
Is this a security risk?

MidiGuy

Senior member
I would like to get everyone's opinion on this. Is the Password Policy Enforcer from TP Information Systems safe to use? I'm not sure I'm comfortable with third party software (especially from a small organization) intercepting all the passwords in my organization's domain. Any thoughts as to whether this is a security risk, or for that matter, how it's even possible for third party software to interfere with the password creation/change system in Windows NT 4.0, 2000, and XP?

Thanks!

-Midi
 
Microsoft makes the password verification scheme extensible for exactly these types of products. As for how comfortable you are with a third party component interfacing with the GINA, well, that's your call 😉

I disagree that this is, by definition, a security risk unless you can show (or even suspect) that such a third party is doing something 'improper' with the data.

Bill
 
FYI, NT4 and later have some built-in password policy rules. Well, NT4 requires the passprop utility from the resource kit. Win2K and XP should have something like that in the "Local Security Policy" console. Something about password complexity and password lifetimes.

Are you looking for something more complicated?

-SUO
 
Yeah, we might want to get a little more specific than the built-in policies let you. It does make me feel a little better to know that Windows is designed to allow that (although it seems a little bit like a place Microsoft design may be a security risk in itself). I have no reason to doubt IPIS's legitimacy. Their software actually seems pretty well done from what I've seen. And I would think that even if something were trying to send data (i.e. network passwords) to someone outside of the organization, our firewall might block those attempts, depending on how it was done.
 