Eliminate shoddy codeword practices with this new product; but do it right the first time, because backing out is hard.
Password Enforcer
Product Information
Password Bouncer, $995 annually, per server
MDD Inc.
San Ramon, California
925-831-4746
www.mddinc.com
When it comes to network security, the average
system administrator is burdened with setting up firewalls,
encrypting network traffic and logging security activity.
While all of these measures are good, any one of them
can be foiled by a compromised password. Because the world
has witnessed successful hacks into various banks, not
to mention Microsoft's own fortress, administrators must
seriously consider the threat posed by simple passwords.
Windows NT 4.0 doesn't provide much ability
to force complex user passwords; while Windows 2000 has
a simple algorithm that can be enabled, it doesn't do
a dictionary check. Thus, both OSes can be seen as vulnerable
from a security point of view.
Password Bouncer intends to address these
limitations, by allowing NT/2000 administrators to enforce
several additional password policies that go beyond the
abilities included within Windows OSes.
Figure 1. While some of the options
in Password Bouncer are familiar, it goes way beyond
the traditional NT and Windows 2000 abilities to enforce
password policies.
I was pleasantly surprised at the simplicity
of installing Password Bouncer. I executed the program,
clicked "Next" and "Yes" a half-dozen
times, and it was done. One message popped up indicating
the "comctl32.dll" file was locked, but this
was remedied with a reboot. One note about this installation:
It doesn't have to be installed on a domain controller
(DC). These password requirements can be managed from
any NT/2000 server you choose.
After installation, the configuration screen
appeared, allowing me to select the Win2K domain to be
managed by Password Bouncer. Figure 1 shows the various
password options.
The top four password policy options are
the very familiar Windows NT/2000 policies, including
password expiration and password history. However, Password
Bouncer significantly expands those options. If all the
options in Password Bouncer were active, hacking a password
would be a monumental, if not impossible, task.
Password Bouncer includes a 300,000-word
English word list and 4,000 proper names, in contrast
to Win2K, which lacks a dictionary check. Custom wordlists
with wildcards are also available. For example, you could
exclude everything starting with "luv" by using
"luv*" as the filter text.
After selecting the domain and initial password
complexity requirements, Password Bouncer initializes
the policy in the domain. To complete the process, NT
PDCs can be automatically rebooted. Win2K DCs and NT BDCs
must be manually rebooted. The reboots occur only after
initial installation, and future changes to password policies
can be applied without restarting.
While implementing these new, complex requirements
was simple, it wasn't so easy to back out of them. After
several unsuccessful attempts to remove the password requirements,
I gave up. Previously, it was acceptable in my test domain
to use easy passwords like "dog," "password,"
and "love," but after de-selecting all the complex
requirements unique to Password Bouncer, these simple
passwords were still rejected. In fact, I couldn't get
"F1shing!" to be accepted. The other annoying
problem is that the error message reported doesn't explain
what criteria haven't been met, so it requires research
to determine why the password failed.
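To make the dictionary check, the "luv*" wildcard filter and the rejection-message problem concrete, here is an added example (not Password Bouncer's code or algorithm) of a policy check that returns every criterion a candidate password fails. The word list, the substitution table, the function names and the length and character-class thresholds are all assumptions chosen for illustration.

```python
import fnmatch

# Constructed sample data: a tiny stand-in for a real dictionary and filter list.
WORDLIST = {"dog", "password", "love", "fishing"}
WILDCARD_FILTERS = ["luv*"]
# Assumed table of common substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$", "oieastas")


def char_classes(pw):
    """Count how many of the four classes (upper, lower, digit, symbol) occur."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)


def letters_only(text):
    """Drop every character that is not a letter."""
    return "".join(c for c in text if c.isalpha())


def check_password(pw, min_length=6, min_classes=3):
    """Return the list of failed criteria; an empty list means accepted."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if char_classes(pw) < min_classes:
        reasons.append(f"uses fewer than {min_classes} character classes")

    lowered = pw.lower()
    # Custom wordlist entries may carry shell-style wildcards such as "luv*".
    for pattern in WILDCARD_FILTERS:
        if fnmatch.fnmatchcase(lowered, pattern):
            reasons.append(f"matches custom filter '{pattern}'")

    # Dictionary check on two normalised forms: digits and symbols stripped,
    # and digits and symbols mapped back to the letters they imitate.
    candidates = {letters_only(lowered), letters_only(lowered.translate(LEET))}
    hits = sorted(candidates & WORDLIST)
    if hits:
        reasons.append(f"is the dictionary word '{hits[0]}' once normalised")
    return reasons


if __name__ == "__main__":
    for sample in ("dog", "F1shing!", "Luv2Code!", "Tr4il-Mix-88"):
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
```

Returning the full list of reasons, rather than a bare reject, is what lets a help desk or a password-change dialog tell the user which rule to fix.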
Password Bouncer is a powerful product that
allows system administrators to force more complex passwords
in NT and Win2K domains, and the functionality included
with Password Bouncer is sufficient for even the most
secure networks. The only word of caution is to be careful
about implementing changes. Proceed slowly, warn the users,
test the changes before implementing, and test rolling
back to ensure that you have a way out.
About the Author
Robert Pfeiffer, MCSE, MCT, works closely with Windows
NT and Win2K. Implementing Win2K in the enterprise is
currently one of Rob's major undertakings, and he enjoys
showing others how to take advantage of Windows networking
technologies. He also occasionally delves into development
work using Visual Basic.