Enforce Strong Passwords in NT 4.0

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.


Windows Tips & Secrets
1998 PLATINUM technology, Inc.

Reprinted with permission from Platinum Technology, Inc.

There's a Catch-22 regarding passwords. The simpler they are, the easier they are to guess. The more complex they are, the more likely users are to write them down. Either way you get the electronic equivalent of hiding the key under the mat. Still, reluctant users can be compelled to maintain passwords that are hard to break, and NT lets you do it in at least three ways.

Several new utilities let attackers obtain a list of your users' names and, given sufficient access, even the hash values of their passwords. A program called RedButton demonstrates that the name of the Administrator account can be found even if it has been renamed. Once an attacker has a user name they can go to work on the password. A brute-force attack tries every conceivable combination of letters, numbers, and symbols until it succeeds; a more complex password raises the number of guesses needed. Locking out the account after a few failed attempts shuts down online brute-force attacks almost entirely (the attacker gets only a handful of tries per lockout period). The trade-off is that an attacker who has the user list can deliberately lock accounts out, so set the lockout threshold and duration with that in mind.

Should an attacker gain access to your system and be able to copy the hash values out of your SAM database, they can take the brute-force attack off-line. Now they have unlimited time and no lockout to worry about, and once a hash is cracked they can log on as that user until the user changes their password. Forcing users to change passwords regularly limits this window: a cracked hash is worthless once the password it came from has been replaced. The more complex the password, the longer it takes to crack, and so the longer the interval you can allow between changes.

Implement one or more of the following methods to protect passwords from attacks (the account policy in Method #1 stays in force alongside Method #2 or #3):

Method #1: NT default. In User Manager > Policies > Account, you can enforce a policy that requires passwords of a minimum length, forces users to change them regularly, and prevents them from reusing old ones too soon. This is also where the account lockout threshold and duration are set.

Method #2: PASSPROP.EXE. This file, in \I386\NETADMIN on the NT Resource Kit, enforces a stronger password policy. Run PASSPROP.EXE from the command line. You have four available switches:

/simple - Restores simple passwords (NT default).

/complex - Forces passwords to contain a mixture of upper- and lower-case letters and numbers or symbols.

/adminlockout - Allows the Administrator account to be locked out, except for interactive logons at a Domain Controller.

/noadminlockout - Restores the NT default, in which the Administrator account cannot be locked out.

Method #3: Service Pack 2. Installing a new DLL lets you enforce very strong passwords: at least 6 characters long, containing three of the following four kinds of character: upper case, lower case, numbers, or symbols. Additionally, a password may not contain the user name or any part of the user's full name. The drawback to this DLL is that you can't modify the requirements unless you write your own DLL. Note too that the filter only sees passwords as they are changed; existing passwords are not rechecked until each user next changes theirs, so combine it with a maximum password age from Method #1. Here's how to implement the password filter on each domain controller (the PDC and every BDC, so the policy stays in force if a BDC is later promoted).

  • Copy PASSFILT.DLL from SP2 to \WINNT\SYSTEM32.

  • [Start] > Run, type REGEDT32, [Enter].

  • Navigate to the following key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa

  • Add a REG_MULTI_SZ value called "Notification Packages" with the data PASSFILT. If the value already exists (typically with FPNWCLNT in it), edit it and add PASSFILT on a new line under FPNWCLNT; do not remove the existing entries.

  • Click OK then exit the Registry Editor [Alt+F4].

  • Restart the server.
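The "write your own DLL" route mentioned under Method #3, as an added example that is not part of the original article and is not Microsoft's PASSFILT.DLL: a minimal custom password filter in C that re-implements the rules listed above (6+ characters, three of four character classes, no user name or part of the full name in the password). The policy core is portable C so the rules can be tested away from a domain controller; the three LSA entry points (InitializeChangeNotify, PasswordChangeNotify, PasswordFilter) are compiled only on Windows. The 3-character minimum for name fragments and the delimiter set used to split the full name are assumptions, not taken from the article.

```c
/* Added example (not Microsoft's PASSFILT.DLL): a password filter DLL that
 * re-implements the rules the article lists, to show the "write your own DLL"
 * route. The policy core is portable C so it can be tested anywhere; the LSA
 * entry points compile only on Windows. Assumptions (not from the article):
 * name fragments shorter than 3 characters are ignored, and the delimiter set. */
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

#define PW_MIN_LEN     6   /* article: at least 6 characters */
#define PW_MIN_CLASSES 3   /* article: three of the four character classes */
#define NAME_TOKEN_MIN 3   /* assumption: shorter name fragments are ignored */

enum pw_result { PW_OK = 0, PW_TOO_SHORT, PW_NOT_COMPLEX,
                 PW_CONTAINS_ACCOUNT_NAME, PW_CONTAINS_FULLNAME_PART };

/* Case-insensitive test for the n-char needle inside hay; empty needle never matches. */
static int contains_ci(const wchar_t *hay, const wchar_t *needle, size_t n)
{
    size_t h = wcslen(hay);
    if (n == 0 || n > h) return 0;
    for (size_t s = 0; s + n <= h; s++) {
        size_t i = 0;
        while (i < n && towlower(hay[s + i]) == towlower(needle[i])) i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Characters that split a full name into tokens (assumption). */
static int is_delim(wchar_t c)
{
    return c != L'\0' && wcschr(L",.-_ #\t", c) != NULL;
}

/* True if any full-name token of NAME_TOKEN_MIN+ characters occurs in pw. */
static int contains_name_token(const wchar_t *fullname, const wchar_t *pw)
{
    const wchar_t *p = fullname;
    while (*p) {
        while (*p && is_delim(*p)) p++;
        const wchar_t *start = p;
        while (*p && !is_delim(*p)) p++;
        size_t len = (size_t)(p - start);
        if (len >= NAME_TOKEN_MIN && contains_ci(pw, start, len)) return 1;
    }
    return 0;
}

/* Returns PW_OK or the first rule the candidate password violates. */
int check_password(const wchar_t *account, const wchar_t *fullname,
                   const wchar_t *pw)
{
    if (wcslen(pw) < PW_MIN_LEN) return PW_TOO_SHORT;
    int upper = 0, lower = 0, digit = 0, symbol = 0;
    for (const wchar_t *c = pw; *c; c++) {
        if (iswupper(*c))      upper = 1;
        else if (iswlower(*c)) lower = 1;
        else if (iswdigit(*c)) digit = 1;
        else                   symbol = 1;   /* anything else counts as a symbol */
    }
    if (upper + lower + digit + symbol < PW_MIN_CLASSES) return PW_NOT_COMPLEX;
    size_t alen = wcslen(account);
    if (alen >= NAME_TOKEN_MIN && contains_ci(pw, account, alen))
        return PW_CONTAINS_ACCOUNT_NAME;
    if (contains_name_token(fullname, pw)) return PW_CONTAINS_FULLNAME_PART;
    return PW_OK;
}

#ifdef _WIN32
/* LSA entry points. Build as a DLL and export all three by undecorated name
 * (a .def file is needed on 32-bit x86). */
#include <string.h>
#include <windows.h>
#include <ntsecapi.h>
static void ustr_copy(const UNICODE_STRING *s, wchar_t *out, size_t cap)
{   /* UNICODE_STRING is counted, not NUL-terminated: copy it out bounded */
    size_t n = s->Length / sizeof(WCHAR);
    if (n >= cap) n = cap - 1;
    memcpy(out, s->Buffer, n * sizeof(WCHAR));
    out[n] = L'\0';
}
__declspec(dllexport) BOOLEAN NTAPI InitializeChangeNotify(void) { return TRUE; }
__declspec(dllexport) NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName,
    ULONG RelativeId, PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return (NTSTATUS)0;   /* STATUS_SUCCESS; never log the cleartext password here */
}
__declspec(dllexport) BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName,
    PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    wchar_t acct[256], full[256], pw[256];
    (void)SetOperation;   /* same rules for administrative sets and user changes */
    ustr_copy(AccountName, acct, 256);
    ustr_copy(FullName, full, 256);
    ustr_copy(Password, pw, 256);
    BOOLEAN ok = (check_password(acct, full, pw) == PW_OK);
    SecureZeroMemory(pw, sizeof pw);   /* don't leave the cleartext in memory */
    return ok;
}
#endif
```

To deploy it you would build it as a DLL, copy it to \WINNT\SYSTEM32 and add its base name (without .DLL) to the "Notification Packages" value exactly as the steps above do for PASSFILT. Keep in mind that a notification package is loaded into LSASS and runs with SYSTEM privileges on every password change, so a crash, a buffer overrun or a stray log line containing the cleartext password is a domain-wide problem; that is why the policy logic here is kept small, bounded and testable on its own.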

For More Information

For more information, go to the Platinum Technology, Inc. web site at: https://www.cai.com/.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.