
How to disable standard passwords and make everyone hate you

As everyone knows, people are lazy creatures, and even more so when it comes to choosing a strong password.



I think every administrator has at some point run into the problem of weak and standard passwords. The phenomenon is especially common in the upper echelons of company management: precisely the people who have access to confidential or commercial information, and for whom cleaning up after a leaked or cracked password and the incidents that follow would be highly undesirable.



In my practice, there was a case when, in an Active Directory domain with a password policy enabled, the accountants worked out on their own that a password like "Pas$w0rd1234" perfectly fits the requirements of the policy. The consequence was the widespread use of this password anywhere and everywhere. Sometimes it differed only in the set of digits.



I really wanted to be able not only to enable the password policy and define the character set, but also to filter passwords against a dictionary, to rule out the use of passwords like that.


Microsoft kindly informs us (see the link at the end) that anyone who knows how to hold a compiler and an IDE, and can pronounce C++ correctly, is able to compile a password filter library and use it as they see fit. Your humble servant is not up to that, so I had to look for a ready-made solution.



After a long hour of searching, two solutions to the problem turned up. I am talking, of course, about open-source solutions; paid options exist in abundance.



Option 1. OpenPasswordFilter



No commits for about two years. The bundled installer works only intermittently, so you have to finish the job by hand. It creates its own separate service. When the password file is updated, the DLL does not pick up the changed contents automatically: you have to stop the service, wait for the timeout, edit the file and start the service again.



Not great!



Option 2. PassFiltEx



The project is alive and actively maintained; you do not have to try to revive a corpse.



Installing the filter consists of copying two files and creating several registry entries. The password file is not locked, so it can be edited in place; by the project author's design it is simply re-read once a minute. Additional registry entries let you tune both the filter itself and even some nuances of the password policy.



So.

Given: Active Directory domain test.local

Windows 8.1 test workstation (not relevant to the task)

PassFiltEx password filter





You can also add the following registry entries, which give you more flexibility in using the filter:



Key: HKLM\SOFTWARE\PassFiltEx (created automatically).
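The installation described above (copy two files, create a few registry entries, reboot) scripted in PowerShell, as an added example that is not part of the original article or of the PassFiltEx project. Assumptions: the release archive is unpacked to C:\Temp\PassFiltEx, the two files are named PassFiltEx.dll and PassFiltExBlacklist.txt, and the two tuning value names under HKLM\SOFTWARE\PassFiltEx (BlacklistFileName, TokenPercentageOfPassword) are taken from the project's README, so check them against the release you deploy. The "Notification Packages" registration is the standard LSA mechanism from Microsoft's Password Filters article linked at the end.

```powershell
# Added example, not code from the article or from PassFiltEx.
# Run in an elevated PowerShell on every writable domain controller.
# Assumed: release unpacked to C:\Temp\PassFiltEx; the file names and the two
# value names under HKLM\SOFTWARE\PassFiltEx come from the project README.

$Src      = 'C:\Temp\PassFiltEx'
$System32 = Join-Path $env:SystemRoot 'System32'
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$FiltKey  = 'HKLM:\SOFTWARE\PassFiltEx'

# 1. The two files: the filter DLL and the template (blacklist) file, both in System32.
foreach ($f in 'PassFiltEx.dll', 'PassFiltExBlacklist.txt') {
    Copy-Item -Path (Join-Path $Src $f) -Destination $System32 -Force
}

# 2. Register the filter with LSA. "Notification Packages" is a REG_MULTI_SZ that
#    already holds entries on a DC (e.g. scecli): append the DLL base name, never overwrite.
$packages = @((Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages')
if ($packages -notcontains 'PassFiltEx') {
    Set-ItemProperty -Path $LsaKey -Name 'Notification Packages' -Value ($packages + 'PassFiltEx') -Type MultiString
}

# 3. Tuning values (assumed names). The article rejects a password when a blacklisted
#    token covers more than 30% of it, so the threshold is set to 30 here.
if (-not (Test-Path $FiltKey)) { New-Item -Path $FiltKey | Out-Null }
Set-ItemProperty -Path $FiltKey -Name 'BlacklistFileName'         -Value 'PassFiltExBlacklist.txt' -Type String
Set-ItemProperty -Path $FiltKey -Name 'TokenPercentageOfPassword' -Value 30                        -Type DWord

# 4. Sanity check before the reboot: files in place and the package registered.
$ok = (Test-Path (Join-Path $System32 'PassFiltEx.dll')) -and
      (Test-Path (Join-Path $System32 'PassFiltExBlacklist.txt')) -and
      ((Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages' -contains 'PassFiltEx')
"Ready for reboot: $ok"

# 5. LSA loads notification packages only at startup, so the filter (and the ETW
#    autosession described further down) become active after the next reboot.
# Restart-Computer
```

Appending to "Notification Packages" rather than overwriting it matters: the value already carries other packages on a domain controller, and dropping them silently changes how LSA handles password changes. Repeat the script on every DC that can accept a password change, since a filter that is missing on one DC simply does not apply there.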





A few rules for creating the template (blacklist) file:





For debugging, the archive includes batch files that create a trace log, which you can then parse with, for example, Microsoft Message Analyzer.



This password filter uses Event Tracing for Windows.



The ETW provider GUID for this password filter is 07d83223-7594-4852-babc-784803fdf6c5. For example, you can configure tracing to start at the next boot like this:



logman create trace autosession\PassFiltEx -o %SystemRoot%\Debug\PassFiltEx.etl -p "{07d83223-7594-4852-babc-784803fdf6c5}" 0xFFFFFFFF -ets 


Tracing will start after the next system reboot. To stop it and remove the autosession:

logman stop PassFiltEx -ets && logman delete autosession\PassFiltEx -ets

All these commands are listed in the StartTracingAtBoot.cmd and StopTracingAtBoot.cmd scripts.



For a one-off test of the filter, you can use StartTracing.cmd and StopTracing.cmd instead.



To read this filter's debug output comfortably in Microsoft Message Analyzer, the following settings are recommended:











When you stop the log and parse it in Microsoft Message Analyzer, it looks like this:







Here you can see that there was an attempt to set a password for the user (the magic word SET in the debug output tells us so), and that the password was rejected because a token from the template file was found in it and that token made up more than 30% of the entered text.
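The rejection rule the trace shows (a token from the template file is present in the password and covers more than 30% of it) is easy to check outside LSA, which helps when a user calls to say that the password "as it should be" was refused. Below is an added PowerShell example, not from the article or from PassFiltEx, that re-implements that rule as I read it from the trace description. The blacklist is a constructed sample, and how PassFiltEx itself tokenizes and compares is not shown on this page, so treat this as an approximation of the filter's behaviour, not its code.

```powershell
# Added example, not from the article or the PassFiltEx project. Re-implements the
# rule described for the trace output: case-insensitive substring match against the
# template file, rejected when the matched token covers more than a given percentage
# (30% in the article) of the password. PassFiltEx's own matching is not shown here.

function Test-BlacklistedPassword {
    param(
        [Parameter(Mandatory)] [string]   $Password,
        [Parameter(Mandatory)] [string[]] $Blacklist,
        [int] $TokenPercentage = 30
    )
    $lower = $Password.ToLowerInvariant()
    foreach ($line in $Blacklist) {
        $token = $line.Trim().ToLowerInvariant()
        if ($token.Length -eq 0) { continue }              # skip blank lines in the file
        if ($lower.Contains($token)) {
            $share = [math]::Round(100 * $token.Length / $Password.Length)
            if ($share -gt $TokenPercentage) {
                return [pscustomobject]@{ Password = $Password; Rejected = $true;  Token = $token; Share = $share }
            }
        }
    }
    [pscustomobject]@{ Password = $Password; Rejected = $false; Token = $null; Share = 0 }
}

# Constructed sample; in production read the real file instead:
#   $blacklist = Get-Content "$env:SystemRoot\System32\PassFiltExBlacklist.txt"
$blacklist = @('password', 'p@ssw0rd', 'pas$w0rd', 'qwerty', 'admin', 'adm1n', '')

@(
    'Pas$w0rd1234'                 # the accountants' favourite: "pas$w0rd" is 8 of 12 chars = 67% -> rejected
    'Qwerty123'                    # "qwerty" is 6 of 9 chars = 67%                                -> rejected
    'ADm1n098'                     # "adm1n" is 5 of 8 chars = 62%                                 -> rejected
    'correct-horse-admin-staple'   # "admin" is only 5 of 26 chars = 19%, under the threshold      -> passes
) | ForEach-Object { Test-BlacklistedPassword -Password $_ -Blacklist $blacklist } |
    Format-Table Password, Rejected, Token, Share -AutoSize
```

The last sample is the point of the percentage setting: a long passphrase that happens to contain a short blacklisted word is not rejected, whereas a short password built around that word is. A helpdesk operator can run this against the production template file to explain a rejection without enabling ETW tracing on a domain controller.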



On a successful password change we see the following:







There is one inconvenience for the end user. When they try to set a password that hits the template file, the message on screen is no more intelligent or witty than the standard message for failing the password policy.







So be prepared for calls and shouting: "I entered the password the way it's supposed to be, but it doesn't work."



Summary



This library lets you prohibit the use of simple or standard passwords in an Active Directory domain. Say "No!" to passwords of the form "P@ssw0rd", "Qwerty123", "ADm1n098".

Yes, of course, users will love you even more for caring about their security this way and making them invent ferocious passwords. And you may well add to the number of calls and requests for help with passwords. But security has its price.



Links to the resources used:

Microsoft's article on custom password filter libraries: Password Filters

PassFiltEx: PassFiltEx

Release: Latest Release

Password lists:

DanielMiessler lists: Link.

Wordlist from weakpass.com: Link.

Wordlist from the berzerk0 repo: Link.

Microsoft Message Analyzer: Microsoft Message Analyzer.

Source: https://habr.com/ru/post/446336/


