#active-directory #security #password-filter

bin+lib sediment-rs

An Active Directory password filter

1 unstable release

0.1.0 May 28, 2023


Apache-2.0

24KB
428 lines

Sediment - Active Directory Password Filter (WIP)

Sediment is an Active Directory password filter built in Rust. Using modern data structures, it is able to provide maximum performance with zero compromise to security. Passwords are handled using the zeroize crate, guaranteeing that the memory behind them will be cleared when no longer needed. Event logs are generated for transparency into rejections, without logging the plaintext password being used.
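The two properties described above (wiping password memory, and logging a rejection without the plaintext) are shown here as an added, std-only Rust example; it is not Sediment's code. `Secret`, `Verdict`, `evaluate` and the sample data are hypothetical, and the hand-rolled volatile wipe stands in for the zeroize crate.

```rust
use std::collections::HashSet;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

// Std-only stand-in for what the zeroize crate provides: a buffer that is
// overwritten with zeros when it goes out of scope.
pub struct Secret(Vec<u8>);

impl Secret {
    pub fn wipe(&mut self) {
        for b in self.0.iter_mut() {
            // Volatile store: the optimizer may not drop it as a dead write.
            unsafe { ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

impl Drop for Secret {
    fn drop(&mut self) {
        self.wipe();
    }
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Accept,
    Reject(&'static str),
}

// Hypothetical filter decision: returns the verdict and the event-log text.
// The log carries the account and the reason, never the candidate password.
pub fn evaluate(account: &str, candidate: &Secret, banned: &HashSet<Vec<u8>>) -> (Verdict, String) {
    // The case-folded copy is also a Secret, so it is wiped on return.
    let folded = Secret(candidate.0.to_ascii_lowercase());
    let verdict = if banned.contains(folded.0.as_slice()) {
        Verdict::Reject("banned-list match")
    } else {
        Verdict::Accept
    };
    let log = format!("password filter: account={} verdict={:?}", account, verdict);
    (verdict, log)
}

fn main() {
    // Constructed sample data, not taken from any real list.
    let banned: HashSet<Vec<u8>> = HashSet::from([b"winter2023".to_vec()]);
    let candidate = Secret(b"Winter2023".to_vec());
    let (verdict, log) = evaluate("jdoe", &candidate, &banned);
    println!("{:?} | {}", verdict, log);
}
```

Every intermediate copy of the password, including the case-folded one, has to live in a wiping type; a plain `Vec<u8>` or `String` temporary would leave the plaintext in freed heap memory.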

Setup

Once this project is finished, an MSI installer will be provided which will include the password filter DLL and an optional CLI for managing the compromised and banned password lists. It will also create the required registry keys by default. These will be used to find the install path, among other things.

Usage

Once available, the filter itself is intended to be installed on all domain controllers (DCs) in your environment, as authentication is distributed among them. After being installed, a reboot will be required for Windows LSA to register the DLL on boot. DFS-R will also be recommended for replicating the files necessary for the operation of the filter across the DCs.

Dependencies

~17–30MB
~435K SLoC