Real-time feedback about the strength of new passwords.
nFront Password Filter allows configuration of up to 6 policies per domain.
GPO control allows you to configure in around 5 minutes!
The newest version of nFront Password Filter includes built-in reporting features for expired passwords.
Passwords. Everyone on your corporate network has one. How weak is the weakest password?
Having a good password policy that is enforced across all users is fundamental to good security practices. You are probably spending money on firewalls, anti-virus, encryption and data leakage products. However, if you are using the built-in Windows Password Policy you might as well burn the money you are spending for all the security software and devices.
nFront Password Filter is a password policy enforcement tool for Windows Active Directory that allows up to 6 different password policies in the same Windows domain. Each password policy has many granular settings and can be associated with one or more global or universal security groups. nFront Password Filter allows you to strengthen network security by preventing the use of weak, easily hacked passwords.
Passwords can be compromised in a number of ways. There are software tools to "guess" passwords. There are DLL injection tools that can retrieve the database of hashed passwords. Please note that hashed passwords are not the same as encrypted passwords. Encrypted passwords can be decrypted given the shared secret or private key. However, hashed passwords cannot be reverse engineered. So what is the danger of a thief getting the hashes? A lot! There are tools like Rainbow Crackers which can crack any password of 14 characters or fewer in a matter of minutes if you can provide the password hash. There are even websites like Plain Text Info that will use their computing power to crack the LanMan or MD5 hash for you.
Windows gives you the tools to control password length, history and expiration, but no good controls to enforce the use of reasonable passwords that are not easily hacked. Without nFront Password Filter it is highly likely that weak, easily cracked passwords are allowed on your network.
Consider the following standard Windows policy:
THE WINDOWS PASSWORD POLICY ABOVE DOES NOT PREVENT ANY OF THE FOLLOWING PASSWORDS
| aaaaaa | abcdef | 123456 |
| januarypw | februarypw | marchpw |
| myuserid | mydogsname | mywifesname |
To see a more exact comparison of settings see these links:
nFront Password Filter versus the Windows 2003 Password Policy
nFront Password Filter versus Windows 2008 Password Policies
nFront Password Filter is controlled using a single Group Policy Object configuration. After installation of the software on all domain controllers, simply create a new GPO, load one of our provided templates and configure your policies. It's that easy!
nFront Password Filter is controlled by a single GPO, not a bunch of confusing GPOs all over the place. You can associate any policy in the MPE version with one or more security groups or organizational units. Thus, you can easily use the same groups that you have created for resource security to control password security. No need to re-organize your OU structure to support your password policies. No need to run Resultant Set of Policy to see who gets what policy. No need to edit multiple GPOs all over the place or figure out the best policy precedence order such that one policy does not negate the other.
nFront Password Filter gives you granular control over your password policies. It can put min and max limits on specific types of characters, reject passwords that contain userids/usernames and even check a new password against a multi-language dictionary with over 2 million words in less than 1 second.
Windows 2008 does support multiple password policies in the same domain. However, the policy settings are the same basic policies that are in Windows 2000 and Windows 2003. The settings are not robust enough to prevent the use of weak and easily cracked passwords. The settings are also cumbersome to put in place.
nFront Password Filter MPE allows you to have up to 6 different password policies in the same Windows domain. Each policy can be associated with one or more global or universal security groups. You can have strong password policies for Domain Administrators and those with access to more privileged information (credit card data, tax information, etc.). You can also associate a weaker policy with other groups like "Mainframe Users."
Suppose you sync your Windows passwords with UNIX or AS/400 or other mainframe systems. You do not want a one-size-fits-all password policy that has to be dumbed down to the least common denominator. Systems like UNIX or mainframes often truncate passwords longer than 8 or 12 characters. Furthermore, such systems often do not accept certain special characters. With nFront Password Filter you can control the special characters which are accepted or block the use of any special characters.
Passphrases are simply long passwords like "The dog ate my newspaper." or "I love Chocolate!" Such phrases make great passwords because they are long and long passwords are generally always superior to shorter ones. However, such phrases usually contain dictionary words and can be rejected by dictionary filtering. With nFront Password Filter you can skip dictionary filters for passwords over a specified number of characters. So long passwords may contain dictionary words but short passwords may not.
nFront Password Filter is not some set of Java rules on a website that are easily bypassed. nFront Password Filter is integrated into the operating system and runs as a thread under the local security authority (the lsass.exe process). The policies you create cannot be bypassed with an alternative password change mechanism.
Writing a custom passfilt.dll is not a trivial process and is much more involved than a simple Win32 application. The custom password filter must interface to the Local Security Authority (the lsass.exe process) and runs as a thread of the LSA. You cannot afford a bad line of code or an overlooked exception. A bad line of code can quickly mean a BSOD (blue screen of death). A memory leak or failure to use exception handling and secure coding techniques can lead to a security vulnerability and possible exploitation. A passfilt.dll works on the password in Unicode clear text and care must be taken to properly destroy the memory used by such buffers.
We got started in 2001 writing custom password filters for many different organizations. After noticing many similarities among the requests we decided to write a "configurable customer password filter." So we were the first to introduce a password filter controlled by a group policy. In 2005, we were the first to release a 64-bit password filter.
You should contemplate the following questions if you are considering the development of a custom passfilt:
nFront Password Filter goes beyond giving you control over character types and includes a very fast dictionary check feature. In less than 1 second, nFront Password Filter can scan a 2 million word dictionary and ensure that the user's proposed new password is not contained in the dictionary file!
nFront Password Filter ships with a 27,000 word customizable, plain-text dictionary. The dictionary check feature looks for a case-insensitive exact match (instead of a substring match) between the proposed new password and each entry in the dictionary. The substring search feature can be enabled to look for the dictionary word anywhere within the password. You can customize the dictionary by editing the file in Notepad or any other text editor of your choice.
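The dictionary modes described here, the length-based exemption for passphrases, and the buffer wiping that a password filter needs can be sketched together as follows. This is an added example, not nFront's code: the function names, the four-word dictionary and the `skip_over` parameter are assumptions, and it uses portable `char` strings where a real passfilt.dll receives `UNICODE_STRING` values from the LSA.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample dictionary; a real filter would load its word file. */
static const char *const DICT[] = { "password", "dragon", "newspaper", "chocolate" };
#define DICT_LEN (sizeof DICT / sizeof DICT[0])
#define MAX_PW 128

/* Zero a buffer through a volatile pointer so the stores are not optimized
   away (the role SecureZeroMemory plays on Windows). */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Returns 1 to accept, 0 to reject.
   substring: 0 = reject only an exact dictionary match, 1 = reject if a
              dictionary word appears anywhere in the password.
   skip_over: passwords longer than this skip the dictionary (0 = never). */
int check_password(const char *pw, int substring, size_t skip_over) {
    char low[MAX_PW + 1];
    size_t n = strlen(pw), i;
    int ok = 1;

    if (n == 0 || n > MAX_PW) return 0;           /* fail closed */
    if (skip_over && n > skip_over) return 1;     /* passphrase exemption */

    for (i = 0; i < n; i++)                       /* case-insensitive compare */
        low[i] = (char)tolower((unsigned char)pw[i]);
    low[n] = '\0';

    for (i = 0; i < DICT_LEN && ok; i++) {
        int hit = substring ? strstr(low, DICT[i]) != NULL
                            : strcmp(low, DICT[i]) == 0;
        if (hit) ok = 0;
    }
    wipe(low, sizeof low);                        /* clear the cleartext copy */
    return ok;
}

int main(void) {
    /* Exact mode accepts "Password1"; substring mode rejects it. */
    printf("%d %d\n", check_password("Password1", 0, 0),
                      check_password("Password1", 1, 0));
    return 0;
}
```

Exact matching alone lets `Password1` through, which is why the substring mode matters for short passwords; with `skip_over` set to 15, the 17-character "I love Chocolate!" is accepted despite containing a dictionary word.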
nFront Password Filter comes with an optional client that you can deploy to end-user workstations. You can choose to include your own custom message to the end user or our default password rules or both. You can also display a password strength meter. All settings, of course, are controlled by GPO.
The client automatically works in multiple languages (like German, French, and Italian). It automatically reports the locale of the client workstation to the encrypted RPC service that supports the client. The service then formulates the password policy rules in the language appropriate to the language of the client operating system.
