Adding Banned Passwords to Password Policy in AD

All replies

  • Hi Navs

    The support for password filtering by third-party tools would need to be provided by the third-party vendor.

    hth
    Marcin

    Thursday, March 23, 2017 1:09 PM
  • Hello Marcin,

    Is there a native way to implement this within the Microsoft stack? Is it supported in Windows Server 2008 R2 Active Directory? Or are you saying that I have to use a 3rd-party tool to achieve banned passwords?

    Thank you,

    Navs 

    Friday, March 24, 2017 4:17 AM
  • Further to proposing a solution to me, please advise whether tweaking the password filter is supported by Microsoft?

    It is supported, but note that, since these hook or shim into LSASS, there will always be a small chance of someone coding the password filter badly, and you might have issues. I have personally seen issues with certain things which hook into LSASS the wrong way and cause problems.

    You are at the mercy of the developer and must pray that he has written the code properly :), but with proper testing anything can be overcome :)

    Is it risky, and could updates or upgrades to the domain controllers replace the customized password filter?

    It is definitely risky. Plan to test it properly in the lab before going to production. Yes, upgrades can replace the password filter, since the hook has to be present.

    Friday, March 24, 2017 4:34 AM
  • @Narayan, thank you very much for your input on those elements. Do you, or anyone in the forum, have a guide on how to code the password filter (step by step, for banning certain passwords)?
    Friday, March 24, 2017 5:09 AM
  • I haven't tried this, but this may be of some help: https://github.com/jephthai/OpenPasswordFilter (it includes source in C++)

    And then once compiled, install using: Installing and Registering a Password Filter DLL https://msdn.microsoft.com/en-us/library/ms721766.aspx


    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"

    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, March 24, 2017 5:21 AM
  • I should add that without modifying the code, you can simply edit the .txt files that are part of the project and put your blacklisted passwords in.



    Friday, March 24, 2017 5:31 AM
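As an added illustration of the two posts above (compiling a filter DLL and driving it from editable .txt lists), this is what the core of such a password filter looks like. It is example code written for this page, not the OpenPasswordFilter project's source and not Microsoft's sample: a case-insensitive check of the candidate password against an exact-match list and a substring list, parsed from one-entry-per-line text, wrapped in the three exports LSASS calls on a registered password filter DLL. The list format, the sample banned entries, and the names parseBannedList, isBanned and sampleIsBanned are assumptions for this example; the portable check compiles anywhere, and the DLL exports are compiled only on Windows.

```cpp
// Minimal banned-password check in the shape of a Windows password filter.
// Added example for this thread; not OpenPasswordFilter's code.
#include <algorithm>
#include <cwctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Lower-case a wide string so comparisons are case-insensitive.
static std::wstring toLower(std::wstring s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](wchar_t c) { return static_cast<wchar_t>(std::towlower(c)); });
    return s;
}

// Parse a banned-word list: one entry per line, blank lines and '#' comments ignored.
// (Assumed list format for this example; OpenPasswordFilter's own format may differ.)
std::vector<std::wstring> parseBannedList(const std::wstring& text) {
    std::vector<std::wstring> out;
    std::wstringstream in(text);
    std::wstring line;
    auto notSpace = [](wchar_t c) { return !std::iswspace(c); };
    while (std::getline(in, line)) {
        // Trim leading/trailing whitespace, including a stray CR from CRLF files.
        line.erase(line.begin(), std::find_if(line.begin(), line.end(), notSpace));
        line.erase(std::find_if(line.rbegin(), line.rend(), notSpace).base(), line.end());
        if (line.empty() || line[0] == L'#') continue;
        out.push_back(toLower(line));
    }
    return out;
}

struct BannedLists {
    std::vector<std::wstring> exact;      // whole-password matches
    std::vector<std::wstring> substrings; // banned anywhere in the password (e.g. company name)
};

// Returns true when the password should be REJECTED.
bool isBanned(const std::wstring& password, const BannedLists& lists) {
    const std::wstring p = toLower(password);
    for (const auto& e : lists.exact)
        if (p == e) return true;
    for (const auto& s : lists.substrings)
        if (!s.empty() && p.find(s) != std::wstring::npos) return true;
    return false;
}

// Constructed sample lists, standing in for the .txt files a deployment would ship.
const wchar_t* kExactText     = L"# exact matches\nPassword1\nWelcome1\r\nSummer2017\n";
const wchar_t* kSubstringText = L"# banned anywhere in the password\ncontoso\nqwerty\n";

static BannedLists loadSampleLists() {
    return { parseBannedList(kExactText), parseBannedList(kSubstringText) };
}

// Check against the sample lists; lists are loaded once and kept for the process lifetime.
bool sampleIsBanned(const std::wstring& password) {
    static const BannedLists lists = loadSampleLists();
    return isBanned(password, lists);
}

#ifdef _WIN32
// The three exports LSASS looks for in a DLL listed under
// HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.
// On 32-bit builds, also export them through a .def file so __stdcall
// name decoration does not hide them.
#include <windows.h>
#include <ntsecapi.h>

extern "C" __declspec(dllexport) BOOLEAN __stdcall InitializeChangeNotify(void) {
    return TRUE; // a real filter would load/validate its list files here
}

// Return TRUE to accept the password, FALSE to reject it.
extern "C" __declspec(dllexport) BOOLEAN __stdcall PasswordFilter(
    PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
    PUNICODE_STRING Password, BOOLEAN SetOperation) {
    (void)AccountName; (void)FullName; (void)SetOperation;
    // UNICODE_STRING::Length is in bytes and the buffer is not NUL-terminated.
    std::wstring pw(Password->Buffer, Password->Length / sizeof(WCHAR));
    const bool banned = sampleIsBanned(pw);
    // Do not leave a cleartext copy lying around inside LSASS longer than needed.
    SecureZeroMemory(&pw[0], pw.size() * sizeof(wchar_t));
    return banned ? FALSE : TRUE;
}

extern "C" __declspec(dllexport) NTSTATUS __stdcall PasswordChangeNotify(
    PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword) {
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0; // STATUS_SUCCESS; never log NewPassword
}
#endif

int main() {
    for (const wchar_t* p : { L"Password1", L"ContosoRocks!9", L"Tr0ub4dor&3" })
        std::wcout << p << L" -> " << (sampleIsBanned(p) ? L"rejected" : L"accepted") << L"\n";
    return 0;
}
```

To try it on a lab DC (never straight in production, as the thread advises): build as a 64-bit DLL, copy it to %SystemRoot%\System32, append its base name without the .dll suffix to the REG_MULTI_SZ value Notification Packages under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, reboot, and confirm that a change to a listed password is refused while an unlisted one succeeds. Keep the filter code minimal and exception-free: it runs inside LSASS, so a crash or a slow list scan affects every password change on that DC.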
  • Hi Georg, thanks very much for these resources. We will look into it and report back on whether the solution worked.
    Friday, March 24, 2017 5:59 AM
  • I would never recommend coding it step by step, because of the intricacies with LSASS and how a single piece of wrong code can bring weird issues into the environment. In earlier times Microsoft had a downloadable Platform SDK with functions and tons of code, e.g. for passfilt.dll, but due to other people messing with the code and breaking stuff, they stopped it. Although I am not recommending any vendor, having a good vendor do the POC and implementation will help you through any issues you have, and that way they can work with Microsoft as well in case of coding issues.


    Friday, March 24, 2017 5:36 PM