I've got the task to detect whether the user has the blank or weak password.
I know that Microsoft Baseline Security Analyzer (MBSA) can do that, but
what I need to know what API it uses. Could anybody help me?
Thanks
The only function I know of is "NetValidatePasswordPolicy()" but it's good
for Win2003 only. Other options are to call "NetUserChangePassword()" (or
"NetUserSetInfo()" passing "USER_INFO_1033) and check for
"NERR_PasswordTooShort" which is returned if the password policy isn't met.
Depending on what you're doing, you may have to create a temporary (dummy)
account first and call it against that account which you can then delete
afterwards. It's ugly and may require certain administrator (or power user)
rights (you'll have to check) but I'm not sure if there's another way.
We are interested in the subject also, so I hope I may ask a question. Is it
possible to use the filter for the paswords that exist when the filter is
implemented? If that is answered in the documentation, then I will find it,
but any hints will be appreciated.
"Johnny Liu" <John...@discussions.microsoft.com> wrote in message
news:D72335B8-0984-49D0...@microsoft.com...
> I'm not sure what you need for your task. does your described "password"
> means the password for Windows logon? or the password is used by some web
> application for security issue. And what time that you want to detect ?
>
> If you want to verify weak or blank Windows logon password everytime when
> user change or re-assign it, then you can write a password filter. Please
> refer to
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/password_filters.asp
>
> If your task is for web application, there are some documents focus on
> security topic described on .NET web page.
Windows 2000 has a security hole to open a back door to find the password of
current logged user. But this hole has been fixed on Windows XP, so I think
you should implement your program by regular method.
The only way to capture the password of current user for logon is write a
Gina stub to hook MSGina.dll (or any real gina which response for user
logon), when user intend to enter his password by Ctrl-Alt_Del, system will
call gina function WlxLoggedOutSas. If the username, password and domain are
correct for unique logon account, then WlxLoggedOutSas will return logon info
filled in the structure WLX_MPR_NOTIFY_INFO. The contains of this structure
is all you need.
Please remember, don't leave any security hole when you implement Gina stub,
Windows system has got too many security hole already. I suggest that when
your Gina stub get the contains of the structure WLX_MPR_NOTIFY_INFO, just
parse the password according to your password policy, and write a mark on
somewhere (registry or a file) if the password is weak or blank. Then your
application can highlight it to user depends on the mark. Don't copy the
structure by your Gina stub, it will increase risk of security.
Hope it is helpful for you.
Johnny
I certainly will be careful if I were to do something such as writing a Gina
stub.
I am not the person that posted the original question, but note that
Vladimir asked how MBSA detects a "blank or weak password". I believe you
that MBSA does not get the password. Therefore MBSA is somehow testing the
validity of various gueses, right? I don't know a lot about security, but I
have read enough about security (including many messages in this newsgroup)
to know that one of the most commonly used techniques to crack a password is
to simply try many possibilities but it is often unnecessary to compare the
actual password to determine if it is a match.
I am sorry I am not using the correct terminology but I hope you understand
what I mean. Also, if I knew what terminology to use in a search, I probably
can find what I need in previous answers in this newsgroup.
"Johnny Liu" <John...@discussions.microsoft.com> wrote in message
news:128D6C8E-D08E-4366...@microsoft.com...
Seems I have misunderstanding with you and Vladimir's question.
I don't know how MBSA to do for weak password checking. But depend on my
limited and tiny knowledge of Windows system security, the password was
stored either in local security accounts manager (SAM) database or Active
Directory. please refer to this page
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/msv1_0_authentication_package.asp
Unfortunately, the SAM is a dark box. Microsoft said that we can't access
the SAM database directly by any method, but only through LSA system
interface. But LSA system is also a dark box, there are many of exported
functions without document released. And I think Microsoft's guy will not
open the secret to the world forever, because we don't know who is good guy
to write a program for enhance security and who is bad guy to write a program
for steal someone's password. If Microsoft open the secret, then Windows OS
will not be secured anymore.
I believe that MBSA has some secret to check weak password, may be handle
the database of SAM through un-documented API of LSA, or may be try to attack
each account by closet attack, who know. Unless, we write a program to filter
and capture the each function calls when MBSA doing on weak password.
Sorry for I can't help you for this topic, may be some of Microsoft's guy
who programming LSA or MBSA will know how to do.
Johnny
It helps to know that it is not easily obvious.
"Johnny Liu" <John...@discussions.microsoft.com> wrote in message
news:8D9614E2-866E-4FA5...@microsoft.com...
-Valery.
http://www.harper.no/valery
"Vladimir Nechipurenko" <vlad...@ua.fm> wrote in message
news:%23qMTp3X...@TK2MSFTNGP10.phx.gbl...
May be there is some not-documented function, but who knows, except MS guys
Thanks all for the participation
Vladimir Nechipurenko
-Valery.
http://www.harper.no/valery
"Vladimir Nechipurenko" <vlad...@ua.fm> wrote in message
news:Ox35woH5...@tk2msftngp13.phx.gbl...
I am not sure I can figure out how to inject code into LSASS but I am
confident I can figure it out. I have written system-wide hooks and I have
seen articles describing other methods of injecting code. I think it is
better to provide as little sample code as possible for things like that
because it is the kind of thing that is dangerous for beginners.
The hardest part is the list of passwords to check for, but your suggestion
to inject code into LSASS is enough to pont me to a good direction. I think
it is enough for me.
"Valery Pryamikov" <val...@harper.no> wrote in message
news:eZ1L1M35...@TK2MSFTNGP14.phx.gbl...
-Valery.
http://www.harper.no/valery
"Sam Hobbs" <sam...@social.rr.com_change_social_to_socal> wrote in message
news:u7Ib3nD9...@TK2MSFTNGP12.phx.gbl...