How to Enable Strong Password Functionality in Windows NT
ID: Q161990
This article discusses a Beta release of a Microsoft product. The
information in this article is provided as-is and is subject to change
without notice.
No formal product support is available from Microsoft for this Beta
product. For information about obtaining support for a Beta release,
please see the documentation included with the Beta product files, or
check the Web location from which you downloaded the release.
The information in this article applies to:
- Microsoft Windows NT Server version 4.0
- Microsoft Windows NT Workstation version 4.0
SUMMARY
Windows NT 4.0 Service Pack 2 introduces a new DLL file (Passfilt.dll) that
lets you enforce stronger password requirements for users. Passfilt.dll
provides enhanced security against "password guessing" or "dictionary
attacks" by outside intruders.
NOTE: While Windows 95 does not support case-sensitivity in its passwords,
the password change request is sent to the Primary Domain Controller (PDC)
in such a way that it can enforce the password filtering rules. For
example, if you change your domain password on a computer running Windows
95 to PassWord1, you can use password1, PASSWORD1, PassWord1, and so on to
log on to the domain from a computer running Windows 95. However, you must
use PassWord1 to log on to a computer running Windows NT.
NOTE: Passwords changed in Windows 3.x or Windows for Workgroups 3.x cannot
be enforced in this password policy.
MORE INFORMATION
Passfilt.dll implements the following password policy:
- Passwords must be at least six (6) characters long.
- Passwords must contain characters from at least three (3) of the
following four (4) classes:
  Description                                Examples
  -------------------------------------------------------------------
  English upper case letters                 A, B, C, ... Z
  English lower case letters                 a, b, c, ... z
  Westernized Arabic numerals                0, 1, 2, ... 9
  Non-alphanumeric ("special characters")    such as punctuation symbols
- Passwords may not contain your user name or any part of your full name.
These requirements are hard-coded in the Passfilt.dll file and cannot be
changed through the user interface or registry. If you wish to raise or
lower these requirements, you must write your own .dll and implement it in
the same fashion as the Microsoft version that is available with Windows NT
4.0 Service Pack 2.
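The three rules above, written out as a portable C function of the kind a custom filter DLL could call. This is an added example, not Microsoft's Passfilt.dll code; the function name, the separator set and the three-character minimum used to interpret "any part of your full name" are assumptions, and the sample account is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive search for the first nlen bytes of needle inside hay. */
static int contains_ci(const char *hay, const char *needle, size_t nlen) {
    size_t hlen = strlen(hay);
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        size_t j = 0;
        while (j < nlen && tolower((unsigned char)hay[i + j]) ==
                           tolower((unsigned char)needle[j])) j++;
        if (j == nlen) return 1;
    }
    return 0;
}

/* Returns 1 if pw passes the three rules listed above, 0 if it is rejected. */
int passfilt_policy_ok(const char *pw, const char *user, const char *full_name) {
    static const char delims[] = " ,.-_\t";  /* assumed name separators */
    int upper = 0, lower = 0, digit = 0, special = 0;
    if (strlen(pw) < 6) return 0;                       /* rule 1: length */
    for (const char *p = pw; *p; p++) {
        if (*p >= 'A' && *p <= 'Z') upper = 1;
        else if (*p >= 'a' && *p <= 'z') lower = 1;
        else if (*p >= '0' && *p <= '9') digit = 1;
        else special = 1;                               /* anything else */
    }
    if (upper + lower + digit + special < 3) return 0;  /* rule 2: 3 of 4 */
    if (contains_ci(pw, user, strlen(user))) return 0;  /* rule 3: user name */
    for (const char *t = full_name; *t; ) {             /* rule 3: name parts */
        size_t len = strcspn(t, delims);
        if (len >= 3 && contains_ci(pw, t, len)) return 0;  /* assumed min 3 */
        t += len;
        t += strspn(t, delims);
    }
    return 1;
}

int main(void) {
    /* Constructed sample account and candidate passwords. */
    const char *samples[] = { "PassWord1", "password", "abc12!", "xSMITH-77" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s %s\n", samples[i],
               passfilt_policy_ok(samples[i], "jsmith", "John Smith")
                   ? "accepted" : "rejected");
    return 0;
}
```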
How to Install Strong Password Filtering
To ensure Strong Password functionality occurs throughout your domain
structure, make the following changes on all primary domain
controllers (or stand-alone servers, where needed).
PASSFILT.DLL is not necessary on backup domain controllers since the PDC is
the only machine where changes to the domain accounts database are made.
However, it should be installed on all BDCs because they can be promoted to
PDC. If a BDC without PASSFILT.DLL is promoted to PDC, then strong password
enforcement will be lost but there will be no other adverse effects.
WARNING: Using Registry Editor incorrectly can cause serious, system-wide
problems that may require you to reinstall Windows NT to correct them.
Microsoft cannot guarantee that any problems resulting from the use of
Registry Editor can be solved. Use this tool at your own risk.
1. Install the latest Windows NT 4.0 service pack.
2. Copy Passfilt.dll to the %SYSTEMROOT%\SYSTEM32 folder.
3. Use Registry Editor (Regedt32.exe) to add the value "Notification
   Packages", of type REG_MULTI_SZ, under the LSA key.
   NOTE: If this key already exists, go to Step 4.

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

4. Double-click the "Notification Packages" key and add the following
   value:
   NOTE: If the value FPNWCLNT is already present, place the following
   entry beneath the FPNWCLNT entry:

      PASSFILT

5. Click OK and then exit Registry Editor.
6. Shut down and restart the computer running Windows NT Server.
For additional information, please see the following articles in the
Microsoft Knowledge Base:
ARTICLE-ID: Q151082
TITLE : Password Change Filtering & Notification in Windows NT
ARTICLE-ID: Q174075
TITLE : Strong Passwords With Passfilt.dll Are Not Enforced
ARTICLE-ID: Q174076
TITLE : Invalid Password Message When Strong Passwords Are Required
Microsoft Windows 2000
Strong Password Functionality Included with Microsoft Windows 2000
The functionality described above for the Passfilt.dll file for Windows NT 4.0 has been included in the operating system security components for Windows 2000. You can enable strong password enforcement in Windows 2000 by starting the Local Computer Policy snap-in and enabling the "Passwords must meet complexity requirements" setting in Computer Configuration\Software Settings\Account Policy\Password Policy.
Keywords : kbenv kbnetwork ntsecurity NTSrv
Version : winnt:4.0
Platform : winnt
Issue type : kbhowto