{"id":648,"date":"2016-11-22T21:36:54","date_gmt":"2016-11-23T02:36:54","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=648"},"modified":"2020-04-29T22:49:54","modified_gmt":"2020-04-30T03:49:54","slug":"active-directory-custom-password-filtering","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=648","title":{"rendered":"Active Directory: Custom Password Filtering"},"content":{"rendered":"

At work, we’ve never used the “normal” way of changing Windows passwords. Historically, this is because computers were not members of the domain … so you\u00a0couldn’t<\/em> use Ctrl-Alt-Del to change your domain password. Now that computers are members of the domain, changing Active Directory passwords\u00a0using an external method creates a\u00a0lot<\/em> of account lockouts. The Windows workstation is logged in using the old credentials,\u00a0the password gets changed without it knowing (although you\u00a0can<\/em> use ctrl-alt-del, lock the workstation unlock with the new password and update the local workstation creds), and the workstation continues using the old credentials and locks the account.<\/p>\n

This is incredibly disruptive to business, and quite a burden on the help desk … so we are going to hook the AD-initiated password changes and feed them into the Identity Management platform. Except … the password policies don’t match. But AD doesn’t\u00a0know<\/em> the policy on the other end … so the AD password gets changed and then the new password fails to be committed into the IDM system. And then the user gets locked out of something\u00a0else<\/em> because they keep trying to use their new password (and it isn’t like a user knows which directory is the back-end authentication source for a web app to use password n in AD and n-1 in DSEE).<\/p>\n

A\u00a0long<\/em> time ago, back when I knew some military IT folks who were migrating to Windows 2000 and needed to implement Rainbow series compliant passwords in AD – which was\u00a0possible using a custom password filter. This meant a custom coded DLL that accepted or rejected the proposed password based on custom-coded rules. Never got into the code behind it – I just knew they would grab the DLL & how to register it on the domain controller.<\/p>\n

This functionality was\u00a0exactly<\/em> what we needed — and Microsoft still has a provision to use a custom password filter.<\/a>\u00a0Now all\u00a0we needed was, well, a custom password filter. The password rules prohibit the use of your user ID, your name, and a small set of words that are globally applied to all users.\u00a0Microsoft’s passfilt.dll<\/a> takes care of the first two —\u00a0although with subtle differences from the IDM system’s\u00a0rules.\u00a0So my requirement became a custom password filter that prohibits passwords containing case insensitive substrings\u00a0from a list of words.<\/p>\n

I based my project on\u00a0OpenPasswordFilter on GitHub<\/a> — the source code prohibits exact string matches. Close, but not quite \ud83d\ude42\u00a0I modified the program to check the proposed password for case insensitive substrings. I also changed the application binding to localhost from all IP address since there’s no need for the program to be accessed from outside the box. For troubleshooting purposes, I removed the requirement that the binary be run as a service and instead allowed it to be run from a\u00a0command prompt\u00a0or<\/em> as a service<\/a>. \u00a0I’m still adding some more robust error handling, but we’re ready to test! I’ve asked them to baseline changing passwords without the custom filter, using a custom filter that has the banned word list hard coded into the binary, and using a custom filter that sources its banned words list from a text file. Hopefully we’ll find there isn’t a significant increase in the time it takes a user to change their password.<\/p>\n

My updated code is available at\u00a0http:\/\/lisa.rushworth.us\/OpenPasswordFilter-Edited.zip<\/a><\/p>\n

 <\/p>\n\n\n

\n
\n \n \n \n \n \n \n \n \n \n \"\"\n <\/div>\n<\/form>\n\n\n","protected":false},"excerpt":{"rendered":"

At work, we’ve never used the “normal” way of changing Windows passwords. Historically, this is because computers were not members of the domain … so you\u00a0couldn’t use Ctrl-Alt-Del to change your domain password. Now that computers are members of the domain, changing Active Directory passwords\u00a0using an external method creates a\u00a0lot of account lockouts. The Windows …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33,30],"tags":[68,367,366,45,365,75,69],"class_list":["post-648","post","type-post","status-publish","format-standard","hentry","category-coding","category-system-administration","tag-active-directory","tag-active-directory-password-filter","tag-ad-password-filter","tag-coding","tag-custom-password-filter","tag-passfilt-dll","tag-security"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/648","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=648"}],"version-history":[{"count":5,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/648\/revisions"}],"predecessor-version":[{"id":6345,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/648\/revisions\/6345"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=648"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=648"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}