Writing a Password Filter for Windows (Active Directory)

A password filter takes part in the decision on whether a new user password is accepted. Microsoft supports writing custom password filters: a password filter is a system DLL that the LSA (Local Security Authority) service loads and calls to enforce password requirements whenever a password is set or changed.

A password filter is a system DLL that exports three functions with the following prototypes:

BOOLEAN __stdcall InitializeChangeNotify(void);

NTSTATUS __stdcall PasswordChangeNotify(
    PUNICODE_STRING UserName,
    ULONG RelativeId,
    PUNICODE_STRING NewPassword
);

BOOLEAN __stdcall PasswordFilter(
    PUNICODE_STRING AccountName,
    PUNICODE_STRING FullName,
    PUNICODE_STRING Password,
    BOOLEAN SetOperation
);

How does LSA interact with Custom Password Filters?

At system start-up, LSA loads every password filter listed in the registry and calls its InitializeChangeNotify() function. A return value of TRUE tells LSA that the filter loaded and is working; the filters that return TRUE form LSA's chain of password filters. When a password is set for a new account or an existing account's password is changed, LSA requires every link in that chain to accept the new password: it calls the PasswordFilter() function of each filter in turn. If one filter returns FALSE, LSA does not call the remaining filters; the operation fails and the user is asked for a different password. Only if every PasswordFilter() call returns TRUE is the new password accepted. Once the change has been committed, each filter is told about it through its PasswordChangeNotify() function, which should return STATUS_SUCCESS.

Keep the following things in mind before implementing:

  • PasswordFilter and PasswordChangeNotify receive the password in clear text. Handle it quickly and leave no copy of it behind in memory for a malicious process to find: keep it off the heap, never write it to a log, and wipe any local buffer before returning. Use SecureZeroMemory (available since Windows XP and Windows Server 2003) rather than ZeroMemory or memset: a plain memset of a buffer that is never read again may be removed by the compiler's optimiser, while SecureZeroMemory is guaranteed to run.
  • Make your filter fast. LSA calls PasswordFilter synchronously while the password operation is in progress, so the change (and other work in lsass) waits until every filter in the chain has returned; do not perform network calls or lengthy computation there.
  • Password filters run inside the lsass.exe process. Attaching a debugger to lsass is a bad idea on any machine you care about: if the process dies when you detach, Windows reboots, and with LSA protection (RunAsPPL) enabled a user-mode debugger cannot attach at all. Debug on a throwaway VM; for a filter that is already deployed, write a log file to disk and follow it there, recording the account name and the decision but never the password itself.
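The following is an added example, not code from this article, that ties the three exports above to the rules in this list: a complete filter DLL in C whose PasswordFilter() enforces a small policy and whose only copy of the clear-text password is a case-folded stack buffer wiped with SecureZeroMemory on every exit path. The policy constants, the banned-fragment list, the three-character account-name rule and the build command are assumptions; the non-Windows type stand-ins exist only so the policy logic can be compiled and tested on a workstation.

```c
/* pwfilter.c: a minimal password filter DLL. Added example for this article, not code from the
 * page. Policy constants, banned fragments and the 3-character account-name rule are assumptions.
 * Windows build (64-bit, same as the DC): cl /LD /W4 pwfilter.c. For a 32-bit build add a .def
 * file so the __stdcall exports keep undecorated names (LSA looks up "PasswordFilter"). */
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>                           /* UNICODE_STRING, NTSTATUS */
#define PWF_EXPORT __declspec(dllexport)
#else
/* Stand-ins for the Windows types so the policy logic compiles and can be tested off a DC. */
typedef unsigned char BOOLEAN; typedef uint32_t ULONG; typedef int32_t NTSTATUS;
typedef uint16_t WCHAR, *PWSTR, USHORT;          /* WCHAR is one UTF-16 code unit */
typedef struct { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING;
#define TRUE 1
#define FALSE 0
#define __stdcall
#define PWF_EXPORT
static void SecureZeroMemory(volatile void *p, size_t n)
{ volatile unsigned char *b = (volatile unsigned char *)p; while (n--) *b++ = 0; }
#endif
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0)
#endif

#define PWF_MIN_LENGTH  12                      /* assumed policy */
#define PWF_MIN_CLASSES 3
#define PWF_MAX_LENGTH  256
static const char *const kBanned[] = { "password", "contoso", "welcome", "qwerty" };

static WCHAR fold(WCHAR c) { return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + 32) : c; }

/* Does the already-folded haystack contain needle, ignoring ASCII case? */
static int contains(const WCHAR *hay, size_t hn, const WCHAR *needle, size_t nn)
{
    size_t i, j;
    if (nn == 0 || nn > hn) return 0;
    for (i = 0; i + nn <= hn; i++) {
        for (j = 0; j < nn && hay[i + j] == fold(needle[j]); j++) { }
        if (j == nn) return 1;
    }
    return 0;
}

/* ASCII -> UTF-16 code units; returns the number written. */
static size_t ascii_to_wide(WCHAR *dst, size_t cap, const char *src)
{
    size_t i;
    for (i = 0; src[i] && i < cap; i++) dst[i] = (WCHAR)(unsigned char)src[i];
    return i;
}

/* The policy check. Its only copy of the password is a case-folded one on the stack,
 * wiped on every exit path; nothing goes to the heap or to a log. Length is in bytes. */
static BOOLEAN password_meets_policy(PUNICODE_STRING account, PUNICODE_STRING password)
{
    WCHAR folded[PWF_MAX_LENGTH], frag[32];
    size_t n = password->Length / sizeof(WCHAR), an = account->Length / sizeof(WCHAR), i, k;
    int lower = 0, upper = 0, digit = 0, other = 0;
    BOOLEAN ok = FALSE;
    if (n < PWF_MIN_LENGTH || n > PWF_MAX_LENGTH) return FALSE;
    for (i = 0; i < n; i++) {
        WCHAR c = password->Buffer[i];
        if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= 'A' && c <= 'Z') upper = 1;
        else if (c >= '0' && c <= '9') digit = 1;
        else other = 1;                          /* punctuation or any non-ASCII code unit */
        folded[i] = fold(c);
    }
    if (lower + upper + digit + other < PWF_MIN_CLASSES) goto done;
    if (an >= 3 && contains(folded, n, account->Buffer, an)) goto done; /* names < 3 chars skipped */
    for (k = 0; k < sizeof kBanned / sizeof kBanned[0]; k++)
        if (contains(folded, n, frag, ascii_to_wide(frag, 32, kBanned[k]))) goto done;
    ok = TRUE;
done:
    SecureZeroMemory(folded, sizeof folded);     /* a plain memset here may be optimised away */
    return ok;
}

PWF_EXPORT BOOLEAN __stdcall InitializeChangeNotify(void)
{ return TRUE; }                                 /* FALSE would drop this filter from LSA's chain */

PWF_EXPORT BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                                            PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)FullName; (void)SetOperation;          /* SetOperation: TRUE for a reset, FALSE for a change */
    return password_meets_policy(AccountName, Password);
}

PWF_EXPORT NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                                   PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;   /* nothing to sync, so never read it */
    return STATUS_SUCCESS;                       /* called after the change has been committed */
}

/* Helper for experiments off the DC: ASCII account name and password. */
static BOOLEAN check_ascii(const char *account, const char *password)
{
    WCHAR ab[64], pb[PWF_MAX_LENGTH];
    UNICODE_STRING acct = { 0, sizeof ab, ab }, pw = { 0, sizeof pb, pb };
    acct.Length = (USHORT)(ascii_to_wide(ab, 64, account) * sizeof(WCHAR));
    pw.Length = (USHORT)(ascii_to_wide(pb, PWF_MAX_LENGTH, password) * sizeof(WCHAR));
    return PasswordFilter(&acct, NULL, &pw, FALSE);
}
```

PasswordChangeNotify() deliberately does not read NewPassword: a filter that must use the new password (to sync it to another system, say) should copy it into a local buffer, use it and wipe that buffer the way password_meets_policy() does. Nothing here logs the password and nothing should; if you add the file logging recommended above, log the account name and the decision only.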

Installing the Password Filter

  • Copy the password filter DLL to the %SystemRoot%\system32 folder. Build it for the same architecture as the operating system (a 64-bit lsass.exe cannot load a 32-bit DLL), and for Active Directory install it on every domain controller, because each DC runs the filters for the password changes it processes.
  • Open the Registry Editor and locate the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  • Modify the "Notification Packages" multi-string value of that key and add your password filter's file name without the ".dll" extension, keeping the entries already there (scecli, which implements the built-in complexity rules, must stay).
  • Reboot: LSA reads "Notification Packages" only at start-up, so the filter is not loaded until then. If LSA protection (RunAsPPL) is enabled, lsass loads only plug-ins that meet its signing requirements, so an unsigned filter is ignored; test with LSA protection in audit mode first and look for Code Integrity events 3065 and 3066. Because every DLL in this value receives each new password in clear text, the value is also a classic credential-theft and persistence location (MITRE ATT&CK T1556.002), so alert on changes to it.
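The registry step is where installers go wrong, so here is an added example (not from the article) of doing it safely in C: the merge logic for the REG_MULTI_SZ value is portable and is exercised against a constructed copy of a DC's default value, and only register_password_filter() calls the Windows registry API. The file name and buffer sizes are assumptions.

```c
/* Registering a filter in "Notification Packages" (REG_MULTI_SZ). Added example, not from
 * the page. The value is a list of NUL-terminated UTF-16 names closed by one extra NUL; an
 * installer must merge into the existing list (the default entry scecli has to stay) rather
 * than overwrite it, and must add the name without ".dll". Build on Windows with advapi32.lib. */
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>                    /* WCHAR, RegGetValueW, RegSetKeyValueW */
#else
typedef uint16_t WCHAR;                 /* one UTF-16 code unit, as on Windows */
#endif
#define MSZ_CAP 512                     /* code units; far more than this value ever needs */

static WCHAR fold(WCHAR c) { return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + 32) : c; }

/* ASCII file name -> UTF-16, with a trailing ".dll" (any case) dropped. Returns the length. */
static size_t name_to_wide(WCHAR *dst, size_t cap, const char *name)
{
    size_t n = strlen(name), i;
    if (n > 4 && name[n - 4] == '.' && (name[n - 3] | 32) == 'd'
              && (name[n - 2] | 32) == 'l' && (name[n - 1] | 32) == 'l') n -= 4;
    if (n > cap) n = cap;
    for (i = 0; i < n; i++) dst[i] = (WCHAR)(unsigned char)name[i];
    return n;
}

/* msz/len: the existing value in code units including its closing NUL (len may be 0 when
 * the value is absent). Returns the new length, len if the name is already listed
 * (case-insensitive), or 0 if the buffer cannot hold the result. */
static size_t msz_append(WCHAR *msz, size_t len, size_t cap, const char *name)
{
    WCHAR w[64];
    size_t wn = name_to_wide(w, 64, name), p = 0;
    if (wn == 0) return 0;
    while (p < len && msz[p] != 0) {              /* one existing entry per iteration */
        size_t e = p, j = 0;
        while (e < len && msz[e] != 0) e++;
        if (e - p == wn) {
            while (j < wn && fold(msz[p + j]) == fold(w[j])) j++;
            if (j == wn) return len;              /* already registered: leave it alone */
        }
        p = e + 1;
    }
    if (p + wn + 2 > cap) return 0;               /* never write a truncated list */
    if (p > 0) msz[p - 1] = 0;                    /* repairs a value stored without terminators */
    memcpy(&msz[p], w, wn * sizeof(WCHAR));
    msz[p + wn] = 0;                              /* closes the new entry */
    msz[p + wn + 1] = 0;                          /* closes the list */
    return p + wn + 2;
}

#ifdef _WIN32
/* Merge into the live key. Needs administrator rights, must be repeated on every DC, and
 * takes effect only after a reboot, since LSA loads filters at start-up. */
static LONG register_password_filter(const char *dll_name)
{
    static const WCHAR *key = L"SYSTEM\\CurrentControlSet\\Control\\Lsa";
    WCHAR buf[MSZ_CAP];
    DWORD cb = sizeof buf, type = 0;
    size_t n;
    LONG rc = RegGetValueW(HKEY_LOCAL_MACHINE, key, L"Notification Packages",
                           RRF_RT_REG_MULTI_SZ, &type, buf, &cb);
    if (rc == ERROR_FILE_NOT_FOUND) cb = 0;       /* value absent: start an empty list */
    else if (rc != ERROR_SUCCESS) return rc;
    n = msz_append(buf, cb / sizeof(WCHAR), MSZ_CAP, dll_name);
    if (n == 0) return ERROR_INSUFFICIENT_BUFFER;
    return RegSetKeyValueW(HKEY_LOCAL_MACHINE, key, L"Notification Packages",
                           REG_MULTI_SZ, buf, (DWORD)(n * sizeof(WCHAR)));
}
#endif
```

The merge is idempotent, so running the installer twice does not register the filter twice, and it refuses to write a truncated list rather than silently dropping an existing package.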