Thanks for the response and help.  I disabled the default Windows 2003 password complexity option because of the following password complexity requirements:

 

6 Characters long

2 Char

2 Numbers

Password does not contain employee id

 

We use our Employee ID as the user name.  How do I check if my password contains an employee id?  I used a string comparison function but it is not working.  I don't know if I'm using the right function or not.  Is it possible to do that?  Here is the password filter code.  Any help would be greatly appreciated.

 
#include <windows.h>
#include <ntsecapi.h>
#include <string.h>

BOOL
NTAPI
PasswordFilter(PUNICODE_STRING UserName, PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOL SetOperation)
{
   BOOL bComplex = FALSE;
   DWORD cchPassword;
   PWORD CharType;
   DWORD i;
   DWORD spChar = 0;
   DWORD dwPseudoValue = 0;
   DWORD dwNum = 0;
   DWORD dwUpper = 0;
   DWORD dwLower = 0;
   DWORD dwAlpha = 0;

   /* One character-type WORD per WCHAR of the password */
   CharType = HeapAlloc(GetProcessHeap(), 0, Password->Length);
   if (CharType == NULL) return FALSE;
   cchPassword = Password->Length / sizeof(WCHAR);   /* Length is in bytes */
   if (GetStringTypeW(CT_CTYPE1, Password->Buffer, cchPassword, CharType))
   {
      /* Count digits, upper-case, lower-case and other characters */
      for (i = 0 ; i < cchPassword ; i++)
      {
         if (CharType[i] & C1_DIGIT){dwNum++; continue;}
         if (CharType[i] & C1_UPPER){dwUpper++; continue;}
         if (CharType[i] & C1_LOWER){dwLower++; continue;}
         spChar++; continue;
      }
      dwAlpha = dwUpper + dwLower;
      /* Employee-ID check that the question above is about */
      dwPseudoValue = (strcspn(Password, UserName));
      if (dwPseudoValue != 0){
         if ((dwNum >= 2) & (dwAlpha >=2)){bComplex = TRUE;}}
      ZeroMemory( CharType, Password->Length );
   }
   HeapFree(GetProcessHeap(), 0, CharType);
   return bComplex;
}
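
An added example (not code from this thread) of the employee-ID check done on counted strings: strcspn takes NUL-terminated char * strings, whereas a UNICODE_STRING carries a byte Length and a UTF-16 Buffer with no guaranteed terminator. The counted_wstr type, the helper names and the ASCII-only case folding are assumptions made so the code builds outside Windows; the policy numbers are read as minimums.

```c
#include <stddef.h>
#include <stdint.h>

/* Portable stand-in for UNICODE_STRING (assumption, so this builds anywhere):
   Length is in BYTES and Buffer is counted, not NUL-terminated. */
typedef struct { uint16_t Length, MaximumLength; const uint16_t *Buffer; } counted_wstr;

/* ASCII-only case fold; assumes employee IDs are ASCII letters and digits. */
static uint16_t fold(uint16_t c) { return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c; }

/* 1 if needle occurs in hay, ignoring ASCII case. Never reads past Length. */
int contains_ci(const counted_wstr *hay, const counted_wstr *needle)
{
    size_t h = hay->Length / sizeof(uint16_t), n = needle->Length / sizeof(uint16_t);
    if (n == 0 || n > h) return 0;   /* an empty ID must not reject everything */
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && fold(hay->Buffer[i + j]) == fold(needle->Buffer[j])) j++;
        if (j == n) return 1;
    }
    return 0;
}

/* The thread's policy: 6+ characters, 2+ letters, 2+ digits, no employee ID. */
int password_ok(const counted_wstr *user, const counted_wstr *pw)
{
    size_t len = pw->Length / sizeof(uint16_t), digits = 0, letters = 0;
    for (size_t i = 0; i < len; i++) {
        uint16_t c = fold(pw->Buffer[i]);
        if (c >= '0' && c <= '9') digits++;
        else if (c >= 'a' && c <= 'z') letters++;
    }
    return len >= 6 && letters >= 2 && digits >= 2 && !contains_ci(pw, user);
}

/* Constructed-input helper: widen ASCII into a counted buffer with no terminator. */
static counted_wstr widen(const char *s, uint16_t *buf, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n]) { buf[n] = (unsigned char)s[n]; n++; }
    counted_wstr w = { (uint16_t)(n * 2), (uint16_t)(cap * 2), buf };
    return w;
}

int check_ascii(const char *user, const char *pw)
{
    uint16_t ub[64], pb[64];
    counted_wstr u = widen(user, ub, 64), p = widen(pw, pb, 64);
    return password_ok(&u, &p);
}
```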
 
 

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, December 05, 2004 10:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Custom Password Filter DLL

 

Do you feel there is a difference between a custom gina and hacked gina or
do you consider a hacked gina the same as a custom gina? By hacked I mean a
gina that is MS but has had pieces of the actual file binary tweaked and the
peheader recalculated and tweaked to account for the changes so the file is
still considered valid (i.e. no blown crc's etc). I know when people were
doing that to the IIS files a few years back to remove the MS headers from
the announcement strings MS specifically indicated that made IIS have no
support.

My experience is if you deviate, you enter the land of best effort or not at
all support. I have had several occasions where I have had leaks on Domain
Controllers where I was told by PSS Alliance to even remove all third party
software from the domain controller and see if the problem goes away let
alone worry about hacked binaries. None of them recently as I haven't had an
issue with it recently.

Even bolder, I have had occasions where I was told something didn't work
because the design wasn't per MS recommendations and the troubleshooting
process stopped dead right there as well with a statement to redesign. This
is especially prevalent in Exchange troubleshooting.

 

 

   joe

 

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, December 04, 2004 9:02 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Custom Password Filter DLL

 

I can't speak for the entire company, but I have debugged many custom
passfilt and gina issues before. Have you had problems? If so please let me
know, I'd be curious to hear what they were. You can ping me offline on
that if you would like.

I would point out that despite the fact that msgina.dll is upgraded during
hotfix/sp install at times, your ginadll reg value probably would not.
Therefore our upgrade of the gina would not be of great concern to you so
long as you don't depend upon something that changes in the internals of our
gina.

I can't recall seeing a hotfix or sp that overwrites the reg value if you
specify a custom gina, but if there was a time on that I'm sure someone will
step in and point it out. I just don't recall seeing it. :)

 

~Eric

 

 

________________________________

 

From: [EMAIL PROTECTED] on behalf of Glenn Corbett
Sent: Sat 12/4/2004 5:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Custom Password Filter DLL

 

 

 

*shudder*

 

Don't forget however that if you go down this path, make sure you

A) Don't call Microsoft - they will laugh at you, charge your credit card,
then hang up
B) have a rollback plan to the standard GINA
C) remember that the gina will most likely be replaced during a service pack
(and sometimes) during hotfixes, so you may have to rehack and re-roll your
changes again
D) other vendors may replace / extend the gina (like smartcard / biometric
addons) which may not like you hacking the GINA (or put their own one in
which may negate your changes)

 

Apart from that, have fun

 

G.

 

________________________________

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Friday, 3 December 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Custom Password Filter DLL

 

 

http://www.users.on.net/johnson/resourcehacker/

 

________________________________

 

From: [EMAIL PROTECTED] on behalf of Santhosh Sivarajan
Sent: Fri 3/12/2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Custom Password Filter DLL

 

 

Rhacker??  Where do I find that tool?

 

Matt Brown <[EMAIL PROTECTED]> wrote:

 

        You can use a program called Rhacker to modify the Gina, then rename
        it, change the reg key and reboot.  All there is to it.

        We use it for our computer labs on campus to replace the Microsoft
        logos with our own and to add an appropriate use alert.

 

       

 

        Thanks,

 

        --

 

        Matt Brown [EMAIL PROTECTED]

        Consultant for Student Technology Fee

        website: http://techfee.ewu.edu/

        +--------------------------------------+

        | 509.359.6972 ph. - 509.359.7087 fx

        | 307 MONROE HALL | Cheney, WA 99004

        +--------------------------------------+

 

        -----Original Message-----
        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
        Sent: Thursday, December 02, 2004 3:01 PM
        To: [EMAIL PROTECTED]
        Subject: [ActiveDir] Custom Password Filter DLL

 

       

 

        Hi all,

        I am in the process of writing a custom password filter DLL.  I modified
        the DLL and implemented it.  Password filter is working according to our
        requirements but my problem is, it is still displaying the default
        password complexity message (7 char, 24 history..etc etc).  Is there any way
        I can modify the display message without modifying the GINA?   I found
        GINA source code on MSDN but it looks so complicated to me.  Any
        suggestions or recommendations?

        Thanks in advance!
        Sen

 

 

 

List info   : http://www.activedir.org/mail_list.htm

List FAQ    : http://www.activedir.org/list_faq.htm

List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 

 
