Password Policy Enforcer

nFront Password Filter

nFront Security recently started promoting their nFront Password Filter by comparing it to an unnamed competitor's product. Their prominent use of the "Password Policy Server" trademark makes it clear that they are comparing their product to Password Policy Enforcer. ANIXIS believes the claims made on the "nFront Password Filter Benefits" page are inaccurate and misleading, and is releasing this document to help potential customers make an informed decision about these two products.

This document will show that:

  • Statements made by nFront Security about PPE's Password Policy Server are factually incorrect.
  • Password Policy Enforcer uses fewer server resources, is more capable, and easier to use than nFront Password Filter.
  • nFront Password Filter contains undocumented security vulnerabilities, both in its design and implementation.

The text in the shaded boxes below appeared on the "nFront Password Filter Benefits" page on November 2, 2007. Responses are based on the latest software versions available at the time, Password Policy Enforcer V5.01 and nFront Password Filter V4.03.

No Single Point of Failure
Each Domain Controller runs nFront Password Filter and there are NO API CALLS THAT LEAVE THE DOMAIN CONTROLLER! Thus, there is no dependency on other "password policy servers."

This paragraph is clearly aimed at Password Policy Enforcer as ANIXIS has used the Password Policy Server trademark since 1998. This statement is misleading because it implies that PPE sends queries to a remote server for processing.

PPE's Password Policy Server is a self-contained password filter that runs on every domain controller. Passwords are checked on the domain controller, and never sent to another server. There is no reliance on other servers. There is no single point of failure in a domain with more than one domain controller.

When the T1 to corporate is down, any local DC can filter the password change and support the nFront Password Filter Clients. Competing solutions rely on "password policy servers" so they subject the password change process to network latency and do not guarantee the passwords are filtered if the "password policy server" is not reachable. With other solutions, be sure to read the disclaimers and micetype.

As stated above, the PPE Password Policy Server has no dependency on remote domain controllers. It can service password change requests on any local domain controller just like nFront Password Filter. There is no extra network latency, nor is there any need for disclaimers or "micetype".

Simple Group Policy Control
Notice that with other products you have to load their snap-in or executable on your system to control policy settings. nFront Password Filter uses Group Policies and requires only that you load the provided ADM template one time on 1 domain controller. From there, the GPO replicates and can be administered from any domain controller and workstation using Active Directory Users and Computers or the Group Policy Management Console.

Using the Microsoft Management Console allows ANIXIS to include many features in Password Policy Enforcer that are not present in nFront Password Filter. For example, the PPE management console allows you to:

The PPE management console helps administrators to manage their password policies by presenting configuration settings in a familiar interface. It also detects and automatically fixes common configuration mistakes, a feature that is not possible with the limited validation rules in administrative templates.

By contrast, nFront Password Filter's administrative templates overwhelm the user by offering up to 44 configuration settings in one non-resizable window. There is no context-sensitive help, and limited control over the policy rules.

The PPE management console is installed with PPE, so there is often no need to install it manually. Administrators who prefer to configure PPE from their workstation can install the management console with a few mouse clicks.

Ease of Use - GPO Control done right
nFront Password Filter is controlled via Group Policies. No fancy front ends. No pretty MMC snap-ins to forget to load. Simply create a new GPO, load our template file and it replicates to ALL domain controllers. You can then manage from any domain controller or workstation where you can run Active Directory Users and Computers...

You can deploy PPE with Group Policy, so you won't "forget to load" the management console. The claims made later in this paragraph are not addressed here as they do not relate to PPE. PPE configuration settings are also accessible from one location, so nFront Password Filter offers no benefit over PPE in this respect.

No Reboots to upgrade
nFront Password Filter allows you to dynamically upgrade the filtering engine without rebooting your domain controllers.

nFront Password Filter uses an intermediate stub DLL to allow upgrades without rebooting. In doing so, it bypasses a Windows security feature and increases the attack surface on every domain controller. An attacker can use the intermediate DLL to bypass notification package auditing and gain access to the LSASS (Local Security Authority Subsystem Service) without detection. The nFront Password Filter documentation makes no mention of the security risks associated with this feature.

ANIXIS releases updates to Password Policy Enforcer once or twice a year. Customers can postpone rebooting until Windows updates are installed. ANIXIS does not believe the added security risks posed by this feature are justified.

Very Fast Filtering Engine
Our filtering engine has been tested by a Fortune 100 customer with over 11,000 password changes per minute. If it can handle that volume, it should surely spend most of its time sleeping on your network.

Password filter throughput is dependent on the number of policies enforced, which rules are enabled, how the rules are configured, and the hardware used. None of these details are provided to support this benchmark. Also missing is the number of domain controllers used to achieve this number.

Password filtering rules are typically very fast because they work with small amounts of data. The dictionary rule is an exception because it processes much more information, making it orders of magnitude slower than the other rules. Password filter performance is therefore dictated by the speed of the dictionary rule. The test results below show that Password Policy Enforcer's dictionary rule is thousands of times more efficient than nFront Password Filter's. PPE will outperform nFront Password Filter in almost every situation.

Easily customized dictionary
Competitors use cumbersome GUI tools to manipulate the dictionary "wordlists." nFront Password Filter gives you full control and allows you to directly edit the dictionary.txt file in any ANSI-compatible editor (like Notepad). You can even add words from different languages and mix words of different languages...

Password Policy Enforcer's dictionary is also a text file, and its user interface is anything but cumbersome.

Very fast dictionary check
We can scan a new password against over 2.5 million words in less than a single second. So now you can take all those hacking wordlists and throw them into our dictionary file.

The quoted figure sounds impressive, but it is achieved at the expense of all other processes on the domain controllers. The test results below show that nFront Password Filter's dictionary search algorithm is inefficient and places a heavy load on all domain controllers. PPE's dictionary rule is many times faster, and only uses a fraction of the server resources consumed by nFront Password Filter.

Dictionary Rule Performance

The dictionary rule is the most important rule in a password filter because it detects the most vulnerable passwords. It also has the greatest impact on password filter performance because it is slower than all the other rules combined. ANIXIS tested nFront's dictionary rule to see how it performed relative to PPE's rule. All other rules were disabled, and the computer was restarted before each product was tested. The test server was virtualized and running Windows Server 2003 on an Intel Xeon 5130. No other virtual machines were running at the time. A 44.1 megabyte dictionary file was used. Exact match searching was enabled to ensure that both products found the same dictionary word.

nFront Password Filter performance graph

The System Monitor graph above shows nFront Password Filter's test results. CPU utilization (red line) peaked around 30% during the first password change, but it took nFront Password Filter 9.4 seconds to return a result. I/O (blue line) proved to be the bottleneck as the virtual drive could not keep up with the CPU. The second and third password changes were faster (2.5 seconds) because Windows had cached the dictionary file. CPU utilization peaked at 100% for the last two tests.

Password Policy Enforcer performance graph

The graph above shows Password Policy Enforcer's test results. Notice that CPU utilization remained at almost 0% for all three password changes. PPE returned its first result in 130 milliseconds, and subsequent results in 10 milliseconds (0.01 of a second).

Password Policy Enforcer was 72 times faster during the first test, and 250 times faster during subsequent tests. Inspection of the test data shows that nFront Password Filter read 41 megabytes (92.9%) of the dictionary file during each test, whereas PPE read only 2.9 kilobytes (0.000064%). nFront Password Filter generated 11,364 I/O operations, PPE generated 21.

nFront Password Filter would have achieved better results if the test password was closer to the start of the file. It must be noted however that every successful password change requires an exhaustive search of the dictionary file, so it is reasonable to test with a password that is near the end of the file.

It could also be argued that nFront Password Filter's performance would improve with a smaller dictionary. This is true, but our test only simulated the load placed on a domain controller by one user. The extra load created by multiple password change requests during peak periods will quickly offset any gains made by using a smaller dictionary file.

Password Policy Enforcer is a clear winner in this test. It responds faster, consumes less I/O bandwidth, and uses fewer CPU cycles than nFront Password Filter. These qualities are especially important for customers with virtualized domain controllers.
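The difference measured above comes down to how much of the dictionary file each lookup touches. The following Python script is an added example, not code from either product: on a constructed sorted wordlist it contrasts an exhaustive front-to-back scan (the pattern the benchmark observed, which reads nearly the whole file for a word near the end) with a byte-offset binary search that reads only a handful of blocks. The block size, wordlist contents and target word are assumptions.

```python
import os, tempfile
BLOCK = 4096  # bytes per read(); constructed to approximate one filesystem page

def read_at(f, stats, offset):  # read one block at offset and account for it
    f.seek(offset)
    data = f.read(BLOCK)
    stats["bytes"], stats["reads"] = stats["bytes"] + len(data), stats["reads"] + 1
    return data

def linear_scan(path, word):  # exhaustive scan: read front to back until a line matches
    stats, target, offset, tail, found = {"bytes": 0, "reads": 0}, word.encode(), 0, b"", False
    with open(path, "rb", buffering=0) as f:
        size = os.fstat(f.fileno()).st_size
        while offset < size and not found:
            chunk = read_at(f, stats, offset)
            offset += len(chunk)
            lines = (tail + chunk).split(b"\n")
            tail = lines.pop()                       # partial last line carries over
            found = target in lines
    return found or tail == target, stats["bytes"], stats["reads"]

def binary_search_file(path, word):  # bisect a sorted file by byte offset (lines shorter than BLOCK)
    stats, target, found = {"bytes": 0, "reads": 0}, word.encode(), False
    with open(path, "rb", buffering=0) as f:
        lo, hi = 0, os.fstat(f.fileno()).st_size    # target line, if present, starts in [lo, hi)
        while lo < hi and not found:
            mid = (lo + hi) // 2
            base = max(mid - 1, 0)                   # byte before mid shows whether mid starts a line
            block = read_at(f, stats, base)
            start = 0 if mid == 0 else block.find(b"\n") + 1   # 0 with mid > 0: no newline found
            line_off = base + start                  # first line start at or after mid
            if (mid and start == 0) or line_off >= hi:   # no line starts in [mid, hi): drop it
                hi = mid
                continue
            if block.find(b"\n", start) < 0 and len(block) == BLOCK:   # line cut at block edge
                block, start = read_at(f, stats, line_off), 0         # reread from its start
            end = block.find(b"\n", start)
            line = block[start:] if end < 0 else block[start:end]
            found = line == target
            if line < target:
                lo = line_off + len(line) + 1        # every line up to here is smaller
            elif line > target:
                hi = line_off
    return found, stats["bytes"], stats["reads"]

def compare(word="word199990", count=200_000):  # constructed sorted wordlist, target near its end
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as f:
        f.writelines(b"word%06d\n" % i for i in range(count))   # zero-padded: text order == numeric
    result = {"linear": linear_scan(f.name, word), "binary": binary_search_file(f.name, word)}
    os.remove(f.name)
    return result
```

Each function returns (found, bytes read, read calls); with the default word the scan reads the entire 2.2 MB file in over 500 reads while the bisection needs roughly two dozen 4 KiB blocks.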

nFront Security?

We discovered several security vulnerabilities while testing nFront Password Filter. Some are due to the software's design, while others are caused by programming errors. The image below shows one of these vulnerabilities being exploited.

nFront Password Filter vulnerability

The highlighted memory buffer belongs to the nFront Password Filter Client and contains a user's password (the new password entered during a password change). The buffer is never cleared, only replaced with a new password during the next password change. Other users with physical or remote access to the computer can retrieve the password even after the original user has logged off. If the computer is a terminal server, a privileged user can retrieve other users' passwords while their sessions are active.

A reference to the Altus Passfilt Pro Client appears below the password buffer. nFront Password Filter was called Altus Passfilt Pro until Altus Network Solutions established their nFront Security division in June 2007.

ANIXIS confirmed the existence of this vulnerability on Windows XP and 2003 with nFront Password Filter v4.00 and v4.03. Other versions were not tested and may also be affected. The user's password was extracted from memory with free software tools. It should also be possible to retrieve the password from the system's paging or hibernation files. The password buffer's start address varies somewhat, but it is very easy to find by seeding it with a known password.

Conclusion

nFront Security's web site claims that their product is superior to an unnamed competitor with a "password policy server". As this document shows, Password Policy Enforcer is equal to, and often better than, nFront Password Filter. Even if nFront Security addresses all the problems identified in this document, their product will still not match PPE. ANIXIS identified other problems and shortcomings after only a few hours of testing. This document was created to show that nFront Security's claimed benefits are misleading, not to list every deficiency in their product. If you are not convinced, then we encourage you to evaluate both products and experience the difference yourself.

Password Policy Enforcer was the first configurable password filter for Windows. Originally released in 1998, PPE has been continually improved for sixteen years. ANIXIS has helped more than 2,000 customers with over 3,000,000 user accounts to enforce their password policy. If you are looking for the most widely deployed, reliable and flexible third-party password filter for Windows, then look no further. Download Password Policy Enforcer today.

ANIXIS, Password Policy Enforcer, Password Policy Server, and Password Policy Client are trademarks of ANIXIS. Microsoft, Microsoft Management Console, Windows, Windows XP, and Windows Server 2003 are trademarks of Microsoft Corporation. nFront Password Filter and Passfilt Pro are trademarks of Altus Network Solutions, Inc. Portions of this page are copyright 2007 nFront Security, Inc.