Password Filtering

Windows NT 4.0 Service Pack 3 includes a password filter (Passfilt.dll)
that lets system administrators enforce stronger passwords. The Service
Pack copies the filter to %SystemRoot%\SYSTEM32 when it is installed.
Install the filter on the primary domain controller for the domain, and
on every backup domain controller as well, so that the policy stays in
force if a backup domain controller is later promoted. The filter is
consulted only when a password is set or changed; passwords that already
exist are not re-checked against it.

To use the password filter, the following registry entry must exist.
If it does not exist, you must create it.

WARNING: Using the registry editor incorrectly can cause serious, 
system-wide problems that may require you to reinstall Windows NT.
Microsoft cannot guarantee that any problems resulting from the use 
of the registry editor can be solved. Use this tool at your own risk.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Value: Notification Packages
    Type:  REG_MULTI_SZ
    Data:  Passfilt.dll

If the Notification Packages value already exists (for example with an
entry for another product's notification DLL, such as FPNWCLNT), add
Passfilt.dll as an additional line rather than replacing the existing
entries; overwriting the value would silently disable the other DLL.

Notification Packages is the list of DLLs that the Local Security
Authority loads at startup and notifies of password changes and password
change requests. You can audit the loading of notification packages by
setting the audit policy in User Manager: start User Manager, click Audit
on the Policies menu, click Audit These Events in the Audit Policy dialog
box, and then enable Restart, Shutdown, and System by selecting the
Success and/or Failure check boxes. Check the security log after the next
reboot to confirm that Passfilt.dll was actually loaded; a filter that is
listed but fails to load enforces nothing.

Passfilt.dll implements the following password policy:

1. Passwords must be at least 6 characters long.
2. Passwords must contain characters from at least 3 of the following
   4 classes:

    Class                            Examples
    -----                            --------
    English upper case letters       A, B, C, ... Z
    English lower case letters       a, b, c, ... z
    Westernized Arabic numerals      0, 1, 2, ... 9
    Non-alphanumeric characters      . , ; : * & % !

3. Passwords may not contain your user name or any part of your full
   name.

Custom password filter DLLs can be written to implement different
password rules. A filter DLL exports three functions,
InitializeChangeNotify, PasswordFilter and PasswordChangeNotify;
PasswordFilter receives the account name, full name and proposed
password and returns TRUE to accept the password or FALSE to reject it.
Because these DLLs run inside the Local Security Authority and see the
new password in cleartext, install only filters you trust, and protect
the Notification Packages value and the DLL files themselves as carefully
as the SAM. For more information, see the Microsoft Knowledge Base
article Q151082, "Password Change Filtering & Notification in Windows
NT". You can access the Knowledge Base at http://www.microsoft.com/kb/.
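
As an added example (not from the Service Pack readme and not the code
of Passfilt.dll itself), the following portable C re-implements the three
rules above so they can be compiled and exercised away from a domain
controller. A real filter exports PasswordFilter and receives
UNICODE_STRING arguments; here plain C strings stand in for them. The way
the full name is split into parts (on spaces and punctuation, ignoring
parts shorter than three characters) is an assumption, since the readme
says only "any part of your full name".

```c
/* Added example: a portable stand-in for the policy Passfilt.dll enforces.
 * The real DLL exports InitializeChangeNotify, PasswordFilter and
 * PasswordChangeNotify (Q151082) and works on UNICODE_STRINGs; narrow C
 * strings are used here so the logic can be built and tested anywhere. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_LEN       6   /* rule 1 */
#define MIN_CLASSES   3   /* rule 2: 3 of the 4 character classes */
#define NAME_PART_MIN 3   /* assumption: full-name parts shorter than this are ignored */
#define NAME_DELIMS   " ,.-_#\t"   /* assumption: how a full name is split into parts */

/* Case-insensitive substring search: 1 if needle occurs anywhere in hay. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle), h = strlen(hay);
    if (n == 0 || n > h) return 0;
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[i + j]) ==
                        tolower((unsigned char)needle[j]))
            j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Rule 2: how many of the four classes (upper, lower, digit, other) appear. */
static int class_count(const char *pw)
{
    int upper = 0, lower = 0, digit = 0, other = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (c >= 'A' && c <= 'Z')      upper = 1;
        else if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= '0' && c <= '9') digit = 1;
        else                           other = 1;
    }
    return upper + lower + digit + other;
}

/* Rule 3: reject if the password contains the account name or any
 * sufficiently long part of the full name (comparison is case-insensitive). */
static int contains_name(const char *account, const char *fullname, const char *pw)
{
    if (account[0] != '\0' && contains_ci(pw, account)) return 1;
    char buf[256];
    strncpy(buf, fullname, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *part = strtok(buf, NAME_DELIMS); part; part = strtok(NULL, NAME_DELIMS))
        if (strlen(part) >= NAME_PART_MIN && contains_ci(pw, part)) return 1;
    return 0;
}

/* Stand-in for PasswordFilter(): 1 accepts the proposed password, 0 rejects it. */
int passfilt_check(const char *account, const char *fullname, const char *pw)
{
    if (strlen(pw) < MIN_LEN)                return 0;   /* rule 1 */
    if (class_count(pw) < MIN_CLASSES)       return 0;   /* rule 2 */
    if (contains_name(account, fullname, pw)) return 0;  /* rule 3 */
    return 1;
}

int main(void)
{
    /* Constructed test cases: account "jdoe", full name "John Doe". */
    struct { const char *acct, *full, *pw; } cases[] = {
        {"jdoe", "John Doe", "Tr0ub4dor&"},   /* accept: 4 classes, no name parts */
        {"jdoe", "John Doe", "passw0rd"},     /* reject: only lower + digit */
        {"jdoe", "John Doe", "Ab1!x"},        /* reject: 5 characters */
        {"jdoe", "John Doe", "JDoe#2024"},    /* reject: contains account name */
        {"jdoe", "John Doe", "x-John-9"},     /* reject: contains full-name part */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-12s -> %s\n", cases[i].pw,
               passfilt_check(cases[i].acct, cases[i].full, cases[i].pw) ? "accept" : "reject");
    return 0;
}
```

The class test deliberately treats every non-ASCII-alphanumeric byte as
"non-alphanumeric", which matches the readme's fourth class; a production
filter working on UNICODE_STRINGs would classify wide characters instead.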

Restricting Anonymous User Access

By default, Windows NT allows anonymous logon users (NULL session
connections) to list domain user names and enumerate share names. Some
customers who want enhanced security have requested the ability to
optionally restrict this functionality. Service Pack 3 provides a
mechanism for administrators to restrict the ability of anonymous logon
users to list account names and enumerate share names.

In addition, Service Pack 3 restricts anonymous logon users from
connecting to the registry remotely. After Service Pack 3 is installed,
anonymous users cannot connect to the registry and cannot read or write
any registry data. Service Pack 3 also creates a new built-in group,
Authenticated Users. The Authenticated Users group is similar to the
Everyone group, with one important difference: anonymous logon users
(NULL session connections) are never members of Authenticated Users.
Replacing Everyone with Authenticated Users in share and file permissions
therefore closes those resources to NULL sessions without affecting
users who have logged on.

The restriction on listing account and share names is controlled by the
RestrictAnonymous value (REG_DWORD) under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa; setting it to 1
enables the restriction. For more information on these new features,
including the details of configuring this value, go to the Microsoft
Knowledge Base at http://www.microsoft.com/kb/ and search for article
Q143474.

Using a System Key to Strongly Encrypt Password Information 

Service Pack 3 provides the capability to use strong encryption
techniques to increase protection of the account password information
that the Security Account Manager (SAM) stores in the registry.
Windows NT stores user account information, including a derivative
of the user account password, in a portion of the registry that is
protected by access control and by an obfuscation function. The
account information in the registry is accessible only to members of
the Administrators group. Windows NT, like other operating systems,
gives administrators access to all resources in the system. For
installations that require enhanced security, strong encryption of the
password derivatives adds a further layer of protection: it prevents
administrators from intentionally or unintentionally reading the
password derivatives through the registry programming interfaces, and it
protects them in offline copies of the SAM, such as backup tapes or the
repair directory.
The strong encryption capability in Service Pack 3 is an optional
feature. It protects private account information by encrypting the
password data with a 128-bit cryptographically random key, known as the
password encryption key, which is itself protected by a system key.
Administrators enable strong encryption by defining a system key for
Windows NT with the utility Syskey.exe. Note that once a system key has
been defined it cannot be removed, and if the system key is kept on a
floppy disk or derived from a startup password, losing that disk or
password leaves the system unable to start, so keep a secure copy of it.
For more information on using Syskey.exe to configure a system key, go
to the Microsoft Knowledge Base at http://www.microsoft.com/kb/ and
search for the following article: Q143475.
