
Strengthening user passwords on your Windows NT servers

Your first step to a secure network is to have strong passwords. You can enforce strong passwords by using Passfilt.dll and making changes to your Account Policy. In this Daily Feature, John Sheesley shows you how.


Chances are, unless you work in an organization where security isn’t important (say, for example, the nuclear test labs in Los Alamos, NM), you force your users to log on to the network using passwords. You may even have gone as far as to write a password policy as part of the security policies for your network, telling users how long their passwords should be and how to create passwords that are difficult to crack.

However, how do you enforce such a policy? Fortunately, you can make some changes on your Windows NT server that can strengthen passwords. In this Daily Feature, I’ll show you how.

Why do I need strong passwords?
Passwords can be a major point of contention between users and network administrators. If they’re forced to use passwords, users want something that’s easy to remember or short to type. Network administrators want passwords that are hard to crack.

If user passwords are too short or include things that are easy to guess, like parts of the user’s name, they can be cracked with little effort. An attacker can play “Guess The Password” at the logon prompt, or use a cracking tool such as L0phtCrack, which works offline against password hashes it has captured (from a copy of the SAM database or from logon traffic sniffed off the network) and so is never slowed down by the server at all.

A brute force attack simply tries every possible password in turn until one works, whether that means throwing guesses at the server or testing them against a captured hash. As you can guess, if a user only uses a three-letter password like DOG, a brute force cracker will quickly come up with the D O G sequence and have access to the system.

However, if you require strong passwords, the attacker’s task is made much more difficult. Windows NT gives you two tools you can use to make passwords stronger. First, you can raise the minimum number of characters users must use to create their passwords. Second, you can install Passfilt.dll, which, as you’ll see in a bit, forces your users to choose passwords that mix character types.

Setting minimum password lengths
As I mentioned above, the longer a password is, the harder it is for a brute force cracker to find. If a user only uses alphabetic characters, not including numbers or special characters, and only uses a three-lowercase-letter password, a brute force cracker has to try at most 26^3 = 17,576 combinations before it finds the password. That’s a lot for you and me to keep typing, but a fast computer can run through all of them before you finish reading this section.

However, let’s say that you want users to have at least a 10-character password. What’s the effect? If a user again uses only lowercase letters, the number of combinations increases to 26^10 = 141,167,095,653,376. Just a tad more. One caveat: these figures assume the attacker has to guess the whole password at once. Windows NT also stores a LAN Manager hash of each password of 14 characters or fewer, computed on the uppercased password in two independent seven-character halves, so a cracker working on captured hashes gets much of the benefit of a short password even when the password is long. Length helps, but it is not the whole story, which is why the character-type rules in the next section matter too.

By default, Windows NT allows you to create user accounts with no password. I hope you’ve fixed that. If not, the place where you turn passwords on is the same place where you increase the minimum password length—User Manager for Domains.

To access User Manager for Domains, click Start, select Administrative Tools (Common) from the Programs menu, and click User Manager For Domains. When User Manager For Domains starts, select Account from the Policies menu. When you do, you’ll see the Account Policy screen shown in Figure A.

Figure A
You can increase password length on the Account Policy screen.


To enable passwords, select the At Least radio button in the Minimum Password Length box. When you do, you’ll see the default value of 6 appear in the Characters field. You can change the minimum password length simply by increasing the value in this field.

Don’t go overboard when you increase the minimum password length. If you make the value too high, users will rebel by simply writing their passwords down and attaching them to their monitors with a sticky note.

Using Passfilt.dll
You don’t necessarily have to increase the default minimum value of 6 characters if your users choose the proper character combinations. Remember, NT can recognize the difference between upper and lowercase letters. Plus, you can include non-alphabetic characters in passwords, including numerals and special characters (, . ; : * % & !).

The difference between using just lowercase letters and mixing in the other character types is astounding. For a six-character password built from lowercase letters alone, the total number of possible combinations is 26^6 = 308,915,776. Counting uppercase and lowercase letters, the ten numerals, and the eight special characters listed above (70 characters in all), the total explodes to 70^6 = 117,649,000,000, and a full keyboard offers even more non-alphanumeric characters than those eight.

Back when Microsoft shipped Service Pack 2 for Windows NT, it included a program that you can use to force users to create stronger passwords by requiring them to change the ways they create them. This program is in the form of a single DLL file—Passfilt.dll.

Passfilt.dll applies a set of password rules whenever users change their passwords. If a user attempts to create a password that violates the rules, Passfilt.dll causes NT to reject the password. The rules Passfilt.dll enforces are:
  • Passwords must contain at least six characters.
  • Passwords must include characters from at least three of these four character types:
  1. Uppercase letters
  2. Lowercase letters
  3. Numerals
  4. Nonalphanumeric characters, such as , . ; : * % & !
  • Passwords may not contain the user’s logon name.
  • Passwords may not contain any portion of the user's full name.
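To make the rules concrete, here is a Python implementation of the Passfilt.dll rule set described above, together with the keyspace arithmetic used earlier in the article. This is an added example, not Microsoft’s code or a copy of what Passfilt.dll does internally. One assumption is labeled in the code: how the full name is split into parts (on spaces, commas, periods, hyphens and the like, ignoring parts shorter than three characters, so a middle initial does not disqualify every password containing that letter), since the NT 4.0 documentation only says “any portion of the user’s full name.”

```python
"""
Pure-Python check of the Passfilt.dll rules, plus the keyspace arithmetic
from the article. Added example, not code from Microsoft or Passfilt.dll.
"""
import re

# Assumption: the full name is split into parts on these delimiters, and
# parts shorter than three characters are ignored. The NT 4.0 Passfilt
# documentation only says "any portion of the user's full name".
FULL_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")
MIN_NAME_PART = 3

# Alphabet sizes behind the article's figures: 26 lower, 26 upper, 10 digits
# and the eight special characters it lists (, . ; : * % & !).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 8}


def character_classes(password):
    """Return the set of character classes present in `password`."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")  # any non-alphanumeric character counts
    return classes


def passfilt_violations(password, logon_name, full_name="", min_length=6):
    """Return the list of rules `password` breaks (an empty list means accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if len(character_classes(password)) < 3:
        problems.append("fewer than three of the four character types")
    lowered = password.lower()
    if logon_name and logon_name.lower() in lowered:
        problems.append("contains the logon name")
    for part in FULL_NAME_DELIMITERS.split(full_name):
        if len(part) >= MIN_NAME_PART and part.lower() in lowered:
            problems.append("contains part of the full name (%s)" % part)
            break
    return problems


def keyspace(length, alphabet_size):
    """Number of passwords of exactly `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def keyspace_for_classes(password):
    """Keyspace an attacker must search if they know which classes were used."""
    size = sum(CLASS_SIZES[c] for c in character_classes(password))
    return keyspace(len(password), size)


if __name__ == "__main__":
    # Constructed sample passwords for a user jsmith whose full name is John Q. Smith.
    for pw in ("dog", "abcdefghij", "JohnSmith1!", "Tr0ub4dor!"):
        verdict = passfilt_violations(pw, "jsmith", "John Q. Smith")
        print("%-12s keyspace=%-22d %s" % (pw, keyspace_for_classes(pw), verdict or "OK"))
```

Run it and you can see why a ten-character all-lowercase password passes the length test but still fails Passfilt, and why “JohnSmith1!” is rejected despite containing all four character types: the full-name rule catches it.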

When you install Service Pack 2 or later on your Windows NT server, the Service Pack’s Setup program copies Passfilt.dll to your server’s %SystemRoot%\System32 directory. Double-check this directory to make sure that Passfilt.dll is there. If it’s not, copy it there manually from the Service Pack files.

The Service Pack’s Setup program doesn’t activate Passfilt.dll. To do that, you must take a trip to your server’s registry.

Here be dragons
Be very careful when working with your server’s Registry. If you accidentally make a change in this file or make a change without knowing its impact, you may render your server unbootable or lose data. You may even have to reinstall NT from scratch. Make sure you have full system backups of your server before making any changes to this or any system files.
Because changes to user accounts are handled by the Primary Domain Controller (PDC), you don’t have to make the registry change to Backup Domain Controllers (BDCs) in the domain. However, it’s a very good idea to make the change on every domain controller in case you ever have to promote BDCs to PDCs.

To make the registry change, start the Registry Editor by selecting Run from the Start menu, typing Regedt32 in the Open box, and clicking OK. (Use Regedt32 rather than Regedit; the version of Regedit that ships with NT 4.0 can’t create the multi-string value type you need here.) When the Registry Editor appears, navigate the tree in the left pane until you find the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key. Check the right pane to see whether a value named Notification Packages exists.

If it doesn’t exist, add it by selecting Add Value from the Edit menu. When the Add Value dialog box appears, enter Notification Packages in the Value Name field and choose REG_MULTI_SZ in the Data Type list box (not REG_SZ; the Local Security Authority reads this value as a list with one DLL name per line). Click OK when you’re done.

When you do, you’ll see the Multi-String Editor. Type PASSFILT in the Data field and click OK. Enter the name without the .dll extension; NT looks for the file in %SystemRoot%\System32.

If the Notification Packages value already exists, highlight it and press [Enter]. You’ll see the Multi-String Editor with whatever DLL names are already listed, one per line, and you can add PASSFILT on a new line below them.

For example, if you use File and Print Services for NetWare, you’ll find that the Notification Packages value already contains FPNWCLNT. Don’t delete or replace that entry: FPNWCLNT is what keeps NetWare-compatible passwords in sync, and the Local Security Authority calls every package in the list. Add PASSFILT on the line below it.

When you’re done, close the Registry Editor. For the change to take effect, you must reboot your server. When the server comes back up, strong passwords will then be in effect for any new passwords created on your network.
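The same change can be scripted, which is handy when you want to apply it consistently to every domain controller. The following Python is an added example, not Microsoft’s code or a tool from the Service Pack. It checks that Passfilt.dll is actually in %SystemRoot%\System32 before enabling it, reads the existing Notification Packages value, merges PASSFILT in without disturbing entries such as FPNWCLNT, and writes the result back as REG_MULTI_SZ. The merge logic is kept separate from the registry write so it can be exercised anywhere; only `enable_passfilt` needs Windows and the standard `winreg` module. The key path, value name and package name come from the article; the function names are my own.

```python
"""
Add PASSFILT to the LSA Notification Packages value without disturbing
entries already there (such as FPNWCLNT). Added example, not Microsoft's
code. The merge logic is pure Python; the registry write needs Windows.
"""
import os

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"
PACKAGE = "PASSFILT"


def merge_notification_packages(existing, package=PACKAGE):
    """Return the REG_MULTI_SZ list with `package` present exactly once.

    `existing` is None if the value is absent, a str if someone created it
    as REG_SZ by mistake, or a list of str for a proper REG_MULTI_SZ. Existing
    entries keep their order; the new package goes on the end. The comparison
    is case-insensitive because Windows file names are.
    """
    if existing is None:
        entries = []
    elif isinstance(existing, str):
        entries = [existing]
    else:
        entries = list(existing)
    entries = [e for e in entries if e]  # drop blank lines left by a sloppy edit
    if not any(e.upper() == package.upper() for e in entries):
        entries.append(package)
    return entries


def passfilt_dll_path(system_root=None):
    """Where the LSA will look for the DLL named in Notification Packages."""
    system_root = system_root or os.environ.get("SystemRoot", r"C:\WINNT")
    return os.path.join(system_root, "System32", PACKAGE.lower() + ".dll")


def enable_passfilt():
    """Apply the change on a Windows host. Returns the value as written."""
    import winreg  # standard library, Windows only

    if not os.path.exists(passfilt_dll_path()):
        raise FileNotFoundError("copy Passfilt.dll from the Service Pack first")
    access = winreg.KEY_QUERY_VALUE | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY, 0, access) as key:
        try:
            data, _kind = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            data = None  # value not present yet
        merged = merge_notification_packages(data)
        # Always write REG_MULTI_SZ so the LSA parses one DLL name per line.
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_MULTI_SZ, merged)
    return merged  # the LSA only loads the new package after a reboot


if __name__ == "__main__":
    # Constructed inputs standing in for what QueryValueEx could return.
    for before in (None, ["FPNWCLNT"], ["FPNWCLNT", "PASSFILT"], "FPNWCLNT"):
        print(repr(before), "->", merge_notification_packages(before))
```

Running `enable_passfilt()` twice is safe: the second run finds PASSFILT already listed and rewrites the same list. As with the manual procedure, the server still has to be rebooted before the Local Security Authority loads the new package.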

Caveats
Be aware that Passfilt.dll only checks passwords that users change themselves (for example, with Change Password after pressing [Ctrl][Alt][Delete]). It doesn’t check passwords an administrator sets at the server with User Manager for Domains, so you can still create passwords that violate the rules that way. This lets you hand out easier-to-remember passwords to a few users (like your CEO, when your supervisor tells you that the CEO has complained about his password). Try not to do this too much; every such exception is a weak account an attacker can find.

Passfilt may cause some weird new error messages to appear when users change their passwords. If a user creates a new password that fails to meet the requirements, the user may see a message that says, "You do not have permission to change your password." Check the User Properties dialog box to make sure you haven't prevented the user from changing passwords. If you haven’t, then the message is a result of the user violating the rules. When the user enters a new password that matches the strong password rules, the message won’t appear.

The user may also see an error that says, “Your password must be at least 0 characters long.” This problem occurs when you don’t have password restrictions set in your Account Policy but you’ve enabled Passfilt. To fix this error, follow the procedure in the first section to enable passwords. Don’t forget to set the minimum length to six characters.

Conclusion
The first step to creating a secure network is to have secure passwords in place. Windows NT gives you the tools necessary to create strong secure passwords. In this Daily Feature, I’ve shown you how to accomplish this by making changes to your Account Policy and by using Passfilt.dll.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.
