Hi guys,
Joe - thanks for the P-Synch plug. :-)
There are good reasons for our password filter DLL to connect into a central
server, or cluster of servers:
* It makes it possible to enforce infinite password history (which we do).
* It makes it easy for an administrator to control policy centrally,
with built-in rules, regular expressions, plugins, etc., without
having to revisit the DCs.
A central point of failure is definitely an issue you should think about
when doing this. That said, keep in mind: this potential point of failure
only applies to password changes, not to the AD authentication process.
As such, the worst-case mode of failure is not too bad (users can't
change passwords until you figure out what's up).
As a vendor, we're pretty nervous about causing trouble on our customers'
DCs, as you can imagine. There is one customer I can think of off-hand
that has our DLL installed on 400+ DCs globally. Others may be larger.
If there was a problem with the architecture, you can bet I'd be hearing
about it.
To minimize the potential negative impact of all these DCs going to one
central server to validate password quality, we:
* Cluster the P-Synch server, behind a load balancer.
* Code the password filter DLL to be fail-safe, e.g. it
has short timeouts on connections, and reasonable behaviour,
such as "let the password change go through" in the event of a
failure to connect to the central P-Synch server cluster.
Note that P-Synch is licensed per user. $1500/DC would be nasty with
400+ DCs. I know that our customer with 400 DCs paid less than that,
and got much more functionality than just AD password quality control.
Anyways, enough commercial chatter. Your points are all valid: it's
doable, there are commercial products to do it, and it should not be
undertaken lightly, since a minor screwup will cause DCs to die.
Cheers,
-- Idan
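The fail-safe pipeline described above (cheap local rules first, then a central quality check with a short timeout that lets the change through when the cluster cannot be reached), as an added example in portable C. It is not P-Synch code and not a real LSASS filter DLL: the real Windows export is `PasswordFilter(AccountName, FullName, Password, SetOperation)` taking `UNICODE_STRING` arguments, whereas here plain C strings, the `central_check_fn` transport callback, the policy thresholds and the `Winter2003`/`Password1` history entries are all constructed assumptions so the logic compiles and runs anywhere.

```c
/* Added example, not P-Synch code and not a real LSASS password filter.
   Models the decision pipeline: local rules, then a central check that
   fails open when the cluster is unreachable. Plain C strings stand in
   for the UNICODE_STRINGs a real filter DLL receives. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of asking the central server (hypothetical transport). */
typedef enum {
    CENTRAL_ACCEPT,
    CENTRAL_REJECT,
    CENTRAL_UNREACHABLE   /* timeout, connection refused, cluster down */
} central_result_t;

typedef central_result_t (*central_check_fn)(const char *account,
                                             const char *password,
                                             unsigned timeout_ms);

/* Policy knobs an administrator would set centrally (values are constructed). */
typedef struct {
    size_t min_length;
    unsigned min_char_classes;   /* of upper / lower / digit / other */
    unsigned central_timeout_ms; /* keep short: this code runs inside LSASS */
    bool fail_open;              /* accept when the central cluster is unreachable */
} filter_policy_t;

/* Counters a DLL would surface through its logging, so operators notice
   when the cluster is down and the fail-open path is being taken. */
typedef struct {
    unsigned local_rejects;
    unsigned central_rejects;
    unsigned central_unreachable;
} filter_stats_t;

/* Cheap checks that need no network: length and character-class mix. */
static bool local_rules_ok(const filter_policy_t *p, const char *pw) {
    size_t len = strlen(pw);
    if (len < p->min_length) return false;
    bool upper = false, lower = false, digit = false, other = false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c)) upper = true;
        else if (islower(c)) lower = true;
        else if (isdigit(c)) digit = true;
        else other = true;
    }
    unsigned classes = upper + lower + digit + other;
    return classes >= p->min_char_classes;
}

/* The filter entry point as the model sees it: true allows the change. */
bool password_filter(const filter_policy_t *p, central_check_fn central,
                     filter_stats_t *stats, const char *account, const char *pw) {
    if (!local_rules_ok(p, pw)) { stats->local_rejects++; return false; }
    switch (central(account, pw, p->central_timeout_ms)) {
    case CENTRAL_ACCEPT: return true;
    case CENTRAL_REJECT: stats->central_rejects++; return false;
    case CENTRAL_UNREACHABLE:
        stats->central_unreachable++;
        /* Fail-safe: a dead cluster must not block all password changes;
           the local rules above still applied. fail_open=false is the
           fail-closed alternative: nobody changes a password until the
           cluster is back, which is the worst case Idan describes. */
        return p->fail_open;
    }
    return false;
}

/* Simulated central server: rejects anything in a constructed history list. */
central_result_t central_simulated(const char *account, const char *pw, unsigned timeout_ms) {
    static const char *history[] = { "Winter2003", "Password1" }; /* constructed */
    (void)account; (void)timeout_ms;
    for (size_t i = 0; i < sizeof history / sizeof history[0]; i++)
        if (strcmp(history[i], pw) == 0) return CENTRAL_REJECT;
    return CENTRAL_ACCEPT;
}

/* Simulated outage: every call times out. */
central_result_t central_unreachable_stub(const char *account, const char *pw, unsigned timeout_ms) {
    (void)account; (void)pw; (void)timeout_ms;
    return CENTRAL_UNREACHABLE;
}

int main(void) {
    filter_policy_t policy = { 8, 2, 500, true };   /* constructed thresholds */
    filter_stats_t stats = { 0, 0, 0 };
    printf("cluster up,   'Winter2003'     -> %d\n",
           password_filter(&policy, central_simulated, &stats, "olly", "Winter2003"));
    printf("cluster up,   'Tango-Foxtrot7' -> %d\n",
           password_filter(&policy, central_simulated, &stats, "olly", "Tango-Foxtrot7"));
    printf("cluster down, 'Tango-Foxtrot7' -> %d (fail-open)\n",
           password_filter(&policy, central_unreachable_stub, &stats, "olly", "Tango-Foxtrot7"));
    printf("central_unreachable count: %u\n", stats.central_unreachable);
    return 0;
}
```

The `central_unreachable` counter is the part worth wiring to an alert: with fail-open, a dead cluster is invisible to users, so the only sign that the infinite-history check has been silently bypassed is that counter climbing on the DCs.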
On Tue, 25 Nov 2003, Joe wrote:
> There are third party products that do this stuff. The last one that I saw
> that was decent and standalone ran around $1500 per domain controller
> though. It is touchy, high-security stuff and you need to be careful. I think
> one of MS's reasons for hesitation for putting something comprehensive out
> is because the feedback mechanism for bad password choices is horrendous and
> the next thing people would ask for is for that to be corrected.
>
> MTEC's PSYNCH has the capability to do some serious password filtering as
> well but when I last looked I did not like how it was implemented as it
> required coming back to a central PSYNCH server which is a horrible way to
> handle this.
>
> Compared to my usual Exchange 2000 issues, I am thrilled with my
> capabilities with the OS in regards to this specific issue since it is
> actually heavily documented and the documentation is right so someone CAN
> actually do something.
>
> joe
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
> Sent: Tuesday, November 25, 2003 8:30 AM
> To: [EMAIL PROTECTED]
>
> Nice to know that MS allow us "manager" types to tailor our password setup
> with ease!!!
>
> Cheers:)
>
> -----Original Message-----
> From: Joe [mailto:[EMAIL PROTECTED]
> Sent: 25 November 2003 13:17
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Password filters for AD 2003 (v2)
>
> It isn't something I recommend to programmers who don't regularly code in
> c/c++. You are injecting code into LSASS which is touchy at best. If you
> have any memory leaks or other obscure code issues you could really hurt
> yourself. When I initially started playing with them I was really good with
> the Win32 API and the various pointer based data structures and had been
> coding in c/c++ for years and was blue screening servers left and right
> initially. You could get lucky and hit one right off that works well, on the
> other hand you could introduce some real hokey issues that take forever to
> troubleshoot or you could just completely blow your machines up.
>
>
> joe
>
>
> ________________________________
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
> Sent: Tuesday, November 25, 2003 7:50 AM
> To: [EMAIL PROTECTED]
>
>
> Anyone had any experience creating password complexity filters for use with
> the Password Policies in AD 2003? I'm thinking of creating one here that is
> more complex than "more than 6 characters" but not so complex as "Must have
> either A) B) c) or D)" as users keep phoning me up and can't be bothered to
> adhere to them. Is it something a non-VC++ guru can do?
>
> Olly
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/