Add username checks to password validation #11
base: master
Add:
1. Validate user for group membership. If in group listed in opfgroups.txt then validate password, else ignore. if no groups listed then validate everyone.
2. Validate password for regex match. See opfregex.txt file.
3. Add support for username in OpenPasswordFilter.dll and OPFService
4. Replace List array with Hash array - faster lookup
5. Additional Logging (some refactoring)
6. Change compile target to NET 4.5.2
with opfregex.txt and opfgroups.txt file details
Pull in username upstream pull request
Add checking that password does not contain username or user's name/names
remove dependency on .net 3.5 and rebuild installer and alpha zip
update readme.md
remove x86 target (willing to discuss this - but I don't see any reason to be running a 32 bit DC in 2017)
Move list files to sysvol to leverage replication
Add logic to detect changes to lists and automatically re-read them
Rebuild zip and installer
I've moved the lists to sysvol to leverage active directory replication, and added some logic to watch their last write times and re-read if they've changed. I tried doing this by watching hashes and found it to be not performant with large lists. I've also fixed a bunch of disparate whitespace formatting issues that were making my eyes bleed. I also fixed an issue where service stop took too long for the process to die due to a blocking socket accept call, which would cause the service to not bind the network port when restarted. Finally, an issue with case sensitivity of the 'matchlist' check was fixed.
Add some SecureZeroMem stuff in the dll
Add support for the HaveIBeenPwned API
Fix erroneous error report from pwnedpasswords api module
Quiet logging down a touch
Now with pwnedpasswordsAPI support! 😃
I used cdebbo's pull request to get the username into the C# bits, and added checks that the password does not contain SAMAccountName, user's given name, surname, or display name. Maybe someday I'll get around to trying to stop them from using 'leet' mutations on their names, but this is a start.
I also removed the dependency on .net 3.5 and re-rolled the installer, dropping x86. I'm willing to discuss that, but I don't think there's any reason to target an x86 domain controller in 2017.
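
The name-in-password check described in the comment above, sketched as an added example; this is not code from the pull request or from OpenPasswordFilter. The class and method names, the `MinTokenLength` threshold, the separator set and the sample account are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added illustration; not code from OpenPasswordFilter or this pull request.
public static class NameInPasswordCheck
{
    // Assumption: fragments shorter than this are skipped so that a two-letter
    // name such as "Al" does not cause most passwords to be rejected.
    private const int MinTokenLength = 3;

    // Returns a fragment of the account's names found in the password, or null.
    public static string FindNameInPassword(string password, string samAccountName,
        string givenName, string surname, string displayName)
    {
        if (string.IsNullOrEmpty(password)) return null;

        var separators = new[] { ' ', '.', ',', '-', '_', '\'' };
        var tokens = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var attr in new[] { samAccountName, givenName, surname, displayName })
        {
            if (string.IsNullOrWhiteSpace(attr)) continue;  // attribute not set
            tokens.Add(attr.Trim());                         // whole value, e.g. "jsmith"
            foreach (var part in attr.Split(separators, StringSplitOptions.RemoveEmptyEntries))
                tokens.Add(part);                            // each word of "Jane Q. Smith"
        }

        foreach (var token in tokens)
        {
            if (token.Length < MinTokenLength) continue;
            // Case-insensitive, culture-independent substring match.
            if (password.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
                return token;
        }
        return null;
    }

    public static void Main()
    {
        // Constructed sample account and candidate passwords.
        string[] candidates = { "Summer-SMITH-2017", "xJSMITHx!9", "correct horse battery", "Sm1th2017!" };
        foreach (var pw in candidates)
        {
            var hit = FindNameInPassword(pw, "jsmith", "Jane", "Smith", "Jane Q. Smith");
            Console.WriteLine("{0,-24} {1}", pw, hit == null ? "accepted" : "rejected (contains '" + hit + "')");
        }
    }
}
```

The last candidate, `Sm1th2017!`, is accepted: a plain substring match does not catch the 'leet' mutations the comment says are not yet handled.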