Active Directory Password Stop List

  • Question

  • I need to write a custom password filter for AD that will read a list of stop words from something like a file or a registry entry.

    My skills are really in .NET and in particular in C# but all the examples I've seen are in C++ obviously and are around RegEx rather than stop words.

    Does anyone have a basic .NET one that I can take and play with that presumably gets wrapped in a CCW or something?

    Thanks,

    Martin
    Friday, November 27, 2009 11:43 AM

Answers

  • Sorry for the late response. Now I understand the question better. So we are trying to create a password filter DLL in C#, right?
    http://msdn.microsoft.com/en-us/library/ms721882(VS.85).aspx
    http://msdn.microsoft.com/en-us/library/ms721766(VS.85).aspx

    Unfortunately, the password filter DLL is only supposed to be implemented as a native DLL, not a C# managed DLL. From the second MSDN link I posted above, we can see that it is not registered as a COM component, so COM interop does not work here. Registering it just requires adding the password filter DLL name to the ControlSet->Lsa registry key so that the system can find the native DLL and load it into the lsass.exe process. Lsass.exe calls GetProcAddress to find the addresses of the desired functions and makes callbacks into them to do the password filter work.

    This kind of DLL extension task can only be achieved in a native DLL. So the answer is that we cannot write it in C#.

    Ji Zhou

    MSDN Subscriber Support in Forum

    If you have any feedback on our support, please contact msdnmg@microsoft.com


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    • Marked as answer by Ji.Zhou Tuesday, December 15, 2009 6:48 AM
    Monday, December 14, 2009 2:48 AM
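A native skeleton of what that answer describes, as an added example that is not from the thread or from Microsoft: the three exports LSASS resolves with GetProcAddress, plus a case-insensitive stop-word check, written in C. It assumes an x64 build (on 32-bit the __stdcall exports need a .def file to keep their names undecorated); the stop list is constructed, and the Windows-specific part is compiled only under _WIN32 so the check itself can be built and tested anywhere.

```c
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>
/* Constructed stop list. A real filter loads its list once, in
 * InitializeChangeNotify, and keeps it in memory: LSASS calls PasswordFilter
 * synchronously on every password set/change, so no disk I/O belongs there. */
static const wchar_t *STOP_WORDS[] = { L"password", L"company", L"welcome" };
static const size_t STOP_WORD_COUNT = sizeof STOP_WORDS / sizeof STOP_WORDS[0];
/* Returns 1 if pw (len characters, not NUL-terminated, exactly as LSASS hands
 * it over in a UNICODE_STRING) contains any stop word ignoring case, else 0. */
int contains_stop_word(const wchar_t *pw, size_t len)
{
    for (size_t w = 0; w < STOP_WORD_COUNT; w++) {
        const wchar_t *sw = STOP_WORDS[w];
        size_t sl = wcslen(sw);
        for (size_t i = 0; i + sl <= len; i++) {
            size_t k = 0;
            while (k < sl && towlower(pw[i + k]) == towlower(sw[k]))
                k++;
            if (k == sl)
                return 1;
        }
    }
    return 0;
}
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>  /* UNICODE_STRING, NTSTATUS */
/* LSASS resolves these three exports with GetProcAddress once the DLL name is
 * listed under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.
 * Load the stop list in InitializeChangeNotify; returning FALSE unloads the filter. */
__declspec(dllexport) BOOLEAN WINAPI InitializeChangeNotify(void) { return TRUE; }
/* Return TRUE to accept the password, FALSE to reject it. */
__declspec(dllexport) BOOLEAN WINAPI PasswordFilter(PUNICODE_STRING AccountName,
    PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)SetOperation;
    /* Length is in bytes; Buffer holds the clear-text password, so never log it
     * or copy it anywhere outside this callback. */
    return contains_stop_word(Password->Buffer, Password->Length / sizeof(WCHAR)) ? FALSE : TRUE;
}
/* Called after a successful change; 0 is STATUS_SUCCESS. */
__declspec(dllexport) NTSTATUS WINAPI PasswordChangeNotify(PUNICODE_STRING UserName,
    ULONG RelativeId, PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0;
}
#endif
```

Because the filter runs inside lsass.exe, a crash or a blocking call in PasswordFilter affects every logon on that domain controller, which is why the check above touches nothing but memory.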

All replies

  • Hello Martin,


    I am not very sure if I understand the question correctly, so I want to clarify with you.

    Do you mean you want to store a list of words in a file or the registry? Then when users set their passwords, we compare their passwords with the list in our file. If the password is one of them or meets a condition, then the application stops the password setting. Is my understanding right?

    If that is the case, which part do you most need help on?

    As to the file read part, in C# we can achieve that using classes under System.IO.File. See the following document:

    How to: Read From a Text File
    http://msdn.microsoft.com/en-us/library/ezwyzy7b.aspx


    After that, we already have all lines in a C# string array, then we can easily compare them to the password and execute our logic.

    As to the compare logic, I think it really depends on how you want to implement it. We cannot give more help without further information. But if you want to go with RegEx, C# also provides these functions.
    http://msdn.microsoft.com/en-us/library/30wbz966(VS.71).aspx

    Ji Zhou

    • Marked as answer by Ji.Zhou Friday, December 4, 2009 8:48 AM
    • Unmarked as answer by Ji.Zhou Thursday, December 10, 2009 10:03 AM
    Monday, November 30, 2009 10:48 AM
  • Hi,

    Sorry, I've been swamped and only just got around to this again.

    I am an experienced .NET developer and know how to do stuff around file access.

    However I need to write a Custom Password Filter for AD. This is registered in the registry and all examples I have seen on how to write them are in C++ and not C#.

    My specific requirements for my filter are that it needs to use a list of words as stop words, i.e., you cannot choose them as passwords.

    Examples in C++ I have seen are based on the use of regular expressions to identify invalid passwords not based on using an explicit list of words.

    Custom Password Filters have to be fast so I wouldn't be reading the list from disk, I'd probably get them from a registry entry.

    So my question is, does anyone have a Custom Password Filter that uses a list of words written in C++ that I can just rip off?

    Or does anyone know whether if I created one in C# and used a CCW to give COM Interop whether this would actually work with the standard AD password pipeline?

    Not really sure how else to explain it...

    Thanks,

    Martin
    Friday, December 4, 2009 3:05 PM
  • First thing, I would say registry entries are going to be slower than reading from a file. Where do you think the registry is stored? It's on the disk somewhere, plus now you add the registry overhead.

    For the other stuff, try to explain better because it seems like what you are trying to do is pretty simple, I don't know why you would need to interop or anything.

    // Requires: using System.IO;
    // Read in list of words (one stop word per line)
    string[] badWords = File.ReadAllLines(@"C:\badWords.txt");

    // Get password
    string password = GetProposedPassword();

    // Check password
    bool failed = false; // must be initialised; C# rejects use of an unassigned local
    foreach(string badWord in badWords)
        if (password == badWord) // Could also use if password.Contains(badWord)
        {
            failed = true;
            break;
        }

    // Handle it
    if (failed)
        HandleFailure();

    [Edit] And if your main concern is speed, you'll want to find a way to keep the list of stop words in memory because reading from file is the slowest part. This might mean storing it on a central server and all the clients ask the server to check it.

    Friday, December 4, 2009 3:29 PM
  • Hi,

    To explain this a bit further then, custom password filters in AD have a very specific signature and the DLL needs to export this...

    http://msdn.microsoft.com/en-us/library/ms721849(VS.85).aspx#password_filter_functions

    An actual function is here...

    http://msdn.microsoft.com/en-us/library/ms721878(VS.85).aspx

    However, this is all Win32 API stuff which I am really not very comfortable with, whereas I am extremely comfortable with C#.

    An example filter is here...

    http://www.devx.com/security/Article/21522/0/page/3

    However, like I say I am not really a C++ coder or indeed a coder who has done a lot of COM interop with C#, so I am just wondering how I would create a filter in C# that had the appropriate signature and exported methods.

    I don't know enough about CCWs to know whether the wrapper exposes the methods appropriately for the LSA to use and the real issue is if you tinker about with AD and break it, it's a complete re-install nightmare!

    Anyway, hopefully that sheds some more light on what I'm trying to achieve.

    Thx for the answers and comments so far...

    Martin
    Thursday, December 10, 2009 9:40 AM