Hello Greg,
There is nothing built into the OS that will allow you to ban certain
passwords, unless you write your own passfilt.dll.
You can enable "Passwords Must Meet Complexity Requirements" which should
catch most problem passwords.
The following information is from the "Microsoft Solution for Securing
Windows 2000 Server" paper.
Passwords Must Meet Complexity Requirements
Vulnerability
Passwords that contain only alphanumeric characters are extremely easy to
crack using several publicly available utilities. To prevent this,
passwords should contain additional characters and requirements.
The Passwords Must Meet Complexity Requirements setting determines whether
passwords must meet a series of guidelines that are considered important
for a strong password.
If this policy setting is enabled, then passwords must meet the following
requirements:
- The password does not contain all or part of the user's account name.
- The password is at least six characters long.
- The password contains characters from three of the following four
  categories:
    - English upper case characters (A - Z).
    - English lower case characters (a - z).
    - Base 10 digits (0 - 9).
    - Nonalphanumeric (For example, !, $, #, or %).
These complexity requirements are enforced upon password change or creation
of new passwords.
The rules that are included in the Windows 2000 Server policy cannot be
directly modified. However, a new version of passfilt.dll can be created to
apply a different set of rules. The source code for passfilt.dll can be
found in the Microsoft Knowledge Base article 151082: "HOW TO: Password
Change Filtering & Notification in Windows NT."
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/win2000/secwin2k/05secdom.asp
Hope this helps,
(e-mail address removed)
This posting is provided "AS IS" with no warranties, and confers no rights.
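
The checks a custom password filter would need in order to ban specific passwords on top of the complexity rules quoted above, as an added example that is not part of the original post and is not Microsoft's passfilt.dll source. It shows that a password can satisfy every listed complexity rule and still be one you want banned. Assumptions: the function names and ban-list entries are hypothetical, plain C strings stand in for the UNICODE_STRING arguments that the real exported PasswordFilter function receives, and only the whole account name is matched, not parts of it.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample ban list (hypothetical entries), matched ignoring case. */
static const char *const BANNED[] = { "Password1!", "Welcome1!", "Company2000!" };

/* Case-insensitive substring search; returns 1 if needle occurs in hay. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0) return 0;               /* empty account name matches nothing */
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Returns 1 if the password passes all checks, 0 if it must be rejected. */
int password_acceptable(const char *account, const char *password)
{
    size_t len = strlen(password);
    int upper = 0, lower = 0, digit = 0, other = 0;

    if (len < 6) return 0;                          /* at least six characters */
    /* Simplification (assumption): whole account name only, not parts of it. */
    if (contains_ci(password, account)) return 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)password[i];
        if (c >= 'A' && c <= 'Z') upper = 1;
        else if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= '0' && c <= '9') digit = 1;
        else other = 1;                             /* nonalphanumeric */
    }
    if (upper + lower + digit + other < 3) return 0; /* three of four categories */

    /* Extra rule the built-in policy lacks: exact match against the ban list. */
    for (size_t i = 0; i < sizeof BANNED / sizeof BANNED[0]; i++)
        if (strlen(BANNED[i]) == len && contains_ci(password, BANNED[i]))
            return 0;
    return 1;
}
```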