nFront Password Filter

Are you enforcing a good password policy?

Passwords. Everyone on your corporate network has one. How weak is the weakest password?

Having a good password policy that is enforced across all users is fundamental to good security practices. You are probably spending money on firewalls, anti-virus, encryption and data leakage products. However, if you are using the built-in Windows Password Policy you might as well burn the money you are spending for all the security software and devices.

What is nFront Password Filter?

nFront Password Filter is a password policy enforcement tool for Windows Active Directory that allows up to 10 different password policies in the same Windows domain. Each password policy has many granular settings and can be associated with one or more global or universal security groups. nFront Password Filter allows you to strengthen network security by preventing the use of weak, easily hacked passwords.

Can you benefit from nFront Password Filter?

  • If a security auditor ran a password cracker on your network how many passwords would they crack?
  • How can you be sure your employees are following your suggested password guidelines?
  • How can you be sure your administrators are not creating accounts with blank or simple passwords?
  • Are you using an identity management tool that has users change their password via a website but also allows them to bypass the website using CTRL-ALT-DEL and set weak passwords?

Why use nFront Password Filter?

  • Users do not understand the need for strong passwords and will not follow formal password policies unless the policies are enforced.
  • Protects from external hacking. IPSec is great. VPNs are great. 128-bit encryption is great. However, the correct username and password allows a hacker to use the 128-bit IPSec VPN tunnel and access your corporate data. All of your firewall devices and IDS devices have no way of distinguishing the compromised account from the actual legitimate user.
  • Protects from internal hacking. How about the new engineer who would like to access to company financial data? How about the college student who would like the modify the student records database? How about all the free password sniffing and cracking tools on the Internet?
  • Disallowing weak passwords is part of the SANS/FBI Top 20 List

How passwords are compromised:

Passwords can be compromised in a number of ways. There are software tools to "guess" passwords. Essentially there are 4 categories of tools:

  1. Brute Force - go through every possible character combination incrementally starting with "a","b" and moving to "aa","ab", etc.
  2. Dictionary password crackers - try dictionary words and common sequences/patterns
  3. Hybrid - combine multiple dictionary words and patterns
  4. Rainbow Tables - use precalculated hashes for all passwords of 14 characters or less to find a match. Given a hash rainbow tables can be used to crack any password of 14 characters or less in about 2 minutes.

Here is a nice list of different password cracking tools

There are DLL injection tools that can retrieve the database of hashed passwords. Please note that hashed passwords are not the same as encrypted passwords. Encrypted passwords can be decrypted given the shared secret or private key. However, hashed passwords cannot be reverse engineered. So what is the danger of a thief getting the hashes. A lot! There are tools like Rainbow Crackers which can crack any 14 character or less password in a matter of minutes if you can provide the password hash. There are websites where you an paste a captured hash and they will use their computing power to crack the LanMan or MD5 hash for you. Click here to read more...

What is wrong with the Windows Password Policy settings?

Windows gives you the tools to control password length, history and expiration, but no good controls to enforce the use of reasonable passwords that are not easily hacked. Without nFront Password Filter it is highly likely that weak, easily cracked passwords are allowed on your network.

Consider the following standard Windows policy:

Windows Server 2012 R2 Active Directory Password Policy

THE WINDOWS PASSWORD POLICY ABOVE DOES NOT PREVENT ANY OF THE FOLLOWING PASSWORDS

aaaaaaaa

abcdefgh

123456

januarypw

februarypw

march123

myuserid

mydogsname

qwerty123

Windows Server 2012 R2 Active Directory Password Policy with complexity option

EVEN IF YOU ENABLE WINDOWS COMPLEXITY YOU HAVE PASSWORDS LIKE THIS:

Password1

Microsoft1

Summer2019

Welcome1

Company1

LetMeIn1


Now Consider The Robust Policy Capabilities With nFront Password Filter

nFront Password Filter Password Policy Example

Each policy in nFront Password Filter has over 40 settings. You can enforce specific requirements based on character types. There are several rules to break typical user patterns. The most effective rule is the dictionary checking rule. The filter can check million of words in less than one second.

To see a more exact comparison of settings see these links:
nFront Password Filter versus the Windows 2003 Password Policy
nFront Password Filter versus Windows 2008/2012/2016/2019 Password Policies

Controlled by Group Policy

nFront Password Filter is controlled using a single Group Policy Object configuration. After installation of the software on all domain controllers, simply create a new GPO, load one of our provided templates (ADM and ADMX templates provided) and configure your policies. It's that easy!

Password Policies linked to Groups or Organizational Units

nFront Password Filter is controlled by a single GPO, not a bunch of confusing GPOs all over the place. You can associate any policy in the MPE version with one or more security groups or organizational units. Nested groups are supported. Thus, you can easily use the same groups that you have created for resource security to control password security. No need to re-organize your OU structure to support your password policies. No need to run Resultant Set of Policy to see who gets what policy. No need to edit multiple GPOs all over the place or figure the best policy precedence order such that one policy does not negate the other.

Granular Password Policies

nFront Password Filter gives you granular control over your password policies. It can put min and max limits on specific types of characters, reject passwords that contain userids/usernames and even check a new password against a multi-language dictionary with over 2 million words in less than 1 second.

What about fine-grained password policies?

Windows 2008, Windows 2012, Windows 2016, and Windows 2019 support multiple password policies in the same domain. However, the policy settings are the same basic policies that are in Windows 2000 and Windows 2003. The only thing granular about fine-grained policies is the ability to apply them to different OUs. The policies do not have granular rules. You can set the minimum length, min/max age, history and complexity but still not stop passwords like Password1. The settings are not robust enough to prevent the use of weak and easily cracked passwords. The settings are also cumbersome to put in place with no GUI to manage the settings.

Multiple Policies

nFront Password Filter MPE allows you to have up to 10 different password policies in the same Windows domain. Each policy can be associated with one or more security groups and/or OUs. You can have strong password polices for Domain Administrators and those with access to more privileged information (credit card data, tax information, etc.). You can also associate weaker policy with other groups like "Mainframe Users."

Policy rules to ensure password compatibility across other systems

Suppose you sync your Windows passwords with UNIX or AS/400 or other mainframe systems. You do not want a one-size fits-all password policy that has to be dumbed down to the least common denominator. System like UNIX or mainframes often truncate passwords longer than 8 or 12 characters. Furthermore, such systems often do not accept certain special characters. With nFront Password Filter you can control the special characters which are accepted or block the use of any special characters.

Password Policy Rules to Enforce the use of Passphrases

Passphrases are simply long passwords like "The dog ate my newspaper." or "I love Chocolate!" Such phrases make great passwords because they are long and long passwords are generally always superior to shorter ones. You can configure nFront Password Filter to require a longer length for the password and require a minimimum number of spaces to be used in the password. This should get you well on your way to the correct horse battery staple passphrases you want to see on your network.

Since passphrases typically contain dictionay words, you can skip dictionary checking for passwords over a specified number of characters. So long passwords may contain dictionary words but short passwords may not.

The filter also supports a feature called Length Based Aging. You can use this to incentivize your users to use passphrases or longer passwords. For example, you may decide that users can keep passwords for one year if the passwords are over 20 characters but passwords that are 10-15 characters must be changed every 90 days.

Policies that cannot be bypassed

nFront Password Filter is not some set of Java rules on a website that are easily bypassed. nFront Password Filter is integrated into the operating system and runs as a thread under the local security authority (the lsass.ese process). The polices you create cannot be bypassed with an alternative password change mechanism.

Why not write a custom Passfilt.dll (Password Filter)?

Writing a custom passfilt.dll is not a trivial process and is much more involved than a simple win32 application. The custom password filter must interface to the Local Security Authority (the lsass.exe process) and runs as a thread of the LSA. You cannot afford a bad line of code or an overlooked exception. A bad line of code can quickly mean a BSOD (blue screen of death). A memory leak or failure to use exception handing and secure coding techniques can deal to a security vulnerability and possible exploitation. A passfilt.dll works on the password in Unicode clear text and care must be taken to properly destroy the memory used by such buffers.

We got started in 2001 writing custom password filters for many different organizations. After noticing many similarities among the requests we decided to write a "configurable customer password filter." We were the first to introduce a password filter controlled by a group policy. In 2005, we were the first to release a 64-bit password filter. We were the first company to put a password strength meter on the Windows change password screen. Currently we are the only company to offer rules for length-based password aging (e.g. longer passwords can be kept for a longer period of time).

You should contemplate the following questions if you are considering the development of a custom passfilt:

  • Will the code be written in house or by an external firm?
  • Who will handle support issues?
  • Who will maintain the code and update it (as in the case of 64-bit servers)?

Check passwords against breached/compromised password list

The filter can check a user's new password against over 700 million breached passwords in less than 60 milliseconds. Most customers use the HIBP (haveIBeenPwned) file of breached passwords. However, you can use any file of SHA1 hashes as long as the hashes are in order.

Dictionary Checking

nFront Password Filter goes beyond giving you control over character types and includes a very fast dictionary check feature. In less than 1 second, nFront Password Filter can scan a 2 million word dictionary and ensure that the user's proposed new password is not contained in the dictionary file!

nFront Password Filter ships with a 6,500 word customizable, plain-text dictionary. The dictionary check feature looks for a case-insensitive exact match (instead of a substring match) between the proposed new password and each entry in the dictionary. The substring search feature can be enable to look for the dictionary word anywhere within the password. You can customize the dictionary by editing the file in Notepad or any other text editor of your choice.

Optional Client to help end users

nFront Password Filter comes with an optional client that you can deploy to end-user workstations. You can choose to include your own custom message to the end user or our default password rules or both. You can also display a password strength meter. All settings, of course, are controlled by GPO.

The client automatically works in multiple languages (English, German, French, Spanish and Italian are supported). It automatically reports the locale of the client workstation to the encrypted RPC service that supports the client. The service then formulates the password policy rules in the language appropriate to the language of the client operating system.

The client is compatible with Windows XP, Windows 7, Windows 8, Windows 8.1 and Windows 10. On Windows XP it operates as a GINA stub DLL (which is the only method support my Microsoft). On Windows 7 and above it operates as a credential provider.

System Requirements for nFront Password Filter

  • Windows 2008, 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019, Server 2022
  • x64 supported for all OS
  • 5 MB free disk space (additional 30GB required if checking local breached password file)
  • 5 minutes of time per domain controller to install
  • 30 minutes of time per domain to configure and test.

System Requirements for nFront Password Filter Client

  • Windows 7, Windows 8, Windows 8.1, Windows 10, and Windows 11. It may also be installed on servers and DCs that are Windows 2008 and above.
  • x64 supported for all OS
  • 5 MB free disk space
  • We suggest an automated deployment using a software GPO or a tool like Microsoft System Center.