Win2K Complex Password Enforcement

Hey all,

I'm new to the group and had a quick question:

Anyone know how to fully enforce complex passwords (4 of 4 Uppercase,
Lowercase, Number, Special Char.) with Win2K. W2K will only
enforce/require 3 of the 4. Government standards require 4 of 4. Are
there .dll's out there I don't know about. I'm trying to avoid third party
software.

Any help/ideas is greatly appreciated.

KB

From: "Mr. Security" <Security@maybe.net>

| Hey all,
|
| I'm new to the group and had a quick question:
|
| Anyone know how to fully enforce complex passwords (4 of 4 Uppercase,
| Lowercase, Number, Special Char.) with Win2K. W2K will only
| enforce/require 3 of the 4. Government standards require 4 of 4. Are
| there .dll's out there I don't know about. I'm trying to avoid third party
| software.
|
| Any help/ideas is greatly appreciated.
|
| KB

Contact you associated Gov't. CERT or DOIM. They should have a support contract with
Microsoft and should be able to provide any DLL to support such standards that are set in
AR-25-2 or other Gov't. regulations.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:I6sHe.10131$DJ5.8878@trnddc07:

> From: "Mr. Security" <Security@maybe.net>
>
>| Hey all,
>|
>| I'm new to the group and had a quick question:
>|
>| Anyone know how to fully enforce complex passwords (4 of 4 Uppercase,
>| Lowercase, Number, Special Char.) with Win2K. W2K will only
>| enforce/require 3 of the 4. Government standards require 4 of 4.
>| Are there .dll's out there I don't know about. I'm trying to avoid
>| third party software.
>|
>| Any help/ideas is greatly appreciated.
>|
>| KB
>
> Contact you associated Gov't. CERT or DOIM. They should have a
> support contract with Microsoft and should be able to provide any DLL
> to support such standards that are set in AR-25-2 or other Gov't.
> regulations.
>

Thanks...

We've installed the enpasflt.dll, but it hasn't solved our problem. My
tech just asked if this could be on conflict with the passfilt.dll used by
default. Looking at what else I could find online, this may be an issue.
Unless I'm mistaken, the group policy is what determines what .dll is used
(in rough terms). Is there a way to direct a policy to one .dll over
another?

Thanks again.

KB

From: "Mr. Security" <Security@maybe.net>


| Thanks...
|
| We've installed the enpasflt.dll, but it hasn't solved our problem. My
| tech just asked if this could be on conflict with the passfilt.dll used by
| default. Looking at what else I could find online, this may be an issue.
| Unless I'm mistaken, the group policy is what determines what .dll is used
| (in rough terms). Is there a way to direct a policy to one .dll over
| another?
|
| Thanks again.
|
| KB

I don't know ... Sorry :-(

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:I6sHe.10131$DJ5.8878@trnddc07...
> From: "Mr. Security" <Security@maybe.net>
>
> | Hey all,
> |
> | I'm new to the group and had a quick question:
> |
> | Anyone know how to fully enforce complex passwords (4 of 4 Uppercase,
> | Lowercase, Number, Special Char.) with Win2K. W2K will only
> | enforce/require 3 of the 4. Government standards require 4 of 4. Are
> | there .dll's out there I don't know about. I'm trying to avoid third
> party
> | software.
> |
> | Any help/ideas is greatly appreciated.
> |
> | KB
>
> Contact you associated Gov't. CERT or DOIM. They should have a support
> contract with
> Microsoft and should be able to provide any DLL to support such standards
> that are set in
> AR-25-2 or other Gov't. regulations.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
The Password BBP allows you to use the maximum complexity settings in the
GPO as long as you use the maximum password length required by AR 25-2/BBP
is used and you require password changes not more than every 90 days (the
minimum allowed by AR 25-2).

I don't think a support contract with Microsoft will get you the
passfilt.dll you need, because it is not something you can just pick out of
a catalog (no money in that). NSA had a CD a few years ago that had a
passfilt.dll that had a minimum password length of 12 characters and
required characters from all four fields. The only CD I can find at the
moment is the one that has the 8 character version of the DLL. If I find
the other one I will let you know.

Have a nice day,
Catherder2000

Not sure if you have found your solution yet, be sure that under the Account Policies --> Passworld Policy that the option "Passwords must meet complexity requirements" is set to "Disabled" to avoid conflicts between the microsoft and NSA file. Also refer to Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Tool Set, pg 25 for you specific issue and the entire guide for helping to secure your system available from the following www.nsa.gov/snac