How to Enable Strong Password Functionality in Windows NT

Last reviewed: December 20, 1997
Article ID: Q161990
The information in this article applies to:
  • Microsoft Windows NT Server version 4.0
  • Microsoft Windows NT Workstation version 4.0

SUMMARY

Windows NT 4.0 Service Pack 2 includes a new DLL file (Passfilt.dll) that lets you enforce stronger password requirements for users. Passfilt.dll provides enhanced security against "password guessing" or "dictionary attacks" by outside intruders.

NOTE: This functionality is not available under previous versions of Windows NT or under non-Windows NT network clients such as Windows 3.xx, Windows for Workgroups 3.xx, or Windows 95.

MORE INFORMATION

Passfilt.dll implements the following password policy:

  1. Passwords must be at least six (6) characters long.

  2. Passwords must contain characters from at least three (3) of the following four (4) classes:

          Description                             Examples
          -------------------------------------------------------------------
    
          English upper case letters              A, B, C, ... Z
          English lower case letters              a, b, c, ... z
          Westernized Arabic numerals             0, 1, 2, ... 9
          Non-alphanumeric ("special characters") such as punctuation symbols
    
    

  3. Passwords may not contain your user name or any part of your full name.

These requirements are hard-coded in the Passfilt.dll file and cannot be changed through the user interface or registry. If you wish to raise or lower these requirements, you must write your own .dll and implement it in the same fashion as the Microsoft version that is available with Windows NT 4.0 Service Pack 2.
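
The three rules listed above, written as a portable C predicate. This is an added example, not the source of Passfilt.dll or any Microsoft code; a custom filter DLL of the kind just described could apply a check like this to each proposed password. Assumptions: the function name passfilt_policy_ok is hypothetical, input is ASCII, matching is case-insensitive, and a "part" of the full name is taken to be a space-separated token of at least three characters.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive search for the first nlen bytes of needle inside hay. */
static int contains_ci(const char *hay, const char *needle, size_t nlen)
{
    if (nlen == 0) return 0;   /* an empty name must not reject everything */
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < nlen && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == nlen) return 1;
    }
    return 0;
}

/* Returns 1 if password satisfies the three rules in the article, else 0.
   account and full_name must be non-NULL (may be empty). ASCII only. */
int passfilt_policy_ok(const char *account, const char *full_name,
                       const char *password)
{
    int upper = 0, lower = 0, digit = 0, special = 0;
    const char *p;

    /* Rule 1: at least six characters. */
    if (strlen(password) < 6) return 0;

    /* Rule 2: characters from at least three of the four classes. */
    for (p = password; *p; p++) {
        if (*p >= 'A' && *p <= 'Z') upper = 1;
        else if (*p >= 'a' && *p <= 'z') lower = 1;
        else if (*p >= '0' && *p <= '9') digit = 1;
        else special = 1;
    }
    if (upper + lower + digit + special < 3) return 0;

    /* Rule 3a: must not contain the user name. */
    if (contains_ci(password, account, strlen(account))) return 0;

    /* Rule 3b: must not contain any part of the full name.
       Assumption: a "part" is a space-separated token of 3+ characters. */
    for (p = full_name; *p; ) {
        size_t n;
        while (*p == ' ') p++;
        n = strcspn(p, " ");
        if (n >= 3 && contains_ci(password, p, n)) return 0;
        p += n;
    }
    return 1;
}
```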

How to Install Strong Password Filtering

To ensure Strong Password functionality occurs throughout your domain structure, make the following changes on all primary domain controllers (or stand-alone servers, where needed).

PASSFILT.DLL is not necessary on backup domain controllers since the PDC is the only machine where changes to the domain accounts database are made. However, it should be installed on all BDCs because they can be promoted to PDC. If a BDC without PASSFILT.DLL is promoted to PDC, then strong password enforcement will be lost but there will be no other adverse effects.

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

  1. Install Windows NT 4.0 Service Pack 2.

  2. Copy Passfilt.dll to the %SYSTEMROOT%\SYSTEM32 folder.

  3. Use Registry Editor (Regedt32.exe) to add the value "Notification Packages", of type REG_MULTI_SZ, under the LSA key:

          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    NOTE: If this value already exists, go to Step 4.
    

  4. Double-click the "Notification Packages" value and add the following entry:

          PASSFILT

    NOTE: If the value FPNWCLNT is already present, place the PASSFILT entry beneath the FPNWCLNT entry.
    

  5. Click OK and then exit Registry Editor.

  6. Shut down and restart the computer running Windows NT Server.

For additional information on Passfilt.dll, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q151082
   TITLE     : Password Change Filtering & Notification in Windows NT
Keywords          : ntsecurity NTSrv kbenv kbnetwork
Version           : 4.0
Platform          : winnt
Issue type        : kbhowto


================================================================================


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.