How a Windows Password Filter Works
How DO Password Filters Work?

• What is a Password Filter
• Why use a Password Filter
• The password change process
• Programming a Password Filter
• The nFront Password Filter solution
What is a Password Filter?

• A program that allows administrators to require users to follow certain rules when creating a password.
• The first password filter, PASSFILT.DLL, was provided by Microsoft for Windows NT4.
• Technically it is a DLL added to the Windows OS via the registry.
Why use a Password Filter?

• The data on your network is only as protected as the weakest user password.
• SANS and the FBI list weak passwords as a top network vulnerability each year.
• Most industry regulations require more granular password policies than Windows can provide on its own.
Windows Password Policy

Even with the password complexity requirement enabled, the standard Windows Password Policy still allows weak passwords:

• Password123
• Company2014
• January1
• P@ssw0rd
• LetMeIn2014
• Photoshop1
How does a password change work?

• The client (Windows PC, Mac joined to the domain, custom web page, etc.) sends a password change request to a domain controller.
• The Local Security Authority (LSA) handles the password change request.
Password Change Overview

1. The user submits a password change. All password changes go to a Domain Controller.
2. The LSA checks the Windows Domain Password Policy. If the password meets the domain rules, the LSA calls the password filter.
3. The password filter tells the LSA whether the password is acceptable.
4. The password change is accepted or rejected.
Are you Correctly Configuring your Password Policies?

While all GPOs have a Password Policy section, unless the password policy is in the Default Domain Policy the settings are ignored. Putting a policy solely on a Domain Controller GPO will have no effect.

** The Password Policy section of a GPO is used to control the local password policy settings on any workstations or member servers in the OU where the GPO is linked. For Domain Controllers there is no "local" database, so the policy settings are ignored.
Programming a Password Filter

• The code must be C or C++. No managed code allowed.
• Since the code runs as a thread of the LSA, any crash, memory leak or buffer overflow quickly results in a BSOD.
• It is not a simple Win32 app. Mistakes easily result in a BSOD.
Password Filter API calls

A password filter can respond to 3 API calls from the LSA:

1. InitializeChangeNotify(void);
2. PasswordFilter(AccountName, FullName, Password, SetOperation);
3. PasswordChangeNotify(UserName, RelativeId, NewPassword);

The LSA calls PasswordFilter() when a password change reaches the DC and the LSA has already checked the password against the Windows domain password policy.

If PasswordFilter() says the password is OK, the new password is committed to the Active Directory database and then the LSA calls the PasswordChangeNotify() function for all DLLs listed in the registry's Notification Packages key. The purpose of this function is to handle any password synchronization to other systems.
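As an added example (not nFront's code, not Microsoft's PASSFILT.DLL, and not a complete DLL: DllMain, the __declspec(dllexport) declarations and the Windows headers are left out so it builds wherever a C compiler runs), here is the rule logic a PasswordFilter() export would execute. It also covers the earlier "Windows Password Policy" slide: meets_windows_complexity() approximates the built-in complexity rule, all six passwords listed there pass it, and the filter's base-word dictionary check is what rejects them. FILTER_UNICODE_STRING (a layout stand-in for UNICODE_STRING), MAX_PW_CHARS, WEAK_WORDS, base_word(), check_change() and the leet-substitution table are all assumptions made for this example; the seven-word dictionary is constructed.

```c
/* Added example (not nFront's code, not Microsoft's PASSFILT.DLL): the rule logic
 * behind a PasswordFilter() export, in portable C. The LSA hands the filter a
 * PUNICODE_STRING: UTF-16, NOT null-terminated, Length in BYTES. The assumed
 * stand-in FILTER_UNICODE_STRING keeps that layout (uint16_t for WCHAR). */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    uint16_t Length, MaximumLength;  /* both in bytes, not characters */
    uint16_t *Buffer;                /* UTF-16 code units, no terminator guaranteed */
} FILTER_UNICODE_STRING;

typedef enum { PW_OK, PW_BAD_INPUT, PW_FAILS_COMPLEXITY, PW_DICTIONARY } pw_verdict;
#define MAX_PW_CHARS 128  /* assumed local limit that keeps the stack buffers bounded */

/* Constructed seven-word dictionary; a production filter loads millions. */
static const char *const WEAK_WORDS[] = { "password", "company", "january",
                                          "letmein", "photoshop", "welcome", "qwerty" };

/* Bounded copy into a null-terminated ASCII buffer. Over-long or non-ASCII
 * input is rejected rather than overflowed (the demo is ASCII-only). */
static bool copy_ustr(const FILTER_UNICODE_STRING *u, char *out, size_t cap)
{
    size_t n = u->Length / 2;                /* bytes -> UTF-16 code units */
    if (u->Buffer == NULL || n >= cap) return false;
    for (size_t i = 0; i < n; i++) {
        if (u->Buffer[i] == 0 || u->Buffer[i] > 0x7F) return false;
        out[i] = (char)u->Buffer[i];
    }
    out[n] = '\0';
    return true;
}

/* Stage 1: the built-in "must meet complexity requirements" rule the LSA applies
 * before any filter runs: 6+ characters and 3 of the 4 ASCII classes (the real
 * rule also rejects passwords containing the account or full name; omitted). */
bool meets_windows_complexity(const char *pw)
{
    int up = 0, lo = 0, dg = 0, sy = 0;
    if (strlen(pw) < 6) return false;
    for (const char *p = pw; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isupper(c)) up = 1; else if (islower(c)) lo = 1;
        else if (isdigit(c)) dg = 1; else sy = 1;
    }
    return up + lo + dg + sy >= 3;
}

/* Base word of a password: lowercase, common leet substitutions undone, the rest
 * dropped. P@ssw0rd -> "password"; Company2014 -> "companyol". */
static void base_word(const char *pw, char *out, size_t cap)
{
    size_t j = 0;
    for (size_t i = 0; pw[i] != '\0' && j + 1 < cap; i++) {
        unsigned char c = (unsigned char)pw[i];
        switch (c) {
        case '@': c = 'a'; break;  case '0': c = 'o'; break;
        case '1': c = 'l'; break;  case '!': c = 'i'; break;
        case '3': c = 'e'; break;  case '$': case '5': c = 's'; break;
        }
        if (isalpha(c)) out[j++] = (char)tolower(c);
    }
    out[j] = '\0';
}

/* SecureZeroMemory stand-in: volatile so the compiler cannot drop the stores. */
static void wipe(char *b, size_t n) { volatile char *v = b; while (n--) *v++ = 0; }

/* Stage 2, the filter DLL's own rule: the verdict PasswordFilter() would return
 * as BOOLEAN (TRUE = accept). Locals that held the clear-text password are wiped
 * before return; they live inside the LSA process. */
pw_verdict filter_password(const FILTER_UNICODE_STRING *password)
{
    char pw[MAX_PW_CHARS], base[MAX_PW_CHARS] = "";
    pw_verdict v = copy_ustr(password, pw, sizeof pw) ? PW_OK : PW_BAD_INPUT;
    if (v == PW_OK) base_word(pw, base, sizeof base);
    for (size_t i = 0; v == PW_OK && i < sizeof WEAK_WORDS / sizeof WEAK_WORDS[0]; i++)
        if (strstr(base, WEAK_WORDS[i]) != NULL) v = PW_DICTIONARY;
    wipe(pw, sizeof pw);
    wipe(base, sizeof base);
    return v;
}

/* Hypothetical harness that plays the LSA: domain policy first, then the filter,
 * the order the "Password Change Overview" slide gives. The buffer is built the
 * way the LSA hands it over: Length in bytes, no terminator written. */
pw_verdict check_change(const char *password)
{
    uint16_t scratch[256];
    FILTER_UNICODE_STRING p = { 0, sizeof scratch, scratch };
    size_t n = strlen(password) > 256 ? 256 : strlen(password);
    if (!meets_windows_complexity(password)) return PW_FAILS_COMPLEXITY;
    for (size_t i = 0; i < n; i++) scratch[i] = (uint16_t)(unsigned char)password[i];
    p.Length = (uint16_t)(n * 2);
    return filter_password(&p);
}
```

check_change() runs the two stages in the order of the Password Change Overview slide, so check_change("P@ssw0rd") passes the complexity stage and comes back PW_DICTIONARY from the filter stage. Two choices reflect the deck's warnings about code that lives inside the LSA: copy_ustr() trusts Length rather than looking for a terminator and refuses anything that would not fit its local buffer, because an overflow here is an overflow in the LSA; and every buffer that held the clear-text password is cleared with a volatile loop (SecureZeroMemory on Windows). The linear scan over a seven-entry list is for readability; a dictionary of millions of entries checked in under a second, as the deck claims for nFront, would be loaded once at initialization into a hash set or trie.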
Filtering based on Groups or OUs

• Calls to traditional Win32 API functions for user and group information will BSOD the DC.
• To get group or OU information you must use LDAP/ADSI.
• Some LDAP/ADSI group calls on the MSDN website have memory leak problems in Windows 2003 and require engineering-level hotfixes.
Loading the Password Filter DLL

• The DLL is only loaded during the boot cycle.
• On boot the OS reads the HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages registry key and loads all DLLs listed there.
• If there is a problem with the DLL you cannot replace it without a couple of reboots (one to clear the registry and one to load the new version).
Troubleshooting Method

• Troubleshooting is time consuming and tedious.
• You must use a kernel debugger and 2 machines.
• Code should use structured exception handling and should be compiled with code to test for memory leaks.
nFront Password Filter Product Overview

What is nFront Password Filter?

• nFront Password Filter is a password policy enforcement solution that provides multiple, granular password policies for Windows domains.
• The standard Windows password policy cannot meet most industry compliance requirements.

Without nFront Password Filter your network likely allows weak passwords that are an easy target for hackers and malware.
nFront Password Filter Benefits

nFront Password Filter is granular:

• Up to 6 different granular password policies in one Windows domain
• A dictionary option to prevent millions of common passwords in less than one second
• One checkbox to meet password-specific compliance requirements
• An optional client to clearly show the password rules and an improved failure message
nFront Password Filter: Multi-Policy vs. Single Policy

[Comparison table of the Multi-Policy and Single Policy editions; only the row headings survive:]

• Runs on Domain Controller
• Runs on Member Server
• Runs on Workstations
• Max # of Policies
• Microsoft SQL Server Compatible
NPF Multiple Policy Support

Up to 6 different policies linked to one or more groups or OUs.
NPF Optional Client – Windows 7

The client will display the password requirements and has an optional
strength meter. It can also tell the user the exact reason for failure.
NPF Optional Client – Windows XP

The client will display the password requirements and has an optional
strength meter. It can also tell the user the exact reason for failure.
Web Password Change Client

nFront Web Password Change is an IIS application that shows the
password requirements based on userID and also gives exact reasons
for a password change failure.
From the nFront Team, Thank You

Please visit www.nfrontsecurity.com to learn more about our nFront Password Filter solution.
