Password Filter Configuration

Estimated reading: 1 minute 31 views
Configuration File Location

There is only one configuration file for the Password Filter and it is named “PasswordFilterRules.xml”. This file contains the operation configuration and filter rules. This file is located at the installation path under

				
					// File location
// <drive>\FastPassCorp\Configuration\FastPassPasswordFilter

// Basic structure
<?xml version="1.0" encoding="UTF-8"?>
<filterrules>
<configuration>
</configuration>
<filters>
</filters>
</filterrules>

The “configuration” node contains the configuration of event logging level and operations, which the password filters supports.

				
					<configuration>
<loglevel>2</loglevel>
<Operations>
<PasswordChange>false</PasswordChange>
<PasswordReset>true</PasswordReset>
</Operations>
</configuration>
Logging

There are four valid “loglevel” values for password filter:

  • 0 – Verbose, information, warnings and errors will be logged to event log.
  • 1 – Information, warnings and errors will be logged to event log.
  • 2 – Only errors will be logged to event log.
  • 3 – Warnings and errors will be logged to event log.
Supported Operations

Password filter supports two types of operations:

  • PasswordChange: If set to true, then the password filter will apply its password rules while changing the password.
  • PasswordReset: If set to true, then filter rules would be applied while resetting the password.
Filter Configuration

The “filter” node contains the rules that will be evaluated for the password operations. Filter node examples are provided below.

				
					<filters>
    <!--1: Requirement for length -->
    <!--<filter match="yes">^.{6,}$</filter>-->
    
    <!--2: Requirement for dictionary -->
    <filter match="no" ignorecasing="true">.*(p[a@]ssw[o0]rd|qwerty|123).*</filter>
    
    <!--3: Requirement for special character -->
    <!--<filter match="yes">.*[\,.\;'\-()\s\:\!\?\"]+.*</filter>-->
    
    <!--4: Requirement for uppercase letter -->
    <!--<filter match="yes">.*[A-Z]+.*</filter>-->
    
    <!--5: Requirement for lowercase letter -->
    <!--<filter match="yes">.*[a-z]+.*</filter>-->
    
    <!--6:Requirement for accented character -->
    <!--View http://en.wikipedia.org/wiki/Unicode,see lists of Unicode codes --><!--<filter match="yes">.*[\u00C0-\u017F]+.*</filter>-->
    
    <!--7:Requirement for accented character -->
    <filter match="yes" accountnamepattern="^az.*$">^[a-zA-Z0-19]{8,8}$</filter>
    
    <!--8:Requirement for accented character -->
    <filter match="yes" groupnamepattern ="^ApplyFilterGroup$">^[a-zA-Z0-19]{8,8}$</filter>
    
    <!—-9: Apply rule to specific AD group -->
    <filter match="yes" ignorecasing="true" groupnamepattern="^FilterGroup$" groupnamepatternmatch="True">^.{8,}$</filter>
    
    <!—-10: Apply rule to user NOT it a specific AD group -->
    <filter match="yes" ignorecasing="true" groupnamepattern="^FilterGroup$" groupnamepatternmatch="False” valuetype="Keyword">AccountNameCheck</filter>
    
    <!—-11: These rules will do as AD Complexety -->
    <filter match="yes" ignorecasing="true" valuetype="Keyword">AccountNameCheck</filter>
    <filter match="yes" ignorecasing="true" valuetype="Keyword">FullNameCheck</filter>
    <filter match="yes" ignorecasing="true" valuetype="Keyword">CharacterVarianceCheck</filter>
</filters>

Each filter has a match attribute. This informs the engine whether the filter requires the pattern to either be matched in the password or if the pattern should not match the password. Another attribute is to ignore the casing, which comes in handy when adding dictionary words. The groupnamepattern attribute applies a filter to a specific group – however, the groupnamepatternmatch attribute will notify you when it is to be nullified. If the groupnamepatternmatch is false, the rule will be applied to all users and not members of the group. Please note that the user has to be a direct member of the group. Nesting will not work. The Keyword attribute enables specific internal password checks as explained below.

  • Rule 1: The first rule simply requires the password to be at least 6 characters long.
  • Rule 2: Dictionary example, denies the passwords eg: pAssword, P@ssw0rd, myPASSWord22, qwerty etc.
  • Rule 3: Requires one of the special characters to be present.
  • Rule 4: Requires uppercase
  • Rule 5: Requires lowercase
  • Rule 6: Demands unicode intervals C0 –17F. Read more about it here: http://en.wikipedia.org/wiki/Unicode
  • Rule 7: Applies the rule only to account IDs (SamAccountnames) matching the a pattern. Eg. user: az1234
  • Rule 8: Applies the rule only to accounts in the group fitting the groupname pattern. Users must be a member of a group matching the pattern for the rule to be applied. Please note that nested groups are not supported, the user must be a direct member of a group which names fits the pattern.
  • Rule 9: Applies the specific rule to an Active Directory group of users.
  • Rule 10: Applies the specific rule to users not members of the Active Directory group
  • Rule 11: Applies Password Complexity matching Active Directory to all users
Please note that the Keyword rule CharacterVarianceCheck, AccountNameCheck and FullNameCheck match the requirements for AD Password Complexity as defined here: https://technet.microsoft.com/en-us/library/hh994562.aspx
 
Please note: After any rules have been modified in the PasswordFilterRule.xml file, the filter will automatically reload the file.