Passfilt Pro Documentation

nFront Security, the nFront Security logo and

nFront Password Filter are trademarks of Altus

Network Solutions, Inc. All other trademarks or

registered trademarks are the property of their

Multiple Policy Edition for Domain

Controllers

Single Policy Edition for Domain Controllers

Single Policy Edition for Member Servers

Multiple Policy Edition for Member Servers

Desktop Edition

Version 7.2.0

Documentation

nFront Password Filter

Contents

1.0 nFront Password Filter Overview ........................................................................... 2

1.1 Versions ................................................................................................................. 2

1.2 Compatibility and System Requirements ................................................................ 3

1.3 What’s New ............................................................................................................ 4

1.3 Notes to Evaluators ................................................................................................ 5

1.4 Overview of Features ............................................................................................. 6

1.4.1 The logic behind multiple policies (MPE version only) ................................................... 7

1.4.2 The Message Box for Rejected Passwords ...................................................................... 7

1.5 Information about your Evaluation Copy. ................................................................ 8

1.6 List of files included with nFront Password Filter .................................................... 9

2.0 Installing nFront Password Filter ......................................................................... 10

2.1 Deployment Overview ..................................................................................................... 10

2.2 Optionally disable Windows password complexity ......................................................... 10

2.3 Run nFront Password Filter Installer ................................................................................ 11

2.4 Decide to use ADM or ADMX templates .......................................................................... 14

2.5 Load the correct ADMX template .................................................................................... 14

2.6 Create a GPO via GPMC.................................................................................................... 15

2.6.1 Load the correct ADM template ................................................................................... 17

2.7 Customize the dictionary.txt file (optional) ..................................................................... 20

2.8 Optionally force immediate update of the group policy ................................................. 21

2.9 Optionally deploy the nFront Password Filter Password Expiration Service (MPE Only) 21

2.9.1 Installation of nFront Password Expiration Service ...................................................... 22

3.0 Configuring nFront Password Filter .................................................................... 23

3.1 Navigate to nFront Password Filter settings (via local or AD GPO).................................. 23

3.2 Configure Registration Settings ........................................................................................ 24

3.3 Configure General Configuration Settings ....................................................................... 24

3.4 Configure Password Policy Settings ................................................................................. 28

3.4.1 Checking a file of breached passwords or HIBP API ...................................................... 41

3.4.2 Notes on the dictionary checking features ................................................................... 44

3.4.3 Notes on the dictionary character substitution feature ............................................... 45

3.4.4 Notes on the dictionary wildcard feature ..................................................................... 46

3.5 Configure Password Expiration Settings (MPE Only) ....................................................... 47

3.5.1 Working with the nFront Password Expiration Service................................................. 51

3.5.2 Logging .......................................................................................................................... 51

3.5.3 Example Administrative Report .................................................................................... 53

3.5.4 Example Email to End-User: .......................................................................................... 54

3.6.5 Customizing the email body and using variables .......................................................... 54

3.6 Optionally configure Password Length-Based Aging Setting ........................................... 56

3.7 Optionally configure nFront Password Filter Client Setting ............................................. 57

3.8 Force immediate update of the group policy .................................................................. 60

4.0 Uninstallation Instructions ................................................................................... 61

4.1 Delete the nFront Password Filter GPO ........................................................................... 61

4.2 Run Uninstallation ............................................................................................................ 63

5.0 Verifying your Registration of nFront Password Filter ....................................... 64

6.0 Upgrade Instructions ............................................................................................ 68

Upgrading from a version prior to version 7.0.0: ......................................................... 68

Upgrading from a version 7.x.x or later: ...................................................................... 69

7.0 Implementation Guide ........................................................................................... 70

8.0 Troubleshooting ............................................................................................................... 71

8.1 Common Problems ........................................................................................................... 71

8.2 Sample Debug File ............................................................................................................ 72

9.0 The nFront Password Filter Client ....................................................................... 75

9.1 Technical Overview .............................................................................................. 78

9.1.1 Components .................................................................................................................. 78

9.1.2 Rules displayed by nFront Password Filter Client ......................................................... 78

9.1.3 Multiple Domain Support .............................................................................................. 79

9.1.4 Multiple Language Support ........................................................................................... 80

9.2 Steps to install the client via Software Installation GPO ........................................ 81

9.3 Configuration.................................................................................................................... 86

9.4 Configuring the Client Options GPO ................................................................................. 87

9.4.1 Configuring the optional Password Strength Meter ..................................................... 89

9.4 Troubleshooting ............................................................................................................... 91

9.5 Uninstalling....................................................................................................................... 94

10.0 Purchase Information .......................................................................................... 95

11.0 Support / Contact Information ............................................................................ 95

Appendix A - nFront Password Filter Settings Matrix .............................................. 96

Appendix B - nFront Password Filter MPE Policy Design Worksheet ..................... 98

Appendix C - nFront Password Filter Failure Codes .............................................. 100

Appendix D – Detailed Version History ................................................................... 101

NOTE: Please report any problems with this document to

feedback@nFrontSecurity.com. Your feedback is important and we sincerely appreciate

your help.

nFront Password Filter Documentation 2

1.0 nFront Password Filter Overview

nFront Password Filter provides a robust granular password policy system for Windows Active

Directory, member servers and workstations. You may use it to enforce one or more very

granular password policies. The comprehensive policy settings allow you to increase network

security by preventing the use of weak and easily hacked passwords. Policies can target users

that are organized into groups or OUs.

1.1 Versions

nFront Password Filter can be installed on domain controllers to filter passwords for Active

Directory users. It may be installed on Windows servers (both member servers and standalone

servers) or desktops (Windows 7 – Windows 10) to filter password changes for locally defined

users.

The same nFront Password Filter MSI package may be used on domain controllers, member

servers or desktops. The GPO template determines how the software performs (i.e. filters AD

user passwords or passwords of local users on member servers or desktops).

There are 2 versions for Windows Active Directory users. Each version runs on domain

controllers and filters password changes for users in the Active Directory:

 nFront Password Filter MPE (Multi-Policy Edition). The MPE version allows you to have

up to 10 different password policies in a single domain. Each policy can apply to one or

more global or universal security groups. This is an ideal choice for those who want to

promote strong passwords but do not feel they can enforce very restrictive policies

across all user accounts. nFront Password Filter MPE can be used to apply reasonable

policies to most end-users and very restrictive policies against those higher privileged

accounts with access to more secure information.

 nFront Password Filter SPE (Single Policy Edition). The SPE version contains a single

granular password policy that will be applied to all domain users.

Client Support. You can optionally deploy nFront Password Filter Client to domain workstations.

The client will provide password policy rules and more detailed reasons for password change

failure if the user attempts a non-compliant password. The client also has the option of

dynamically gauging the strength of the user’s new password.

If you do not wish to deploy client software, you may wish to consider our add-on product

nFront Web Password Change. It is a web application that provides password policy rules and

detailed failure messages to the end-user.

There are 2 versions for Member Servers (or standalone servers). Each version runs on a server

and filters password changes for users defined in the local SAM database:

 nFront Password Filter Single Policy Edition for Member Servers. SPE for Member

Servers allows you to filter the passwords of local accounts on Windows servers. It may

nFront Password Filter Documentation 3

be used on servers that are joined to a domain or servers that are a part of a workgroup.

This may be a good solution on servers like database servers or extranet servers where

you have many local accounts instead of the standard Administrator and guest account.

This version can be controlled via a GPO which is pushed to the server or via a local GPO.

 nFront Password Filter Multiple Policy Edition for Member Servers. MPE for Member

Servers allows you to filter the passwords of local accounts on Windows servers. It may

be used on servers that are joined to a domain or servers that are a part of a workgroup.

The MPE version supports up to 3 different password policies. The policies can target

one or more local groups. This version can be controlled via a GPO which is pushed to

the member server or via a local GPO.

There is 1 version for Desktop machines. It runs on a desktop (Windows XP, Windows Vista,

Windows 7, Windows 8 or Windows 8.1) and filters password changes for users defined in the

local SAM database:

 nFront Password Filter Desktop Edition. This version filters the passwords of local

accounts on Windows desktops. While it is rare to have more than the standard built-in

accounts on desktops, this version will ensure any local account is compliant with a

granular password policy. This version can be controlled via a GPO which is pushed to

the workstation or via a local GPO.

1.2 Compatibility and System Requirements

The nFront Password Filter and nFront Password Filter Client are compatible with the 64-bit

versions of the following operating systems:

 Windows Server 2022

 Windows Server 2019

 Windows Server 2016

 Windows Server 2012 R2

 Windows Server 2012

 Windows 2008 R2

 Windows 2008

 Windows 11

 Windows 10

 Windows 8.1

 Windows 8

 Windows 7

*As of 10/1/2020 we have stopped including the 32-bit versions in the download package. If

you need a 32-bit version, please email us at licensing@nFrontSecurity.com.

The software is supported on all server platforms from Windows 2008 through Server 2022 as

well as all desktop platforms from Windows 7 through Windows 11.

nFront Password Filter Documentation 4

The nFront Password Expiration Service should be run on a Windows Server that is a member of

the domain or a domain controller. It is best to run it on a domain controller. In that case, the

AD database is local and no network calls are needed to pull the email address for users.

1.3 What’s New

What is new in Version 7.2.x?

• Adds support for improved logging of failed passwords. The log file can now list the

exact reasons for failure in addition to the failure code. Prior versions only produce the

failure code and require a script to decode the failure codes to the exact reason(s) for

failure.

• Includes modification to the license check system to ensure the main worker thread to

enumerate all affected users has completed. On some networks with a large number of

exclusions the main thread was not completing prior to the run of the license check

thread.

• Version 7.2.0 defaults to interpreting the setOperation flag as true for any value other

than zero. In some scenarios, the LSA is calling the filter with values for setOperation

that are not 0 or 1. You can now change how the behavior is handled via a registry

setting.

• HTML email template for the nFront Password Expiration service was modified to

include some additional variables.

• Bugfix – version 7.2.0 fixes an issue with the rule to check for breached passwords. In

prior releases the breach password check used an all-lowercase version of the new

password if you were also running the rule to check for any part of the full name within

the new password.

What is new in Version 7.1.0?

• New option to check the HIBP API for breached passwords. This allows you to avoid the

need to save the 24GB file local to each DC. It does require Internet access.

• Rule to check for a repeating pattern.

•

What is new in Version 7.0.0?

• New rule to check against hash file of breached passwords. The filter can check against a

24GB file of 572 million breached passwords in less than 60 milliseconds. You must

supply the file and be sure it is in the system32 directory.

• Ability to implement separate dictionary files instead of one overall global dictionary

check. For example, you can use an entirely different dictionary for Policy 1 in the MPE

version.

• Removed “Compliance” portion of GPO. It only contained a few settings, all of which can

be implemented within the policies.

• Removed rule to reject passwords that have 2 consecutive identical characters. The rule

will still work if running an older GPO template.

• Improved debug logs that are more verbose.

• Automatic creation of system32\logfiles\nfront-errors.txt log to help identify incorrect

configurations, problems with registration/maintenance codes, etc.

• Optimizations for the dictionary have been removed to improve the client experience by

default. In earlier versions the filter did not scan the dictionary unless the other rules

were met and it stopped the scan on the first word encountered. It was efficient but

nFront Password Filter Documentation 5

could leave an incomplete error message on the client. There was a way to force a

complete error message but now we have changed the scan to scan fully every time be

default. If you are not running the client you can put the optimization back in place

using an option in the General Configuration Settings in the GPO.

• Bugfix - Improved functionality for writing debug files. On some customer networks

there was a problem writing the debug files when the DC experienced a high volume of

password changes. A new method of writing the debug files has solved this problem.

• Bugfix – Version 7.0.2 nFront Expiration Service has been updated. The prior version did

not correctly email the administrative report when debugging for the service was turned

on. Also, the service was not showing the correct password age on the report for users

affected by the Default Password Policy Configuration. This now operates correctly.

• Bugfix – Version 7.0.2 has an update nFront Password Policy Service. In the prior

release the service would stop if the nFront Client options are used and set for machines

to check password age at user logon. This is now corrected.

• Bugfix – Version 7.0.2 fixes problem with dictionary substitution not working for certain

policy combinations.

• Update – Version 7.0.2 - The license check process is updated to report to the registry

the number of affected users in both the case of a registered copy and an evaluation

version.

For a more detailed version history see the Appendix for Detailed Version History.

1.3 Notes to Evaluators

 You need a domain controller to test nFront Password Filter MPE. You can test nFront

Password Filter SPE or MPE for Member Servers on a standalone server or a member

server that is part of a domain.

 What do you wish to achieve with this software? Define you test scenarios and

expected output before you get started.

 Do you have a formal written password policy? If so, scan the group policy settings. If

you need assistance configuring the policies to enforce your written policy give us a call

at 404-348-4678.

 Start simple and then progress until you have all of your policies defined. Once you

have a successful Default Policy, move to Policy 1, etc.

 You can use the command line and batch files to expedite your testing

Command line syntax to create 1,000 user accounts:

For /L %i IN (1,1,1000) DO net user test%1 valid_password

/add

Command line syntax to change a password:

net user test1 abc

Use Appendix A and B to help you with your policy design and to document the policies as you

test them. Also, make use of the troubleshooting guide in Section 8.0.

nFront Password Filter Documentation 6

1.4 Overview of Features

nFront Password Filter includes the following policy settings. nFront Password Filter MPE has a

default policy and up to nine additional policies. nFront Password Filter MPE policies can be

applied or excluded based on membership in global groups.

nFront Password Filter allows you to control the following for each policy:

 Minimum number of characters in password.

 Maximum number of characters in password.

 **Maximum password age

 **Email password expiration warnings to users.

 ***Reject a new password that matches the old password by more than X characters

 ***Reject a new password that does not differ from an old password by X characters

 Ensure passwords contain characters from a minimum number of the following four

categories: (1) numeric characters (2) upper case characters (3) lower case characters

(4) special characters.

 Minimum and maximum number of lower-case characters (a-z)

 Minimum and maximum number of upper-case characters (A-Z)

 Minimum and maximum number of numeric characters (0-9)

 Minimum and maximum number of special (i.e. non-alphanumeric) characters

 Minimum and maximum number of alpha characters (a-z or A-Z)

 Minimum and maximum number of non-alpha characters

 Minimum and maximum number of spaces.

 Reject passwords with a repeating pattern of X characters

 Restrict Special character set to 32 or less specific special characters

 Enforce SAP password rules

o Cannot start with an exclamation or question mark.

o First three characters cannot all be the same.

o Cannot contain a space in the first 3 characters

o First 3 characters of password cannot appear in the same order in the username

 Enforce Stanford password rules

o Passwords with 8-11 characters require lower, upper, numeric and special

characters.

o Passwords with 12-15 characters require lower, upper and numeric characters.

o Passwords with 16-19 characters require lower and upper characters.

o Passwords with 20 or more characters require lower case characters

 Reject passwords containing vowels (a,e,i,o,u and y in upper or lower case)

 Reject passwords with 3 consecutive identical characters (e.g. aaa, bbb, etc.)

 Reject passwords with 3 consecutive identical characters from the same character set.

 Reject non-ASCII characters (i.e. foreign language characters)

 Reject passwords that begin with a number.

 Reject passwords that end with a number.

 Reject passwords that being with a special character.

 Reject passwords that end with a special character.

 Reject passwords that contain the username.

 Reject passwords that contain any part of the user’s full name.

nFront Password Filter Documentation 7

 Reject passwords that contain 3 consecutive characters from the username or user’s full

name.

 Reject passwords that are in a file of known breached passwords (or known via HIBP

API)

 Reject passwords that contain words from a customizable dictionary.

 Reject passwords that contain words from a customizable dictionary and use character

substitution (example: p@$$w0rd)

 Skip the dictionary check if the password is longer than a specific length.

 ** Apply the policy to multiple security groups or OUs. Nested groups are supported.

 ** Exclude multiple security groups or OUs from the policy. Nested groups are

supported.

 ** Apply or exclude policy from users with non-expiring passwords.

** Only applies to MPE version.

*** Only works if the password change is made via the nFront Password Filter client or nFront

Web Password Change.

1.4.1 The logic behind multiple policies (MPE version only)

nFront Password Filter MPE provides a default policy and 9 others. By design the Default

Password Policy Configuration applies to all users unless you make exclusions based on group

and/or OU. With the other policies you must designate which group(s) and/or OU(s) you wish to

target. You can also make exclusions of needed.

Policies are cumulative just like your file system permissions. If 2 polices apply to user the user

must meet the requirements of both policies. If one policy requires 8 characters and the other

requires 15 characters, the most restrictive will apply.

The application of password filtering policies works just like permissions within the file system.

You first decide who gets the policy. Then you decided if any users who will get the policy

should be excluded. Remember this: “The only time you need to exclude a group is when

members of that group are already included.”

You can make policies mutually exclusive but rarely is there a need to do so. In some cases, a

company must restrict password length to 12 characters for most users due to legacy

application compatibility, yet the company must also require 15 characters or more for

administrators. In such a case you can configure the Default Password Policy Configuration with

a maximum of 12 characters and exclude Domain Admins. Then you configure Policy 1 to target

Domain Admins with a requirement of 15 characters or more.

1.4.2 The Message Box for Rejected Passwords

If a user’s password is rejected by nFront Password Filter, the user will get the generic Windows

message box stating:

“Your password must be at least X characters long and cannot repeat any of your previous X

passwords. Please type a different password. Type a password that meets these requirements

in both text boxes.”

nFront Password Filter Documentation 8

This message is generated by the msgina.dll or credential provider on each local client.

To present the user with a list of password policy rules and a better failure message, consider

deploying the optional nFront Password Filter Client to some or all client workstations. Please

reference Section 9 for more information.

1.5 Information about your Evaluation Copy.

The evaluation code is listed in the email you received after downloading the software.

The evaluation code unlocks the software until the expiration date. If you have not purchased

and registered your copy of nFront Password Filter, you should be aware of the following:

 AFTER THE EXPIRATION DATE ALL PASSWORD CHANGES WILL NOT BE FILTERED.

 YOU CAN PURCHASE THE PRODUCT AND ENTER THE REGISTRATION INFORMATION

WITHOUT REBOOTING OR RE-LOADING THE DLL.

THE EVALUATION VERSION IS FULL FEATURED AND 100% OPERATIONAL UNTIL THE EXPIRATION

DATE.

nFront Password Filter Documentation 9

1.6 List of files included with nFront Password Filter

Filename

Purpose

nFront Password Filter x64.msi

Installation file. Contains ppro.dll, ppro-eng.dll,

ADM templates, dictionary file, group filter

service file, password policy service file and

documentation.

nFront Password Filter Client x64.msi

Optional package for domain workstations and

servers. It modifies the password change

process to show a list of rules and improved

failure message. It operates as a credential

provider.

nFront Password Expiration Service – x64.msi

Optional service to handle different password

aging policies. To be installed on a single DC

and only applies if using nFront Password Filter

MPE.

nFront Password Filter Documentation.pdf

This document.

adm-templates.zip

The ADM templates will be installed to the

windows\inf folder when you install the nFront

Password Filter package. However, they are

provided separately in case you wish to setup

the GPO before deploying the MSI package.

admx-templates.zip

These are provided for customers who wish to

use ADMX templates instead of ADM

templates.

nFront Password Filter Documentation 10

2.0 Installing nFront Password Filter

Please note there are not different MSI packages for domain controllers, member servers and

desktops. You will install the 32-bit or 64-bit MSI package on the target domain controllers,

member servers or workstations. Then you will load the correct GPO for the version you wish to

control. It is the GPO template that determines how the filter engine behaves and the type of

operating system on which it will run.

The instructions in this document will focus on installing nFront Password Filter MPE for domain

controllers. Where appropriate, instructions are given for other versions and operating systems.

2.1 Deployment Overview

Below is a graphic overview of the deployment process. The remaining portion of this section

will give detail of the installation and section 3 will cover the configuration options.

Domain Controller

Member Server

Desktop

nFront Password Filter MSI package.

• Create GPO in Active Directory

•

If controller member server or desktop rules, link to an

OU with member servers or workstations to filter

passwords for local users.

• Link the GPO to the Domain Controllers OU only and

retain the default permissions.

• Load the correct template for the version you wish to

control.

•

Configure the password policy rules.

2.2 Optionally disable Windows password complexity

You do not have to disable the Windows password complexity requirement. However, if your

nFront Password Filter settings will be less restrictive than the Microsoft complexity rules, you

should disable the Windows password complexity rule.

1. Start + Programs + Administrative Tools + Domain Security Policy + Security Settings +

Account Policies + Password Policy

2. Disable policy for “Passwords must meet complexity requirements” (Figure 2.2.1).

nFront Password Filter Documentation 11

Figure 2.2.1: Disabling Microsoft password complexity check

2.3 Run nFront Password Filter Installer

Double-click the nFront Password Filter.MSI file to run the installation wizard. Be sure to run the

x64 version if you are installing on an x64 server. You will see the screens displayed in figures

2.3.1 through 2.3.6.

Figure 2.3.1: Installation screen 1.

nFront Password Filter Documentation 12

Figure 2.3.2: Installation screen 2.

Figure 2.3.3: Installation screen 3.

nFront Password Filter Documentation 13

Figure 2.3.4: Installation screen 4.

Figure 2.3.5: Installation screen 5.

nFront Password Filter Documentation 14

Figure 2.3.6: Installation screen 6.

You must restart for the operating system to load the password filter DLLs on boot. You can say

No to the optional restart and reboot at a later time.

2.4 Decide to use ADM or ADMX templates

With release version 6.2.0 we have included ADMX templates along with ADM templates. You

will find both in the downloaded zip file that contains the MSI packages. So you now have 2

options for loading templates:

1. You can copy the correct ADMX template to the Central Store so it is available for

any GPO created.

2. You can load the ADM template after you create the GPO to configure the nFront

software.

2.5 Load the correct ADMX template

IMPORTANT NOTE: If you plan to use the ADM templates please skip to section

2.6.

In the nfront-password-filter.zip download package you will find a zipped collection of the ADMX

templates in a file called admx-templates.zip. The zip file will extract to the following template

structure.

Figure 2.5.1 : List of ADMX templates

We include templates for all editions of our software but likely you only need one of the

templates. The table below shows each template file and its corresponding edition. Most likely

nFront Password Filter Documentation 15

you are looking for the single or multiple policy edition for domain controllers to filter

passwords for Active Directory user accounts. If you will also run the product on member

servers or desktops you will need a template for the member servers and one for the desktops.

Template

Edition

nfront-password-filter-mpe.admx

nFront Password Filter Multiple Policy

Edition for Domain Controllers

nfront-password-filter-spe.admx

nFront Password Filter Single Policy

Edition for Domain Controllers

nfront-password-filter-spe-member-server.admx

nFront Password Filter Single Policy

Edition for Member Servers

nfront-password-filter-mpe-member-

server.admx

nFront Password Filter Multiple Policy

Edition for Member Servers

nfront-password-filter-de.adm

nFront Password Filter Desktop Edition

If you have not setup a central store you can do so easily by simply copying the

C:\Windows\PolicyDefinitions folder to C:\Windows\Sysvol\Sysvol\<domain

name>\Policies on a DC.

If you have the central store setup, copy and paste the correct ADMX template file into the

PolicyDefinitions folder in the central store. Also copy the corresponding ADML file from the en-

US folder to the PolicyDefinitions\en-US folder in the central store.

If you have GPMC open you will need to close it and open it again for it to refresh and pull

definitions from the central store.

2.6 Create a GPO via GPMC

You will use a single GPO to control the nFront software. If you are filtering passwords for

Active Directory users the GPO will be linked to the Domain Controllers container. If you are

using nFront to filter passwords on member servers or workstations you will link the GPO to the

OU or OUs containing the target member servers or workstations.

If you are running Windows 2003 you may have to load GPMC separately. It is included with

Windows 2008 and later. Click Start + Run + GPMC.MSC + expand the domain until you see the

Domain Controllers container + right-click + select “Create a GPO in this domain, and Link it

here…”.

nFront Password Filter Documentation 16

Figure 2.6.1: Creating a new GPO for nFront Password Filter.

Give the GPO a clever name.

Figure 2.6.2: Naming the new GPO

The new GPO will appear on the right pane. Right-click and select Edit.

nFront Password Filter Documentation 17

Figure 2.6.3: Edit the new GPO

IMPORTANT NOTE: The GPO should always be linked to the Domain Controllers

OU (unless you are filtering local passwords on member servers or desktops)

and you should never edit the permissions on the GPO. To target specific

groups or OUs you will specify the group name and/or OU path at the bottom of

each policy. Each DC must have permissions to read the GPO to add the

configuration data to the local registry.

If you have loaded the ADMX template it will appear automatically in the new GPO. If you plan

to use ADM templates please skip ahead to 2.6.1. In the new GPO, you will navigate to

Computer Configuration + Policies + Administrative Templates + nFront Password Filter

<edition> to configure the settings. Below is a screen clipping showing the nFront Password

Filter MPE settings that appear.

Figure 2.6.4: Edit the new GPO

Skip ahead to section 2.7 to optionally customize the dictionary file and continue with the

configuration.

2.6.1 Load the correct ADM template

In the Group Policy Management Editor, drill down to Computer Configuration + Policies +

Administrative Templates. Right-click Administrative Templates and choose Add/Remove

Templates. The Add/Remove Templates dialog box will appear.

nFront Password Filter Documentation 18

Figure 2.6.1.A: Add ADM template to nFront Password Filter policy

Click the Add button.

Figure 2.6.1.B: Add/Remove Templates dialog box

When you installed the nFront Password Filter.MSI package the installed copied templates for

all editions of the software to the windows\inf folder. It is important you select the correct

template for the edition you wish to configure. On domain controllers you will load nFront-

Password-Filter-mpe.adm or nFront-Password-Filter-spe.adm depending on whether you want

multiple policies or a single policy.

Here is a listing of each template the corresponding edition. Each templates uses a different

registry target location.

Template

Edition

nFront-Password-Filter-mpe.adm

nFront Password Filter Multiple Policy

nFront Password Filter Documentation 19

Edition for Domain Controllers

nFront-Password-Filter-spe.adm

nFront Password Filter Single Policy

Edition for Domain Controllers

nFront-Password-Filter-spe-member-server.adm

nFront Password Filter Single Policy

Edition for Member Servers

nFront-Password-Filter-mpe-member-server.adm

nFront Password Filter Multiple Policy

Edition for Member Servers

nFront-Password-Filter-de.adm

nFront Password Filter Desktop Edition

Select the correct template for the version you wish to install and click the Open button.

Figure 2.6.1.C: Select the correct template

Click on Close to complete the addition of the template. You should now see a “nFront

Password Filter – MPE” folder under Classic Administrative Templates (ADM).

nFront Password Filter Documentation 20

Figure 2.6.1.D: Add/Remove Templates dialog box

NOTE: BECAUSE OF REPLICATION, YOU ONLY NEED TO LOAD THE ADM TEMPLATE ON ONE

DOMAIN CONTROLLER

2.7 Customize the dictionary.txt file (optional)

Perform this step only if you plan to use the dictionary checking feature and need to customize

the dictionary.txt file.

The installer copies the supplied dictionary.txt file to the %systemroot%\system32 directory on

each domain controller. nFront Password Filter uses this directory as the default location.

You can edit the file using Notepad or any text editor. The provide dictionary.txt file is in a

Unicode format. However, we support ANSI, UTF-8 and Unicode formats. Most dictionary files

found on the internet will be Unicode. Once you customize the dictionary file you will need to

copy it to c:\windows\system32 on all other domain controllers. You may find it helpful to write

a simple xcopy batch file to do this.

You can configure the General Configuration setting the GPO to have nFront Password Filter

read the GPO from the netlogon share. This will allow you to edit the file on any DC and not

worry with synchronizing the changes among DCs.

Figure 2.7.1: General Configuration settings

nFront Password Filter Documentation 21

If using the dictionary.txt from the Netlogon share, you simply modify the file directly from the

Netlogon share. Once saved, the file will be replicated among all domain controllers.

2.8 Optionally force immediate update of the group policy

Group policies update every 90 minutes plus or minus a 30 minute random offset for clients.

The Domain Controller policies replicate every 5 to 15 minutes. If you cannot wait five minutes

or you are testing in a lab environment and need immediate replication, open a command

window and type:

gpupdate /force

This will have the effect of immediately propagating our new policy settings throughout the

domain.

2.9 Optionally deploy the nFront Password Filter Password Expiration Service

(MPE Only)

The nFront Password Filter MPE GPO exposes settings related to password expiration and

enforcing differing maximum password ages. Each policy can have a maximum password age

and you can optionally email users a warning of the upcoming expiration (Figure 2.8.1).

However, you must install the nFront Password Filter Service to enforce the settings.

Figure 2.8.1: nFront Password Filter – Max password age settings

The nFront Password Expiration Service can only be used when you deploy the MPE version of

the nFront Password Filter on domain controllers. The service can:

• Enforce different maximum password age settings for each password policy. If your

password is beyond the maximum password age you are required to change your

password at next logon.

• Email users with upcoming password expirations (i.e. within the warning interval)

• Notify users with upcoming password expirations at logon (only if you run our client

software on the client workstation)

nFront Password Filter Documentation 22

• Email administrators a report of upcoming password expirations.

IMPORTANT NOTE: Any age set via nFront Password Filter will be ignored if the

age is greater than that of your Domain Security Policy (i.e. Password Policy

settings in Default Domain Policy GPO). If your domain policy expires

passwords every 60 days, any nFront Password Filter policy with aging set to

more than 60 days will be ignored.

2.9.1 Installation of nFront Password Expiration Service

Install the “nFront Password Filter Password Expiration Service – x64.MSI” on a single domain

controller. A reboot is not required. The service will not start upon installation and the startup

mode will be set to Manual. You can optionally install the service on additional domain

controllers for fault tolerance.

See section 3.6 for information on configuring the service. On the “go live” date start the

service and change the startup mode to Automatic. As soon as the service starts it will read

through the nFront Password Filter policies and “expire” passwords for any accounts whose

password age is over the limit set in nFront Password Filter. Even for large networks the service

typically completes the tasks in one or two seconds.

nFront Password Filter Documentation 23

3.0 Configuring nFront Password Filter

nFront Password Filter MPE is used as an example in this section. nFront Password Filter SPE is

configured in the same way but only has one password policy for all domain users. nFront

Password Filter MPE for Member Servers offers the same settings except it only has 3 password

policies and the policies target local groups (instead of domain groups and OUs). nFront

Password Filter SPE for Member Servers and nFront Password Filter Desktop Edition offer a

single password policy.

IMPORTANT NOTE: You can reference Appendices A and B for help with

designing your password policy.

IMPORTANT NOTE: The desktop and member server products can be configured

via the local Group Policy Editor (Start + Run + gpedit.msc) or via a GPO in the

AD.

Pre-Configuration Considerations

 Do you have a formal written password policy that has been distributed to end-users?

 What are your overall goals with password filtering?

 What is your current written password policy?

3.1 Navigate to nFront Password Filter settings (via local or AD GPO)

Use GPMC or the local GPO editor (gpmc.msc) to open the GPO with the nFront settings.

Figure 3.1.1: nFront Password Filter – Multi-Policy Edition Settings.

nFront Password Filter Documentation 24

3.2 Configure Registration Settings

Double-click the Registration policy. Enable the policy and enter your registration code (if you

purchase the product) or the evaluation registration code (received via email after download). If

you have purchased the product you also must enter an annual maintenance code.

Figure 3.2.1: nFront Password Filter MPE Registration Policy.

3.3 Configure General Configuration Settings

When you are testing nFront Password Filter MPE we suggest you “Turn on Debugging” to verify

your configuration, see why certain passwords fail, etc. When debugging is turned on, nFront

Password Filter will generate a file called nfront-password-filter-debug.txt in the

%systemroot%\system32\logfiles directory. This file is overwritten with each password change

so it does not keep a running history. The file contains information on your nFront Password

Filter settings, the proposed password and why that password failed. This debug file can also be

used to verify that you have properly registered the product with the correct registration code.

nFront Password Filter Documentation 25

Figure 3.3.1: nFront Password Filter MPE General Configuration Policy.

Policy

Description

Turn on Debugging

Default Value: 0

Generates a file called nfront-password-filter-

debug.txt in the %systemroot%\system32\logfiles

directory. The file is overwritten with each

password change. The file contains information

on your group policy settings as well as the

proposed password change, username, full name,

registration information, etc.

Read dictionary.txt from Netlogon

share.

Default Value: 0

This setting affects the dictionary checking which

must be enabled via one of the Password Policy

Configurations. By default, nFront Password Filter

MPE looks for a file called dictionary.txt in the

%systemroot%\system32\logfiles directory on

each local domain controller. Some customers

find the manually copying of the dictionary file to

each DC to be too cumbersome. Thus, you can

nFront Password Filter Documentation 26

check this box to have nFront Password Filter MPE

look for dictionary.txt in the local Netlogon share.

Check HaveIBeenPwned API

(instead of local file)

Default Value: 0

This setting affects the check for breached

passwords found in each of the policies. If this

value is set to a 1 the system will call the HIBP API

to check the password hash. Only the first 5 digits

of the hash are sent and the HIBP API returns all

hashes that match the first 5 digits. The call is set

for a 5 second timeout. If no reply is received

within 5 seconds the system will continue to

process other rules and put an error in the

system32\logfiles\ nfront-password-filter-

errors.txt file.

Bypass password filtering (do not

reject any passwords)

Default Value: 0

This setting can be used to temporarily bypass

filtering. This setting can be used to skip all

password filtering by nFront in case of a software

conflict or vendor issue.

Allow password resets to bypass

the filter

Default Value: 0

This allows administrative staff to assign weaker

passwords when resetting an end-user’s

password.

IMPORTANT NOTE: The Windows OS is supposed

to call password filters with a value of 0 or 1 for

the setOperation flag. In some scenarios, it uses a

value that is not a 0 or 1. The default behavior is

to interpret any non-zero value as true (i.e. as an

admin reset). However, you can change this

behavior by adding the following registry value:

HKLM\Software\Policies\Altus\PassfiltProMPE\

setOperationTrueOneOnly, REG_DWORD32,

value=1.

Log Administrative password

resets.

Default Value: 0

Logs date/time and userid to

%systemroot%\system32\logfiles\nfront-

password-resets.txt file.

I am not running the client and

would like to optimize the

dictionary check.

Default Value: 0

Only scans the dictionary if the new password

nFront Password Filter Documentation 27

meets all other rules. Also, the scan will stop on

the first word found. This is more efficient and

suggested if you are not running the nFront client.

If you are running the client you should not select

this option as it may result in an incomplete error

message to the user (i.e. their password contains

dictionary words but the error message only

shows the other rules they did not meet).

Inspect USN to optimize Group

Filter Service

This feature only works on policies that target

groups and will not work if OU paths are targeted

by the policy. If checked this option will force the

inspection of the USN (update sequence number)

for the group object and if the number has not

changed the nFront Group Filter service will not

retrieve a new list of all group members. If the

group is modified in any way the service will

retrieve a new list of members.

Maintain a log of rejected

passwords

This will produce windows\system32\nfront-

password-filter-failures.txt. The file is in a CSV

format and will have columns for the date,

username, failure code, the dictionary word or

words that were found, and a column for the

multiple reasons for failure with each reason

separated by a semicolon. The file will grow

continuously so it will be up to your to periodically

archive or clear it. Due to the small amount of

data, it will not grow quickly.

Include rejected passwords in log

This will add a column to the rejected password

log. The column will contain the clear text

password the user attempted (but was rejected by

our filter and not in use on the network).

nFront Password Filter Documentation 28

3.4 Configure Password Policy Settings

Important Notes:

 The Default Password Policy Configuration applies to everyone except the “Excluded

Groups or OUs” (at bottom of scrolling list of policy settings).

 Other polices allow you to choose groups or OUs to which the policy applies and the

groups or OUs which are excluded from the policy. You must apply the policy to at least

one group or OU if you configure the policy.

 The Default Password Policy Configuration is used for all new account creation.

 Policies are cumulative just like NTFS permissions. If a user is affected by 2 polices the

user’s password must meet the requirements of both policies and if the same settings

differs between the policies, the most restrictive setting applies.

Figure 3.4.1: nFront Password Filter MPE Default Password Configuration Policy.

Policy

Description

Policy Name

Default Value: Default Policy

This is the policy name that is reported in the

debug output. This setting is arbitrary and

optional. If you wish to rename the policy names

that appear in the group policy editor you must

nFront Password Filter Documentation 29

* This setting only present in MPE version.

edit the supplied Group Policy Template (nfront-

Password-Filter-mpe.adm).

Maximum password age (in days):

* This setting only present in MPE version

Valid Values: 0-365

Default Value: 0 (turned off)

NOTE: The value set here cannot be greater than

the overall maximum password age for the

domain.

This parameter is read by the nFront Password

Filter Password Expiration Service which will

force users to “Change Password at next logon” if

their password is older than the value set. A

setting of 0 means no aging is applied.

IMPORTANT NOTE: The age must be

less than or equal to the maximum

password age set for the entire

domain. You can verify the domain

maximum password age via the

command line (“net accounts”).

IMPORTANT NOTE: For this setting to

be effective you must install the

separate nFront Password Expiration

Service on a domain controller.

Email Notification of Password Expiration

* This setting only present in MPE version

Default Value: 0

Check this box to email warnings to end users

about upcoming password expirations.

IMPORTANT NOTE: For this setting to

be effective you must install the

separate nFront Password Expiration

Service on a domain controller.

Minimum password length (in characters):

Valid Values: 0-256

Default Value: 0

Controls minimum number of overall characters

in password.

Since you can have multiple policies you may

wish to have a different minimum character limit

for different groups. Ideally passwords should all

be at least 8 characters or more. Also, passwords

nFront Password Filter Documentation 30

of more than 14 characters are not accepted by

Windows Terminal Services.

NOTE: This setting may conflict with

the minimum password length you

have established in the Default

Domain Policy.

Maximum password length (in characters):

Valid Values: 0-256

Default Value: 256

Controls maximum number of overall characters

in password.

Useful in environments with UNIX systems or

mainframes where passwords of more than 8

characters are truncated or rejected. If you use

Microsoft Services for UNIX or BMC’s password

synchronization software you may wish to

impose your maximum limits here.

Reject similar passwords.

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy is used with the next 2 settings to

ensure the old and new password are not “too

similar” or to ensure they are different.

*This feature only works for password changes

made via the nFront Password Filter client or via

the nFront Web Password Change portal.

Max matching char in old and new

password

Valid Values: 0-256

Default Value: 0

This policy is used to select the maximum length

of a character string that can be found in both the

old and new password.

For example, if the old password is dogcat123

and the new password is tigerdog456 the new

password will be rejected if the max matching

characters is 3 or less because the phrase “dog” is

used in both passwords.

Min different char in old and new password

Valid Values: 0-256

Default Value: 0

This policy is used to ensure the old and new

nFront Password Filter Documentation 31

passwords are different by XX characters. Each

character in the new password is compared to

every character in the old password. The new

password must contain XX characters that were

not used in the old password.

Reject passwords that don’t contain at least

<value> of the following 4 character types:

1) Lower Case (a-z)

2) Numeric (0-9)

3) Upper Case (A-Z)

4) Special (e.g.!,@,etc.)

Valid Values: 0-4

Default Value: 0

nFront Password Filter categorizes each character

in the new password into one of the following

four categories:

1. numeric character

2. upper case character

3. lower case character

4. non-alphanumeric character

A 1 tells nFront Password Filter to make sure the

new password contains characters from at least 1

category. A 2 forces the new password to

contain characters from at least 2 categories.

This setting is provided for customers who want a

variation in the password complexity feature

provided by Microsoft.

Check for lower case characters in

password.

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for lower case characters within the new

password and make sure the number of lower

case characters fits within the range specified.

Minimum Lower Case Characters Required:

Valid Values: 0-256

Default Value: 0

Defines the minimum number of lower case

characters that must be present in the password.

Maximum Lower Case Characters Required:

Valid Values: 0-256

Default Value: 256

Defines the maximum number of lower case

characters that must be present in the password.

Check for upper case characters in

password.

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for upper case characters within the new

nFront Password Filter Documentation 32

password and make sure the number of upper

case characters fits within the range specified.

Minimum Upper Case Characters Required:

Valid Values: 0-256

Default Value: 0

Defines the minimum number of upper case

characters that must be present in the password.

Maximum Upper Case Characters Required:

Valid Values: 0-256

Default Value: 256

Defines the maximum number of upper case

characters that must be present in the password.

Check for numeric characters in password.

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for numeric characters within the new password

and make sure the number of numeric characters

fits within the range specified.

Minimum Numeric Characters Required:

Valid Values: 0-256

Default Value: 0

Defines the minimum number of numeric

characters that must be present in the password.

Maximum Numeric Characters Allowed:

Valid Values: 0-256

Default Value: 256

Defines the maximum number of numeric

characters that must be present in the password.

Check for Special characters in password.

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for non-alphanumeric characters within the new

password and make sure the number of non-

alphanumeric case characters fits within the

range specified.

Minimum Special Characters Required:

Valid Values: 0-256

Default Value: 0

Defines the minimum number of non-

alphanumeric characters that must be present in

the password.

Maximum Special Characters Required:

Valid Values: 0-256

Default Value: 256

Defines the maximum number of non-

nFront Password Filter Documentation 33

alphanumeric characters that must be present in

the password.

Check for spaces in password.

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for space characters within the new password

and make sure the number of space case

characters fits within the range specified.

** great setting for encouraging the use of

passphrases

Minimum Spaces Required:

Valid Values: 0-256

Default Value: 0

Defines the minimum number of space

characters that must be present in the password.

Maximum Spaces Required:

Valid Values: 0-256

Default Value: 256

Defines the maximum number of space

characters that must be present in the password.

Check for alpha characters in password.

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for alpha characters (upper or lower case) within

the new password and make sure the number of

alpha characters fits within range specified.

NOTE: Alpha does NOT distinguish between

upper and lower case characters.

Minimum alpha Characters Required:

Valid Values: 0-256

Default Value: 0

Defines the minimum number of alpha characters

(i.e. upper or lower case) that must be present in

the password.

Maximum alpha Characters Required:

Valid Values: 0-256

Default Value: 256

Defines the maximum number of alpha

characters (i.e. upper or lower case) that must be

present in the password.

Check for non-alpha characters in

password.

Valid Values: 0 or 1

Default Value: 0 (not checked)

nFront Password Filter Documentation 34

This policy tells nFront Password Filter to check

for non-alpha characters (numeric or special)

within the new password and make sure the

number of non-alpha characters fits within range

specified.

Minimum non-alpha Characters Required:

Valid Values: 0-256

Default Value: 0

Defines the minimum number of non-alpha

characters (i.e. numeric or special) that must be

present in the password.

Maximum non-alpha Characters Required:

Valid Values: 0-256

Default Value: 256

Defines the maximum number of alpha

characters (i.e. numeric or special) that must be

present in the password.

Restrict special character set

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to only

allow specific special characters listed in the

textbox below. Note that a space is a special

character.

Reject passwords with repeating pattern

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to scan the

password for a repeating pattern (only if the min

length of a repeating pattern is set).

Min length of repeating pattern (must be 2

or more)

Valid Values: 2 or 32

Default Value: 0 (not checked)

Scans the new password for a repeating pattern

of this size. Example: A pattern size of 8 will

prevent the password of “passwordpassword”

but not “summersummer”

Allowed special characters (up to 32)

List allowed special characters here. No need for

quotes or commas. Just type the characters into

the box. If you wish to include a space it would

be a good idea to include it between other

allowed special characters so it is obvious to the

viewer.

Enforce SAP password rules

Valid Values: 0 or 1

Default Value: 0 (not checked)

SAP PASSWORD RULES:

nFront Password Filter Documentation 35

• Cannot start with an exclamation or

question mark.

• First three characters cannot all be the

same.

• Cannot contain a space in the first 3

characters

• First 3 characters of password cannot

appear in the same order in the

username

Enforce Stanford password rules

* This setting only present in MPE version

The password policy adopted by Stanford is a

length based password policy. The longer the

password the fewer the character types required.

• Passwords with 8-11 characters require

lower, upper, numeric and special

characters.

• Passwords with 12-15 characters require

lower, upper and numeric characters.

• Passwords with 16-19 characters require

lower and upper characters.

Passwords with 20 or more characters require

lower case characters

Reject passwords that contain vowels

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for vowels (a,e,i,o,u,y). If any vowels are found

the password is rejected.

This may be used to eliminate dictionary words.

A dictionary containing common sequences is still

recommended.

Reject passwords that contain 3

consecutive identical characters.

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for 3 consecutive identical characters within the

new password. For example any password

containing “aaa” would fail regardless of where

“aaa” falls within the password.

No more than 3 consecutive characters

from same char set

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for 3 consecutive identical characters from the

same character set within the new password.

The character sets are upper, lower, numeric and

special (i.e. non-alphanumeric). For example, any

nFront Password Filter Documentation 36

password containing “frog” would fail. It is also a

great rule to prevent users from including 4-digit

years in their password.

Reject non-ASCII characters (i.e. foreign

language characters).

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for characters outside of the ASCII range of 32-

126. This setting is typically used to disallow

foreign characters for many European customers.

Password like freibier4ü would be disallowed

when this setting is turned on.

Reject passwords without a numeric

character between alpha characters.

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for a numeric character between 2 alpha

characters. The numeric character is not

required to have an alpha character immediately

before or after it. An alpha character anywhere

before and anywhere after the numeric character

meets the requirement.

Reject passwords that begin with a number

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for a numeric character at the beginning of the

password.

Reject passwords that end with a number

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for a numeric character at the end of the

password.

Reject passwords that begin with a special

character

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for a special character at the beginning of the

password.

Reject passwords that end with a special

character

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check

for a special character at the end of the

password.

Passwords must contain special character

Valid Values; 0-256

nFront Password Filter Documentation 37

before character number <value>

Default: 0

Use this setting to require a non-alphanumeric

character within a specified number of characters

at the beginning of the password.

Reject passwords that contain the

username.

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check to

see if the new password contains the username

anywhere within it.

Reject passwords that contain any part of

the user's full name.

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to check to

see if the new password contains any part of the

user’s fullname (listed as Display Name in

Windows ADUC tool). The full name of the user is

parsed and broken into sections based on spaces

in the full name field. Thus, the full name

“George P Burdell” would be checked for

“George” and “P” and “Burdell” within the new

password. The check is case-insensitve, so

passwords like “george123” and “GEORge123”

would both be rejected.

NOTE: To avoid problems with the

middle initial, nFront Password Filter

does not compare any portions of the

“full name” that are less than 3

characters.

Reject passwords that contain 3

consecutive characters from the username

or user’s full name.

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to parse

the username and user’s full name components

to ensure that no sequence of 3 consecutive

characters from any component is included in the

password. This was a policy requirement with a

large domain hosting provider.

Check password against a file of breached

passwords (in SHA1 format)

This rule results in the filter scanning a file named

npf-hashfile.sha1 in windows\system32. The file

should contain SHA1 hashes of known

compromised passwords in an alphabetical order

(i.e. ordered by hash).

nFront Password Filter Documentation 38

As of this writing you can download a file of 572

million breached passwords in a SHA1 format

(ordered by hash) from

https://haveibeenpwned.com/Passwords

Dictionary - reject passwords that contain

dictionary words

Valid Values: 0 or 1

Default Value: 0 (not checked)

This policy tells nFront Password Filter to scan the

password for any occurrence of the dictionary

line entry within the password (as opposed to

looking for an exact case-insensitive match).

example dictionary.txt

january

february

march

example passwords:

JANUARY1

123january

JaNuArYpW

January

JANuary

With the substring search enabled, all 5 of the

above passwords would be rejected.

With the standard dictionary check, only the last

two would be rejected.

Dictionary Option - check substitution

characters (a=@,e=3,i=1,l=1,

o=0,s=$)

Valid Values: 0 or 1

Default Value: 0 (not checked)

When checked the filter will check the password

for all combinations of each dictionary word that

contains the substitution characters.

For example, if the word in the dictionary is

“password” the following words will be checked:

password

p@ssword

pa$$word

passw0rd

p@$$word

pa$$w0rd

p@SSw0rd

nFront Password Filter Documentation 39

Dictionary Option - treat '*' as wildcards in

dictionary file

Valid Values: 0 or 1

Default Value: 0 (not checked)

This option gives you the ability to use a ‘*’ in

dictionary words as a wildcard where any number

of characters could be used in place of the

wildcard.

For example if the dictionary contains the word

“let*in” the following passwords would be

rejected:

letmein

letusin

lethimin

letmechecktoseeificangetin

…

Dictionary Option – check policy specific

dictionary instead of global dictionary

Valid Values: 0 or 1

Default Value: 0 (not checked)

This option gives you the ability to use a separate

dictionary for policies 1-9. If you wish to use a

different dictionary for policy 1 you can check this

option and add a new dictionary file to system32

or the netlogon share with a filename of

dictionary-policy1.txt.

This can be applied to Policies 1 – 9 but not the

Default Password Policy Configuration.

Skip dictionary check if password longer

than <value>

Default Value: 256

nFront Password Filter will skip any dictionary

checking and / or substring dictionary checking

for passwords greater than the length specified

here.

Groups/OUs to which this policy applies:

Valid Values: group names or OU paths separated

with semicolons (max text length is 1024

characters)

Default Value: none

List global groups here that should receive this

policy.

IMPORTANT NOTE: The setting is not

present in the Default Password

Policy. The Default Password Policy

applies to all users and you can only

nFront Password Filter Documentation 40

add exclusions.

ADVICE: Use the Default Password Policy for all

Domain Users. Generally, it will be your most

unrestricted policy. Other policies will generally

provide more restrictive filtering to protect

groups that have access to sensitive network

resources.

Always decide first which groups should receive

the policy. Then ask if there are any users in

those groups who should not receive the policy.

If such users exist, you need to create a global

group for them and exclude that global group

from this policy.

Group nesting is supported so if you have many

groups nested into 1 group you only need to list

the 1 group.

OU paths are supported. Please list the OU path

in the form of “OU=NY,OU=NA”. In this case NA

is an OU branching from the domain and NY is an

OU under NA. This is like an X.500 distinguished

name without the CN or DC components.

When an OU path is targeted all users in that OU

and any OUs under that OU are affected.

Apply this policy to users with non-expiring

passwords.

Valid Values: 0 or 1

Default Value: 0 (not checked)

If checked the policy will apply to all accounts

with the “Password Never Expires” flag set.

Groups/OUs EXCLUDED from this policy:

Valid Values: global group names separated with

semicolons (max text length is 1024 characters)

Default Value: none

List global groups here that should be excluded

from this policy. Many administrators find it

helpful to exclude certain service accounts that

may automatically change their passwords (e.g.

SMS service accounts, Exchange 2003 service

accounts).

Exclude this policy from users with non-

expiring passwords.

Valid Values: 0 or 1

Default Value: 0 (not checked)

nFront Password Filter Documentation 41

If checked the policy will be skipped for all

accounts with the “Password Never Expires” flag

set.

3.4.1 Checking a file of breached passwords or HIBP API

If you wish to have the software check against a list of known breached passwords, you have 2

options.

Option 1 – Parse a local file (default)

Option 2 – Call HIBP API

Option 1 – Parse a local file

By default the system will attempt to parse a file named npf-hashfile.sha1 in the system32

folder. This option avoids an API calls that leave the DC to make a password filtering decision

and removes any concerns over network latency. You must provide the list locally in the form of

a file named npf-hashfile.sha1 in the windows\system32 directory.

As of this writing (October 2020) you can download a file of known breached passwords from

the haveibeenpwned website (https://haveibeenpwned.com/Passwords). On the site you are

presented with a few different file types. You need to download the file in the SHA-1 format

which is ordered by hash. The file is 10.1 GB but will expand to over 24 GB. Once expanded it

will remain a single file. You will need to rename the file to npf-hashfile.sha1 and copy it to the

windows\system32 directory. The sha1 extension should help you avoid accidentally trying to

open the file in Notepad or other text editors. Most editors will not handle the large file size

and if they do open the file it will take them a very long time (over 20 minutes) to simply search

for one hash.

nFront Password Filter Documentation 42

If the npf-hashfile.sha1 is missing or cannot be opened the filter system will put error messages

into an errors file named nfront-errors.txt in the windows\system32\logfiles folder.

The ordered file allows the filter to search it efficiently. On a test virtual machine with limited

resources the filter can consistently scan the file in less than 300 milliseconds so there is no

significant performance penalty for adding this scan.

Please note that this method does not send any API calls that leave the DC. By referencing the

file locally we reduce the attack surface and increase performance. Also, note the file must be

in the system32 folder and cannot be relocated or read from a network share.

Option 2 – read from HIBP API

To leverage this option you must edit the General Configuration policy and check the box for

“Check HaveIBeenPwned API (instead of local file).”

nFront Password Filter Documentation 43

If you select this option, any policy (see below) that is configured to “Check password against

HIBP file / API of breached passwords” will result in an API call. The API call will only send the

first 5 digits of the SHA1 hash. The API will return any hashes that match the first 5 digits. It may

return zero hashes or thousands. By using this approach the original hash is never transmitted

outside of your network. There is a possiblity of the site being unavailable or a network error

reaching the site. In such a case we have placed a 5 second timeout on the call. If the call does

not return in 5 seconds we put an error in the system32\nfront-password-filter-errors.txt file

and continue processing the othe rules.

nFront Password Filter Documentation 44

Using nfp-checkHash utility

When you install the nFront Password Filter MSI package, the installer copies a command line

utility named “npf-checkHash.exe” to the windows\system32 folder. The utility calls the same

hash checking DLL using by the filter and gives you an easy way to test passwords against the

local HIBP file or the HIBP API. The utility is very simple to use and by default checks the HIBP

API. Below is a screenshot with a couple of examples:

3.4.2 Notes on the dictionary checking features

The dictionary check feature uses a plain-text file named dictionary.txt located in the

%SYSTEMROOT%\System32 directory. This file contains over 6,000 entries. You can edit the file

directly in any editor like Notepad (or any other text editor) to add or remove entries. The file is

nFront Password Filter Documentation 45

in a Unicode format so it can support any printable character in the world. If you edit the

dictionary file, you must manually copy it to the %systemroot%\system32 directory on each

domain controller.

When dictionary password checking is enabled, the dictionary.txt file is scanned line by line and

compared with the new password proposed by the user. The nFront software will look for the

dictionary word anywhere within the password regardless of case (lower, upper, or mixed case).

If the dictionary word is found anywhere within the new password, the new password will be

rejected.

In approximately 10 milliseconds, nFront Password Filter MPE ensures that the user’s proposed

password does not match any of the 6,000 entries.

There is no size limit on the dictionary file you can run. However, running a very large dictionary

with features like character substitution turned on may add significant processing time. Several

years ago, we had a customer running a 15-million-word dictionary with character substitution

on and it was taking about 2 seconds to process. With the substitution feature on it was likely

generating over 100 million words. We do not suggest such a large dictionary. You can be very

effective with a smaller but robust dictionary file. Ideally, you add a lot of custom entries

related to your company, products, brands, industry vernacular, local restaurants, sports teams,

etc. The more “local knowledge” the more effective the dictionary.

BEST PRACTICES:

Customize the dictionary.txt file with entries related to your company, products,

brands, local sports teams, etc.

Put the dictionary.txt file in the Netlogon share so it replicates among domain

controllers.

Placing the dictionary.txt file in the Netlogon share

In the General Configuration policy, you can turn on the option to “Read dictionary.txt from

Netlogon share.” We suggest placing the dictionary file in the Netlogon share to ensure

consistency among domain controllers. In such case, nFront Password Filter MPE will read the

dictionary.txt file from the local Netlogon share. Administrators can edit the dictionary.txt file

on any domain controller and the modified file will replicate to all other domain controllers

automatically. The negative to this approach is Netlogon is readable by all end-users, and they

can see the dictionary file you are using. However, you can modify permissions on the file to

disallow user access. The nFront product runs as a thread under the LSA process and under the

security context of SYSTEM. The only permission needed is SYSTEM with read access to the file.

Likely you also want to include Administrators with Modify permission or Full Control.

3.4.3 Notes on the dictionary character substitution feature

Turning on the character substitution feature can increase dictionary processing time depending

on the length and contents of the dictionary file. Each time the dictionary check routine

nFront Password Filter Documentation 46

encounters a word with one or more substitution characters it must calculate all possible

combinations of the characters. Using our default dictionary of 27,000 words the nFront

system can process it in 31 milliseconds without character substitution and in 152 milliseconds

with character substitution.

As shown below, the word “password” results in 7 different words to check:

password

p@ssword

pa$$word

passw0rd

p@$$word

pa$$w0rd

p@SSw0rd

If you wish to optimize dictionary checking and check for substitution characters it would be

best to pre-process your dictionary file and generate the substitutions you prefer to check.

Suppose you want to use the following words but only check for i=”!” and a=”@” (instead of our

standard substitution characters):

password

company

internet

You could generate the substitutions for each word and just use our standard dictionary

checking option (without the substitution option turned on):

password

p@ssword

company

comp@ny

internet

!nternet

Such customization allows you to directly select which characters you wish to substitution and it

makes the dictionary checking routine faster since you have pre-populated the dictionary with

the exact words you wish to check.

3.4.4 Notes on the dictionary wildcard feature

The wildcard feature (Dictionary Option - treat '*' as wildcards in dictionary file) is a different

approach to dictionary process. In any word containing a ‘*’ character the character will be

treated as a wildcard. Suppose the dictionary contains one word:

p*word

The following passwords would be rejected:

password

passssword

poorlychosenword

nFront Password Filter Documentation 47

This feature would allow you to eliminate many variations not otherwise possible with standard

dictionary checking or character substitution. However, you must be careful because it could

eliminate words or phrases you have not intended.

3.5 Configure Password Expiration Settings (MPE Only)

The Password Expiration Settings Policy (Figure 3.6.1) can be used to control the Password

Expiration Service.

The nFront Password Expiration Service includes the ability to email end users about upcoming

password expirations. The software uses the user’s email address that is specified on their AD

user account. The software will not only email end users about their upcoming password

expirations but can also email a report to the administrator which lists the configuration

settings, has a table of users with upcoming password expirations and has a table of users

whose passwords have been expired during this run of the service.

Features:

 You can set a warning threshold such that users are notified XX days before the

password expiration. The warning threshold applies to all policies.

 You can control the timing of the service. We suggest running the process every 24

hours.

 You can customize the message to the end user (perhaps giving remote users an

intranet location to be used for password changes). You can customize the “from” email

address, the subject and the body of the message.

 Emails to the end users can be sent in plain text or HTML. The default is HTML.

 You can customize the body of the email message to the end user. The following

variables may be used within the body of the message. When the email is sent the

correct information will be substituted based on the user account.

<%username%>

<%firstName%>

<%lastName%>

<%daysUntilExpiration%>

 Emails to the administrator are sent using HTML for a better formatted report.

 You can run the system in a report only mode. In report only mode an administrative

report is emailed. However, end users do not have their passwords expired and no

email goes to the end user. You receive a complete report of those with upcoming

expirations and a list of users whose passwords would be expired by the system.

 You do not have to create a MAPI profile. You simply specify an SMTP server name or IP

address and some parameters regarding the messaging.

 You can choose to email only certain groups of users because the choice to email

warnings is set on a per policy basis. So those on Password Policy 1 may receive

warnings and those on Password Policy 2 may not.

nFront Password Filter Documentation 48

Figure 3.5.1: nFront Password Expiration Settings

The table below shows a list of configuration settings related to the Password Expiration

Settings section.

Policy

Description

Password Expiration Service

interval (in hours)

Default Value: 24

Min: 1

Max: 120

This controls how often end-user emails and

administrative reports are generated.

Password expiration warning

threshold

Default Value: 14

This parameter corresponds to the number of days

in advance to email the user a warning of an

upcoming password change.

**If you use the first, second, or third warning you

must be sure this setting is set to the longest of

the warnings.

First Email Warning (in days)

Default Value: 0

Min: 1

nFront Password Filter Documentation 49

Max: 365

If set to a non-zero value this will cause the

expiration service to only send emails on the

warning interval specified. The value specified is

the number of days before password expiration.

You can specify up to three different warning days.

Second Email Warning (in days)

Default Value: 0

Min: 1

Max: 365

If set to a non-zero value this will cause the

expiration service to only send emails on the

warning interval specified. The value specified is

the number of days before password expiration.

You can specify up to three different warning days.

Third Email Warning (in days)

Default Value: 0

Min: 1

Max: 365

If set to a non-zero value this will cause the

expiration service to only send emails on the

warning interval specified. The value specified is

the number of days before password expiration.

You can specify up to three different warning days.

Report Only Mode

Default Value: checked

Uncheck this box to send emails to end users

about password expirations and expired

passwords on those accounts overdue for a

password change.

Generate Local HTML Log

Default Value: not checked

This will generate a file named “nfront-expiration-

report.html” in the c:\windows\system32\logfiles

directory. The file contains the body of the

message that is sent in the administrative email

report.

Limit end-user emails to one per

day

Default Value: not checked

This will prevent multiple password expiration

warning emails to an end user in the event of a

server or service restart.

SMTP Server

Default Value: “”

Specify the name or IP address of the SMTP server

you wish to use. This is required for any email

nFront Password Filter Documentation 50

notifications to users or administrators.

SMTP Username

Default Value: “”

Can be used to specify credentials to authenticate

to an SMTP server for email.

SMTP Password

Default Value: “”

Can be used to specify credentials to authenticate

to an SMTP server for email.

Email administrative reports

Default Value: 0

You can choose to skip the email of administrative

reports.

To: email address for email reports

Default Value: “”

This parameter is required if you wish to have the

administrative reports emailed to an individual or

department email address. After each run of

service, you will receive an email with a summary

of users with upcoming password expirations and

a list of passwords that have been expired during

this run.

From: email address for email

warnings

Default Value: “”

This is the email address from which the warnings

are sent. It can be a real or fake address depending

on if you wish to allow and accept user replies to

the email. This parameter is required if you wish

to email users or administrators.

Subject of password expiration

warning message

Default Value: “”

This parameter is optional. If left blank the user

receives an email stating “YOUR WINDOWS

PASSWORD WILL EXPIRE SOON.” You can change

the text to any 128-character string you would like.

Password Expiration Email Body

Customization

IMPORTANT NOTE: This setting was removed in

release 6.2.0. You can now edit the plain text or

html file in the local system32 directory. The

filenames are nFrontEmailExpiration.txt and

nFrontEmailExpiration.html. The system will send

the html version if it is present. If you prefer plain

text rename the html version and the plain text file

will be used. You can customize both versions just

by editing the file.

Only send a test email

Default Value: 0

If you set this to a 1 and provide a test email

nFront Password Filter Documentation 51

address the service will send the test email on

startup. This can be used to test customizations to

the email subject or body without affecting

production users. Since no test username is

provided it will use a username of GBurdell with a

full name of George Burdell. It also assumes the

password expires in 10 days. If you have used

variables in your email template customization

they should reflect this test username, first name,

etc.

Email address for test email

Default Value: “”

This is the email to which the test message will be

sent. The test message will appear as it would for

an end-user on the network whose password

expires in 10 days.

3.5.1 Working with the nFront Password Expiration Service

When the service installs the service is not started and it defaults to a Manual Startup mode.

When you start the service, it accomplishes its work in less than one or two seconds. By default,

the configuration defaults to Report Only mode and we suggest you keep the setting checked

until you are ready to go live and actively email users. In the Report Only mode the service will

run all of its calculations and build a local logfile and / or email you the administrative report.

You can then review the results and see what would have happened if it were not in Report Only

mode.

To test the expiration settings, you simply restart the service. Be sure to run gpupdate /force

after you change any GPO settings and then restart the service.

BEST PRACTICE: To have the service run at a specific time of day we suggest you schedule the

following batch file via Task Scheduler.

net stop “nfront password expiration service”

net start “nfront password expiration service”

If you run the service via a batch file we suggest you set the Password Expiration Service Interval

to a longer interval than the time between runs of the batch file. For example, if you wish to run

the batch file daily then you should set the interval to 25 hours or more. That avoids a potential

issue with the service thread waking up to run again at the same time the batch file is restarting

the service.

3.5.2 Logging

When not in Report Only mode the service generates two comma-delimited log files. The files

are located in the c:\windows\system32\logfiles directory. We suggest you copy the files to

another location and rename the extension to “.csv” such that you can easily open the files in

Excel or other spreadsheet programs.

nFront Password Filter Documentation 52

Below is information on each log file and excerpts from each:

 nFront-expired-pw.log. This file logs the accounts whose passwords have been expired

due to the policies configured in nFront Password Filter. It gives us the date and time

the account was expired, the account name, the age of the password (in days) at time of

expiration. The last two columns a successful or failed operation and an error code if

one was returned.

“5/15/2014 15:57:37”,”test750”,”46”,”successful”

“5/15/2014 15:57:37”,”test751”,”46”,”successful”

 nFront-expiring-soon.log. This file maintains an up-to-date listing of passwords that will

expire in the next XX days (where XX days is the warning interval you have configured

via nFront settings).

“Date of Run, Username, Days before expiration

“5/16/2014 9:28:55”,”jsmith”,”2”

“5/16/2014 9:28:55”,”test302”,”4”

“5/16/2014 9:28:55”,”test51”,”14”

nFront Password Filter Documentation 53

3.5.3 Example Administrative Report

Subject: nFront Password Expiration Report

HTML Body:

nFront Password Expiration Report

DATE OF RUN: 1/1/2020 5:00:00

Settings:

Service Interval (in hours)

SMTP Server

Warning Threshold

Email at specific intervals

Warning 1

Warning 2

Warning 3

Report Only

Email Admin Report

Limit Emails

Email length-based password aging users

Last Email Day

Users with upcoming password expirations:

Username

Email Warnings

Days until Expiration

Emailed

test1

none

test5

none

fred

fred@nFrontSecurity.com

yes

bob

bob@nFrontSecurity.com

Users with passwords expired during this run:

Username

pw Age

Max pw Age

Status

test100

john.doe@nFrontSecurity.com

PASSWORD EXPIRED

test101

jane.doe@nFrontSecurity.com

PASSWORD EXPIRED

test102

jane.smith@nFrontSecurity.com

117

PASSWORD EXPIRED

nFront Password Filter Documentation 54

3.5.4 Example Email to End-User:

Subject: YOUR PASSWORD WILL EXPIRE SOON

Body:

Your Windows password will expire in 7 days.

You can change your password before the expiration date to avoid

additional password expiration emails. If you do not change your

password before the expiration date you will be prompted to change your

password prior to logon on the day of expiration.

3.6.5 Customizing the email body and using variables

In release 6.2.0 the method to customize the email body has changed. In prior releases

customization was done via GPO. Now it is much easier. Also, it is now possible to send HTML

emails as well as plain text emails. In c:\windows\system32 are the following two files:

nFrontEmailExpiration.html

nFrontEmailExpiration.txt

You can directly edit these files and modify the messaging as needed. The expiration service will

always attempt to read the HTML version. If the HTML version is not present it will use the plain

text version. If you wish to use plain text, we suggest you simply rename the HTML version in

case you wish to use HTML in the future. You can simply add a .old extension or any other

method to change the name.

You can use the following variables in your custom message:

<%username%>

<%firstName%>

<%lastName%>

<%daysUntilExpiration%>

Here is the default HTML file:

<html>

<body>

<p>Hello <%firstName%>,</p>

</p>

<p>Your Windows password for your account with a username of

<%username%> will expire in <%daysUntilExpiration%> days.</p>

<br/>

<p>

You can change your password before the expiration date to avoid

additional password expiration emails. If you do not change your

password before the expiration date you will be prompted to change your

password prior to logon on the day of expiration.

</p>

</body>

</html>

nFront Password Filter Documentation 55

Here is the default plain text file:

Your Windows password will expire in <%daysUntilExpiration%> days.

You can change your password before the expiration date to avoid

additional password expiration emails. If you do not change your

password before the expiration date you will be prompted to change your

password prior to logon on the day of expiration.

IMPORTANT NOTE: We do not suggest using Microsoft Word to generate an

HTML email. It adds many extraneous HTML tags and likely will not work well.

With HTML you should keep it simple and avoid <div> tags. Always use tables

in lieu of <div> tags and if you reference any images use a URL that is publicly

accessible so the image renders correctly in cases where the user is not

connected to the corporate LAN.

After making any modifications to the templates you will likely want to send a test email. You

can easily do this by configured the GPO to “Only send a test email” and providing a test email

address. These settings are at the bottom of the Password Expiration Settings policy. If you

configure these parameters, the service will send a test email when started. It will put the

service in ReportOnly mode even if that is not configured via GPO. This will prevent the service

from sending any emails to the end users. You can experiment with modifications to the email

templates and repeatedly test by restarting the service with no disruption to production users.

Figure 3.5.2: Password Length-Based Aging settings

nFront Password Filter Documentation 56

3.6 Optionally configure Password Length-Based Aging Setting

Password Length-Based Aging is a feature introduced with release 6.1.0. It allows you to

enforce different maximum password age settings based on the length of the password. Please

note the overall windows maximum password age must be equal to or greater than the longest

age set within the nFront software.

Figure 3.6.1: Password Length-Based Aging settings

To use this feature, you must create the following 4 groups.

 nFrontExpirationGroup1

 nFrontExpirationGroup2

 nFrontExpirationGroup3

 nFrontExpirationGroup4

The groups can be created anywhere in the AD. They must be global groups and security (not

distribution) groups. The groups are populated with usernames based on the length of

password chosen by the user. The nFront Password Filter will place users into the correct group

based on your settings

You must also have the nFront Password Expiration Service.MSI (or x64 version) installed on one

of your domain controllers.

nFront Password Filter Documentation 57

You can use up to 4 different password lengths. Each length has a corresponding maximum age

that will be enforced for password greater or equal to that length (unless a longer length is

defined with a greater maximum age).

Suppose we have the following 4 settings:

Password Length

Password Max Age

nFrontExpirationGroup1

nFrontExpirationGroup2

120

nFrontExpirationGroup3

180

nFrontExpirationGroup4

365

If a user changes to a password with 8 to 11 characters their maximum password age will be 60

days. If they select a password that is 12-15 characters, they can keep the password for up to

120 days. If the password is 16-19 characters, the maximum password age will be 180 days. If

the password is 20 characters or more it may be kept up to 365 days.

You can enter the length and age in any order you wish. The system will automatically sort the

lengths and corresponding ages and determine the ranges for a specific maximum password

age.

Once this feature is activated the 4 groups above will populate with users as they change their

passwords. Using the example, nFrontExpirationGroup1 will contain all users who have selected

passwords that are 8 to 11 characters long and nFrontExpirationGroup4 will contain users who

chose passwords of 20 characters or more.

3.7 Optionally configure nFront Password Filter Client Setting

For detailed information on the optional client see Section 9. Configuration of this policy is not

necessary for the nFront Password Filter Client to work. It contains settings related to the

display of a custom message to the end user.

nFront Password Filter Documentation 58

Figure 3.7.1: nFront Password Filter client settings

You can choose to:

• Display a custom message to the end-user in addition to our default message.

• Display a custom message only

If you customize the message you will need to enter it into the GPO textbox as a single line of

text. The textbox will accept up to 2048 characters. It is advised to type the message you wish

to present into Notepad or your text editor of choice. To add carriage returns to the custom

message use “\\” (without the double quotes) as a carriage return. If you have typed the

message into Notepad, you can simply replace the real carriage returns with the double

backslashes and collapse all the text onto one line. Then you can easily paste the line into the

GPO textbox.

The custom message would also display in the nFront Web Password Change product. The

example below shows the phrase “Please choose your password wisely” added to the rules

displayed. To learn more about nFront Web Password Change visit our company website.

nFront Password Filter Documentation 59

Figure 3.7.2: nFront Web Password Change displaying requirements

nFront Password Filter Documentation 60

3.8 Force immediate update of the group policy

Group policies update every 90 minutes plus or minus a 30-minute random offset for clients.

The Domain Controller policies replicate every 5 minutes. If you cannot wait five minutes or you

are testing in a lab environment and need immediate replication, open a command window and

type:

gpupdate /force

This will have the effect of immediately propagating our new policy settings throughout the

domain.

nFront Password Filter Documentation 61

4.0 Uninstallation Instructions

4.1 Delete the nFront Password Filter GPO

Your GPO settings for nFront Password Filter should be in a dedicated GPO and not part of any

other policy. In this way you can delete the GPO with the nFront Settings to remove the

configuration data. You may do this using GPMC (or ADUC on Windows 2003). Below are

instructions for GPMC.

Launch GPMC and navigate to Domains\<domain name>\Group Policy Objects (not the Domain

Controllers container). Find the GPO for the nFront configuration and delete it. You will be

prompted with a message informing you that all GPO links in this domain will be removed as

well. Just answer Yes to remove the GPO and the link to the Domain Controllers container.

NOTE: BECAUSE OF REPLICATION, YOU ONLY NEED TO PERFORM THIS STEP ON ONE DOMAIN

CONTROLLER

nFront Password Filter Documentation 62

Figure 4.1.1: Deleting the nFront Password Filter policy.

Figure 4.1.2: Deleting the nFront Password Filter policy.

nFront Password Filter Documentation 63

IMPORTANT NOTE: If you simply need to quickly disable nFront Password Filter,

you can simply turn on the setting to “bypass password filtering” in the General

Configuration policy and then uninstall and reboot at your convenience.

4.2 Run Uninstallation

Go to Start + Control Panel + Programs + Uninstall a program + Uninstall nFront Password Filter.

At the end of the uninstallation routine you will be prompted for an optional reboot. You do not

have to reboot at that time. The uninstallation removes the filter engine and supporting

services. At that point the software is not operational. A reboot is needed to remove the base

DLL that is locked by the OS.

nFront Password Filter Documentation 64

5.0 Verifying your Registration of nFront Password Filter

If you have purchased nFront Password Filter, you will receive an email with a registration code.

The registration code must be entered into the nFront Password Filter group policy.

IMPORTANT: The registration code contains groups of capital letters and numbers separated by

dashes. It must be entered exactly as emailed or printed on the box label (all capital letters with

dashes).

1. Launch GPMC and navigate to Domains\<domain name>\Domain Controllers. Right-

click the nFront Password Filter MPE policy you created and click the Edit button.

2. From the Group Policy Window select Computer Configuration + Administrative Tools +

nFront Password Filter (Figure 5.0.1). Double-click General Configuration and select the

checkbox to “Turn on debugging” (Figure 5.0.2). Select OK to close the General

Configuration dialog box. Double-click the Registration policy. It should already be

enabled. If not, please Enable the Registration policy. Enter the registration code that

you were sent via email or the one that appears on the box label (Figure 5.0.3). The

code must be typed using capital letters and the code must include the dashes. You

must also enter the annual maintenance code that you received with the purchase.

Click OK to close the Registration dialog box. Minimize the Group Policy editor.

Figure 5.0.1: nFront Password Filter Group Policy

nFront Password Filter Documentation 65

Figure 5.0.2: Turn on debugging

nFront Password Filter Documentation 66

Figure 5.0.3: Enter Registration Code (all CAPS, include dashes)

3. Run gpupdate /force to propagate the new policy settings.

4. Change the password on a test account.

TIP: Change the password from the command line.

Example: net user <username> <password>

5. Inspect the %sytstemroot%\system32\logfiles\nfront-password-filter-debug.txt file.

You should see the following lines:

registered = 1

Annual Maintenance Code = <maintenance code>

Contract expires on <contract expiration date>

This line indicates that nFront Password Filter MPE is properly registered.

6. Maximize the Group Policy editor. Remove the debugging by double-clicking the

General Configuration policy and removing the checkbox for the item labeled “Turn on

debugging.” The policy will replicate in the next 5 minutes. Run gpupdate to force

immediate replication.

nFront Password Filter Documentation 67

7. Close the Group Policy editor.

nFront Password Filter Documentation 68

6.0 Upgrade Instructions

Please note that if you upgrade or uninstall the filter it will not remove your GPO settings (i.e.

your configuration).

You can confirm your current version by going to Control Panel + Add/Remove Programs and

look at the properties for nFront Password Filter. If the version is not listed as part of the name

you can click on the link for support information to confirm the version.

The nFront Password Filter product uses a 2 DLL system instead of a single password filter DLL

file. Under most circumstances, this allows you to upgrade the filter “engine” DLL with no need

to reboot. However, release 7.0.0 updates the “base” DLL and consequently it is best to

upgrade by completely removing the old version, rebooting and installing the new version.

IMPORTANT NOTE: You can upgrade by simply installing 7.0.0 over previous

versions with no reboot required. However, it will not update the base DLL. We

suggest you plan the upgrade and follow the steps below to completely remove

and replace the base DLL by cycling through 2 reboots.

Upgrading from a version prior to version 7.0.0:

On each domain controller, you will need to completely uninstall the old version, reboot, install

the new version, and reboot again to load the new filter system. After the new version is loaded

on all domain controllers you can update the GPO template.

Step 1 – Save a copy of npf-lang.txt if needed

You only need to perform this step if you have customized the npf-lang.txt file to change the

verbiage of the rules or failure message to the optional client. Prior to uninstalling the old

version, you should rename the windows\system32\npf-lang.txt file if you have customized it.

Step 2 – Update the MSI Filter package (requires 2 reboots)

1. Uninstall old version. Reboot when prompted or at a later scheduled time.

nFront Password Filter Documentation 69

2. Install new version. Reboot at end or at next opportunity to load the new filter system.

Step 3 – Update the GPO template

Once you have updated the MSI packages on all DCs you can update the GPO template to

expose new rules and features.

The installer will copy new versions of the GPO templates to the local windows\inf folder. Open

the GPO where you have loaded the nFront Password Filter Group Policy Template. Right-click

Administrative Templates and remove the old template. Then add the new template (nFront-

Password-Filter-mpe.adm, nFront-Password-Filter-spe.adm, nFront-Password-Filter-spe-ms.adm

or nFront-Password-Filter-de.adm). After clicking OK the GP Editor will refresh and your old

registry settings from the previous version are preserved. The new template will expose a

section titled “nFront Password Filter Client.” You do not have to enable it for the client to

work. You do need to deploy the nFront Password Filter Client.MSI package to any workstations

on which you wish to replace the standard password change dialogs with those customized for

nFront Password Filter.

Upgrading from a version 7.x.x or later:

If upgrading from nFront Password Filter 7.x.x (or later) to the latest version of nFront Password

Filter you do not have to uninstall the old version. Simply run the installer for the latest version.

If you watch closely you will notice it stop the current services and replace them with new ones.

If you have customized the dictionary.txt file it will not be overwritten.