Announcement

Collapse
No announcement yet.

Prohibit certain passwords in AD

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Prohibit certain passwords in AD

    Hi

    I've been tasked with prohibiting certain passwords in AD, Like a blacklist of passwords such as Password1234 etc.

    I had looked online but the explanations are too complex and I need a more layman's understanding initially so I can see if I need to research or go 3rd party

    From what I understand so far I need to create a group policy - default domain policy. then have a program compiled only using C with the banned passwords that runs as a thread of the LSA from what I can see this is the only path.

    Is this a complex operation ? Is it worth taking the risk doing this? What could be typical negative outcomes ? e.g. blue screening the DC.

    Are 3rd party solutions preferable or Is that a waste of money for something that can implement myself ?

    Id appreciate any info, big picture overview so I can consider an approach

    I can rustle up a Powershell script but C if that is the only option is beyond me presently

    Thanks for reading

    Confuseis




  • #2
    As far as I know you need a program which will examine the passwords and reject unsuitable ones. You will need to write the program.
    You have probably followed these links: https://msdn.microsoft.com/en-us/lib...(v=vs.85).aspx

    There are examples of the code, but unless you are a good programmer, you risk totally messing up security if you aren't careful! I would not bother!!!!
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      I was trying to educate using the horse battery staple correct theme and for a couple of places I was gaining ground. Passwords became instantly easy to remember and they were all 12+ characters long. Me was happy until a Mac user with the surname Virk came along and couldn't figure out why vik wasn't a suitable password and virk was the root one. Wasn't even going to waste my breath on this one; his mind was already configured.

      In answer to Confuseis, do not walk through a shower door sideway otherwise you are going to Bangkok. (sorry, someone had to)

      There are multiple 3rd party options but the prices looked a tad frightening. I think this is going to revolve around a couple of factors. One is the number of Users in the company (this has to apply to management as well, NO EXCEPTIONS!). The other is User education. You will also need a Password Policy written and have each staff member read and sign it so when (not if) they break the rules and get caught they get an official warning. I would suggest find the most disliked and laziest staff member and wait for them to fail the policy and then have them sacked as a result of that. The others my then take notice that management are serious about the passwords and the Users may just start to toe the line. It also depends on how secure your data has to be. Is it confidential, medical, proprietary, secret etc? If the Users understand the need for the more secure passwords it may help with the implementation but this falls more under User Education.
      1 1 was a racehorse.
      2 2 was 1 2.
      1 1 1 1 race 1 day,
      2 2 1 1 2

      Comment


      • #4
        I find no matter how much you try and influence a strict password policy user education beats it hands down. The more complex and harder to remember the more chance of the user writing it down on a post it note and hiding it behind the screen or under the keyboard - those seem to be the most common hiding places I've found (you do however get the odd person with a post it note on the laptop keyboard)

        Comment


        • #5
          Ah... post it notes.... I worked for a company where the PA to the CEO needed his password, so she kept it on a post it on her monitor (no, she was not hired on her intellectual abilities, but did improve the scenery immensely). After a while I gave up removing it when the post it now said "Chief Execs Password in Top Desk Drawer"
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **

          Comment

          Working...
          X