Tuesday, October 2, 2007

Inside Active Directory Password Filter DLL

I had posted a blog entry, How to get plain text password in Active Directory???, to give some insight into how to write a password filter DLL.

In this post I am going to talk about some issues and precautions that should be followed while writing these components.

Like user accounts, Active Directory maintains computer accounts in its repository and enforces on them the same password policy that applies to user accounts. For example, if there is a policy to change the password every 30 days for user accounts, the same applies to the computer accounts stored in Active Directory. This policy can be disabled for computer accounts, but that leads to security issues on the network, because these computer accounts are used to provide a form of internal authentication when you access shared resources over the network, such as a printer or a shared folder.

Computer account password change notifications should be ignored when passing credentials to identity management (IDM) products for synchronization (I am assuming that you know why this is done???). If the password filter DLL sends these computer password change notifications to the IDM products, they will not be processed, as these products do not manage computer accounts.

Every computer account has a sAMAccountName attribute that ends with a DOLLAR ($) character. The password filter DLL should check whether the sAMAccountName in the event ends with DOLLAR and, if it does, skip the whole process. This provides two benefits:
1) It increases the efficiency of the password filter DLL, as it skips the processing of unnecessary accounts.
2) It makes better use of network bandwidth.
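The check described above, written out as an added example that is not code from the original post. It defines minimal stand-ins for the Windows types (UNICODE_STRING, ULONG, NTSTATUS) so it compiles anywhere; on Windows you would include <ntsecapi.h> and export PasswordChangeNotify from the DLL with exactly this name and signature. The forward_to_idm connector is a hypothetical placeholder that only counts calls, and the account names and password are constructed sample values. The one detail worth seeing in code is that LSA's UNICODE_STRING carries its length in bytes and need not be NUL-terminated, so the trailing-$ test must use Length rather than a wcslen-style scan.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the Windows types a password filter DLL uses, so this
 * compiles off-Windows. On Windows include <windows.h> and <ntsecapi.h>; the
 * layout matches: Length and MaximumLength are in BYTES, Buffer holds UTF-16
 * code units and is NOT guaranteed to be NUL-terminated. */
typedef uint16_t WCHAR;
typedef uint32_t ULONG;
typedef int32_t  NTSTATUS;
typedef struct _UNICODE_STRING {
    uint16_t Length;
    uint16_t MaximumLength;
    WCHAR   *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
#define STATUS_SUCCESS ((NTSTATUS)0)

/* True when the sAMAccountName ends with '$', the convention for computer
 * (and inter-domain trust) accounts. Works from Length, not a terminator. */
int is_machine_account(const UNICODE_STRING *name)
{
    if (name == NULL || name->Buffer == NULL || name->Length < sizeof(WCHAR))
        return 0;
    return name->Buffer[name->Length / sizeof(WCHAR) - 1] == (WCHAR)'$';
}

/* Hypothetical IDM connector hook (not a real API). It only records that a
 * change was forwarded; a real connector would push the credential over an
 * authenticated, encrypted channel and must never write the password to a log. */
static int g_forwarded = 0;
static void forward_to_idm(const UNICODE_STRING *user, ULONG rid, const UNICODE_STRING *pw)
{
    (void)user; (void)rid; (void)pw;
    g_forwarded++;
}

/* The exported notification entry point. LSA calls it after the new password
 * has already been committed, so it cannot veto the change and should return
 * STATUS_SUCCESS promptly; the computer-account short-circuit avoids a
 * pointless network round trip to the IDM product. */
NTSTATUS PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword)
{
    if (is_machine_account(UserName))
        return STATUS_SUCCESS;          /* computer account: skip entirely */
    forward_to_idm(UserName, RelativeId, NewPassword);
    return STATUS_SUCCESS;
}

/* Test helper: build a UNICODE_STRING from ASCII with no NUL terminator,
 * mimicking what LSA may hand the filter. */
static UNICODE_STRING make_ustr(WCHAR *buf, size_t cap_chars, const char *ascii)
{
    size_t n = strlen(ascii);
    if (n > cap_chars) n = cap_chars;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)ascii[i];
    UNICODE_STRING u;
    u.Length = (uint16_t)(n * sizeof(WCHAR));
    u.MaximumLength = (uint16_t)(cap_chars * sizeof(WCHAR));
    u.Buffer = buf;
    return u;
}

/* Drives one constructed notification through the filter and returns 1 if it
 * was forwarded to the IDM hook, 0 if it was skipped. */
int simulate_change(const char *sam_account_name)
{
    WCHAR name_buf[64], pw_buf[64];
    UNICODE_STRING user = make_ustr(name_buf, 64, sam_account_name);
    UNICODE_STRING pw   = make_ustr(pw_buf, 64, "constructed-sample-password");
    int before = g_forwarded;
    PasswordChangeNotify(&user, 1105 /* constructed RID */, &pw);
    return g_forwarded - before;
}

int main(void)
{
    const char *samples[] = { "jsmith", "WORKSTATION01$", "svc_backup", "DC01$" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %s\n", samples[i],
               simulate_change(samples[i]) ? "forwarded to IDM" : "skipped (machine account)");
    return 0;
}
```

Because the notification arrives after the change is committed, any failure inside the IDM hand-off should be logged (without the password) and swallowed rather than turned into a non-success status; the filter's job here is synchronization, not enforcement.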

Hope these tips help you build a more efficient password filter DLL.

2 comments:

Techblue Software said...

TechBlue Software is a recognized leader in the Software Development field, having helped a range of organizations in their mission to cut down their costs while retaining or increasing the level of quality of their software. Active Directory Password Reset Solution (ADPR) is TechBlue Software's flagship product for Active Directory user management. TechBlue Software provides solutions for small and large businesses, specializing in custom development and well-crafted products.

Techblue Software provides utilities for password reset and enrollment.
· Software Development Services in various Technologies
· Product & Application Development Services in various Business Domains.
· Self Service Operation: Users reset passwords and recover accounts on their own.
· Password Reset Anywhere: Reset passwords from any login dialog. ADPR adds a "Reset Password" option.

For more details, you can refer to http://www.techbluesoftware.com

johnrockfellerZ said...

ADAudit Plus is a valuable security tool that will help you be compliant with all the IT regulatory acts. With this tool, you can monitor user activity such as logon, file access, etc. A configurable alert system warns you of potential threats.

http://www.manageengine.com/products/active-directory-audit/