Brief introduction
In addition to Group Policy, Windows allows you to customize the password policy, and misuse of this mechanism can implement malicious behavior. Today for everyone under the popular science
What happens on the Windows server side when we press CTRL + ALT + DEL To modify the user's password.
First, the Windows server (domain control) checks the registry to find Password Filter, which is the LSA Notification Package. The DLL is then invoked, checking to see if the password matches the policy,
If you do not conform to the policy, you are prompted that the password is not robust
By default, a server on a domain contains two DLLs, where SECCLI is responsible for implementing password security policies, as well as our common GPO.
Our topic today is how to misuse this mechanism to implement a password policy plug-in to record the passwords of all domain Users
A listed company, in order to comply with SOX 404 audit requirements, the password every three months will be mandatory modification, just can trigger this mechanism
Check the official document, a password plug-in needs to export three functions,
Where Passwordfilter is responsible for checking whether the password is compliant, passwordchangenotify is executed on the workstation and is responsible for informing the workstation user of the password change.
The final source code and the 64-bit DLL can be downloaded here (using Build.cmd Compilation) to install the plugin
We login to the domain control, copy the compiled SecureFilter.dll to the%system32% directory,
Then open the registry and find Hkey_local_machine\system\currentcontrolset\control\lsa\notification Package
Add Securefilter words
Active demo after restarting DC server
We log on to a workstation, modify the password,
Back to domain control, the discovery log has been written in the last
After testing, regardless of how you modify your password, OWA is the same as the command line, and the effect is the same on a server that does not have a domain.
If you want to get a user's password immediately, click on the domain control to "user must change password at next logon", as shown in the figure:
Reference Https://www.slideshare.net/nFrontSecurity/how-do-password-filters-work https://technet.microsoft.com/en-us/ Library/cc963221.aspx https://msdn.microsoft.com/en-us/library/windows/desktop/ms721766 (v=vs.85). aspx.aspx)