Password Filtering Service Pack 3 includes a password filter (Passfilt.dll) that allows system administrators to increase password strength. This filter is copied to %system root%\SYSTEM32 when the Service Pack is installed on the system. The password filter should be copied to the primary domain controller for the domain, and to any backup domain controllers in the event the server role in the domain changes. To use the password filter, the following registry entry must exist. If it doesn't exist you must create it. WARNING: Using the registry editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT. Microsoft cannot guarantee that any problems resulting from the use of the registry editor can be solved. Use this tool at your own risk. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa Value: Notification Packages Type: REG_MULTI_SZ Data: Passfilt.dll Notification Packages contains a list of DLLs to be loaded and notified of password changes and password change requests. You can audit the loading of Notification Packages by setting the audit policy in User Manager. To do this, start User Manager and then click Audit on the Policies menu. In the Audit Policy dialog box click Audit These Events and then enable Restart, Shutdown, and System by selecting the Success and/or Failure check boxes. Passfilt.dll implements the following password policy: 1. Passwords must be at least 6 characters long. 2. Passwords must contain characters from at least 3 of the following 4 classes: Class Examples ----- -------- English Upper Case Letters A, B, C, ... Z English Lower Case Letters a, b, c, ... z Westernized Arabic Numerals 0, 1, 2, ... 9 Non-alphanumeric characters .,;:*&%! 3. Passwords may not contain your user name or any part of your full name. Custom password filter DLLs can be written to implement different password rules. For more information, see the Microsoft Knowledge Base article Q151082 Password Change Filtering & Notification in Windows NT. You can access the Knowledge Base at http://www.microsoft.com/kb/. Restricting Anonymous User Access Windows NT has a feature where anonymous logon users can list domain user names and enumerate share names. Some customers who want enhanced security have requested the ability to optionally restrict this functionality. Service Pack 3 provides a mechanism for administrators to restrict the ability for anonymous logon users (also known as NULL session connections) to list account names and enumerate share names. In addition, Service Pack 3 has a feature that restricts anonymous logon users from connecting to the registry remotely. After Service Pack 3 is installed, anonymous users cannot connect to the registry and cannot read or write any registry data. Also, a new built-in group known as Authenticated Users is created when you install Service Pack 3. The Authenticated Users group is similar to the Everyone group, except for one important difference: anonymous logon users (or NULL session connections) are never members of the Authenticated Users group. For more information on these new features, including information on configuring the registry to restrict anonymous user access to list domain user names and enumerate share names, go to the Microsoft Knowledge Base at http://www.microsoft.com/kb/ and search for the following article: Q143474. Using a System Key to Strongly Encrypt Password Information Service Pack 3 provides the capability to use strong encryption techniques to increase protection of account password information stored in the registry by the Security Account Manager (SAM). Windows NT stores user account information, including a derivative of the user account password, in a secure portion of the registry protected by access control and an obfuscation function. The account information in the registry is only accessible to members of the administrators group. Windows NT, like other operating systems, allows privileged users who are administrators access to all resources in the system. For users who require enhanced security, strong encryption of account password derivative information provides an additional level of security to prevent administrators from intentionally or unintentionally accessing password derivatives using registry programming interfaces. The strong encryption capability in Service Pack 3 is an optional feature. Strong encryption protects private account information by encrypting the password data using a 128-bit cryptographically random key, known as a password encryption key. Administrators may choose to implement strong encryption by defining a system key for Windows NT. To do this, administrators can run a utility called Syskey.exe. For more information on using Syskey.exe to configure a system key, go to the Microsoft Knowledge Base at http://www.microsoft.com/kb/ and search for the following article: Q143475.