nFront Password Filter Overview



This presentation gives an overview of the nFront Password Filter software.

Published in: Technology
  • SOX suggests the disallowance of weak passwords. PCI affects companies that accept credit cards. PCI explicitly states that passwords must contain a numeric character. HIPAA affects healthcare companies and suggests the use of strong passwords and measures to protect people’s healthcare data. The IRS 1075 Guidelines contain 18 password management guidelines and are very descriptive of what is required in passwords.
  • nFront Password Filter Overview

    1. nFront Password Filter Demo
    2. Agenda • Why filter passwords? • What is nFront Password Filter • Configuration • Q & A
    3. Why Prevent Weak Passwords? • Weak passwords are still on the SANS/FBI top 20 yearly list of top vulnerabilities. • Over 40% of people use passwords that contain the name of a spouse, child or pet. • Password compromise leads to data theft and not just denial of service. • Security Audits / Compliance.
    4. Windows Password Policy • The above policy allows passwords like: aaaaa myusername qwerty january mydogsname 123456 Conclusion: The Windows Password Policy is not enough!
    5. Compliance • Sarbanes-Oxley section 404 • Payment Card Industry (PCI) • HIPAA • IRS 1075 Guidelines
    6. nFront Password Filter • Allows multiple granular password policies in the same Windows domain. • Runs on all domain controllers. • Tightly integrated with Windows OS. • Cannot be bypassed. • Easy to install and configure.
    7. Password Change Overview 1. User submits password change. All password changes go to a Domain Controller. 2. LSA calls nFront Password Filter. NPF consults password policy. 3. nFront Password Filter may check dictionary. 4. nFront Password Filter tells LSA if password is acceptable. Password change accepted or rejected.
    8. Where NPF fits
    9. NPF Group Policy These settings are pushed to registry of all domain controllers and tell the filter the policy rules.
    10. NPF Configuration • MPE has a Default Policy plus 5 others. • Each policy has many granular settings that cover not only character types but also rules like rejecting passwords with vowels, etc. • Each policy is linked to one or more security groups.
    11. DEMO - configuration • Create GPO • Configure GPO for one policy
    12. Versions • Multipolicy Edition – Runs on Domain Controllers – Up to 6 password policies in 1 domain • Single Policy Edition – Runs on Domain Controllers – 1 password policy per domain • Member Server Edition – runs on Member Servers – Filters local pw changes. Controlled via GPO that targets OU where servers are. – Can filter passwords for SQL users if you run SQL Server 2005 on Windows 2003.
    13. Performance / Scalability • DLL is only 150 KB in size! • No Network API calls that leave the Domain Controller and add latency. • The PasswordFilter() routine completes in milliseconds. • Sprint tested the DLL with over 11,000 password changes per minute (dictionary not used). • Can check password against 2.5 million passwords in dictionary in less than 1 second.
    14. DEMO • Two Policies • Dictionary Scanning
    15. Questions and Answers
    16. Thank you. Thank you for your time.
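
The decision step from slide 7 (the filter consults its policy, may check a dictionary, and tells LSA whether the password is acceptable), sketched as an added example in portable C and applied to the weak passwords listed on slide 4. This is not nFront's code: the rules, the word list and the names `check_password` and `pw_verdict` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

typedef enum { PW_ACCEPT, PW_NO_VARIETY, PW_HAS_ACCOUNT_NAME,
               PW_DICTIONARY_WORD, PW_TOO_LONG } pw_verdict;

/* Constructed sample word list; stands in for the filter's dictionary file. */
static const char *const DICTIONARY[] = { "qwerty", "january", "123456", "password" };

/* Copy src into dst in lower case so every comparison is case-insensitive. */
static void lower_copy(char *dst, size_t cap, const char *src) {
    size_t i = 0;
    for (; src[i] != '\0' && i + 1 < cap; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Non-zero when s is empty or one character repeated, e.g. "aaaaa". */
static int lacks_variety(const char *s) {
    for (size_t i = 1; s[0] != '\0' && s[i] != '\0'; i++)
        if (s[i] != s[0]) return 0;
    return 1;
}

/* Hypothetical policy check: the verdict a filter would turn into the
   accept/reject answer it gives LSA. The rules below are assumptions. */
pw_verdict check_password(const char *account, const char *password) {
    char pw[257], acct[257];
    if (strlen(password) >= sizeof pw) return PW_TOO_LONG; /* fail closed, never truncate */
    lower_copy(pw, sizeof pw, password);
    lower_copy(acct, sizeof acct, account);
    if (lacks_variety(pw)) return PW_NO_VARIETY;
    /* Substring match catches "JSmith#77x" as well as the bare account name. */
    if (acct[0] != '\0' && strstr(pw, acct) != NULL) return PW_HAS_ACCOUNT_NAME;
    /* Substring match also rejects a dictionary word padded to meet complexity. */
    for (size_t i = 0; i < sizeof DICTIONARY / sizeof DICTIONARY[0]; i++)
        if (strstr(pw, DICTIONARY[i]) != NULL) return PW_DICTIONARY_WORD;
    return PW_ACCEPT;
}
```

In a Windows password filter DLL, logic of this kind sits behind the exported `PasswordFilter()` routine named on slide 13, which returns TRUE or FALSE to LSA.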