Installing the Password Filter
|Figure 3. Editing "Notification Packages": Add the PasswordFilterRegEx string.|
Note: In order to filter passwords for domain users, you should use the "Domain Security Policy" console on domain controller machine and install there your password filter. In this example, the entire configuration is done on the local machine. Hence, Password Filter will validate passwords for my local machine accounts.
Follow this procedure to activate your fresh Password Filter (the same procedure is applicable for the domain controller):
- Enable the "Password must meet complexity requirements" rule of the Password Policy.
- Copy the Password Filter DLL to the %SystemRoot%\system32 folder on your machine.
- Open the Registry Editor (regedit.exe) and locate the following registry key:
- Modify the "Notification Packages" multi-string value of the above key and add your Password Filter file name without the ".dll" extension. Add the PasswordFilterRegEx string as shown in Figure 3.
- Close Registry Editor and restart your machine.
Your Password Filter in Action
After you've installed Password Filter and restarted your machine, you're ready for testing. The source code includes a simple regular expression for testing purposes. Find it in the RegEx value of the HKLM\Software\DevX\PasswordFilter key (the PasswordFilter.reg file is provided with the code for your convenience):
In other words, the password must start with letters, have some digits in the middle and end with letters again. This regular expression is not recommended as a strong password regular expression, but it is useful for assessing whether your Password Filter does its job.
|Figure 4. Creating a New User: Select Expand Local Users and Groups, right-click on the Users node, and choose the New User menu item.|
Remember that this filter stands after the default Windows filter in the chain. So, in order to have any effect, you'll need tougher requirements than the default. The Paris2003 password will validate against the default filter, but the test regular expression won't match it. To check this, create a new user. If you use a Domain Controller, create a user with Active Directory. On a stand-alone Workstation machine, right-click on My Computer and choose the Manage item from the context menu. Expand Local Users and Groups, right-click on the Users node, and choose the New User menu item as shown in Figure 4.
Fill in the new user's details and assign a password. Try a simple one (e.g.: Paris2003) and you will get an error message from LSA (Figure 5). Try a different, more complex password (e.g.: Paris2003A) and it will be accepted.
The Secret Is Out
While there are several commercial products that implement Password Filters, writing one isn't really all that difficult. Now that you understand how they work, you can provide your own, customized solution.
|Figure 5. Error!: This password doesn't meet the complexity requirements.|