Thanks for the response and help. I disabled the default Windows 2003 password complexity option because of the following password complexity requirements:
6 Characters long
2 Char
2 Numbers
Password does not contain employee id
We use our Employee ID as the user name. How do I check if my password contains an employee id? I used a string comparison function but it is not working. I don't know if I'm using the right function or not. Is it possible to do that? Here is the password filter code. Any help would be greatly appreciated.
#include <windows.h>
#include <ntsecapi.h>

BOOL
NTAPI
PasswordFilter(PUNICODE_STRING UserName, PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOL SetOperation)
{
    BOOL bComplex = FALSE;
    DWORD cchPassword;
    PWORD CharType;
    DWORD i;
    DWORD spChar = 0;
    DWORD dwPseudoValue = 0;
    DWORD dwNum = 0;
    DWORD dwUpper = 0;
    DWORD dwLower = 0;
    DWORD dwAlpha = 0;

    /* One character-type WORD per password character. */
    CharType = HeapAlloc(GetProcessHeap(), 0, Password->Length);
    if (CharType == NULL) return FALSE;

    /* UNICODE_STRING.Length is in bytes; convert it to a character count. */
    cchPassword = Password->Length / sizeof(WCHAR);
    if (GetStringTypeW(CT_CTYPE1, Password->Buffer, cchPassword, CharType))
    {
        /* Count digits, upper-case, lower-case and other characters. */
        for (i = 0; i < cchPassword; i++)
        {
            if (CharType[i] & C1_DIGIT) { dwNum++; continue; }
            if (CharType[i] & C1_UPPER) { dwUpper++; continue; }
            if (CharType[i] & C1_LOWER) { dwLower++; continue; }
            spChar++;
        }
        dwAlpha = dwUpper + dwLower;

        /* The employee-ID comparison the question is about. strcspn() takes
           NUL-terminated char strings, not PUNICODE_STRING arguments. */
        dwPseudoValue = (strcspn(Password, UserName));
        if (dwPseudoValue != 0)
        {
            if ((dwNum >= 2) && (dwAlpha >= 2)) { bComplex = TRUE; }
        }

        /* Wipe the per-character data before freeing it. */
        ZeroMemory(CharType, Password->Length);
    }
    HeapFree(GetProcessHeap(), 0, CharType);
    return bComplex;
}
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, December 05, 2004 10:04 AM
To:
Subject: RE: [ActiveDir] Custom Password Filter DLL
Do you feel there is a difference between a custom gina and hacked gina or
do you consider a hacked gina the same as a custom gina? By hacked I mean a
gina that is MS but has had pieces of the actual file binary tweaked and the
peheader recalculated and tweaked to account for the changes so the file is
still considered valid (i.e. no blown crc's etc). I know when people were
doing that to the IIS files a few years back to remove the MS headers from
the announcement strings MS specifically indicated that made IIS have no
support.
My experience is if you deviate, you enter the land of best effort or not at
all support. I have had several occasions where I have had leaks on Domain
Controllers where I was told by PSS Alliance to even remove all third party
software from the domain controller and see if the problem goes away let
alone worry about hacked binaries. None of them recently as I haven't had an
issue with it recently.
Even bolder, I have had occasions where I was told something didn't work
because the design wasn't per MS recommendations and the troubleshooting
process stopped dead right there as well with a statement to redesign. This
is especially prevalent in Exchange troubleshooting.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, December 04, 2004 9:02 PM
To:
Subject: RE: [ActiveDir] Custom Password Filter DLL
I can't speak for the entire company, but I have debugged many custom
passfilt and gina issues before. Have you had problems? If so please let me
know, I'd be curious to hear what they were. You can ping me offline on
that if you would like.
I would point out that despite the fact that msgina.dll is upgraded during
hotfix/sp install at times, your ginadll reg value probably would not.
Therefore our upgrade of the gina would not be of great concern to you so
long as you don't depend upon something that changes in the internals of our
gina.
I can't recall seeing a hotfix or sp that overwrites the reg value if you
specify a custom gina, but if there was a time on that I'm sure someone will
step in and point it out. I just don't recall seeing it. :)
~Eric
________________________________
From: [EMAIL PROTECTED] on behalf of Glenn Corbett
Sent: Sat 12/4/2004 5:31 PM
To:
Subject: RE: [ActiveDir] Custom Password Filter DLL
*shudder*
Don't forget however that if you go down this path, make sure you
A) Don't call Microsoft - they will laugh at you, charge your credit card,
then hang up
B) have a rollback plan to the standard GINA
C) remember that the gina will most likely be replaced during a service pack
(and sometimes) during hotfixes, so you may have to rehack and re-roll your
changes again
D) other vendors may replace / extend the gina (like smartcard / biometric
addons) which may not like you hacking the GINA (or put their own one in
which may negate your changes)
Apart from that, have fun
G.
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Friday, 3 December 2004 12:29 PM
To:
Subject: RE: [ActiveDir] Custom Password Filter DLL
http://www.users.on.net/johnson/resourcehacker/
________________________________
From: [EMAIL PROTECTED] on behalf of
Sent: Fri 3/12/2004 11:13 AM
To:
Subject: RE: [ActiveDir] Custom Password Filter DLL
Rhacker?? Where do I find that tool?
Matt Brown <[EMAIL PROTECTED]> wrote:
You can use a program called Rhacker to modify the Gina, then rename
it, change the reg key and reboot. All there is to it.
We use it for our computer labs on campus to replace the Microsoft
logos with our own and to add an appropriate use alert.
Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--------------------------------------+
| 509.359.6972 ph. - 509.359.7087 fx
| 307
+--------------------------------------+
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Sent: Thursday, December 02, 2004 3:01 PM
To:
Subject: [ActiveDir] Custom Password Filter DLL
Hi all,
I am in a process of writing a custom password filter DLL. I modified
the DLL and implemented it. Password filter is working according to our
requirements but my problem is, it is still displaying the default
password complexity message (7 char, 24 history..etc etc). Is there
any way I can modify the display message without modifying the GINA? I
found GINA source code on MSDN but it looks so complicated to me. Any
suggestions or recommendations?
Thanks in advance!
Sen
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
