Solved

Logon history display

Posted on 2006-06-29
438 Views
Last Modified: 2013-12-04
Hello,

I am the Sys. Admin for a US Military unit. "The Powers that be" have mandated some changes to our configuration and some of the solutions to their requirements elude me. I need to know how, if possible, to do the following. References would be greatly appreciated for the requirements that cannot be fulfilled.

1) Enforce different password lengths for users and administrators.
2) Increase the requirements for special characters used in passwords (i.e. 2 capital letters, 2 numbers and 2 special characters), beyond that already required when "Password must meet complexity requirements" is enabled in the Default Domain Policy.
3) Upon successful login have a pop up display the last successful login by that user and all unsuccessful attempts since then.

I thank you in advance for your help.

Question by:mack6565
4 Comments
 
LVL 32

Expert Comment

by:r-k
ID: 17015495
Here's a good link to start with:

 http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx

Also, there are some good articles here:

 http://www.microsoft.com/technet/technetmag/issues/2006/05/default.aspx

Re. passwords, I think it is better to have long passwords and not worry so much about complexity, as long as simple names and dictionary words are avoided.

Author Comment

by:mack6565
ID: 17015526
Here is a bit of amplifying information.

1) Our Domain here is a Windows 2000 Native domain. One Forest with one domain.
2) All Windows 2000 workstations.
3) We already enforce the use of strong passwords.


I did not come up with these requirements, some people with a lot more seniority did. It seems as if they sat around a table and came up with these requirements, but never asked anyone with Systems experience if these new security measures are a good idea or if they are even able to be implemented.

Thank you.
LVL 38

Expert Comment

by:Rich Rumble
ID: 17019515
Where would you like the pop-up? On the PC the current user is logging into, or on an administrator's machine? You can easily do this sort of activity with a tool like Snare or GFI's SELM: http://www.intersectalliance.com/projects/SnareWindows/  http://www.gfi.com/lanselm/
You can receive email reports or alerts depending on how you configure the devices. They also keep a copy of the Event logs, so if someone were to erase their logs you may still have a backup copy using those tools. If it has an event associated with it, those two tools can alert you to it. Typically you want to increase the level of logging on machines and servers; the default logging is minimal on M$ by default.

As for a pop-up, you could use various scripts to do this, here is an example:  http://www.microsoft.com/technet/scriptcenter/resources/qanda/jan05/hey0126.mspx
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul05/hey0705.mspx
Scripts like that can easily be modified to send a pop-up.  http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx

Event log GP
http://technet2.microsoft.com/WindowsServer/en/Library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx
http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/smpgappb.mspx

Strong Password GP
http://www.microsoft.com/technet/security/smallbusiness/topics/networksecurity/enforce_strong_passwords.mspx
-rich
LVL 7

Accepted Solution

by:
Chatable earned 500 total points
ID: 17023466
Hi,
You can define your own password policy for Windows if you have some programming knowledge. You will need to create a "password filter" DLL file. This file contains the actual code that runs when a user attempts to change passwords and the "Passwords must meet complexity requirements" policy is on. In other words, it allows you to define your own complexity settings.

So what do you need to do? You need to create a DLL file which exports the following functions:

BOOLEAN __stdcall InitializeChangeNotify(void);
This function will be called a single time when the computer boots - If you need to do any initialization stuff, do it here and return true (return false on error). If you don't have any initialization stuff, just return true.

BOOLEAN __stdcall PasswordFilter(
  PUNICODE_STRING AccountName,
  PUNICODE_STRING FullName,
  PUNICODE_STRING Password,
  BOOLEAN SetOperation
);
This is the real interesting function. It will be called whenever a user attempts to change his/her password. The parameter "AccountName" contains the username of the account whose password is being changed. If you want to set different policies for users and administrators, you can check if this user is an administrator and act accordingly. "FullName" contains the full name record for the user (not really interesting), "Password" contains the new password - This is the string you should check for your desired complexity requirements. SetOperation will be TRUE if an administrator is resetting the password (rather than a user changing his/her own password).
If the new password is acceptable according to your policy, return true. If not, return false. That would reject the new password and display a message to the user that the password is not strong enough. Unfortunately I don't know any method to change this message (so it can explain what the password policy is) so you should make sure all your users already know what is the password policy.

NTSTATUS __stdcall PasswordChangeNotify(
  PUNICODE_STRING UserName,
  ULONG RelativeId,
  PUNICODE_STRING NewPassword
);
This function will be called once the password has changed. This one is needed because Windows allows you to install multiple password filters and *all* filters must accept the new password before the system sets it as the new one. In other words, even if you've accepted the new password (through the PasswordFilter function) it doesn't mean it has been accepted by the system because another password filter may have rejected it. When this function is called, it notifies you that all filters have accepted the new password and that the password has actually changed.

Once you've created your DLL file, install it by copying it to the system32 folder and editing the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Modify the "Notification Packages" value, which is of type REG_MULTI_SZ. It should contain "scecli" - That's the default password filter (it checks for a single letter from at least 3 of the character groups). Just add the name of your DLL file (no need for the ".dll" extension) as a new string (or replace the existing one if you don't want it). You can create a startup script that will install the new filter on all computers in your domain. Then simply enable the "Passwords must meet complexity requirements" policy and that's it.

For more information visit:
http://www.devx.com/security/Article/21522/0/page/1
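The following is an added example (not code from the thread or from Chatable) showing the password filter skeleton described above in C, with the complexity check separated from the Win32 exports so the check itself can be compiled and tested on any platform. The thresholds (8 characters for users, 15 for administrators, two upper-case letters, two digits, two special characters) and the "-adm" naming convention used by account_is_admin() are assumptions for illustration; a real filter would decide administrator status from group membership, which the thread does not spell out.

```c
/* Added example, not from the original thread. Portable policy check plus a
 * Windows password-filter wrapper that is only compiled when _WIN32 is set. */
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>   /* PUNICODE_STRING, NTSTATUS for LSA password filters */
#endif

/* Assumed policy thresholds (constructed for this example, not from the thread). */
#define MIN_LEN_USER   8
#define MIN_LEN_ADMIN 15
#define MIN_UPPER      2
#define MIN_DIGIT      2
#define MIN_SPECIAL    2

/* Core check over a counted buffer. LSA hands the filter a UNICODE_STRING whose
 * Buffer is NOT NUL-terminated, so the caller passes the character count and the
 * loop must never read past it. nchars is characters, not bytes. */
int password_meets_policy(const wchar_t *pw, size_t nchars, int is_admin)
{
    size_t upper = 0, digit = 0, special = 0, i;
    size_t min_len = is_admin ? MIN_LEN_ADMIN : MIN_LEN_USER;

    if (pw == NULL || nchars < min_len)
        return 0;
    for (i = 0; i < nchars; i++) {
        wchar_t c = pw[i];
        if (iswupper(c))                          upper++;
        else if (iswdigit(c))                     digit++;
        else if (!iswalnum(c) && !iswspace(c))    special++;
    }
    return upper >= MIN_UPPER && digit >= MIN_DIGIT && special >= MIN_SPECIAL;
}

/* Hypothetical administrator test: accounts named "<name>-adm" count as admins.
 * Placeholder only; a production filter would look up group membership. */
int account_is_admin(const wchar_t *name, size_t nchars)
{
    static const wchar_t suffix[] = L"-adm";
    const size_t slen = 4;
    if (name == NULL || nchars < slen)
        return 0;
    return wmemcmp(name + nchars - slen, suffix, slen) == 0;
}

#ifdef _WIN32
/* Exports LSA looks for by undecorated name; export them through a .def file,
 * because __stdcall decoration would otherwise mangle the symbol names. */
BOOLEAN __stdcall InitializeChangeNotify(void)
{
    return TRUE;    /* no per-boot initialisation needed */
}

BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName,
                                 PUNICODE_STRING FullName,
                                 PUNICODE_STRING Password,
                                 BOOLEAN SetOperation)
{
    /* UNICODE_STRING.Length is in BYTES; convert to a character count. */
    size_t name_chars = AccountName->Length / sizeof(WCHAR);
    size_t pw_chars   = Password->Length / sizeof(WCHAR);
    int is_admin = account_is_admin(AccountName->Buffer, name_chars);
    (void)FullName;
    (void)SetOperation;
    return password_meets_policy(Password->Buffer, pw_chars, is_admin) ? TRUE : FALSE;
}

NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName,
                                        ULONG RelativeId,
                                        PUNICODE_STRING NewPassword)
{
    /* Reached only after every installed filter accepted the password.
     * NewPassword is cleartext: never write it to a log or file. */
    (void)UserName;
    (void)RelativeId;
    (void)NewPassword;
    return 0;   /* STATUS_SUCCESS */
}
#endif
```

Two things worth keeping in mind when building on this: the DLL is loaded into lsass.exe, so a crash in the filter takes the authentication service down with it, which is why the check is written to stay strictly inside the counted buffer; and, as the accepted answer notes, a rejected password only produces the generic "does not meet complexity requirements" message, so the policy still has to be communicated to users separately.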