
      • An optional client that clearly shows the password rules and an improved failure message
  17. nFront Password Filter edition comparison (the slide's table; its cell values did not survive extraction)
      Columns: Multi-Policy, Single Policy
      Rows: Runs on Domain Controller; Runs on Member Server; Runs on Workstations; Max # of Policies; Microsoft SQL Server Compatible
  18. NPF Multiple Policy Support: up to 6 different policies, each linked to one or more groups or OUs.
  19. NPF Optional Client – Windows 7: the client displays the password requirements and has an optional strength meter. It can also tell the user the exact reason for a failure.
  20. NPF Optional Client – Windows XP: the client displays the password requirements and has an optional strength meter. It can also tell the user the exact reason for a failure.
  21. Web Password Change Client: nFront Web Password Change is an IIS application that shows the password requirements based on the userID and also gives the exact reasons for a password change failure.
  22. From the nFront Team: Thank You. Please visit to learn more about our nFront Password Filter solution.