Re: bypass default password filter passfilt.dll



GTD
07-09-2005, 10:51 PM
The following link says that in order to implement a customized complex password
policy "Passwords must meet complexity requirements policy setting is
enabled."
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/installing_and_registering_a_password_filter_dll.asp.

Now in order to implement our dll (our own customized password policy dll) I
have to enable the complexity requirements policy setting. And if I enable
this setting, first it implements the default complex settings of passfilt.dll,
and after that it applies our custom settings. How do I bypass passfilt.dll?
I do need complex settings from our dll.

"Joe Richards [MVP]" wrote:

> You need to disable password complexity in the domain policy. This does not mean
> undefine. It means disable.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> GTD wrote:
> > We wrote a password filter dll, which will be installed on a win 2000 domain
> > controller. "Passwords must meet complexity requirements" is on. But first it
> > takes the default password complexity rules (rules of passfilt.dll), and only
> > after that it applies my complexity rules.
> > For example even if I don’t check for “Passwords must be at least six
> > characters long.” Or Passwords must contain elements from three of the four
> > following types of characters.
> > English uppercase letters A, B, C, ... Z
> > English lowercase letters a, b, c, ... z
> > Westernized Arabic numerals 0, 1, 2, ... 9
> > Non-alphanumeric characters (special characters) $,!,%,^
> >
> > These rules are applied by default. How can I bypass these default rules and
> > apply only my policy?
> >
> >
>

Joe Richards [MVP]
07-09-2005, 10:51 PM
Ah, I think that documentation goes back to NT4 when the complexity filter was
an addon DLL you had to put into place. This functionality is built in now. I am
quite positive that you only have to register the notification package and that
password must meet complexity requirements is to be disabled if you don't want
the default filter running as well. I am running my own password filter on one
of my test VMs and it works great with the complexity requirement disabled.

If you haven't done it, put in debug statements into the password filter code
that outputs info to trace so you can see if your filter is being entered.

You would use

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/outputdebugstring.asp

to send the messages out and something like sysinternals dbgview to see the
messages.

Once you know if you are entering the functions, then start looking at the
parameters being sent in. A common mistake is to incorrectly handle the strings.

I will see if I can get the MSDN documentation corrected.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


GTD wrote:
> The following link says that in order to implement a customized complex password
> policy "Passwords must meet complexity requirements policy setting is
> enabled."
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/installing_and_registering_a_password_filter_dll.asp.
>
> Now in order to implement our dll (our own customized password policy dll) I
> have to enable the complexity requirements policy setting. And if I enable
> this setting, first it implements the default complex settings of passfilt.dll,
> and after that it applies our custom settings. How do I bypass passfilt.dll?
> I do need complex settings from our dll.
>
> "Joe Richards [MVP]" wrote:
>
>
>>You need to disable password complexity in the domain policy. This does not mean
>>undefine. It means disable.
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>
>>GTD wrote:
>>
>>>We wrote a password filter dll, which will be installed on a win 2000 domain
>>>controller. "Passwords must meet complexity requirements" is on. But first it
>>>takes the default password complexity rules (rules of passfilt.dll), and only
>>>after that it applies my complexity rules.
>>>For example even if I don’t check for “Passwords must be at least six
>>>characters long.” Or Passwords must contain elements from three of the four
>>>following types of characters.
>>>English uppercase letters A, B, C, ... Z
>>>English lowercase letters a, b, c, ... z
>>>Westernized Arabic numerals 0, 1, 2, ... 9
>>>Non-alphanumeric characters (special characters) $,!,%,^
>>>
>>>These rules are applied by default. How can I bypass these default rules and
>>>apply only my policy?
>>>
>>>
>>
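
The string-handling mistake mentioned in the reply above usually means treating a `UNICODE_STRING` buffer as NUL-terminated or reading `Length` as a character count. The following is an added example, not code from the thread or from Microsoft: `USTR`, `custom_policy_ok`, `check_sample` and the policy itself are hypothetical names and rules chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in mirroring the Windows UNICODE_STRING layout so the logic compiles
   anywhere; a real filter DLL uses the SDK's own UNICODE_STRING. */
typedef struct {
    uint16_t  Length;        /* BYTES in use (not characters), no terminator */
    uint16_t  MaximumLength; /* bytes allocated */
    uint16_t *Buffer;        /* UTF-16 units; may NOT be NUL-terminated */
} USTR;

static size_t ustr_chars(const USTR *s) { return (s && s->Buffer) ? s->Length / 2u : 0; }
static uint16_t fold(uint16_t c) { return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c; }

/* Bounded, case-insensitive (ASCII) search: never reads past Length. */
static int ustr_contains(const USTR *hay, const USTR *needle) {
    size_t h = ustr_chars(hay), n = ustr_chars(needle);
    if (n == 0 || n > h) return 0;
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && fold(hay->Buffer[i + j]) == fold(needle->Buffer[j])) j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Hypothetical site policy: >= 10 characters, at least one digit, and the
   account name must not appear in the password. Call it from PasswordFilter
   and trace only entry and the verdict, never the password itself. */
int custom_policy_ok(const USTR *account, const USTR *password) {
    size_t len = ustr_chars(password), digits = 0;
    if (len < 10) return 0;
    for (size_t i = 0; i < len; i++)
        digits += (password->Buffer[i] >= '0' && password->Buffer[i] <= '9');
    return digits > 0 && !ustr_contains(password, account);
}

/* Constructed sample input: widen ASCII into an unterminated UTF-16 buffer and
   mark only the first `used` characters as belonging to the string. */
int check_sample(const char *acct, const char *pw_buf, size_t used) {
    uint16_t a[64], p[64]; size_t na = 0, np = 0;
    while (na < 64 && acct[na]) { a[na] = (uint8_t)acct[na]; na++; }
    while (np < 64 && pw_buf[np]) { p[np] = (uint8_t)pw_buf[np]; np++; }
    if (used > np) used = np;
    USTR ua = { (uint16_t)(na * 2), (uint16_t)sizeof a, a };
    USTR up = { (uint16_t)(used * 2), (uint16_t)sizeof p, p };
    return custom_policy_ok(&ua, &up);
}

int main(void) { return check_sample("jsmith", "correct7horsebattery", 20) ? 0 : 1; }
```

Passing a `used` count shorter than the buffer models stale data sitting after the counted string; the verdict must depend only on the counted part.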

GTD
07-09-2005, 10:51 PM
It works.
Thanks!

"Joe Richards [MVP]" wrote:

> Ah, I think that documentation goes back to NT4 when the complexity filter was
> an addon DLL you had to put into place. This functionality is built in now. I am
> quite positive that you only have to register the notification package and that
> password must meet complexity requirements is to be disabled if you don't want
> the default filter running as well. I am running my own password filter on one
> of my test VMs and it works great with the complexity requirement disabled.
>
> If you haven't done it, put in debug statements into the password filter code
> that outputs info to trace so you can see if your filter is being entered.
>
> You would use
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/outputdebugstring.asp
>
> to send the messages out and something like sysinternals dbgview to see the
> messages.
>
> Once you know if you are entering the functions, then start looking at the
> parameters being sent in. A common mistake is to incorrectly handle the strings.
>
> I will see if I can get the MSDN documentation corrected.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> GTD wrote:
> > The following link says that in order to implement a customized complex password
> > policy "Passwords must meet complexity requirements policy setting is
> > enabled."
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/installing_and_registering_a_password_filter_dll.asp.
> >
> > Now in order to implement our dll (our own customized password policy dll) I
> > have to enable the complexity requirements policy setting. And if I enable
> > this setting, first it implements the default complex settings of passfilt.dll,
> > and after that it applies our custom settings. How do I bypass passfilt.dll?
> > I do need complex settings from our dll.
> >
> > "Joe Richards [MVP]" wrote:
> >
> >
> >>You need to disable password complexity in the domain policy. This does not mean
> >>undefine. It means disable.
> >>
> >>--
> >>Joe Richards Microsoft MVP Windows Server Directory Services
> >>www.joeware.net
> >>
> >>
> >>GTD wrote:
> >>
> >>>We wrote a password filter dll, which will be installed on a win 2000 domain
> >>>controller. "Passwords must meet complexity requirements" is on. But first it
> >>>takes the default password complexity rules (rules of passfilt.dll), and only
> >>>after that it applies my complexity rules.
> >>>For example even if I don’t check for “Passwords must be at least six
> >>>characters long.” Or Passwords must contain elements from three of the four
> >>>following types of characters.
> >>>English uppercase letters A, B, C, ... Z
> >>>English lowercase letters a, b, c, ... z
> >>>Westernized Arabic numerals 0, 1, 2, ... 9
> >>>Non-alphanumeric characters (special characters) $,!,%,^
> >>>
> >>>These rules are applied by default. How can I bypass these default rules and
> >>>apply only my policy?
> >>>
> >>>
> >>
>

