PassFilt.dll and Windows Password Policies




Windows NT 4.0 provides a method for enforcing pseudo-complex passwords for its users. The PassFilt.dll tool, which appeared with Service Pack 2, enables administrators to establish some rudimentary rules for users’ passwords. Implementing password construction rules is usually a good security measure. After all, you can apply the latest security patches and impose the strictest of server configurations, but a poor password can lead to a compromise just as quickly as a buffer overflow.

Implementation

PassFilt.dll may already be present on an NT system, but it requires some registry modifications before it will function:

  1. Make sure PassFilt.dll is in the C:\WINNT\System32 directory (or wherever the %SYSTEMROOT% resides).

  2. Use the Registry Editor (regedt32.exe works better than regedit.exe, in this case) to open the location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.

  3. In the right pane, click the Notification Packages key to highlight it.

  4. Choose Edit | Multi String.

  5. If a data value already exists for FPNWCLNT, remove it unless Novell compatibility is required.

  6. Enter the value passfilt.

Note 

Remember that if you apply PassFilt.dll to the primary domain controller, you should also apply it to all backup controllers.

If all goes well, subsequent password changes by any user except Administrator will be subject to specific rules. The restrictions applied by PassFilt.dll are only a small step toward strong passwords. Windows checks each new password for compliance using the following rules:

  • Does not contain part of the user’s account name

  • Minimum of six characters

  • Contains characters from three of the following four categories:

    • English uppercase (A through Z)

    • English lowercase (a through z)

    • Digits (0 through 9)

    • Nonalphanumeric (punctuation, shift key combinations, and so on)

These rules cannot be modified. Technically, the dynamic-link library (DLL) can be replaced by a custom file written to Microsoft’s password application programming interface (API), but, as you shall see in the “L0phtCrack” section, NT’s encryption scheme cripples even “strong” passwords. Therefore, PassFilt.dll should not be considered a panacea. A user can still create an insecure password that could be easily guessed by a password cracker or brute-force script worth its salt. Consider these examples of poor passwords that satisfy the PassFilt.dll restrictions:

  • Passw0rd

  • Password!

  • p4ssw0rd!

  • Pa55werd

What seems to happen in reality (at least, from what we’ve seen from more than 10,000 cracked passwords) is that users like to substitute numbers for vowels (a is 4, e is 3, i is 1, o is 0) and append an exclamation point to their passwords to bypass these types of restrictions or create “good” passwords. A good password dictionary, which most password crackers possess, contains permutations of common words that contain letters and symbols. In the end, passwords that are based on sports teams, cities, expletives, and names are always going to be the weakest set of passwords because users tend to make passwords that are easy to remember. Consequently, you’ll want to focus lots of effort on protecting the password list and protecting the services (such as e-mail, Secure Shell, Windows NetBIOS) that rely on passwords.
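The four rules listed above and the substitution habit just described, as an added Python example that is not code from the book: it checks a candidate against PassFilt.dll-style rules, then undoes the common substitutions to show that three of the four "poor" passwords above still reduce to a dictionary word. Assumptions: the account-name rule is simplified to a case-insensitive substring match, the 5→s and @→a mappings beyond the book's four vowel swaps are added, and the tiny wordlist is constructed.

```python
import string

# Rules the text attributes to PassFilt.dll: minimum length six, characters
# from three of four classes, and no part of the account name.
MIN_LENGTH = 6


def passfilt_ok(password: str, account: str) -> bool:
    """Return True if `password` satisfies the PassFilt.dll-style rules.

    Assumption: the account-name rule is simplified to "the password must
    not contain the account name, case-insensitively".
    """
    if len(password) < MIN_LENGTH:
        return False
    if account and account.lower() in password.lower():
        return False
    alnum = string.ascii_letters + string.digits
    classes = [
        any(c in string.ascii_uppercase for c in password),   # English uppercase
        any(c in string.ascii_lowercase for c in password),   # English lowercase
        any(c in string.digits for c in password),            # digits
        any(c not in alnum for c in password),                # nonalphanumeric
    ]
    return sum(classes) >= 3


# Substitutions the text says users favour (a->4, e->3, i->1, o->0).
# The 5->s and @->a entries are an added assumption, not from the book.
LEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "@": "a"})


def normalize(password: str) -> str:
    """Undo number-for-vowel swaps and strip trailing punctuation or digits."""
    base = password.translate(LEET).lower()
    return base.rstrip(string.punctuation + string.digits)


# Constructed stand-in for a cracker's permutation dictionary.
WORDLIST = {"password", "yankees", "chicago", "secret"}


def weak_despite_passfilt(password: str, account: str) -> bool:
    """True when the password passes the complexity rules yet normalizes to a
    dictionary word, i.e. it is exactly the kind of 'good' password a cracker
    with a permutation wordlist will recover."""
    return passfilt_ok(password, account) and normalize(password) in WORDLIST
```

Pa55werd is the one of the four that survives this simple normalization, which is why the text's advice to protect the password list itself, rather than rely on construction rules, is the stronger control.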

Windows 2000 and Windows XP Local Security Policy

NT’s successors abstracted the PassFilt.dll setting from the registry and moved it into the graphical user interface (GUI). They do not introduce additional rules or methods of modifying current rules. To enable complex-password enforcement, access the Local Security Policy in Administrative Tools on the Control Panel. The Local Security Settings window is shown in Figure 8-1.

Figure 8-1: Increasing password complexity






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189