Thread: Password complexity - improvement

Password complexity - improvement
user name
2007-08-15 01:14:43
Is there a way to improve the password complexity requirements in
Windows 2000/2003 servers?

The default will enforce 3 of the following 4 properties - Uppercase,
smallercase, numbers, special-characters.

Is there a way to enforce all 4 properties? I do not want to install
third-party software.

I have read about customising passfilt.dll. Is that recommended? Does
MS provide a customised passfilt.dll for download and install?

Are there any support issues if I go for something like this?

RE: Password complexity - improvement
user name
2007-08-15 11:25:19

It is my understanding that your request to enforce all four properties
can only be enforced on the domain level. There is no way to have one
password complexity policy on the domain level and a second more
password complexity policy on a child OU.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of dubaisans dubai
Sent: Tuesday, August 14, 2007 11:15 PM
To: focus-ms@securityfocus.com
Subject: Password complexity - improvement




SV: Password complexity - improvement
user name
2007-08-15 12:55:16
 
Microsoft has source code available for creating your own version of
passfilt.dll. I will highly recommend doing this if you do not want to
purchase third-party software. Additionally you should implement the
various recommendations given by Microsoft and others concerning issues
like LM/NTLM hash storage, using LM/NTLM/NTLMv2 across the network, the
saving of cached logon credentials on servers and workstations etc.

Regards,
Per Thorsheim
CISA, CISM, CISSP-ISSAP

 

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of dubaisans dubai
Sent: 15 August 2007 08:15
To: focus-ms@securityfocus.com
Subject: Password complexity - improvement




RE: Password complexity - improvement
user name
2007-08-15 13:12:29
I'm pretty sure that the Windows 2000 or 2003 SDK includes the source
code for passfilt.dll, which will allow you to implement a more granular
policy tailored to your needs. You would simply need to edit and
recompile.

 

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of dubaisans dubai
Sent: Wednesday, August 15, 2007 1:15 AM
To: focus-ms@securityfocus.com
Subject: Password complexity - improvement



Re: Password complexity - improvement
user name
2007-08-15 13:39:18
On 2007-08-15 dubaisans dubai wrote:
> Is there a way to improve the password complexity requirements in
> Windows 2000/2003 servers
> 
> The default will enforce 3 of the following 4 properties - Uppercase,
> smallercase, numbers, special-characters.
> 
> Is there a way to enforce all 4 properties.

Enforcing passwords that MUST consist of uppercase letters, lowercase
letters, numbers AND special characters reduces the total number of
possible passwords, which in consequence has a negative impact on your
security.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

RE: Password complexity - improvement
user name
2007-08-15 15:44:42
Correct- GPO allows you to specify whether "passwords must meet
complexity requirements" or not. But the actual "complexity requirement"
itself is dictated by passfilt.dll, which lives on the DC that the user
authenticates against when a password is set or changed. If you don't
push out your custom passfilt.dll to all controllers, then the "default"
passfilt.dll will be used when users change or set passwords on those
controllers (the ones not customized). So, in that respect, it's not
actually at the "domain level," but rather, at the "controller level."

t

------------
veni, vidi, veni denuo







> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Bean, John (DSHS)
> Sent: Wednesday, August 15, 2007 9:25 AM
> To: dubaisans dubai; focus-ms@securityfocus.com
> Cc: Knowlton, Jay (DSHS/ISSD)
> Subject: RE: Password complexity - improvement
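The "edit and recompile" route mentioned for the SDK's passfilt.dll source, and Thor's point that the filter runs on whichever DC handles the change, as an added example that is neither the thread's code nor Microsoft's SDK sample: a portable C check requiring all four groups, plus the three exports LSA calls (PasswordFilter, InitializeChangeNotify, PasswordChangeNotify, declared in ntsecapi.h) compiled only on Windows. It assumes the built DLL is listed in the LSA "Notification Packages" registry value on every domain controller.

```c
#include <stddef.h>   /* size_t, wchar_t */

/* Added example, not Microsoft's SDK sample. Returns 1 when pw (len
 * characters, not NUL-terminated) has at least one uppercase letter,
 * one lowercase letter, one digit AND one special character. Only
 * ASCII is classified; any other character counts toward no group. */
int has_all_four_classes(const wchar_t *pw, size_t len)
{
    int upper = 0, lower = 0, digit = 0, special = 0;
    for (size_t i = 0; i < len; i++) {
        wchar_t c = pw[i];
        if (c >= L'A' && c <= L'Z')      upper = 1;
        else if (c >= L'a' && c <= L'z') lower = 1;
        else if (c >= L'0' && c <= L'9') digit = 1;
        else if (c >= L'!' && c <= L'~') special = 1; /* other printable ASCII */
        else if (c == L' ')              special = 1;
    }
    return upper && lower && digit && special;
}

#ifdef _WIN32
/* The exports LSA calls on a DC for each password set or change.
 * Registration via the LSA "Notification Packages" value is assumed;
 * the DLL must be installed on every DC, otherwise the default
 * filter applies on the controllers that were missed. */
#include <windows.h>
#include <ntsecapi.h>

BOOLEAN __stdcall InitializeChangeNotify(void) { return TRUE; }

BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName,
                                 PUNICODE_STRING FullName,
                                 PUNICODE_STRING Password,
                                 BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)SetOperation;
    /* Password->Length is in bytes. Never log or keep the clear-text value. */
    size_t n = Password->Length / sizeof(WCHAR);
    return has_all_four_classes(Password->Buffer, n) ? TRUE : FALSE;
}

NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName,
                                        ULONG RelativeId,
                                        PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0; /* STATUS_SUCCESS */
}
#endif
```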


RE: Password complexity - improvement
user name
2007-08-15 17:53:41
How?

26*26*10*(however many special characters you want to allow) > 26*26*10


-----Original Message-----
From: listbounce@securityfocus.com on behalf of Ansgar -59cobalt- Wiechers
Sent: Wed 8/15/2007 2:39 PM
To: focus-ms@securityfocus.com
Subject: Re: Password complexity - improvement





Re: Password complexity - improvement
user name
2007-08-16 10:39:55
On 2007-08-15 Adrian Marsden wrote:
> On Wed 8/15/2007 2:39 PM Ansgar -59cobalt- Wiechers wrote:
>> On 2007-08-15 dubaisans dubai wrote:
>>> Is there a way to improve the password complexity requirements in
>>> Windows 2000/2003 servers
>>> 
>>> The default will enforce 3 of the following 4 properties -
>>> Uppercase, smallercase, numbers, special-characters.
>>> 
>>> Is there a way to enforce all 4 properties.
>> 
>> Enforcing passwords that MUST consist of uppercase letters, lowercase
>> letters, numbers AND special characters reduces the total number of
>> possible passwords, which in consequence has a negative impact on
>> your security.
> 
> How?
> 
> 26*26*10*(however many special characters you want to allow) > 26*26*10

That's true, but your basic assumption is wrong. I'm not talking about
passwords consisting of uppercase/lowercase letters, digits and special
characters compared to passwords consisting of uppercase/lowercase
letters and digits only. I'm talking about passwords that MUST consist
of uppercase/lowercase letters, digits AND special characters compared
to passwords that may consist of ANY combination of those characters
(even combinations that don't consist of characters from ALL groups).

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html

Re: Password complexity - improvement
user name
2007-08-16 10:30:33
On 2007-08-15 Thor (Hammer of God) wrote:
> On Wednesday, August 15, 2007 11:39 AM Ansgar -59cobalt- Wiechers wrote:
>> On 2007-08-15 dubaisans dubai wrote:
>>> Is there a way to improve the password complexity requirements in
>>> Windows 2000/2003 servers
>>>
>>> The default will enforce 3 of the following 4 properties -
>>> Uppercase, smallercase, numbers, special-characters.
>>>
>>> Is there a way to enforce all 4 properties.
>> 
>> Enforcing passwords that MUST consist of uppercase letters, lowercase
>> letters, numbers AND special characters reduces the total number of
>> possible passwords, which in consequence has a negative impact on
>> your security.
> 
> er?  Care to share? ;)

Assume we have four groups of characters:

  u = 26    (uppercase letters)
  l = 26    (lowercase letters)
  d = 10    (digits)
  s = k     (special characters)

Further assume we have a fixed-length password of n characters (for
simplicity). The total number of passwords in this scenario amounts to:

  n^(u+l+d+s)

However, if you enforce that the password MUST consist of characters
from each group, you effectively exclude certain passwords from this
total amount:

  n^u       (passwords consisting of u characters only)
  n^l       (passwords consisting of l characters only)
  n^d       (passwords consisting of d characters only)
  n^s       (passwords consisting of s characters only)
  n^(u+l)   (passwords consisting of u and l characters only)
  n^(u+d)   (passwords consisting of u and d characters only)
  n^(u+s)   (passwords consisting of u and s characters only)
  n^(l+d)   (passwords consisting of l and d characters only)
  n^(l+s)   (passwords consisting of l and s characters only)
  n^(d+s)   (passwords consisting of d and s characters only)
  n^(u+l+d) (passwords consisting of u, l and d characters only)
  n^(u+l+s) (passwords consisting of u, l and s characters only)
  n^(l+d+s) (passwords consisting of l, d and s characters only)

Thus the total amount of passwords in a scenario where the password must
consist of characters from each group would be reduced to:

  n^(u+l+d+s) - n^u - n^l - n^d - n^s - n^(u+l) - n^(u+d) - n^(u+s)
    - n^(l+d) - n^(l+s) - n^(d+s) - n^(u+l+d) - n^(u+l+s) - n^(l+d+s)

I suppose you'll agree that this *is* a significant decrease in the
number of potential passwords, which an attacker may use to his own
advantage, e.g. when bruteforcing passwords.

How serious the impact turns out to be is another story, but that
doesn't make it go away.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
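The keyspace reduction argued above, carried through with the thread's symbols as an added example (not from the thread): with group sizes u, l, d, s and a fixed length n, the unrestricted total is (u+l+d+s)^n, and the number of strings that use every group follows by inclusion-exclusion over the groups left out, so overlapping "only" sets are not subtracted twice. The sample sizes (s = 32 specials, n = 8) are assumed values.

```c
#include <stdint.h>

/* Added example, not from the thread. Group sizes follow the post
 * above: u, l, d, s; n is the fixed password length. Results fit in
 * int64_t while (u+l+d+s)^n < 2^63, e.g. 94 characters and n <= 9. */
static int64_t ipow(int64_t base, int n)
{
    int64_t r = 1;
    while (n-- > 0) r *= base;
    return r;
}

/* Unrestricted keyspace: every position may hold any of the characters. */
int64_t unrestricted_count(int u, int l, int d, int s, int n)
{
    return ipow((int64_t)u + l + d + s, n);
}

/* Passwords that MUST contain at least one character from each group.
 * Inclusion-exclusion: for every subset of groups left out, add or
 * subtract the strings drawn only from the remaining groups, with the
 * sign set by how many groups were left out. */
int64_t all_groups_count(int u, int l, int d, int s, int n)
{
    const int size[4] = {u, l, d, s};
    int64_t total = 0;
    for (int allowed = 0; allowed < 16; allowed++) { /* bitmask of kept groups */
        int64_t alphabet = 0;
        int left_out = 0;
        for (int g = 0; g < 4; g++) {
            if (allowed & (1 << g)) alphabet += size[g];
            else left_out++;
        }
        int64_t term = ipow(alphabet, n);
        total += (left_out % 2 == 0) ? term : -term;
    }
    return total;
}

/* Share of the unrestricted keyspace that survives the must-have-all rule. */
double surviving_fraction(int u, int l, int d, int s, int n)
{
    return (double)all_groups_count(u, l, d, s, n)
         / (double)unrestricted_count(u, l, d, s, n);
}
```

Calling surviving_fraction(26, 26, 10, 32, 8) gives the share of 8-character passwords an attacker can skip outright when the must-have-all rule is published policy.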

RE: Password complexity - improvement
user name
2007-08-16 12:16:04
I know we've wandered a little off topic here, but to expand on Thor HoG's
point:

If you apply a password policy GPO to the domain, it will apply only to
accounts authenticated on the domain.

If you apply a password policy GPO to an OU (that contains machine
accounts), it will apply only to local user accounts created on the
machines in that, and subordinate, OUs.

It has always been said that if you want different password policies for
different users you need to put them in different domains, either in the
same, or different, forests. I believe (but can't test it at the moment)
that this annoyance has been addressed in Windows 2008 such that password
policies can be applied per OU that will only affect the user accounts in
those OUs.

Cheers

James

James D. Stallard, MIoD
Infrastructure Technical Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard





 

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Thor (Hammer of God)
Sent: 15 August 2007 21:45
To: Bean, John (DSHS); dubaisans dubai; focus-ms@securityfocus.com
Cc: Knowlton, Jay (DSHS/ISSD)
Subject: RE: Password complexity - improvement




