Programming your own password filter .dll
(Last updated on March 23, 2021)
Organizations can increase the security of Active Directory passwords by filtering specific passwords from being used in their environment. Password filters help bolster the security protections of Active Directory Password Policy settings by ensuring that end-users cannot use passwords that may align with the password policy, but are still weak or easily guessed.
Microsoft has extended Active Directory to allow organizations to drop in custom password filter .dlls to restrict specific passwords from being used in the environment. What is a password filter .dll, and how are they used? What about programming your own password filter .dll? Let’s take a closer look at password filter .dlls in general and see how these extend the password protections in Active Directory.
What is a password filter .dll?
A password filter .dll is a dynamic link library, either custom-written or provided as a part of a commercial solution, that allows filtering specific passwords from use in an organization’s Active Directory environment. You might wonder why a password filter .dll would be needed if an organization already has an Active Directory Password Policy.
While Active Directory Password Policies can help bolster the security of Active Directory passwords in your environment, end-users may still use weak or easily guessed passwords. How is this possible? Let’s take a look at a standard Active Directory Password Policy configuration and see how weak passwords may still be able to get through this line of defense in your environment.
Below is an example of a reasonably standard Active Directory Password Policy. As you can see below, the password policy defines the following:
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements
You may consider the above to prevent any weak passwords from being used in your environment. However, let’s take a look at a scenario of how weak or easily guessed passwords could make their way into your environment. As an example, attackers may guess passwords based on the name of your business. What if the name of your business is called “My Widgets.” If an end-user creates a password called Mywidgets1, this password would be in line with the above-listed password policy. It contains both capital and lower case letters and a number, meeting three out of the four complexity characteristics required. However, an attacker or anyone else could easily guess this password.
Password filters help curtail weak passwords that end-users can use when configuring passwords on their user accounts.
What about programming your own password filter .dll?
While password filter .dlls can be downloaded, organizations may consider programming their own custom password filter .dll to prevent specific passwords in their Active Directory environment. It is important to note, programming a custom password filter is not for the inexperienced. If not configured correctly, a custom password filter .dll can lead to exposing end-user passwords instead of protecting them. Consider the following custom password filter recommendations as outlined by Microsoft.
Microsoft has provided a framework for installing and registering a password filter .dll file on your Active Directory domain controllers.
In the Installing and Registering a Password Filter DLL KB provided by Microsoft, there are four steps outlined to install a custom password filter .dll file in your environment.
Easier approach to password filtering
Programming a custom password filter is doable with the right resources. For many organizations, including SMBs, this will not be something they will have the ability to do independently. Even if organizations have the expertise in-house, developers must give security best practices priority in its implementation. Specops Password Policy provides an easier way to implementing password filters in your environment. It provides a robust password policy solution for Active Directory, including custom password lists to prevent end-users from using specific keywords.
Specops Password Policy allows using both custom dictionaries and downloaded dictionaries as part of the overall password rules provided to ensure password security for your organization. Under the Specops Password Policy, the Dictionaries section allows managing both custom and downloaded dictionaries.
Specops Password Policy provides password filtering and password policies that allow organizations to have a full suite of password security tools, including breached password protection. Specops takes the heavy lifting out of developing a custom password .dll for organizations and allows them to implement this feature in very little time.
Preventing end-users from using specific keywords is critical to password security. Even with a traditional Active Directory Password Policy in place, end-users can still use combinations and password transformations that can be easily guessed. Using a password filter .dll is an excellent way to bolster password security by disallowing specific keywords and other common passwords. However, writing a custom password .dll requires development expertise and must be developed with security in mind. Specops Password Policy provides a much easier way for businesses to implement this functionality.