The document summarizes nFront Password Filter, which allows organizations to implement multiple granular password policies within a single Windows domain. It runs on all domain controllers and tightly integrates with Windows to filter passwords during change requests. The document outlines why weak passwords should be prevented, how nFront Password Filter works during password changes, and its capabilities like supporting multiple password policies and password dictionaries. It also notes nFront Password Filter's performance, scalability, and compliance with standards like PCI, HIPAA, and SOX.

1. nFront Password Filter
Demo

2. Agenda
 Why filter passwords?
 What is nFront Password Filter
 Configuration
 Q & A

3. Why Prevent Weak Passwords?
• Weak passwords are still on the SANS/FBI top
20 yearly list of top vulnerabilities.
• Over 40% of people use passwords that
contain the name of a spouse, child or pet.
• Password compromise leads to data theft and
not just denial of service.
• Security Audits / Compliance.

4. Windows Password Policy
• The above policy allows passwords like:
aaaaa myusername qwerty
january mydogsname 123456
Conclusion:
The Windows Password Policy is not enough!

5. Compliance
• Sarbanes-Oxley section 404
• Payment Card Industry (PCI)
• HIPPA
• IRS 1075 Guidelines

6. nFront Password Filter
 Allows multiple granular password policies
in the same Windows domain.
 Runs on all domain controllers.
 Tightly integrated with Windows OS.
 Cannot be bypassed.
 Easy to install and configure.

7. Password Change Overview
1. User submits password change. All password changes
go to a Domain Controller.
2. LSA calls nFront Password Filter. NPF consults password
policy.
3. nFront Password Filter may check dictionary.
4. nFront Password Filter tells LSA if password is
acceptable. Password change accepted or rejected.

8. Where NPF fits

9. NPF Group Policy
These settings are pushed to registry of all domain controllers and tell
the filter the policy rules.

10. NPF Configuration
• MPE has a Default Policy plus
5 others.
• Each policy has many
granular settings that cover
not only character types but
also rules like rejecting
passwords with vowels, etc.
• Each policy is linked to one
or more security groups.

11. DEMO - configuration
• Create GPO
• Configure GPO for one policy

12. Versions
• Multipolicy Edition
– Runs on Domain Controllers
– Up to 6 password policies in 1 domain
• Single Policy Edition
– Runs on Domain Controllers
– 1 password policy per domain
• Member Server Edition
– runs on Member Servers
– Filters local pw changes. Controlled via GPO that
targets OU where servers are.
– Can filter passwords for SQL users if you run SQL
Server 2005 on Windows 2003.

13. Performance / Scalability
• DLL is only 150 KB in size!
• No Network API calls that leave the Domain Controller
and add latency.
• The PasswordFilter() routine completes in
milliseconds.
• Sprint tested the DLL with over 11,000 password
changes per minute (dictionary not used).
• Can check password against 2.5 million passwords in
dictionary in less than 1 second.

14. DEMO
• Two Policies
• Dictionary Scanning

15. Questions and Answers

16. Thank you.
Thank you for your time.