Browse DevX
Sign up for e-mail newsletters from DevX


Enforce Custom Password Policies in Windows : Page 4

Most people take the easy way out and use the default filter in order to validate passwords. But did you know you can employ authentication modules to customize your password policies to reflect your organization's unique security requirements? Find out how in this article.




Building the Right Environment to Support AI, Machine Learning and Deep Learning

Installing the Password Filter
Figure 3. Editing "Notification Packages": Add the PasswordFilterRegEx string.
Note: In order to filter passwords for domain users, you should use the "Domain Security Policy" console on domain controller machine and install there your password filter. In this example, the entire configuration is done on the local machine. Hence, Password Filter will validate passwords for my local machine accounts. Follow this procedure to activate your fresh Password Filter (the same procedure is applicable for the domain controller):
  • Enable the "Password must meet complexity requirements" rule of the Password Policy.
  • Copy the Password Filter DLL to the %SystemRoot%\system32 folder on your machine.
  • Open the Registry Editor (regedit.exe) and locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  • Modify the "Notification Packages" multi-string value of the above key and add your Password Filter file name without the ".dll" extension. Add the PasswordFilterRegEx string as shown in Figure 3.
  • Close Registry Editor and restart your machine.
Your Password Filter in Action
After you've installed Password Filter and restarted your machine, you're ready for testing. The source code includes a simple regular expression for testing purposes. Find it in the RegEx value of the HKLM\Software\DevX\PasswordFilter key (the PasswordFilter.reg file is provided with the code for your convenience):


In other words, start with letters, have some digits in the middle and end up with letters again. This regular expression is not recommended as a strong Password Regular expression, but it is useful for assessing whether your Password Filter does its job.
Figure 4. Creating a New User: Select Expand Local Users and Groups, right-click on the Users node, and choose the New User menu item.
Remember that this filter stands after the default Windows filter in the chain. So, in order to have any effect, you'll need tougher requirements than the default. The Paris2003 password will validate against the default filter, but the test regular expression won't match it. To check this, create a new user. If you use Domain Controller, create a user with Active Directory. On the stand-alone Workstation machine, right-click on My Computer and choose the Manage item from the context menu. Select Expand Local Users and Groups, right-click on the Users node, and choose the New User menu item as shown in Figure 4.

Fill-in the new user's details and assign a password. Try a simple one (e.g.: Paris2003) and you will get an error message from LSA (Figure 5). Try a different, more complex password (e.g.: Paris2003A) and it will be accepted.

The Secret Is Out
While there are several commercial products that implement Password Filters, it isn't really all that difficult. Now, that you understand how they work, you can provide your own, customized solution.

Figure 5. Error!: This password doesn't meet the complexity requirements.

Yevgeny Menaker is an author, software engineer and Linux consultant. Yevgeny currently works for Vidius developing security product for content analysis and preventing leakage of sensitive information through electronic mail.
Thanks for your registration, follow us on our social networks to keep up-to-date