Gaining password requirements flexibility pre-Server 2008
I realize that a number of readers of this column still run Windows Server 2003 and will therefore not be able to take advantage of Server 2008’s Fine-Grained Password Policies feature for some months or even years. If you fall into that group, and if you have an interest in varying password settings within a domain, you may want to investigate “custom password filters.” The way you typically use one of these filters in an Active Directory domain is to install a DLL file onto a domain controller (typically in the “System32” folder) and set the NTFS permissions on the DLL so that domain users have read access. Next, you’ll modify the system’s Registry, typically HKLMSystemCurrentControlSetControlLSA key. (LSA stands for Local Security Authority.) Following the directions that accompany the filter, which generally consists of adding the new DLL to the list of so-called “notification packages,” you basically change the circumstances in which Windows will advise the user that he or she has selected an insufficiently secure password and prompt for a better one. Some third-party filters let you customize a list of bad passwords. Microsoft’s password filter DLL is named PASSFILT.DLL and is available as part of the Platform Software Development Kit, but it’s just an example. You’ll need to find a C++ programmer to create your own password filter to meet your specific needs. Oh, and you’ll also need to turn on the “password complexity requirements” in Group Policy. If all this sounds rather complicated, well, yes; it involves programming and testing, and if you do it badly, it seems that you can seriously compromise the robustness of your AD environment. But if you don’t want to take on this much of a do-it-yourself project, have a look at third party solutions such as Anixis’ “Password Policy Enforcer.” I haven’t used it personally, but it looks like a reasonably flexible and painless solution to the problem.




