Password Policy Enforcer Administrator's Guide

<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <meta name="keywords" content="password policy enforcer anixis windows password policy passfilt password filter Dictionary Rule" /> <meta name="description" content="Password Policy Enforcer Dictionary Rule." /> <title>Password Policy Enforcer Dictionary Rule</title> <link rel="StyleSheet" href="document.css" type="text/css" media="all" /> <link rel="StyleSheet" href="catalog.css" type="text/css" media="all" /> <link rel="first" title="First" href="TOC.html" /> <link rel="last" title="Last" href="License_Agreement.html" /> <link rel="previous" title="Previous" href="Character_Rules.html" /> <link rel="next" title="Next" href="Keyboard_Pattern_Rule.html" /> </head> <body> <table id="SummaryNotReq1" width="220" border="0" align="right" cellpadding="0" cellspacing="0"> <tr> <td align="right"> <a accesskey="4" href="Character_Rules.html"><img id="LongDescNotReq1" src="images/prev.gif" border="0" alt="Previous" /></a><a accesskey="5" href="Keyboard_Pattern_Rule.html"><img id="LongDescNotReq2" src="images/next.gif" border="0" alt="Next" /></a><br /><br /> <span><a href="http://www.anixis.com/" style="font-family: Arial, Verdana, Helvetica, sans-serif; font-weight: bold; color: #007577;" target="_top">ANIXIS Web Site</a></span> </td> </tr> </table> <p> <a href="http://www.anixis.com/products/ppe/" target="_top"><img id="LongDescNotReq3" src="images/logo.gif" width="174" height="46" border="0" alt="Password Policy Enforcer" /></a> </p> <hr align="left" /> <blockquote> <a name="wp9000644"> </a><h2 class="pHeading2"> Dictionary Rule </h2> <a name="wp9000645"> </a><p class="pBody"> The Dictionary rule rejects passwords that are vulnerable to attack with a dictionary or hybrid cracking algorithm. Dictionary cracking algorithms can crack the weakest passwords in seconds, so always enable the Dictionary rule to protect passwords from these very fast algorithms. </p> <a name="wp9000646"> </a><p class="pBodyRelative"> <img src="images/Password_Policy_Enforcer_54.jpg" height="297" width="255" id="wp3000050" border="0" hspace="0" vspace="0"/> </p> <a name="wp9000647"> </a><p class="pBody"> Select the <span style="font-weight: bold">Enabled</span> check box to enable the Dictionary rule. </p> <a name="wp9000648"> </a><p class="pBody"> Select the <span style="font-weight: bold">Detect inclusion of non-alpha characters</span> check box if PPE should remove all non-alphabetic characters during analysis. This allows PPE to reject passwords such as "myp8ass8wor8d". </p> <a name="wp9000649"> </a><p class="pBody"> Select the <span style="font-weight: bold">Detect character substitution</span> check box if PPE should reject passwords that rely on <a href="PPE_Rules.html#wp9000526">character substitution</a> to comply with this rule. </p> <a name="wp9000650"> </a><p class="pBody"> Select the <span style="font-weight: bold">Bi-directional analysis</span> check box if PPE should additionally test passwords with their characters reversed. Enabling bi-directional analysis stops users from circumventing this rule by reversing the order of characters in their password. For example, a user may enter "drowssapym" instead of "mypassword". </p> <a name="wp9000651"> </a><p class="pBody"> Select the <span style="font-weight: bold">Wildcard analysis</span> check box if PPE should search for wildcard templates in the dictionary file. Wildcard templates are specially formatted dictionary words that PPE uses to reject a range of passwords. The Dictionary rule supports two wildcard template formats: </p> <a name="wp9000652"> </a><p class="pBodyRelative"> </p> <div align="left"> <table border="1" cellpadding="2" cellspacing="0" bordercolor="#007577" id="wp9000065table4000007"> <caption></caption> <tr align="left" valign="top"> <td><a name="wp9000065"> </a><div class="pCellHeading"> Format </div> </td> <td><a name="wp9000066"> </a><div class="pCellHeading"> Example </div> </td> <td><a name="wp9000067"> </a><div class="pCellHeading"> Description </div> </td> </tr> <tr align="left" valign="top"> <td colspan="1" rowspan="2"><a name="wp9000068"> </a><div class="pCellBody"> Prefix     </div> </td> <td><a name="wp9000069"> </a><div class="pCellBody"> !!BAN*!!     </div> </td> <td><a name="wp9000070"> </a><div class="pCellBody"> Rejects passwords that start with BAN. For example: band, banish, ban, bank etc.      </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000072"> </a><div class="pCellBody"> !!2*!! </div> </td> <td><a name="wp9000073"> </a><div class="pCellBody"> Rejects passwords that start with the numeric character 2. For example: 2ABC, 2123 etc.      </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000074"> </a><div class="pCellBody"> Suffix     </div> </td> <td><a name="wp9000075"> </a><div class="pCellBody"> !!*ING!! </div> </td> <td><a name="wp9000076"> </a><div class="pCellBody"> Rejects passwords that end with ING. For example: pushing, howling, trying etc.      </div> </td> </tr> </table> </div> <p class="pBodyRelative"> </p> <a name="wp9000653"> </a><p class="pBody"> <br />Enabling Wildcard analysis will slightly increase search times, so only enable this option if the dictionary file contains wildcard templates. The dictionary files included with PPE do not contain any wildcard templates. </p> <a name="wp9000654"> </a><p class="pBody"> Choose a value from the <span style="font-weight: bold">Tolerance</span> drop-down list to specify the maximum number of consecutive matching characters that PPE will tolerate before rejecting a password. For example, the dictionary word "<span style="font-weight: bold">telep</span>hone", and the password "12<span style="font-weight: bold">telep</span>ort" contain five consecutive matching characters (shown in bold type). PPE will reject this password if the tolerance is four (or lower), and accept it if the tolerance is five (or higher). </p> <a name="wp9000655"> </a><p class="pBody"> Click the <span style="font-weight: bold">Browse</span> button to select a dictionary file. PPE installs two dictionary files in the \Program Files\Password Policy Enforcer\ folder (\Program Files (x86)\Password Policy Enforcer\ on Windows x64). Every domain controller should have a local copy of the dictionary file. Accessing a dictionary file over a network connection will degrade performance, and could jeopardize security. </p> <hr width="100%" align="left" size="1" /> <table width="95%" border="0" cellspacing="0"> <tr> <td width="50" valign="top"> <img src="images/information.gif" width="32" height="32" /> </td> <td> <a name="wp9000656"> </a><p class="pInformation"> Dictionary files must exist in the same folder on every domain controller. The \Program Files (x86)\ folder does not exist on 32-bit Windows, so move the dictionary files into the \Program Files\Password Policy Enforcer\ folder if your domain has both x86 and x64 domain controllers. </p> </td> </tr> </table> <hr width="100%" align="left" size="1" /> <a name="wp9000657"> </a><p class="pBody"> Click the <span style="font-weight: bold">Sort</span> button if the dictionary file is being used with PPE for the first time, or if words have been added to the dictionary file since it was last sorted. The PPE management console will sort and reformat the file so that PPE can use it. Sorting the file also removes duplicate words, so the sorted file may be smaller than the original. </p> <a name="wp9000658"> </a><p class="pBody"> Click the <span style="font-weight: bold">Messages</span> tab to customize the Password Policy Client <a href="Customizing_Rule_Inserts.html">rule inserts</a> for this rule. </p> <a name="wp9000659"> </a><h4 class="pHeading4"> Sample Dictionary Files </h4> <a name="wp9000660"> </a><p class="pBody"> Two sample dictionary files are installed in the \Program Files\Password Policy Enforcer\ folder (\Program Files (x86)\Password Policy Enforcer\ on Windows x64). Both files are sorted and ready to use. </p> <a name="wp9000661"> </a><p class="pBody"> DICT.TXT contains approximately 257,000 words, names, and acronyms. DICT_O.TXT is an optimized version of DICT.TXT that contains approximately 97,000 words. Use DICT_O.TXT if the Dictionary rule tolerance is four (or lower), or DICT.TXT if the tolerance is five (or higher). </p> <a name="wp9000662"> </a><h4 class="pHeading4"> Creating a Custom Dictionary </h4> <a name="wp9000663"> </a><p class="pBody"> You can add words to the sample dictionary files, or download larger dictionary files (often called wordlists) from the Internet. Always sort a dictionary file before using it with PPE, and make sure that all domain controllers have a local copy of the updated and sorted dictionary file. </p> <a name="wp9000664"> </a><h4 class="pHeading4"> Dictionary file replication </h4> <a name="wp9000665"> </a><p class="pBody"> PPE does not replicate dictionary file updates to other domain controllers, however you can copy the PPE dictionary files into the Sysvol share if you want the Windows File Replication Service to replicate dictionary file updates. </p> <a name="wp9000666"> </a><p class="pBody"> The <a href="Testing_Policies.html">policy testing</a> feature cannot read a dictionary file from the Sysvol share if the PPE management console is running on a computer without a Sysvol share. This may lead to inaccurate test results as explained in <a href="Testing_Policies.html#wp9000513">Policy Testing vs. Password Changes</a>. To avoid this problem, use the Sysvol share for file replication, and have a scheduled task copy the dictionary files into another folder. The destination folder should exist on every domain controller and administrative workstation. </p> </blockquote> <hr /> <table id="SummaryNotReq2" align="right" border="0" cellspacing="0" cellpadding="0"> <tr> <td align="right"> <span style="font-family: Arial, Verdana, Helvetica, sans-serif; font-size: 11px"> © Copyright 1998 - 2009 <a href="http://www.anixis.com/" target="_top">ANIXIS</a>.<br />All rights reserved. </span> </td> </tr> </table> <table id="SummaryNotReq3" width="220" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <a accesskey="4" href="Character_Rules.html"><img id="LongDescNotReq4" src="images/prev.gif" border="0" alt="Previous" /></a><a accesskey="5" href="Keyboard_Pattern_Rule.html"><img id="LongDescNotReq5" src="images/next.gif" border="0" alt="Next" /></a> </td> </tr> </table> </body> </html>