How to Ban Default Passwords and Make Everyone Hate You

Man, as you know, is a lazy creature.
And even more so when it comes to choosing a strong password.

I think every administrator has run into the problem of simple and standard passwords. The phenomenon is especially common among the upper echelons of a company's management: precisely the people with access to confidential or commercial information, where cleaning up after a leaked or cracked password and the incidents that follow is the last thing you want.

In my practice there was a case where, in an Active Directory domain with a password policy enabled, the accountants worked out on their own that a password like "Pas$w0rd1234" satisfies the policy perfectly. The result was that this password was used everywhere and by everyone; it sometimes differed only in the digits.

I really wanted to be able not only to enable the password policy and define the character set, but also to filter against a dictionary, to rule out passwords of exactly this kind.

Microsoft kindly informs us in the linked article that anyone who can hold a compiler and an IDE properly and knows how to pronounce "C++" correctly can build a custom password filter library to their own liking. Your humble servant is not up to that, so I had to look for a ready-made solution.

After a long hour of searching, two candidate solutions turned up. I am, of course, talking about open source solutions; there is no shortage of paid ones.

Option 1. OpenPasswordFilter

There have been no commits for about two years. The bundled installer works every other time and has to be tweaked by hand. It creates its own service. When the password file is updated, the DLL does not pick up the changed content automatically: you have to stop the service, wait for a timeout, edit the file and start the service again.

Not great.

Option 2. PassFiltEx

The project is active and alive; no need to poke a cold body.
Installing the filter consists of copying two files and creating a few registry entries. The password file is not locked, that is, it stays editable, and by the author's design it is simply reread once a minute. With a few additional registry entries you can also tune both the filter itself and some details of the password policy.

So.
Given: Active Directory domain test.local
Test workstation: Windows 8.1 (not essential for the task)
Password filter: PassFiltEx

  • Download the latest release from the PassFiltEx link.
  • Copy PassFiltEx.dll to C:\Windows\System32 (that is, %SystemRoot%\System32).
    Copy PassFiltExBlacklist.txt to the same directory and add your own patterns to it as needed.
  • Edit the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa => Notification Packages (REG_MULTI_SZ).
    Add PassFiltEx at the end of the list, without the .dll extension. The complete list of packages used for checking will then be: rassfm scecli PassFiltEx (one entry per line).
    Keep in mind that everything listed here is loaded into LSASS and sees every new password in clear text, so install only a DLL whose origin you have verified, and audit this value on all domain controllers: it is a well-known persistence location for attackers as well.
  • Reboot the domain controller.
  • Repeat the above procedure on every domain controller.
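The whole installation procedure above, as a PowerShell script added for this write-up (it is not a script shipped with PassFiltEx). It assumes the release has already been unpacked to $SourceDir and that it is run elevated on a domain controller; $ExpectedSha256 is an optional hash you obtained out of band for the DLL.

```powershell
# Added example for this write-up, not a script shipped with PassFiltEx.
# Installs the filter on the local domain controller and registers it in
# Notification Packages. Assumptions: the release has already been unpacked
# to $SourceDir and the script runs in an elevated PowerShell on a DC.
param(
    [string]$SourceDir      = 'C:\Temp\PassFiltEx',  # assumed unpack location
    [string]$ExpectedSha256 = ''                     # optional: SHA-256 of PassFiltEx.dll verified out of band
)

$ErrorActionPreference = 'Stop'
$System32 = Join-Path $env:SystemRoot 'System32'
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Dll      = Join-Path $SourceDir 'PassFiltEx.dll'

# This DLL will be loaded into LSASS and will see every new password in clear
# text, so refuse to install a file whose hash does not match what you checked.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Algorithm SHA256 -Path $Dll).Hash
    if ($actual -ne $ExpectedSha256.ToUpper()) {
        throw "PassFiltEx.dll SHA-256 $actual does not match expected $ExpectedSha256"
    }
}

Copy-Item -Path $Dll -Destination $System32 -Force
Copy-Item -Path (Join-Path $SourceDir 'PassFiltExBlacklist.txt') -Destination $System32 -Force

# Notification Packages is a REG_MULTI_SZ. Append our entry (no .dll extension)
# once, keeping the existing entries such as rassfm and scecli in place.
$packages = @((Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages')
if ($packages -notcontains 'PassFiltEx') {
    $packages += 'PassFiltEx'
    Set-ItemProperty -Path $LsaKey -Name 'Notification Packages' -Value $packages -Type MultiString
}

# Print the resulting list so it can be checked before the reboot that
# actually loads the filter (Restart-Computer when you are ready).
(Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'
```

Run it on each domain controller in turn; the filter only becomes active after the reboot, and a DC that has not been rebooted keeps accepting passwords the others reject.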

You can also add the following registry entries, which give you more flexibility in using the filter:

Key: HKLM\SOFTWARE\PassFiltEx (created automatically).

  • HKLM\SOFTWARE\PassFiltEx\BlacklistFileName, REG_SZ, default: PassFiltExBlacklist.txt

    BlacklistFileName lets you specify a custom path to the file with password patterns. If this value is empty or does not exist, the default location is used, namely %SystemRoot%\System32. You can even specify a network path, BUT remember that the file is read by LSASS on the domain controller, so the DC's computer account needs read access on the share, and anyone who can write to that file can weaken the policy on every DC that uses it.

  • HKLM\SOFTWARE\PassFiltEx\TokenPercentageOfPassword, REG_DWORD, default: 60

    TokenPercentageOfPassword sets what share of the new password a blacklisted token may make up before the password is rejected. The default is 60%. For example, with the value 60 and the line starwars in the pattern file, the password Starwars1! is rejected (starwars is 8 of its 10 characters, 80%), while starwars1!DarthVader88 is accepted because the token makes up less than 60% of it (8 of 22 characters, about 36%).

  • HKLM\SOFTWARE\PassFiltEx\RequireCharClasses, REG_DWORD, default: 0

    RequireCharClasses lets you extend the password requirements beyond the standard Active Directory complexity rules. The built-in complexity requirement asks for 3 out of 5 possible character classes: upper case, lower case, digit, special and Unicode. With this value you set your own requirement. The value is a bit mask, each class being a power of two:
    1 = lower case, 2 = upper case, 4 = digit, 8 = special character, 16 = Unicode character.
    So the value 7 means "upper case AND lower case AND digit", and 31 means "upper case AND lower case AND digit AND special character AND Unicode character".
    You can combine them as you like: 19 = "upper case AND lower case AND Unicode character".

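The three optional values above, set from PowerShell as an added example for this write-up (not project code). It builds RequireCharClasses from named classes instead of a magic number and decodes the stored value back so you can see what you actually configured; the choice of classes and the 60% threshold are assumptions for the example.

```powershell
# Added example for this write-up, not code from the PassFiltEx project.
# Writes the optional PassFiltEx settings and builds RequireCharClasses from
# named character classes. Run elevated on each domain controller.
$Key = 'HKLM:\SOFTWARE\PassFiltEx'
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

# Bit values as documented for the filter.
$CharClass = @{ Lower = 1; Upper = 2; Digit = 4; Special = 8; Unicode = 16 }

function Get-RequireCharClassesValue {
    param([Parameter(Mandatory)][string[]]$Classes)
    $value = 0
    foreach ($c in $Classes) {
        if (-not $CharClass.ContainsKey($c)) { throw "Unknown character class '$c'" }
        $value = $value -bor $CharClass[$c]
    }
    return $value
}

function Get-RequireCharClassesNames {
    param([int]$Value)
    # Decode a stored mask back into class names, e.g. 7 -> Digit, Lower, Upper.
    $CharClass.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object Name | Sort-Object
}

# Assumed policy for this example: all four ASCII classes (= 15). Unicode is
# left out because requiring it is impractical for most users.
$required = Get-RequireCharClassesValue -Classes Upper, Lower, Digit, Special

Set-ItemProperty -Path $Key -Name 'RequireCharClasses'        -Value $required -Type DWord
Set-ItemProperty -Path $Key -Name 'TokenPercentageOfPassword' -Value 60        -Type DWord
# Keep the blacklist local: pointing this at a share would let anyone with
# write access on the share weaken the policy on every DC at once.
Set-ItemProperty -Path $Key -Name 'BlacklistFileName' -Value 'PassFiltExBlacklist.txt' -Type String

# Read back and decode so the change can be verified at a glance.
$cfg = Get-ItemProperty -Path $Key
'RequireCharClasses = {0} ({1})' -f $cfg.RequireCharClasses,
    ((Get-RequireCharClassesNames -Value $cfg.RequireCharClasses) -join ', ')
'TokenPercentageOfPassword = {0}' -f $cfg.TokenPercentageOfPassword
'BlacklistFileName = {0}' -f $cfg.BlacklistFileName
```

Because the values live under HKLM on each DC, they must be set on every domain controller; the decode step at the end is what catches a DC where somebody typed 13 instead of 15.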

A few rules for composing the pattern file:

  • Patterns are case insensitive, so starwars and StarWars in the file are treated as the same entry.
  • The blacklist file is reread every 60 seconds, so you can simply edit it and within a minute the filter uses the new data.
  • There is currently no Unicode support in pattern matching. Users can still use Unicode characters in their passwords, but such characters will not be matched against the list. This is not critical, since I have not met users with Unicode passwords.
  • Do not leave empty lines in the pattern file. In debugging you will otherwise see an error when the data is loaded from the file. The filter keeps working, but why have extra exceptions?
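The rules above, and the TokenPercentageOfPassword rule from the previous section, as a PowerShell example added for this write-up (not code from the PassFiltEx project). The first function tidies a pattern file (drops empty lines, drops non-ASCII entries, deduplicates case-insensitively); the second lets you pre-test candidate passwords against the list before users hit the unhelpful error message. The percentage check is my reading of the documented rule, not the DLL's own implementation, and the sample file and candidate passwords are constructed for the example.

```powershell
# Added example for this write-up, not code from the PassFiltEx project.
# Tidies a pattern file according to the rules above and pre-tests candidate
# passwords with the documented "token makes up N% or more of the password"
# rule. The percentage check is an approximation of the documented rule, not
# the DLL's own implementation.
function Repair-BlacklistFile {
    param([Parameter(Mandatory)][string]$Path)
    $seen = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $kept = foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t.Length -eq 0) { continue }               # empty lines produce load errors
        if ($t -match '[^\x20-\x7E]') {                  # matching has no Unicode support
            Write-Warning "Dropping non-ASCII entry: $t"
            continue
        }
        if ($seen.Add($t)) { $t }                        # case-insensitive dedupe
    }
    Set-Content -Path $Path -Value @($kept) -Encoding ASCII
    return @($kept).Count
}

function Test-PasswordAgainstBlacklist {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string[]]$Tokens,
        [int]$Threshold = 60                             # TokenPercentageOfPassword
    )
    foreach ($token in $Tokens) {
        if ($Password.IndexOf($token, [StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }
        $pct = [math]::Floor(100 * $token.Length / $Password.Length)
        if ($pct -ge $Threshold) {
            return [pscustomobject]@{ Password = $Password; Rejected = $true; Token = $token; Percent = $pct }
        }
    }
    [pscustomobject]@{ Password = $Password; Rejected = $false; Token = ''; Percent = 0 }
}

# Constructed sample file: duplicates differing only in case, an empty line
# and a non-ASCII entry, all of which the tidy-up should handle.
$sample = Join-Path $env:TEMP 'PassFiltExBlacklist.sample.txt'
@('starwars', '', 'StarWars', 'password', 'qwerty', 'pässwort', 'STARWARS') | Set-Content -Path $sample
"Kept $(Repair-BlacklistFile -Path $sample) entries"   # 3: starwars, password, qwerty
$tokens = Get-Content -Path $sample

# Constructed candidates: with the default 60% the first two are rejected
# (a token is 80% and 88% of the password), the third passes (36%).
'Starwars1!', 'Password1', 'starwars1!DarthVader88' |
    ForEach-Object { Test-PasswordAgainstBlacklist -Password $_ -Tokens $tokens } |
    Format-Table -AutoSize
```

Point Repair-BlacklistFile at %SystemRoot%\System32\PassFiltExBlacklist.txt after you have merged in one of the wordlists linked at the end; the filter picks the cleaned file up within a minute without a service restart. Note that a short token such as qwerty is only 60% of a 10-character password, so "Qwerty1234" is rejected at the default threshold while "Qwerty12345" is not: the threshold trades off against token length, which is worth remembering when you tune it.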

For debugging, the archive contains batch files that let you create a log and then parse it, for example with Microsoft Message Analyzer.
The password filter uses Event Tracing for Windows.

The ETW provider of this password filter is 07d83223-7594-4852-babc-784803fdf6c5. You can, for example, configure a trace that starts at the next reboot:
logman create trace autosession\PassFiltEx -o %SystemRoot%\Debug\PassFiltEx.etl -p "{07d83223-7594-4852-babc-784803fdf6c5}" 0xFFFFFFFF -ets

Tracing starts after the next system reboot. To stop it:
logman stop PassFiltEx -ets && logman delete autosession\PassFiltEx -ets
Both commands are in the scripts StartTracingAtBoot.cmd and StopTracingAtBoot.cmd.

For a one-off check of the filter, use StartTracing.cmd and StopTracing.cmd.
To read the debug output of this filter conveniently in Microsoft Message Analyzer, the following settings are recommended (shown in the screenshots of the original post). Note that Microsoft retired Message Analyzer in 2019; if you can no longer get it, tracerpt PassFiltEx.etl -o PassFiltEx.xml -of XML converts the trace to XML that you can read in any text editor.


After stopping the trace and parsing it in Microsoft Message Analyzer (screenshot in the original post), you can see that there was an attempt to set a password for the user, which is what the keyword SET in the debug output tells us, and that the password was rejected because it is present in the pattern file and matches more than 30% of the entered text.

On a successful password change the trace shows the corresponding entry (screenshot in the original post).

There is one inconvenience for the end user. When a new password hits the pattern file, the message on screen is no more intelligent or informative than the standard message shown when the password policy is not met.

So be prepared for calls and shouting: "I entered the password correctly, but it does not work."

Summary.

This library lets you block simple and standard passwords in an Active Directory domain. Say "No!" to passwords like "P@ssw0rd", "Qwerty123" and "ADm1n098".
Of course, users will love you even more for taking such care of their security and for making them come up with fierce passwords. And the number of calls and requests for help with passwords will probably grow. But security has its price.

Links to used resources:
Microsoft article on custom password filter libraries: Password Filters
PassFiltEx: PassFiltEx
Release: Latest Release
Password lists:
DanielMiessler lists: Link.
Wordlist from weakpass.com: Link.
Wordlist from the berzerk0 repo: Link.
Microsoft Message Analyzer: Microsoft Message Analyzer.

Source: habr.com
