
Active Directory Password Blacklisting

BSides Las Vegas · 2018 · 50:12 · 1.8K views · Published 2018-09
About this talk
Explores how Active Directory password blacklisting improves security beyond traditional complexity requirements. Demonstrates implementation using open-source tools, database configuration, and DLL installation on domain controllers, covering deployment gotchas, testing frameworks, and production rollout strategies at scale.
Active Directory Password Blacklisting - Leeren Chang Ground1234! BSidesLV 2018 - Tuscany Hotel - Aug 07, 2018
Transcript (en)

And now we're gonna have a talk about Active Directory password blacklisting. Let's welcome Leeren Chang.

Hey guys. So today I'll be doing a talk on something called Active Directory password blacklisting. I'm sure most of you guys know Active Directory; along with OpenLDAP it's one of the two most common directory services tools used today in most corporations. Specifically, I'm going to talk about how you can employ Active Directory password blacklisting in your internal networks and the benefits this will provide. What we've seen in the past couple of years is that a lot of times corporations might try to enforce more stringent password requirements by upping the complexity, for example requiring that certain categories are met, or maybe even expiring these passwords. I'm going to talk about why this sometimes isn't necessarily a good idea past a certain point, and I'll explicitly talk about how Active Directory password blacklisting, for example, can solve a lot of these problems.

So just a brief presentation outline. First I'll give a brief overview of what Active Directory is, for anyone who doesn't know. Then I'll give a brief history of password requirements, and from this I'll branch towards the need for Active Directory password blacklisting. Then I'm gonna show a demo: I'm gonna show how easy it is to install Active Directory password blacklisting onto your domain controllers, and I'm gonna do a live demo for that. Then I'm gonna talk about how we installed it at the company I work with, which is Yelp, so I'll talk about the various commercial options we explored and then how we changed to picking an open source solution and toggling that to fit our needs, and that's when the demo will actually start and I'll show you how to install it really quickly. Then just some brief transition thoughts, as someone who is primarily a UNIX-based programmer: some thoughts I had moving to a more Windows-oriented programming environment. Then I'll talk to you guys about how you can create a testing framework around Active Directory password blacklisting, and then I'll just go over some results that we have at Yelp and some final reflections.

Before we jump into this though: I'm from Yelp. Yelp is supporting about 50 million businesses worldwide, we have like 300 services, and we're not actually all about restaurants, we do a lot more than that; for example, home services as of 2017 was about 20% of our revenue, so that's pretty cool.

So what is Active Directory? Most of you probably know Active Directory as a database system, which it primarily is, right? It's a database system for organization of objects on a network using this hierarchical logical structure, and it's comprised of three logical components, which are domains, trees and forests. So basically you have domain network objects, which can be users, computers, whatever, and these form trees, which are all along the same contiguous namespace, and at the very top you have the forests, which represent trees and domains sharing the same logical structure. From a security perspective these forests represent the outermost layer behind different domain object groups, so you could maliciously change the network configurations within domains of the same forest, but not between different forests. As you all might know, it's also primarily used as an identity provider for many single sign-on solutions; you guys might also use it for authentication for internal network services or whatever corporations utilize. A lot of people think LDAP and Active Directory are two of the same things. Active Directory is the actual database system, right, and LDAP is one of many protocols that Active Directory can use for communication between different objects and manipulation of different network objects. So that was just a brief overview of Active Directory; I'm sure you guys already knew all this.

So now let's talk about password requirements real quickly. No matter what corporation you're in, you're probably gonna use some sort of requirements that look like the following: you're gonna have between X and Y characters, right, and you're gonna make sure sometimes that it doesn't contain certain words; this might be the user handle or some PII data related to your employee, like first name or last name. Then maybe inclusion of certain categories: you might want some uppercase, lowercase, numbers, non-alphanumeric digits. And a lot of times, and this was recommended by NIST before, expiring your passwords after a certain time. So I just wanted to talk about this briefly, and what I wanted to say is that sometimes this trend of upping the complexity by toggling these requirements doesn't necessarily make sense and isn't necessarily efficient. Of course enforcing a certain minimum password requirement will always make sense, because otherwise you can't prevent brute force or dictionary based attacks on very simple common passwords, and of course it also makes sense to always allow your employees or users to make their passwords as long as they want, up to a certain point, because it's all gonna be hashed and salted in your databases later. However, what does not necessarily make sense is ensuring a minimum password length that is above something like 12 to 14, and the reason behind this is that it actually makes it cumbersome for the user. The same applies to inclusion of too many categories: you're basically increasing the entropy to the point that makes it very hard for users to remember their passwords. I mean, we all know those various obscure bank accounts where they require like three or four more different categories and we don't even remember them. So the point here is it's not necessarily efficient, and this also applies to password expirations. NIST isn't necessarily recommending this either; it only really makes sense, especially assuming that you have 2FA configured for all your devices already, to expire passwords if they've been deemed to be compromised or susceptible to a breach or seen in some sort of dump. I'm gonna explain exactly what I mean in a second, but this all centers around the idea that humans are very much predictable, right? If Bob uses a very stupid password like "password" and then suddenly the requirements are changed to ensure you also have to have a number, there's a very high chance Bob will use "password1" as the password.

So to summarize: why should we integrate password blacklisting in AD, and what was the point I was trying to make from this? I have three main points. The first is that complexity doesn't necessarily override predictability: just because your passwords are complex doesn't mean they're not very commonly used. The second is that complexity doesn't override breachability, and I made up the word "breachability" so it sounds nice, but you get the point; basically leaked passwords will always remain a standard attack vector and we always want to prevent against this. And this brings me to the last point, which is that complexity doesn't protect against dictionary attacks. Nowadays one of the most common attack vectors are these leaked password dumps that dictionary attacks are run with; for example LinkedIn in 2008 or 2012 got hacked by a bunch of Russians, and this is what you call password spraying: there is a very good chance that those credentials utilized by those LinkedIn employees were also being used for other different websites or organizations. Password spraying is the term to reflect this and it's extremely common nowadays. So this is where Active Directory password blacklisting comes in, and given how popular it is as a directory services tool, it makes sense to just have this installed in whatever corporate systems you're working on, because it's incredibly easy and it just gives you such a high defense layer against these targeted attacks.

So, Yelp. We knew we wanted to integrate some sort of Active Directory password blacklisting mechanism into our services, so at first I was tasked with figuring out what kind of commercial option we might want to look at, but ultimately we decided against this. This might not necessarily be the best decision, maybe you might disagree, but for us the reason was that there was a lack of transparency. I'm gonna go into exactly how this works later, but the basic idea is that this is a very sensitive service we're dealing with, right? Basically, this process that does this authentication is called the Local Security Authority for Windows Active Directory, and in this process, called LSASS, any uncaught exception, if there is one, would cause a crash and yield the blue screen of death we all hate, right? So we really wanted this to be as transparent as possible. And finally, a lesser point is just that we thought it might increase Yelp's attack surface area if we relied on this single vendor solution.

So given this we decided, okay, we should install a password filter; how the hell do we do that? I was actually tasked with this project and I had no idea how Windows programming works or what domain controllers were, so I had to do a lot of research, but it turned out it's pretty simple. You basically have this one interface called a password filter, a DLL, and DLL stands for dynamic linking library, and I'll explain what that is in a bit, but basically it's just this one interface; you have to put it into your Windows\System32 folder, and it's comprised of three functions. One is this thing called InitializeChangeNotify: when your computer or domain controller boots up this function will be called to indicate whether or not your password filter DLL is loaded, and this one isn't that important, you can just by default return true. The second is called on your DLL to indicate whether a password authentication was actually successful and the password changed; again, this is only if you do stuff post-authentication, so it's not as important. It's only maybe this last function you have to implement, and this will make such a huge difference in whatever corporate environment you're working in: you just have to implement this function to perform your password validation and install it into your Local Security Authority, or put it in its registry, and then you're done. I'm gonna talk to you exactly about how to do all this.

So, a few more details: this is basically how the authentication flow works. The client makes a password change request; this goes to the Local Security Authority, which is the Windows service responsible for all these types of authentications and authorizations, and then for each registered password filter DLL of the Local Security Authority it will call that password filter function, and depending on whether or not that returns true or false, the password will be committed to the SAM, or Security Accounts Manager, assuming that it was approved by all registered DLLs. So you can actually register more than one DLL, which is really interesting if you have various different types of password-based authentication mechanisms you want to employ. And the Security Accounts Manager, this is just Windows' internal database for storing all these hashed credentials; it uses a combination of NTLM and LM hashes, the details of that I'm not as familiar with, I'm sure some of you are though. But yeah, at the end, finally these changes are synced to the actual DLL via PasswordChangeNotify and the authentication is done. So that's what the flow really looks like.

So knowing this, we did more research and we explored various open-source solutions, and we found one that really fitted our needs best, which is called Open Password Filter, and the links are here at the bottom if you want to take a picture. It was actually a fork of this open-source solution that we decided to utilize, and the reason was, well, three main points. First, it was super easy to configure: it provided configurable operability with a SQL database, so all you had to do is pipe a bunch of hashes into your own provisioned database within your network and then just connect it with that. And then, also very important, it incorporated a service-oriented architecture. So what does that mean? Remember when I said the DLL is extremely sensitive; I dealt with this initially thinking I could do the DLL on my own, and any crash there and you'll get a blue screen of death, and it's extremely frustrating. So instead, if you have the DLL call another registered service, you can execute this fail-open design such that on any crash of your service you by default return true, and you'll never have any issues with the blue screen of death on your DLL itself. I'll show you what that architecture looks like. So basically it's very much like the architecture diagram you saw earlier: you have your Local Security Authority, a client password request is sent to this, and then that's calling the password filter on every registered DLL. But instead of directly authenticating through the DLL code, you actually call, through your loopback interface, this thing called the OPF service; the open source solution is called Open Password Filter, so OPF stands for Open Password Filter. So you call this service and then that does the authentication for you, and of course it'll do this authentication using whatever registered SQL server you've provided, and then given success or failure this will then be committed to your Security Accounts Manager. So that's pretty much what the flow looks like.

Now I'm going to show you exactly how you can install one on whatever domain controller. I don't know if I mentioned this earlier: if you don't know Active Directory, all the authorization and authentication is done on the actual domain controllers, so you'll have to install these DLLs on every registered domain controller on your network. So how do you install this? Well, it basically boils down to these steps, and on the right I've highlighted some Windows commands you can use to help assist you with this. First you want to configure your domain controllers, and I'd suggest just starting with a standalone domain: just run a Windows Server 2008 R2 instance or something and install your own standalone domain controller, and make sure Active Directory Domain Services is installed on every one. The next thing you want to do is set up local group policies; this is for testing purposes, you want very bare minimal password requirements just for testing, so stuff like "password" will be installed into your database and you can make sure that's being blacklisted as appropriate. This is just a convenience thing. Then finally, load your common password hashes; nowadays I think the most common one is haveibeenpwned.com, and most of these hashes are all SHA-1, so you can just download them there and then import that into your database, which is the next step: creating the database, importing the hashes. Then you want to move your DLL to the system's registry and then start your authentication service. So remember, the DLL is calling on this service to do the authentication, and, sorry, this is where you actually register the DLL, because you have to put it in this Notification Packages registry key so that the Local Security Authority knows to load it on boot. And yeah, if you do this you're pretty much done, and the reward is so much; it's really simple, it shouldn't take too long, you really should have this in whatever corporate environment you're using. But anyway, enough with the talking, I'm going to show you how you can do this in a demo.

All right, okay, whatever, all right, I'll just deal with it like this, okay, cool. So here I have installed a Windows 2008 R2 server, I've just configured Active Directory Domain Services and I've installed my own standalone domain. So what we're gonna do is we're gonna create a database and we're gonna have password filtering working, and just to start everything off I'm gonna show you that. I'm gonna turn on the keycaster; so currently my password is admin1234. If I use the password "password" it's going to authenticate, because I've configured very bare minimal local security policies, and that's just to show you that doing this works. So I'm just gonna revert back to my old one. All right, cool, so I changed it back to admin1234!. This is probably one of the very few times you want to have keycasting on when you're typing your password.

The next thing I want to do is just really quickly copy this. So here I have a PowerShell open, and the first thing I want to do is I actually want to get this snap-in for executing SQL Server commands, which is what I'm using, so let me just add that really quickly. I should have done this before the demo, but oh well, so I'm getting that snap-in. Okay, cool, so now we're gonna create a database, right, and I hope you guys can see that, I think it's big enough. So the first thing we're gonna do, oops, that's the wrong thing I copied, let me just copy this real quickly; all right, everything's gonna go perfectly from here, trust me. So the first thing we're gonna do, we're gonna create a database and we're gonna call it passworddump. The next thing we're gonna do, we're gonna create a table for this, so we're gonna create a table in that passworddump database using the database object basic schema (dbo), and we're going to call it blacklisted, and then in blacklisted we're going to have two variables, okay: we're gonna give it hash ID, which is an int which is not null, and then a hash, which is a varchar, and since they're SHA-1 hashes we're gonna make it length 40, and this of course is also not null. So that's done. The next thing we want to do, we want to create a user or login; so logins are for authenticating to the database and then users are for the specific table, so they're a bit different. I'm going to create a login, I'll call it bsidesreader, and I'm gonna say it has the password equal to, let's say, BSidesLasVegas2018, and I'll give it a default database of what we just created, which is passworddump. So that should work, all right, cool. The next thing I wanna do is... this is why I don't like PowerShell, because you can't paste, it keeps dying. Okay, here we go. Next we want to create the user, so let's USE passworddump and then we're gonna create the user, CREATE USER, and let's also call it bsidesreader for the login bsidesreader, cool. And then finally we want to give it read privileges, so we're gonna give this the role, which is, we want to execute this sp_addrolemember, and then we're gonna give it the db_datareader role for bsidesreader. So that should work, okay. So now I've created a database, and I've created a login and a user for accessing that blacklisted table.

The next thing I want to show you is this directory, right. So I've pretty much installed that thing called OPF, which is Open Password Filter; I've installed a precompiled version, there's some small configurations I added from Yelp, but it's pretty much gonna be the same thing, you just go to that link you saw earlier and install the precompiled version. And you see this hashes.txt file, right; so if I open this, basically I've downloaded a bunch of SHA-1 hashes from haveibeenpwned.com, like the top 1 million or something, and I've also prepended an ID to them. So we have these hashes, let's import them into our actual table. I can just do BULK INSERT and then passworddump.dbo.blacklisted, and then I'm gonna insert the actual hashes, which is from my Users\Administrator\hashes file, and it has to use these field terminators; so the field terminator in this case is a comma and then the row terminator is actually a line feed, which you can use the hex character 0x0a for. That should work, okay, so now it's importing, which is awesome, and we can just quickly show that it's actually in there: so SELECT from passworddump.dbo.blacklisted, and yeah, you can see we imported that into our database. Okay, so we got the database configured, and again you can just re-watch this and just follow what I do and you can install password blacklisting into your local orgs.

So the next thing we want to do is we want to actually register the service. So what we can do is, in this directory, the precompiled directory that you can download, you'll see the four files: the DLL, the actual service executable, a configuration for that, and also this nice testing executable just for testing the service itself, not the DLL of course. So in that configuration file there's a bunch of predefined keys and values you can add to this; since I have this standalone domain controller it's gonna be on localhost, and the database, we called it passworddump, right, and then the table name was blacklisted, the username was bsidesreader and the password was BSidesLasVegas2018, or I think, yeah, that should be it. All right, cool, so we configured the installation configuration file, and now the next thing we want to do is actually install the service. So if we go to the Windows .NET Framework64 directory, and then it's called InstallUtil.exe, we can actually just install the service, and again this is all in PowerShell. [Music] So that's been installed successfully. The next thing we want to do is we want to move the DLL itself into Windows\System32, so let's copy that really quickly; copy the DLL into Windows\System32, cool, and that should be it. Next we actually want to quickly start the service, so sc start opf, okay, the service is started. We installed a database, we imported some hashes into it, we configured the installation configuration, we put the DLL in System32, we started the service, that should be it. So the next thing you want to do, remember I told you that these DLLs are only loaded by the LSA during boot, so you have to restart your computer, so I'll just do that really quickly. I feel like there's one thing I forgot; I hope this live demo works, it's taking a huge risk, it's gonna work, don't worry. All right so, cool, that's gonna take a while, I don't want you guys to wait for it to shut down, so while that loads I'll just give you another slide: some implementation gotchas.

Okay, so some implementation gotchas, especially if you don't want to use an open source solution, or if you want to install your own DLL yourself or configure your own DLL or your own service. One thing: any crash in this process means you'll get a blue screen of death, which means you'll need a kernel debugger if you're actually gonna do all the coding logic in the DLL, so I don't suggest doing that. Completely replacing a DLL actually requires two reboots: one for actually clearing the registry and the other for actually loading the library, and like I said this DLL is only loaded during boot by the Local Security Authority via this notification registry of the Local Security Authority. And then, yeah, the DLL has to be installed on every network domain controller, so don't forget that; don't just have an install on one, otherwise authentication piped to other domain controllers won't work. And another interesting gotcha is that these password policy error messages are hard-coded into the Microsoft operating system, so you can't change the message that says these password requirement complexities aren't met, which can be a good thing or a bad thing depending on your needs. Let's see if it finished... it still didn't finish, okay.

So just here are some thoughts I had transitioning from a UNIX programming environment to a more Windows-heavy one, especially with PowerShell. First thing is, what's a dynamic linking library? I didn't know what that was; now I know it's pretty much like the .lib files except it's shared memory that you don't have to compile when importing libraries in, it's all shared in one contiguous memory chunk on demand when your program's loaded. Another thing I learned is I really like using PowerShell; I thought the transition was pretty seamless, we went from batch to PowerShell, the programming language is really intuitive, I thought, I don't know, I really had a great time using it. Another question I had is, what's a domain controller? I didn't know what this is, but this is where all the authentication and authorization is done for Active Directory. I also thought it was incredibly convenient that UNIX and Windows use the same line terminators, so this made it really easy when I was programming in UNIX and then moving to Windows. Another thing I asked myself is, how do I debug an LSASS process without going crazy? So this part was pretty hard, it was kind of mundane, it kind of really stressed me out, so again that's why the service oriented architecture suited our needs so well. Another interesting question is, how do I test LDAP authentication across a domain of a thousand plus users? So this is an interesting question, I'll talk about this in the testing framework part. And if you guys... I don't think you guys realize this, but this was extreme sarcasm, and this is also sarcastic.

All right, let's see if it actually installed. So let me just log in and I'll show you the password I'm using, which is admin1234... that's weird, I never got that before, okay, geez. All right, let's hope this works. So if I open CMD, one thing I want to show you again is I'm using really minimal password complexity requirements, so if I theoretically change the password it should work, I mean, it should get blacklisted. Another thing we want to check is that the DLL has been registered into the LSA's registry, so we can do that by doing something like reg query, I think it's HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and then you can search for Notification Packages; so we can see that it has been registered. And another thing we can do is we can query that the OPF service is running, so it does seem like it's running. Another thing that's useful is this open source precompiled version provides a testing framework, so you can just check whether...

That is really weird. I've... that's just outrageous, I've done this demo like ten times, I've never gotten this failure, so I'm really sorry about this, this is crazy, sorry. Oh, actually I used the wrong executable, so it's all good, actually I was just using the wrong executable. So it provides a testing framework called OPF test password, and this just tests that the service authentication works, and as you can see testing the password "password" results in a failure. But let's see if the DLL actually works, so if I change my password, and again I'll show you what I'm typing, sorry, my old password was admin1234, now if I try "password" it's unable to update the password. So that was all live; it actually is a lot harder than it looks, but everything worked, which is nice. Thanks.

All right, so that shows you how easy it is to install everything. Now I'll talk about how you can test and employ this. At Yelp we pretty much divided it into four phases. The first thing you want to do is identify what kind of passwords you want to deploy; especially depending on the policies you set, you might want to use a different set of passwords meeting your policies, and also depending on the scale of your users or employees you want to adjust accordingly. So first phase: identify your passwords. Second is you want to test your password filtering service on a standalone domain, just like what I did, just spin up a Windows 2008 Server R2 instance, and then hopefully you have a development domain configured, or a lab domain with multiple domain controllers, that you can finally test this with. And then you want to slowly roll this service out to production servers in something I call non-enforcement mode, which means at first you want it running but you don't want it actually authenticating or blacklisting, you just want to log that it would have otherwise succeeded, and then after a while, like two or three months, and making sure everything is what it looks like, then you can actually run it in enforcement mode where you actually deny the passwords.

So phase zero, acquire passwords. This should be pretty simple, it looks something like this: you just gather a bunch of compromised passwords or SHA-1 passwords, and if they're plain text already just SHA-1 them yourself; on the right you can see some scripts for doing that. And then maybe you want to filter these against those conforming to your policies; these are just some random policies I made at the bottom. Then you want to move to your actual testing framework. So what we did was we kind of divided this dump of passwords we got into four different groups. In reality there are only two groups you care about, right, which is whether they're in the dump or whether they're not in the dump, and again this is all for testing purposes, but because there's also this pre-authorization done on whether the complexity requirements are met, we divided again into two more groups, so you have four in total, and this is just for completeness' sake. So yeah, and number two is just to generate SHA-1 hashes of those you plan to put in your password dump so that they're in your actual blacklisting database, and then finally you generate a PowerShell script, or whatever script you want, that basically tests whether these resets and LDAP binds are actually being successfully done. So if it's not in the password dump but meets the complexity requirements it should, right; so you're just testing the expected behavior of all these groups using something like a PowerShell script with resets and LDAP binds, and then of course at the end you want to log all your results, including the average reset time. So that's what this looks like: I divided the passwords into four different categories and then just wrote this huge PowerShell script for verifying the behavior, i.e. that for each you have an expected outcome and an actual outcome, and you want to make sure these are the same, that they're all correlated properly.

So just in terms of the results we got at Yelp: the left diagram, it doesn't really mean anything because no password filter DLLs are configured, so the fact that the last right columns are kind of different is just random, but then in the results with the DLL configured you can see the average time, and of course this includes passwords which are in the blacklist, so of course the time will be a lot lower, but what you'll notice is that the "yes policy, no dump" on the right side and the "yes policy, no dump" on the left side are pretty much the same, so the overhead was almost minimal, you couldn't even notice it. So that was the standalone domain. Next you want to move to the actual lab environment, right, so it's gonna be the same as I talked about earlier, except you're gonna do some more things differently. You want to be indexing these logs to your SIEM somehow, so you can make something in like syslog with whatever timestamp to do this, and you also have an additional cross-verification check with Windows event logs; so 4723 and 4724 are the codes for success and failure respectively. And then finally you want to toggle between enforcement and non-enforcement modes: so when you suddenly roll this out into prod you want to make sure that non-enforcement mode is toggled, just in case there was something you missed, and then slowly look at the results from your SIEM data, your logs, whatever, and make sure everything is correlated, and once that's guaranteed then move it to actual enforcement mode where you're actually denying these blacklisted passwords. So that's probably going to look something like this: putting in this block and being able to index all this, having this ability to see everything very conveniently, that's what SIEMs are for, right. And then we got these average results, which are that most of these password DLLs didn't impose any overhead whatsoever, it was extremely marginal. And then, yeah, finally you put it into production, and yes, I spend most of my time making these planes. So that's about it.

So, final reflections. Let's ensure good communication between all teams; most of the people I was working with were remote in London and I was the only guy in San Francisco, so ensuring that everything was documented was very, very, very important, and that's the second point I wanted to make. You also want to be very patient with everything, especially if you do plan on making your own custom DLL and maybe using a kernel debugger; you want to be very patient. And the last thing is I hope I don't touch PowerShell again... and I don't know why you guys didn't find the sarcastic comments that funny, I thought those were hilarious. Anyway, that's about it. I have a blog post which details all of this, so you can check that out, or you can just search "Yelp Active Directory password blacklisting"; it'll include the code for the testing and I think also the code for our steps for installing your DLL. And then lastly, Yelp's hiring, especially for the security team; I'm part of the corporate security team, so if you're interested you can talk to me later. But that's it, so thank you. [Applause]

Yeah, what you used inside the DLL? Yeah, so if you look at most password dumps these days, most of them will be hashed already, and I think you'll find that SHA-1 hashes are the most common, but the actual authentication flow works in such a way that you have the password passed to your Local Security Authority and then that

actually so your DLL service will sha-1 hash that password and compare with what's in the dump yeah so there's been a lot of discussion over the past few months about how large blacklist should be if you make them too long you know if you use Troy hunts half a billion passwords you're going to really annoy users and if you make it too short you're not getting the effect that you want so do you have any opinions on how larger yours and do you have opinions on what the appropriate size is yeah so we use about I think it was like ten to a hundred million and we didn't really face any performance constraints and also depending on where you're sampling

these passwords from you might for example the sampling a bunch that conform to your password policy so we did take like for the sha-1 hashes you can't know unless you like do a dictionary attack yourself with a bunch of GPUs but for those that you do know you can actually filter them against those that pass your password policies and then shot one of those yourselves and put them in another interesting thing you can do which is really effective is so we at Yelp not only do we sample these commonly used passwords but we created our own using some algorithms that would add where it's like Yelp or maybe even the months of the year because they're extremely

popular and will be used by your employees trust me yeah yeah for the filtering message have I included the hash ID yeah yeah yeah that could be a good idea especially for your testing framework so what I showed wasn't our actual official spunky index it was just something I generated but yeah that's

right so so right I said in an earlier slide though it doesn't seem like you can change that message because it's hard-coded into Microsoft's operating system so unfortunately you can't configure that oh oh yeah you know it's this default message that's always returned on a password authentication failure so you can that you can't change that unfortunately quite a practical question about updating the passwords to cross the domain controllers how do you do that okay so that's the reason the service-oriented architecture is so great right so the database doesn't necessarily have to exist in your domain controller the domain controller is only calling this DLL which calls upon the service which can

so currently yeah we're doing that and I guess that's why he asked about scalability concerns so that is something we have to think about okay so oh yeah okay so so actually what we did is we understand your problem and because of this we explicitly targeted the most commonly used passwords instead of just random password leaks and that's how we got the top 10 or 100 million from various sources with having been pwned calm being just one of them because we ran tests on this and we did realize like almost all of these either weren't conforming to our password policy or we're just too so obscured that no one was using them and again this is for our internal corporate

systems we do something entirely different for actual user authentication

since the error message in Windows can't be updated directly did you have user education outreach type session or when this new blacklist was implemented right that's actually something that's ongoing which is a great point you're making which is how do we notify the users that this error message might mean that they've been blacklisted so that's where the logging infrastructure comes in so you can configure these logs to detail this the specifics of why a user was blacklisted or not and currently what we do is we basically scrape these logs and then email our individual employees or users who have been compromised through this attack but you know developing a better strategy for this is something

that we're currently thinking about

um I mean the biggest problem with me is I just didn't know anything about PowerShell and it was really stressful learning about how to debug everything but after you like if I had this demo and if I could see this demo I just did when I was doing it could probably take me a week honestly yeah anyone ice

against known password my question is that have you gone beyond this where you're actually searching passwords that are already in your database hash however Microsoft's doing it in your domain and you're alerting those people your password it's a very common one you need to change it right so we're like I said to him we haven't developed an accurate pipeline for telling employees that they've been compromised because of blacklisting we've only made it really general at this point and right now what we're doing is these emails through scraping of the logs which isn't very efficient but this is a relatively new service so we're actually doing that right now it should be done pretty soon hey yeah do you know if there is any way

to use kind of a wild-card to avoid certain words from being used yeah so so that's why this DLL is so useful like we added some of this logic to our password filtering service too you can just put that in the service that the dll calls whatever type of you know pattern matching you might want to do you can put it in that it's really easy to configure it's just basic reggae yeah thank you yeah just a another quick question about the service because it is a service I assume that a couple of things it can be run on one instance or on a distributed framework potentially and also if you can write your own rules in that service

can do things more than just regex can it use like custom functions and things like that I mean yeah yeah it's all up to how you want to program it the the baseline is you have this DLL with this interface and you can implement these functions however you want so yeah it's really really you know flexible I was wondering I I don't know is there a way to check for this is not exactly what you're talking about but is there a way for to check for duplicate characters of any character in a password yeah you can you can just uh do that function so so the DLL is just this file that will call whatever service you've registered and

your service can be running like c-sharp C++ or whatever and you can do all this filtering on your own it's just like basic code matching so you could definitely do that that's that's something a lot of people do actually which is duplicate consecutive characters what confused about is that for example if your if your if your password was 12 characters long yeah how would it how wouldn't know that the the you typed a twice and that that position that a twice was you know ten characters and versus two characters in in the hash that you have oh okay sorry so the LSA right the password that it gets passed is actually in plain text that's why this is such a you know

sensitive service that you want to make sure it's very secure and then it does so you would do the checking there and then you - it and compare it against your database but that's why you have there's a lot of security concerns and a lot of people might ask like oh what if you pipe it to you know localhost what if someone's sniffing on your domain controller but usually the the general response is if a malicious hacker is compromised your domain controller you have much bigger things to worry about right

anyone who like to ask how nervous various aside means when you deployed in production I'm sorry what how nervous may your society means when you deployed this in production oh yeah I mean that's why I emphasizes not enforcement and enforcement mode so we were doing non enforcement mode for almost like one and a half months and I could do a bunch of aggregation on the data we've already employed and we knew there were no issues whatsoever so it's just a matter of resetting the service with enforcement mode turn it true so I wasn't nervous at all actually you you mentioned you're still kind of in the process of the user education component of this I have other plans for

expanding this or changing the way that you've got it implemented yet or is that still something that will come with time I think this is probably the final part I don't really see any other issues like we have the password filtering installed we have the logging infrastructure there it's just making the whole pipeline more efficient for when someone got compromised and it's in their log to directly messaging the user for why this is the case but that should be the final part yeah questions

less chance questions I think that's it all right cool thank you guys so much [Applause] [Music]
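The filter decision flow and the four-category expected-versus-actual check described in the talk, as an added Python sketch that is not the speaker's PowerShell script or Yelp's service code; the SHA-1 blacklist, the complexity policy and the company-name/month pattern rules are constructed stand-ins, and enforcement versus non-enforcement mode is modelled as a flag:

```python
import hashlib
import re

# Constructed sample blacklist, stored as SHA-1 hex digests the way most dumps ship.
BLACKLIST = {hashlib.sha1(p.encode()).hexdigest()
             for p in ("Password1!", "Summer2018!", "password")}

# Constructed pattern rules standing in for the company-name / month-of-year rules.
PATTERN_RULES = [re.compile(r"yelp", re.I),
                 re.compile(r"january|february|march|april|may|june|july|august|"
                            r"september|october|november|december", re.I)]
LOG = []  # lines the service would ship to syslog / the SIEM for cross-checking


def meets_policy(pw):
    """Assumed complexity policy: at least 8 chars and three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in classes) >= 3


def filter_password(user, pw, enforce):
    """Decide on the plaintext the LSA hands the DLL, as the backing service would.
    Returns (accepted, reason). In non-enforcement mode hits are logged, not denied."""
    if not meets_policy(pw):
        return False, "policy"           # complexity check fails first
    if hashlib.sha1(pw.encode()).hexdigest() in BLACKLIST:
        reason = "blacklist"             # hash-compare against the dump
    elif any(r.search(pw) for r in PATTERN_RULES):
        reason = "pattern"               # regex rules added in the service
    else:
        return True, "ok"
    LOG.append(f"user={user} result={reason} enforce={int(enforce)}")
    return not enforce, reason


def run_test_matrix(enforce):
    """Expected-vs-actual check over the categories from the talk (blocked = in the
    dump or a pattern hit). Returns the mismatches; an empty list means it behaves."""
    cases = [  # (password, blocked, meets_policy) -- constructed inputs
        ("Password1!", True, True),
        ("Summer2018!", True, True),
        ("Yelp2018!!", True, True),
        ("Tq9#vLm2pX", False, True),
        ("password", True, False),
        ("short", False, False),
    ]
    mismatches = []
    for pw, blocked, ok_policy in cases:
        expected = ok_policy and (not blocked or not enforce)
        actual, reason = filter_password("tester", pw, enforce)
        if actual != expected:
            mismatches.append((pw, expected, actual, reason))
    return mismatches
```

Running the matrix once with `enforce=False` and once with `enforce=True` mirrors the staged rollout: the log lines should appear in both modes, but only the second should deny anything.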