ChkLock: NT Password Policy Auditor
Berbee is pleased to release ChkLock, a command-line password policy
auditing tool for Windows NT and Windows 2000. ChkLock requires no
special security permissions in order to run, and does not attempt
any password-guessing: it is an information-gathering utility only.
ChkLock is a Win32 console program designed to retrieve and display the
password policy of Windows NT and Windows 2000 workstations and servers.
It uses standard API calls to retrieve the following data:
- Minimum Password Length: the length of the shortest allowable password, as set by the administrator. If passwords are not required by the machine's account policy (minimum length of 0 characters), this will be noted.
- Maximum Password Age: the length of time before passwords expire and must be changed. If passwords never expire, this will be noted.
- Minimum Password Age: the minimum amount of time a password must be in effect before a user can change it; this is generally set in combination with enforced password uniqueness (see below) to prevent users from quickly cycling through a short list of passwords until they get back to one they are fond of.
- Logoff Forced After: if a user has a session in progress when the account password expires, Windows can force the user to log off after a suitable grace period. This attribute is very rarely set, since there is no easily accessible means of implementing it.
- Password Uniqueness Depth: in order to force users to select new passwords when the current ones expire, NT can enforce that passwords are not recycled for a certain number of changes. This is often set in combination with a minimum password age (see above) to prevent users from repeatedly resetting their passwords until they are once again allowed to use their favorite one.
- Lockout Duration: if the administrator has specified that a certain number of invalid authentication attempts will automatically lock out accounts, this is the duration for which they remain inaccessible. It is possible that they will remain locked indefinitely, until the administrator unlocks them.
- Lockout Reset Window: the period of time within which a series of invalid logon attempts needs to occur in order to qualify an account for lockout.
- Lockout Threshold: the number of invalid logon attempts allowed before an account is locked out; ChkLock detects whether account lockout is turned off altogether.
- This machine's logon role: for server machines, ChkLock can distinguish between standalone servers, member servers, backup domain controllers, and primary domain controllers.
- The name of the PDC: if the machine is not its own primary domain controller, the name of the machine that houses the primary security database is noted.
- The name of the domain: the name of the logon domain (this is simply the machine name for standalone workstations).
Because ChkLock uses the standard Windows networking functions, it is able
to retrieve this information from remote machines, as well as the local
password policy.
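The following is an added example, not ChkLock's own source code, showing how the attributes listed above can be read with the LAN Manager API (NetUserModalsGet, levels 0, 1 and 3, from lm.h) and how the conditions ChkLock notes (passwords not required, passwords never expiring, lockout turned off, indefinite lockout) can be detected from the raw values. On Windows it queries the local machine; on other platforms the Win32 calls are compiled out and a constructed sample policy is evaluated instead. The struct and function names are this example's own.

```c
/* Added example (not ChkLock's code): read the NT account policy and flag the
 * settings ChkLock notes. Windows: cl chkpol.c netapi32.lib. Elsewhere only the
 * portable evaluation logic builds, run against constructed sample values. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")
#else
/* Values from lmaccess.h, reproduced so the check logic builds anywhere. */
#define TIMEQ_FOREVER       ((unsigned long)-1L)
#define UAS_ROLE_STANDALONE 0
#define UAS_ROLE_MEMBER     1
#define UAS_ROLE_BACKUP     2
#define UAS_ROLE_PRIMARY    3
#endif

/* Portable copy of the USER_MODALS_INFO_0/1/3 fields ChkLock reports. */
struct policy {
    unsigned long min_passwd_len;
    unsigned long max_passwd_age;    /* seconds; TIMEQ_FOREVER = never expire */
    unsigned long min_passwd_age;    /* seconds */
    unsigned long force_logoff;      /* grace seconds; TIMEQ_FOREVER = never */
    unsigned long password_hist_len; /* 0 = uniqueness not enforced */
    unsigned long lockout_duration;  /* seconds; TIMEQ_FOREVER = until unlocked */
    unsigned long lockout_window;    /* seconds */
    unsigned long lockout_threshold; /* 0 = lockout turned off */
    unsigned long role;              /* UAS_ROLE_* */
};

static const char *role_name(unsigned long role)
{
    switch (role) {
    case UAS_ROLE_STANDALONE: return "standalone";
    case UAS_ROLE_MEMBER:     return "member server";
    case UAS_ROLE_BACKUP:     return "backup domain controller";
    case UAS_ROLE_PRIMARY:    return "primary domain controller";
    default:                  return "unknown";
    }
}

/* Appends one line per noteworthy condition to `report`; returns the count. */
static int policy_notes(const struct policy *p, char *report, size_t cap)
{
    int n = 0;
    report[0] = '\0';
#define NOTE(cond, msg) do { if (cond) { n++; \
        strncat(report, msg "\n", cap - strlen(report) - 1); } } while (0)
    NOTE(p->min_passwd_len == 0,             "passwords are not required");
    NOTE(p->max_passwd_age == TIMEQ_FOREVER,  "passwords never expire");
    NOTE(p->force_logoff == TIMEQ_FOREVER,    "users are never forced off at expiry");
    NOTE(p->password_hist_len == 0,           "password uniqueness not enforced");
    NOTE(p->password_hist_len > 0 && p->min_passwd_age == 0,
         "history can be cycled at once (minimum age is 0)");
    NOTE(p->lockout_threshold == 0,           "account lockout is turned off");
    NOTE(p->lockout_threshold > 0 && p->lockout_duration == TIMEQ_FOREVER,
         "locked accounts stay locked until an administrator unlocks them");
#undef NOTE
    return n;
}

#ifdef _WIN32
/* Fills `p` for the local machine (server == NULL) or a remote L"\\\\name". */
static int read_policy(const wchar_t *server, struct policy *p)
{
    USER_MODALS_INFO_0 *m0 = NULL; USER_MODALS_INFO_1 *m1 = NULL;
    USER_MODALS_INFO_3 *m3 = NULL;
    NET_API_STATUS st = NetUserModalsGet(server, 0, (LPBYTE *)&m0);
    if (st == NERR_Success) st = NetUserModalsGet(server, 1, (LPBYTE *)&m1);
    if (st == NERR_Success) st = NetUserModalsGet(server, 3, (LPBYTE *)&m3);
    if (st == NERR_Success) {
        p->min_passwd_len = m0->usrmod0_min_passwd_len;
        p->max_passwd_age = m0->usrmod0_max_passwd_age;
        p->min_passwd_age = m0->usrmod0_min_passwd_age;
        p->force_logoff = m0->usrmod0_force_logoff;
        p->password_hist_len = m0->usrmod0_password_hist_len;
        p->role = m1->usrmod1_role;
        p->lockout_duration = m3->usrmod3_lockout_duration;
        p->lockout_window = m3->usrmod3_lockout_observation_window;
        p->lockout_threshold = m3->usrmod3_lockout_threshold;
    }
    if (m0) NetApiBufferFree(m0);
    if (m1) NetApiBufferFree(m1);
    if (m3) NetApiBufferFree(m3);
    return (int)st;
}
#endif

int main(void)
{
    char report[512];
    /* Constructed sample (weak policy) used where the API is unavailable. */
    struct policy p = { 0, TIMEQ_FOREVER, 0, TIMEQ_FOREVER, 0, 0, 0, 0,
                        UAS_ROLE_STANDALONE };
#ifdef _WIN32
    int st = read_policy(NULL, &p);
    if (st != 0) { fprintf(stderr, "NetUserModalsGet failed: %d\n", st); return 1; }
#endif
    printf("role: %s, min length %lu, history %lu, threshold %lu\n",
           role_name(p.role), p.min_passwd_len, p.password_hist_len,
           p.lockout_threshold);
    printf("%d note(s):\n%s", policy_notes(&p, report, sizeof report), report);
    return 0;
}
```

Ages are reported by the API in seconds, so divide by 86400 to match the "days" shown in User Manager; the sentinel comparisons against TIMEQ_FOREVER must be done before any such conversion.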
The following additional information is available:
- What's Interesting: what is important about ChkLock, what's new about it, and how it can be used.
- Technical Overview: how ChkLock works, and its relationship to existing tools.
- Source code: complete source code to the ChkLock utility.
- Download: a working binary executable, and this documentation, including the source code.
Many people helped in the development of ChkLock. Matt Jach came up
with the idea, and he also helped in testing, along with Chris Gerg,
Tom Callaci, and David Klann. David Klann and Ken Bywaters offered
advice about publishing the utility. Jenny DeNicolo made sure the
documentation was intelligible. Joe Mondloch made the web site possible,
with support from Berbee's Marketing and AMG departments. Thanks,
everyone!
This page is maintained by Peyton Engel.
Last updated 13 October 2000