Registry Tip #165: Password Notification Packages



Windows NT lets one install and register a custom-built password filter DLL. Microsoft provides PASSFILT.DLL, a password filter that enforces the following policies:

This PASSFILT functionality is built into Windows 2000 without having to add DLLs. Strong password enforcement can be enabled on Windows 2000 using the system administration tools. Password filtering is managed via password filter DLLs and the following registry entry, which NT consults each time a password is changed, conveying the new password to the listed DLLs (or, in PASSFILT's case, setting policy).

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name: Notification Packages
Type: REG_MULTI_SZ
Value: names of the DLLs to enable, without the .DLL suffix; the DLLs reside in the System32 directory

It is essential that this registry entry name only trusted DLLs that reside in the SYSTEM32 folder and are read-only to everyone other than administrators.

Arne Vidstrom has released an enhanced strong password filter DLL, Strongpass. Strongpass works like the standard passfilt.dll, but enforces some extra password policies. The passwords must be at least 7 characters long, and if they are exactly 7 characters these must be picked from the three groups a-z/A-Z, 0-9, and special characters (other than the alphanumeric). If the password is longer than 7 characters but shorter than 14, the same rule applies to the first 7 characters. If the password is exactly 14 characters, the rule applies to either the first 7 or the last 7 characters (any group matching the rule will do). This policy will make it harder for a cracking program like L0phtcrack to crack the LANMAN hashes generated from the passwords.
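
One way to check the requirement above that Notification Packages names only trusted, admin-writable-only DLLs in System32 is the following audit script, an added example that is not part of the original tip. The list of trusted SIDs and the use of a valid Authenticode signature as a stand-in for "trusted" are assumptions to adjust per site.

```powershell
# Added example: audit the LSA "Notification Packages" value (run elevated).
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$system32 = Join-Path $env:SystemRoot 'System32'

# Assumption: only these well-known SIDs may modify a password filter DLL.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Rights that allow altering or replacing a file, plus GENERIC_ALL / GENERIC_WRITE.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

$packages = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages')

$report = foreach ($name in $packages) {
    $problems = @()
    $path = $null
    if ($name -match '[\\/:]|\.dll$') {
        # The value should hold bare names: no path and no .DLL suffix.
        $problems += 'not a bare DLL name'
    } else {
        $path = Join-Path $system32 "$name.dll"
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $problems += 'DLL not found in System32'
        } else {
            # A non-Valid status means "review by hand", not proof of tampering.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') { $problems += "signature status: $($sig.Status)" }

            # Flag any Allow entry that grants write-type access to an untrusted SID.
            $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                $sid = $ace.IdentityReference.Value
                if ($ace.AccessControlType -eq 'Allow' -and
                    $trustedSids -notcontains $sid -and
                    ([int]$ace.FileSystemRights -band $writeMask)) {
                    $problems += "writable by $sid"
                }
            }
        }
    }
    [pscustomobject]@{
        Package  = $name
        Path     = $path
        Problems = if ($problems) { $problems -join '; ' } else { 'none' }
    }
}
$report | Format-List
```

Any entry that is not a filter deliberately installed on the machine deserves investigation even when the report shows no problems, since every listed DLL is handed the new password on each change.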

Related:

Q151082 : HOWTO: Password Change Filtering & Notification in Windows NT

Q161990 : How to Enable Strong Password Functionality in Windows NT


