The nFront Password Filter download is a zip file and contains 3 MSI files:
The "filter" MSI package must be installed on all writable domain controllers. If you have read-only DCs (RODCs), you do not need to install it on them. However, if you plan to deploy the client, you should install the filter MSI package onto the RODCs. This is because the client selects a random DC to query for the password requirements, and in that case the client may contact an RODC.
The installation takes only a minute. It copies 4 DLLs and 2 service files to Windows\system32 and modifies the registry so the filter DLL is loaded on the next boot cycle. At the end of installation you are prompted for a reboot. You can say No and reboot at a time that is more convenient. A reboot is required for a first-time installation but is not needed for future upgrades. Traditionally, a password filter consisted of a single DLL. As a result, it could only be updated by cycling through 2 reboots. In 2006, we adopted an architecture of using a base DLL and a filter engine DLL. The base DLL is loaded on the boot cycle and calls the filter engine DLL. There is a security mechanism to ensure the filter engine is our DLL and not a malicious one.
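Because the installer registers a DLL that LSA loads at boot, it is worth auditing what is registered on each DC after installation. The following PowerShell is an added example, not nFront's code: it lists every registered password filter and checks each DLL's signature and hash. It assumes the filter registers through the standard Windows `Notification Packages` value under the LSA key; the page does not name the registry key or the DLL.

```powershell
# Added example (not nFront code): audit the password filter DLLs that LSA
# will load at boot on this domain controller.
# Assumption: registration uses the standard Windows "Notification Packages"
# value; the page does not name the key or the DLL.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

$report = foreach ($name in $packages) {
    if ([string]::IsNullOrWhiteSpace($name)) { continue }

    # Entries are normally bare names resolved from System32 without ".dll".
    $file = if ($name -match '\.dll$') { $name } else { "$name.dll" }
    $path = if ([IO.Path]::IsPathRooted($file)) { $file }
            else { Join-Path $env:SystemRoot "System32\$file" }

    if (-not (Test-Path -LiteralPath $path)) {
        # A registered package with no DLL on disk deserves a closer look.
        [pscustomobject]@{ Package = $name; Path = $path; Status = 'MISSING'
                           Signer = $null; SHA256 = $null }
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Package = $name
        Path    = $path
        Status  = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer  = $sig.SignerCertificate.Subject   # $null when unsigned
        SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

$report | Format-Table -AutoSize

# Catalog-signed Windows DLLs can report NotSigned on older PowerShell
# versions, so a non-Valid status is a prompt to review, not a verdict.
$report | Where-Object { $_.Status -ne 'Valid' } | ForEach-Object {
    Write-Warning "Review notification package '$($_.Package)': status $($_.Status)"
}
```

Run it on each DC after installation and after upgrades, and compare the package list and hashes against a known-good baseline.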
The other 2 MSI files are optional.
The client MSI package is typically deployed to client workstations to modify the password change screen. It can show the password requirements on the password change screen and it can provide a more detailed failure message. It can even show up to 5 dictionary words that were detected in the new password. This helps eliminate user frustration and helpdesk calls.
The "expiration" package is also optional. If it is used, it is installed onto a single domain controller. The service runs on a periodic basis. You can configure the interval. Most customers run it daily. It allows the filter system to enforce different maximum password ages for different password policies. It also has the ability to email users warnings about upcoming max password age. In 2017, we invented a feature that we call length-based password aging. The feature allows you to set up to 4 different ranges of password length and tie each range to a max password age. This allows you to reward users with longer passwords with a longer max password age.