logo
banner
Download the FREE 5-IP version of the GFI LANguard network vulnerability scanner!
line
HOME
TOOLBOX
ON MY MIND RIGHT NOW
MISC
ABOUT
line
forest

StrongPass

Download v1.0 (for Windows NT 4.0)


Introduction


StrongPass works like the standard passfilt.dll but enforces some extra password policies. The passwords must be at least 7 characters long, and if they are exactly 7 characters these must be picked from the three groups a-z/A-Z, 0-9, and special characters (other than the alphanumeric). If the password is longer than 7 characters but shorter than 14, the same rule applies to the first 7 characters. If the password is exactly 14 characters, the rule applies to either the first 7 or the last 7 characters (any group matching the rule will do). This policy will make it harder for a cracking program like L0phtcrack to crack the LANMAN hashes generated from the passwords.

Usage instructions


Download the file, unzip it, and copy it into %SystemRoot%\system32 (often c:\winnt\system32). Make sure to restrict access to it so it isn't writeable by any other users than Administrators. Then go to the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

and add "strongpass" (without the quotes) to the value Notification Packages. Make sure that "passfilt" is also in place there, because strongpass.dll only complements it.

Q&A


Q: That file of yours may catch my password and send it over the Internet to you, right?

A: That's right, it could. All I can do is promise that I haven't included any code like that. Also, a good idea for your part would be to download it and then look through the import table to see if there are any suspicious imports.

Q: Ok, but how do I install the DLL then?

A: Copy it into %SystemRoot%\system32 (often c:\winnt\system32). Make sure that it isn't writeable by any other users than Administrators. Then go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and add "strongpass" (without the quotes) to the value Notification Packages. Make sure that "passfilt" is also in place there, because strongpass.dll only complements it.

Q: What extra password policies does StrongPass enforce?

A: The passwords must be at least 7 characters long, and if they are exactly 7 characters these must be picked from the three groups a-z/A-Z, 0-9, and special characters (other than the alphanumeric). If the password is longer than 7 characters but shorter than 14, the same rule applies to the first 7 characters. If the password is exactly 14 characters, the rule applies to either the first 7 or the last 7 characters (any group matching the rule will do). This policy will make it harder for a cracking program like L0phtcrack to crack the LANMAN hashes generated from the passwords.

Q: That's all fine, but I have a whole domain with NT systems. Do I have to put strongpass in every one of them?

A: No, StrongPass (and passfilt) should be in those systems which have the accounts in their SAM databases. If you only want the policy to be enforced on domain accounts you should add the DLL's to the PDC and BDCs.

Q: We're dealing with plaintext passwords here, have you been careful enough when writing this thing?

A: I sure hope so. I've taken all precautions I know of, but I'm not at all perfect. If you find a bug or anything suspicious, please send me a mail to arne.vidstrom@ntsecurity.nu and tell me about it.

Q: Can StrongPass lock me out of my system?

A: Logically it shouldn't be able to, because it is only invoked when you change passwords. However, it resides inside the LSA process and if it starts overwriting stuff there you could have a problem. The DLL won't be invoked before you try to change a password for the first time since the system has booted. Say that something goes wrong then, and the LSA process is damaged in some way. That process will remain in memory when you log out of the system and back in again - so, you may be locked out temporarily. But when rebooting the system the LSA process will be created from scratch in memory and you will be able to log on again.

Q: I can't delete the strongpass.dll, why is that?

A: That is because strongpass.dll (and also passfilt.dll) is constantly loaded by the LSA process. You can't delete a file that is in use, so just remove StrongPass from the registry, reboot your system to release the file and you will be able to delete it.

Q: I have a question that is not covered here. Where can I get help?

A: Send me your question. I can't promise that I will have time to answer, but I'll do my best.



© Arne Vidstrom. All rights reserved.