# Lithnet Password Protection for AD

A cool password filter DLL for domain controllers that rejects weak, breached or banned passwords at the moment a user changes (or an admin resets) their AD password!

# Install it

Download from GitHub and run the install wizard (I checked all the options). Because it's a password filter, it has to be installed on every domain controller that can process a password change, and the DC needs a reboot afterwards before the filter is loaded.

# Prepare a password repository

The documentation covers sharing one password store between multiple DCs (for example with a DFS-replicated folder), but for a single-DC implementation a local folder is enough:

```powershell
# Make a folder to store the hashed password stores in
mkdir c:\passprotect

# Load the lithnet password protection module
Import-Module LithnetPasswordProtection

# Point the filter at the "storepath" for the compromised/banned stores
Set-PasswordFilterConfig -StorePath "c:\passprotect"

# Download the full NTLM hash set from HaveIBeenPwned (this is a big download and takes a while)
Sync-HashesFromHibp
```

Note - if you have problems with the HIBP hash download, try adding `-Threads 1` to the end of the command (per a GitHub issue on the project).

# Adjust the lithnet GPO

Head to Computer Configuration > Administrative Templates > Lithnet > Password Protection for Active Directory > Default Policy, and set the properties you desire. I went with:

  • Set Minimum password length
  • Enable Reject passwords that contain the user's account name
  • Enable Reject passwords that contain the user's display name
  • Enable Reject passwords found in the compromised password store
  • Enable Reject normalized passwords found in the compromised password store
  • Enable Reject normalized passwords found in the banned word store

Be careful with this policy and make sure none of the settings conflict with Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. Both are enforced on every change: a password has to satisfy the built-in domain policy and the Lithnet filter, so if you set something like minimum length in both places, the stricter value wins and the other one just confuses troubleshooting. I set the built-in policy to establish:

  • Password history
  • Password maximum age
  • Password minimum age
  • Enable password complexity

# Review policy configuration

```powershell
# Show the effective Lithnet policy (handy after a gpupdate to confirm the GPO applied)
Get-PasswordFilterPolicy
```

# Import a custom word list

In addition to the HIBP database, you can import custom word lists you've downloaded from places like weakpass.com. The file is one plaintext password per line; the passwords are hashed as they are added to the store.

```powershell
# Import a plaintext password list into the compromised password store
Import-CompromisedPasswords -Filename "D:\password-protection\hashes.org-2018.txt"
```

# Add a specific password you don't want people to be able to pick

```powershell
Add-CompromisedPassword -Value "Meowmix2025!"
```

# Test if a given password is blocked

```powershell
Test-IsCompromisedPassword -Value "Meowmix2025!"
```

# Add banned passwords to the store

The compromised store is an exact match on the hash. By adding words into the "banned" list, the filter instead normalizes the candidate password and compares that, which catches the common variations users reach for. So for example, if you banned lithnet as a word, you'd also be banning lithnet2018, l1thn3t, and Lithnet! from being used.

```powershell
# Import a list of banned words (one per line, e.g. a dictionary or your company/product names)
Import-BannedWords -Filename "D:\password-protection\english-dictionary-words.txt"

# Add an individual banned word
Add-BannedWord -Value "7minsec"
```

Test whether a candidate password matches something on the banned list (all of these should come back as banned):

```powershell
Test-IsBannedWord "7minsec"
Test-IsBannedWord "7minsec!"
Test-IsBannedWord "7m1ns3c!"
Test-IsBannedWord "7MINSEC"
```
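To get a feel for what "normalized" matching buys you before you build a banned list, here is an added example (not code from the Lithnet project or from the original post) that models the idea locally: lowercase the candidate, strip the digits and symbols people bolt onto the ends, undo common leet-speak substitutions, and compare against the banned words treated the same way. The substitution table and trimming rules are my assumptions for illustration, not Lithnet's actual algorithm; the real answer always comes from `Test-IsBannedWord`, which the script also calls if the module happens to be loaded.

```powershell
# Added example: a local approximation of normalized banned-word matching.
# The rules in ConvertTo-NormalizedWord are ASSUMPTIONS for illustration only,
# not the Lithnet normalization algorithm.

function ConvertTo-NormalizedWord {
    param([Parameter(Mandatory)][string]$Value)

    $s = $Value.ToLowerInvariant()
    # Strip leading/trailing digits and symbols (covers "lithnet2018", "Lithnet!", "7minsec!")
    $s = $s -replace '^[^a-z]+', '' -replace '[^a-z]+$', ''
    # Undo common leet-speak substitutions inside the word (covers "l1thn3t", "7m1ns3c")
    $leet = [ordered]@{ '0' = 'o'; '1' = 'i'; '3' = 'e'; '4' = 'a'; '5' = 's'; '7' = 't'; '@' = 'a'; '$' = 's' }
    foreach ($k in $leet.Keys) { $s = $s.Replace($k, $leet[$k]) }
    # Edge case: a word made only of digits/symbols would normalize to nothing, so keep it as-is
    if ([string]::IsNullOrEmpty($s)) { $s = $Value.ToLowerInvariant() }
    return $s
}

function Test-BannedVariant {
    param(
        [Parameter(Mandatory)][string[]]$BannedWords,
        [Parameter(Mandatory)][string]$Candidate
    )
    # Normalize both sides so "7minsec" and "7m1ns3c!" land on the same string ("minsec")
    $normalizedBanned = $BannedWords | ForEach-Object { ConvertTo-NormalizedWord $_ }
    return $normalizedBanned -contains (ConvertTo-NormalizedWord $Candidate)
}

# Constructed sample data for the demo
$bannedWords = @('lithnet', '7minsec')
$candidates  = @('lithnet2018', 'l1thn3t', 'Lithnet!', '7minsec!', '7m1ns3c!', '7MINSEC', 'Correct-Horse-Battery')

foreach ($pw in $candidates) {
    $row = [pscustomobject]@{
        Candidate  = $pw
        Normalized = ConvertTo-NormalizedWord $pw
        LocalMatch = Test-BannedVariant -BannedWords $bannedWords -Candidate $pw
    }
    # On a DC with the module loaded, show the filter's real verdict next to the approximation
    if (Get-Command Test-IsBannedWord -ErrorAction SilentlyContinue) {
        $row | Add-Member -NotePropertyName LithnetMatch -NotePropertyValue (Test-IsBannedWord -Value $pw)
    }
    $row
}
```

Run it anywhere to see which of the constructed candidates collapse onto a banned word; run it on the DC (after adding `lithnet` and `7minsec` with `Add-BannedWord`) and the `LithnetMatch` column tells you where the approximation and the real filter disagree, which is exactly the gap to keep in mind when you decide which words to ban.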

# Check filter actions in the event logs

Look in Windows Logs > Application for events such as 8195, which show that a user's password change was blocked for not meeting the domain requirements and/or the Lithnet filter's requirements. A quick search here is the fastest way to tell "the filter is working" apart from "the filter isn't loaded" when a test password sails through.
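Rather than clicking through Event Viewer, here is an added example (not from the original post) that pulls the recent rejection events out of the Application log and summarizes how often each account is being bounced. It assumes event ID 8195 as cited above and guesses at the message wording with a regex to pull out an account name; check it against what your events actually say and adjust the pattern if it comes back as "(unparsed)".

```powershell
# Added example: summarize recent password-filter rejections from the Application log.
# Assumptions: event ID 8195 (from the page); the account-name regex is a guess at the
# message wording, not a documented format.

function Get-PasswordRejectionSummary {
    param(
        [int]$EventId = 8195,
        [int]$Hours   = 24
    )

    $filter = @{
        LogName   = 'Application'
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports an error (not an exception) when nothing matches, so quiet it and return empty
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $events | ForEach-Object {
        # Assumed wording: something like "User: name" or "Account name: name" in the message text
        $account = if ($_.Message -match '(?i)(?:user|account)[^:\r\n]*:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Provider = $_.ProviderName
            Account  = $account
            Summary  = $_.Message.Split("`n")[0].Trim()
        }
    }
}

# Who is getting rejected the most in the last day (a user fighting the filter, or a helpdesk script misbehaving)
Get-PasswordRejectionSummary |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Name, Count

# Full detail for the same window, newest first
Get-PasswordRejectionSummary | Sort-Object Time -Descending | Format-Table -AutoSize
```

Repeated rejections for one account are normal right after rollout (users cycling through variations of their old password); a spike across many accounts at once is worth a look, because it usually means a GPO change landed that users weren't warned about.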