nFront Password Filter Overview

This presentation gives an overview of the nFront Password Filter software.

Published in: Technology
  • SOX suggests the disallowance of weak passwords. PCI affects companies that accept credit cards. PCI explicitly states that passwords must contain a numeric character. HIPAA affects healthcare companies and suggests the use of strong passwords and measures to protect people’s healthcare data. The IRS 1075 Guidelines contain 18 password management guidelines and are very descriptive of what is required in passwords.
  • nFront Password Filter Overview

    1. nFront Password Filter Demo
    2. Agenda
       • Why filter passwords?
       • What is nFront Password Filter
       • Configuration
       • Q & A
    3. Why Prevent Weak Passwords?
       • Weak passwords are still on the SANS/FBI top 20 yearly list of top vulnerabilities.
       • Over 40% of people use passwords that contain the name of a spouse, child or pet.
       • Password compromise leads to data theft and not just denial of service.
       • Security Audits / Compliance.
    4. Windows Password Policy
       • The above policy allows passwords like: aaaaa, myusername, qwerty, january, mydogsname, 123456
       Conclusion: The Windows Password Policy is not enough!
    5. Compliance
       • Sarbanes-Oxley section 404
       • Payment Card Industry (PCI)
       • HIPAA
       • IRS 1075 Guidelines
    6. nFront Password Filter
       • Allows multiple granular password policies in the same Windows domain.
       • Runs on all domain controllers.
       • Tightly integrated with Windows OS.
       • Cannot be bypassed.
       • Easy to install and configure.
    7. Password Change Overview
       1. User submits password change. All password changes go to a Domain Controller.
       2. LSA calls nFront Password Filter. NPF consults password policy.
       3. nFront Password Filter may check dictionary.
       4. nFront Password Filter tells LSA if password is acceptable. Password change accepted or rejected.
    8. Where NPF fits
    9. NPF Group Policy
       These settings are pushed to the registry of all domain controllers and tell the filter the policy rules.
    10. NPF Configuration
       • MPE has a Default Policy plus 5 others.
       • Each policy has many granular settings that cover not only character types but also rules like rejecting passwords with vowels, etc.
       • Each policy is linked to one or more security groups.
    11. DEMO - configuration
       • Create GPO
       • Configure GPO for one policy
    12. Versions
       • Multipolicy Edition
         – Runs on Domain Controllers
         – Up to 6 password policies in 1 domain
       • Single Policy Edition
         – Runs on Domain Controllers
         – 1 password policy per domain
       • Member Server Edition
         – Runs on Member Servers
         – Filters local password changes. Controlled via a GPO that targets the OU where the servers are.
         – Can filter passwords for SQL users if you run SQL Server 2005 on Windows 2003.
    13. Performance / Scalability
       • DLL is only 150 KB in size!
       • No Network API calls that leave the Domain Controller and add latency.
       • The PasswordFilter() routine completes in milliseconds.
       • Sprint tested the DLL with over 11,000 password changes per minute (dictionary not used).
       • Can check password against 2.5 million passwords in dictionary in less than 1 second.
    14. DEMO
       • Two Policies
       • Dictionary Scanning
    15. Questions and Answers
    16. Thank you. Thank you for your time.
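The accept/reject decision in the password change overview (slide 7), applied to the weak passwords listed on slide 4, as an added example in portable C that is not nFront's code. The `struct policy` fields, the function names and the three-word sample dictionary are assumptions made for illustration; a real filter receives Windows string types from LSA rather than C strings.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical policy record; field names are assumptions, not NPF's settings. */
struct policy {
    size_t min_len;
    int require_digit;       /* rule the slide notes attribute to PCI */
    int reject_account_name; /* password may not contain the account name */
    const char **dict;       /* sorted lowercase words, exact-match lookup */
    size_t dict_len;
};
/* Constructed sample data: weak passwords the slides list, sorted for bsearch. */
static const char *SAMPLE_DICT[] = { "123456", "january", "qwerty" };
static const struct policy SAMPLE_POLICY = { 6, 0, 1, SAMPLE_DICT, 3 };

static int cmp_word(const void *key, const void *elem) {
    return strcmp((const char *)key, *(const char *const *)elem);
}
/* Lowercase src into dst so the comparisons below ignore case. */
static void lower_copy(char *dst, size_t cap, const char *src) {
    size_t i = 0;
    for (; src[i] && i + 1 < cap; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Returns 1 to accept, 0 to reject: the yes/no answer the filter gives LSA. */
int filter_password(const struct policy *p, const char *account, const char *password) {
    char pw[128], acct[128];
    size_t len = strlen(password), i = 1;
    if (len < p->min_len || len >= sizeof pw) return 0;
    lower_copy(pw, sizeof pw, password);
    lower_copy(acct, sizeof acct, account);
    if (p->require_digit && !strpbrk(password, "0123456789")) return 0;
    if (p->reject_account_name && acct[0] && strstr(pw, acct)) return 0;
    while (i < len && password[i] == password[0]) i++;
    if (i == len) return 0;                      /* one repeated character */
    if (p->dict && bsearch(pw, p->dict, p->dict_len, sizeof *p->dict, cmp_word)) return 0;
    return 1;
}

int main(void) {
    const char *tries[] = { "aaaaaa", "myusername", "qwerty", "Tr4il-Mix-Ladder" };
    for (size_t k = 0; k < 4; k++)
        printf("%-18s %s\n", tries[k],
               filter_password(&SAMPLE_POLICY, "myusername", tries[k]) ? "accept" : "reject");
    return 0;
}
```

The dictionary lookup is a binary search over a sorted word list, so the cost of a check grows with the logarithm of the dictionary size and needs no call off the machine.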
