How to ban standard passwords and make everyone hate you
- Tutorial
Man, as you know, is a lazy creature. And even more so when it comes to choosing a strong password.
I think that each of the administrators has ever encountered the problem of using light and standard passwords. This phenomenon is often found among the upper echelons of company management. Yes, yes, it is among those who have access to classified or commercial information and it would be extremely undesirable to eliminate the consequences of password leakage / hacking and further incidents.
In my practice I was a case where in the Active Directory domain password policies enabledpeopleaccountants independently came to the idea that a password of the form “Pas $ w0rd1234” perfectly rolls to the requirements of the policy. The consequence was the widespread use of this password everywhere. He sometimes differed only in a set of numbers.
I really wanted to be able to not only include a password policy and define a character set, but also filter by dictionary. To exclude the possibility of using this kind of password.
Microsoft kindly informs us by reference that anyone who knows how to hold the compiler correctly, the IDE and knows how to pronounce C ++, is able to compile and use the library they need on their own. Your humble servant is not capable of this, so I had to look for a ready-made solution.
After alonghours of searching, two options for solving the problem were revealed. Of course, I'm talking about the OpenSource solution. After all, paid options - from and to.
Option number 1. OpenPasswordFilter No
commits as early as year 2. The native installer works every other time, you have to fix it by hand. Creates its own separate service. When updating the password file, the DLL does not automatically pick up the changed contents, you need to stop the service, wait for a timeout, edit the file, start the service.
Do not ice!
Option number 2. PassFiltEx
The project is active, alive and does not even need to kick a cold body.
Installing a filter involves copying two files and creating multiple registry entries. The password file is not in lock, that is, it is editable and, according to the idea of the author of the project, it is simply read out once a minute. Also, with the help of additional registry entries, you can additionally configure both the filter itself and even the nuances of the password policy.
So.
Given: Active Directory domain test.local
test workstation Windows 8.1 (for the condition of the task is not significant)
PassFiltEx password filter
You can also add the following registry entries, which gives great flexibility in using this filter:
Section: HKLM \ SOFTWARE \ PassFiltEx - is created automatically.
A number of rules when compiling a template file:
For debug, there are batch files in the archive that allow you to create a log and then parse it using, for example, Microsoft Message Analyzer.
This password filter uses Event Tracing for Windows.
The ETW provider for this password filter is 07d83223-7594-4852-babc-784803fdf6c5 . So, for example, you can configure event tracking after the next reboot:
Tracing will start after the next system reboot. To stop:
All these commands are indicated in the StartTracingAtBoot.cmd and StopTracingAtBoot.cmd scripts .
For a one-time check of the filter, you can use StartTracing.cmd and StopTracing.cmd .
In order to conveniently read the debug exhaust of this filter in Microsoft Message Analyzer, it is recommended to use the following settings:
When stopping the log and parsing in Microsoft Message Analyzer everything looks something like this:
Here you can see that there was an attempt to set a password for the user - this tells us magic word SETin debug. And the password was rejected due to its presence in the template file and more than 30% match in the entered text.
With a successful attempt to change the password, we see the following:
There is some inconvenience for the end user. When you try to change the password that falls into the template file list, the message on the screen does not differ inintelligence and acumen from the standard message when the password policy is not passed.
Therefore, be prepared for calls and screams: "I entered the password as it should, but it does not work."
This library allows you to prohibit the use of simple or standard passwords in the Active Directory domain. Say “No!” To passwords of the form: “P @ ssw0rd”, “Qwerty123”, “ADm1n098”.
Yes, of course, users will love you even more for such a concern for their security and the need to come up with furious passwords. And, perhaps, the number of calls and requests for help with the password you will add. But security comes at a price.
Links to resources used:
Microsoft article on custom password filter library: Password Filters
PassFiltEx: PassFiltEx Release
link: Latest Release
Password
lists: DanielMiessler lists: Link.
Wordlist from weakpass.com:Link
Wordlist from berzerk0 repo: Link.
Microsoft Message Analyzer: Microsoft Message Analyzer.
I think that each of the administrators has ever encountered the problem of using light and standard passwords. This phenomenon is often found among the upper echelons of company management. Yes, yes, it is among those who have access to classified or commercial information and it would be extremely undesirable to eliminate the consequences of password leakage / hacking and further incidents.
In my practice I was a case where in the Active Directory domain password policies enabled
I really wanted to be able to not only include a password policy and define a character set, but also filter by dictionary. To exclude the possibility of using this kind of password.
Microsoft kindly informs us by reference that anyone who knows how to hold the compiler correctly, the IDE and knows how to pronounce C ++, is able to compile and use the library they need on their own. Your humble servant is not capable of this, so I had to look for a ready-made solution.
After a
Option number 1. OpenPasswordFilter No
commits as early as year 2. The native installer works every other time, you have to fix it by hand. Creates its own separate service. When updating the password file, the DLL does not automatically pick up the changed contents, you need to stop the service, wait for a timeout, edit the file, start the service.
Do not ice!
Option number 2. PassFiltEx
The project is active, alive and does not even need to kick a cold body.
Installing a filter involves copying two files and creating multiple registry entries. The password file is not in lock, that is, it is editable and, according to the idea of the author of the project, it is simply read out once a minute. Also, with the help of additional registry entries, you can additionally configure both the filter itself and even the nuances of the password policy.
So.
Given: Active Directory domain test.local
test workstation Windows 8.1 (for the condition of the task is not significant)
PassFiltEx password filter
- Download the latest PassFiltEx release from the link
- Copy PassFiltEx.dll to C: \ Windows \ System32 (or % SystemRoot% \ System32 ).
Copy PassFiltExBlacklist.txt to C: \ Windows \ System32 (or % SystemRoot% \ System32 ). If necessary, complement it with our templates.
- We edit the registry branch: HKLM \ SYSTEM \ CurrentControlSet \ Control \ Lsa => Notification Packages
Add PassFiltEx to the end of the list. (No extension is required.) The complete list of packages used for verification will look like this " rassfm scecli PassFiltEx ".
- We reboot the domain controller.
- We repeat the above procedure for all domain controllers.
You can also add the following registry entries, which gives great flexibility in using this filter:
Section: HKLM \ SOFTWARE \ PassFiltEx - is created automatically.
- HKLM \ SOFTWARE \ PassFiltEx \ BlacklistFileName , REG_SZ, Default: PassFiltExBlacklist.txt
BlacklistFileName - allows you to specify a custom path to the file with password templates. If this registry entry is empty or does not exist, then the default path is used, namely % SystemRoot% \ System32 . You can even specify the network path, BUT you need to remember that the template file must have clear permissions to read, write, delete, change. - HKLM \ SOFTWARE \ PassFiltEx \ TokenPercentageOfPassword , REG_DWORD, Default: 60
TokenPercentageOfPassword - allows you to specify the percentage occurrence of the mask in the new password. The default value is 60%. For example, if a percentage occurrence of 60 is specified and the starwars line is in the template file, then the password is Starwars1! will be rejected, while the password starwars1! DarthVader88 will be accepted, since the percentage of occurrences of the line in the password is less than 60% - HKLM \ SOFTWARE \ PassFiltEx \ RequireCharClasses , REG_DWORD, Default: 0
RequireCharClasses - allows you to expand the password requirements compared to the standard ActiveDirectory password complexity requirements. Built-in complexity requirements require 3 out of 5 possible different kinds of characters: Upper case, Lower case, Digit, Special and Unicode. Using this registry entry, you can set your password complexity requirements. The value that can be specified is a set of bits, each of which is a corresponding power of two.
That is - 1 = lower case, 2 = upper case, 4 = digit, 8 = special character, and 16 = Unicode character.
Thus, with a value of 7, the requirements are “Upper case AND lower case ANDdigit ”, and with a value of 31 -“ Upper case AND lower case AND digit AND special character AND character Unicode character ”.
You can even combine - 19 = “Upper case AND lower case AND Unicode character”. 
A number of rules when compiling a template file:
- Patterns are case insensitive. Therefore, the entry in the starwars and StarWarS file will be determined as the same value.
- The blacklist file is re-read every 60 seconds, so you can easily edit it, after a minute the new data will already be used by the filter.
- There is currently no Unicode support for pattern validation. That is, you can use Unicode characters in passwords, but the filter will not work. This is not critical, because I have not seen users who use Unicode passwords.
- It is advisable not to allow blank lines in the template file. In the debug, an error is then visible when the data from the file is loaded. The filter works, but why the extra ones?
For debug, there are batch files in the archive that allow you to create a log and then parse it using, for example, Microsoft Message Analyzer.
This password filter uses Event Tracing for Windows.
The ETW provider for this password filter is 07d83223-7594-4852-babc-784803fdf6c5 . So, for example, you can configure event tracking after the next reboot:
logman create trace autosession\PassFiltEx -o %SystemRoot%\Debug\PassFiltEx.etl -p "{07d83223-7594-4852-babc-784803fdf6c5}" 0xFFFFFFFF -etsTracing will start after the next system reboot. To stop:
logman stop PassFiltEx -ets && logman delete autosession\PassFiltEx -etsAll these commands are indicated in the StartTracingAtBoot.cmd and StopTracingAtBoot.cmd scripts .
For a one-time check of the filter, you can use StartTracing.cmd and StopTracing.cmd .
In order to conveniently read the debug exhaust of this filter in Microsoft Message Analyzer, it is recommended to use the following settings:
When stopping the log and parsing in Microsoft Message Analyzer everything looks something like this:
Here you can see that there was an attempt to set a password for the user - this tells us magic word SETin debug. And the password was rejected due to its presence in the template file and more than 30% match in the entered text.
With a successful attempt to change the password, we see the following:
There is some inconvenience for the end user. When you try to change the password that falls into the template file list, the message on the screen does not differ in
Therefore, be prepared for calls and screams: "I entered the password as it should, but it does not work."
Total
This library allows you to prohibit the use of simple or standard passwords in the Active Directory domain. Say “No!” To passwords of the form: “P @ ssw0rd”, “Qwerty123”, “ADm1n098”.
Yes, of course, users will love you even more for such a concern for their security and the need to come up with furious passwords. And, perhaps, the number of calls and requests for help with the password you will add. But security comes at a price.
Links to resources used:
Microsoft article on custom password filter library: Password Filters
PassFiltEx: PassFiltEx Release
link: Latest Release
Password
lists: DanielMiessler lists: Link.
Wordlist from weakpass.com:Link
Wordlist from berzerk0 repo: Link.
Microsoft Message Analyzer: Microsoft Message Analyzer.