
30/11/2020 julesduvivier/PasswordFilterService

julesduvivier / PasswordFilterService


Jules Remove directory … on 22 Aug 2017 4


PasswordFilterService

Introduction
PasswordFilterService is a password policy enforcement tool for Windows Active Directory.

Windows has a basic password complexity rule but no good controls to enforce the use of
reasonable passwords. This basic policy accepts many weak passwords, such as Password1 or
Company2017.

PasswordFilterService checks new passwords for compliance with your custom password
policy and rejects non-compliant passwords.

Getting Started
PasswordFilterService.exe is a C#-based binary service that provides a simple UI to manage
your password policy. The service embeds the password filter DLL for 64-bit and 32-bit
systems.

The password filter DLL is written in C and loaded by LSASS on boot. It is queried
every time a user tries to change their password. For further information, see the GitHub
project at: https://github.com/julesduvivier/PasswordFilter

Download the latest version of the executable from the releases page:
https://github.com/julesduvivier/PasswordFilterService/releases/latest

When you first run PasswordFilterService.exe, the binary will:

- Extract the embedded DLL corresponding to your system and copy it to %WINDIR%\System32.
- Edit the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages registry key to add the DLL name.
- Create the HKLM\SOFTWARE\Wow6432Node\PasswordFilter registry key with your custom password policy rules.

Then you just need to reboot your DC to start using your password policy.

Rules
PasswordFilterService.exe provides a simple interface to customize your rules:


Length

The Length rule rejects passwords that contain too few characters.

Complexity

The Complexity rule rejects passwords that do not contain characters from a variety of
character sets, such as lowercase, uppercase, digit and special characters.

Consecutive letters

The Consecutive letters rule rejects passwords that contain too many consecutive
characters.

Log file

The path where the log file will be written.

The PasswordFilter function is implemented by the PasswordFilter DLL. This function simply
replies with TRUE or FALSE, as appropriate, to indicate that the password passes or fails
the test. It is therefore impossible to return an error message directly to the user, so the log
file allows the domain admin to find out why a password was rejected.

Example of log file :

29/11/16 03:41PM [Username] - The password doesn't meet the complexity requirements : It must contain at least one uppercase letter
30/11/16 06:12PM [Username] - The password doesn't meet the complexity
requirements : It must contain at least one special letter
11/12/16 11:42PM [Username] - Password contains banned word : Company
11/12/16 11:43PM [Username] - Password can't exceed 3 consecutive characters

Wordlist

The Wordlist rule rejects passwords that contain a word from the dictionary. Your
dictionary must contain one forbidden word per line. There are many tools to generate
a custom wordlist (e.g. based on your company name).

Example of wordlist :

Company
COMPANY
c0mp4ny
Password
Passw0rd
...

The password PasswordMay2016 will be rejected because it contains the substring
Password, which is in the wordlist.

Tokens wordlist

The Tokens wordlist rule rejects a password when one of its tokens exactly matches an entry
in this second dictionary. The password is tokenized at each change of character type, and
each token is compared with the tokens wordlist.

Example of Tokens wordlist :

123
May
2016
...

The password PasswordMay1 will be rejected because it contains the token May, but
PasswordMaya1 will not be rejected because the token Maya isn't in the Tokens wordlist.
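
The difference between the Wordlist rule (substring match) and the Tokens wordlist rule (exact token match) is shown in the C sketch below. It is an added example, not the project's own code. The lists are the sample entries from this README, and the token boundary rule (an uppercase letter followed by lowercase letters stays in one token) is an assumption chosen to agree with the README's examples.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lists, copied from the README examples. */
static const char *WORDLIST[] = {"Company", "COMPANY", "c0mp4ny", "Password", "Passw0rd"};
static const char *TOKENS[]   = {"123", "May", "2016"};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

enum char_class { CC_UPPER, CC_LOWER, CC_DIGIT, CC_OTHER };

static enum char_class classify(unsigned char c) {
    return isupper(c) ? CC_UPPER : islower(c) ? CC_LOWER : isdigit(c) ? CC_DIGIT : CC_OTHER;
}

/* Wordlist rule: reject when any banned word occurs as a substring. */
int wordlist_rejects(const char *pw) {
    for (size_t i = 0; i < COUNT(WORDLIST); i++)
        if (strstr(pw, WORDLIST[i]) != NULL) return 1;
    return 0;
}

/* Assumed boundary rule: a token ends when the character class changes,
   except that an uppercase letter followed by lowercase stays together
   (so "PasswordMay1" splits into "Password", "May", "1"). */
static int is_boundary(unsigned char prev, unsigned char cur) {
    enum char_class a = classify(prev), b = classify(cur);
    return a != b && !(a == CC_UPPER && b == CC_LOWER);
}

/* Tokens wordlist rule: reject when a whole token equals a listed entry. */
int tokens_reject(const char *pw) {
    size_t len = strlen(pw), start = 0;
    for (size_t i = 1; i <= len; i++) {
        if (i < len && !is_boundary((unsigned char)pw[i - 1], (unsigned char)pw[i]))
            continue;               /* still inside the current token */
        for (size_t t = 0; t < COUNT(TOKENS); t++)
            if (strlen(TOKENS[t]) == i - start &&
                memcmp(pw + start, TOKENS[t], i - start) == 0) return 1;
        start = i;                  /* next token begins here */
    }
    return 0;
}

int main(void) {
    printf("%d %d %d\n", wordlist_rejects("PasswordMay2016"),
           tokens_reject("PasswordMay1"), tokens_reject("PasswordMaya1"));
    return 0;
}
```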

Releases 3

v1.2 Latest
on 22 Aug 2017

+ 2 releases


Languages

C# 96.9%, Smalltalk 2.8%, Batchfile 0.3%
