Validate Windows password policy programmatically?

I have an application for bulk creating users (atypical I know, but not my decision) and currently, the validation for the password is just done using regular expressions. But the specific requirements can change depending on the PC's settings, right? So is there a way to test a given string against the PC's password policy in C#? I want to be able to do something like:

bool isPasswordGood = TestPasswordComplexity("notAgoodPassword");

This will depend on the security policy set up in Windows. That is typically set up using the GUI for setting security policies, but you can actually export the settings from command line as follows:

secedit.exe /export /cfg C:\temp\MySecurityPolicy.inf

Note: You may need to run command prompt as an admin for this to be permitted (right click the command prompt icon and select Run as administrator).

That should save your settings in a text file (here, MySecurityPolicy.inf). The first part of this file should look like this:

[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 365
MinimumPasswordLength = 12
PasswordComplexity = 0
PasswordHistorySize = 20
LockoutBadCount = 20
ResetLockoutCount = 10
LockoutDuration = 10
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 1
NewAdministratorName = "LocalAdmin"
NewGuestName = "LocalGuest"
ClearTextPassword = 0
(...)

In particular, I would imagine that lines 6 & 7, MinimumPasswordLength and PasswordComplexity, will be of interest. There is some documentation about this available here.

Once you understand how this works, you should be able to create a simple script or program to read from such a config file, and use the info from it to inform your password validation method. Perhaps it might even suffice to only read lines 6 & 7?

I realize this might not be as good as being able to look up the policy settings directly from C#, but it will at least give you an option: Now whenever you need to check requirements, run a script that exports the settings to a known file, and re-evaluate it from your application.

If you can run the export procedure from your app too (assuming the elevated privileges requirements don't cause trouble), then you should be able to automate all of this. Otherwise, you might have to export the policy file manually, and store it in a location your app can read from.
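
One way to do what this answer describes, as an added example that is not part of the original answer: read the [System Access] section of the export and test a candidate against MinimumPasswordLength and PasswordComplexity. The class and method names are hypothetical, the sample lines are constructed, and the complexity rule is an approximation of the Windows one; anything a password filter DLL enforces is not visible in the export.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class SeceditPolicy
{
    // Collects the "Key = Value" pairs found under [System Access] in a secedit export.
    public static Dictionary<string, string> ReadSystemAccess(IEnumerable<string> lines)
    {
        var settings = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        bool inSection = false;
        foreach (string raw in lines)
        {
            string line = raw.Trim();
            if (line.StartsWith("["))
            {
                inSection = line.Equals("[System Access]", StringComparison.OrdinalIgnoreCase);
                continue;
            }
            int eq = line.IndexOf('=');
            if (inSection && eq > 0)
                settings[line.Substring(0, eq).Trim()] = line.Substring(eq + 1).Trim().Trim('"');
        }
        return settings;
    }

    // Approximation (assumption): length check plus the "three of four character classes,
    // no account name" rule applied when PasswordComplexity = 1.
    public static bool MeetsPolicy(string password, string username, IDictionary<string, string> policy)
    {
        int minLength = policy.TryGetValue("MinimumPasswordLength", out string v) && int.TryParse(v, out int n) ? n : 0;
        if (password.Length < minLength) return false;
        if (!policy.TryGetValue("PasswordComplexity", out string c) || c != "1") return true;
        int classes = new[] { password.Any(char.IsUpper), password.Any(char.IsLower),
                              password.Any(char.IsDigit), password.Any(ch => !char.IsLetterOrDigit(ch)) }.Count(b => b);
        bool hasName = username.Length >= 3 && password.IndexOf(username, StringComparison.OrdinalIgnoreCase) >= 0;
        return classes >= 3 && !hasName;
    }

    static void Main()
    {
        // Constructed sample; a real run would pass File.ReadAllLines(@"C:\temp\MySecurityPolicy.inf").
        string[] export = { "[Unicode]", "Unicode=yes", "[System Access]", "MinimumPasswordLength = 12",
                            "PasswordComplexity = 1", "[Event Audit]", "AuditSystemEvents = 0" };
        Dictionary<string, string> policy = ReadSystemAccess(export);
        foreach (string candidate in new[] { "notAgoodPassword", "Str0ng-enough-2024" })
            Console.WriteLine($"{candidate}: {MeetsPolicy(candidate, "Kjartan", policy)}");
    }
}
```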

The API function you want is NetValidatePasswordPolicy.

There are three modes it operates in:

  • NetValidateAuthentication: if you are authenticating a user; so the function can check password expiration policies, bad login attempts, account lockouts, bad login attempts, etc.
  • NetValidatePasswordChange: if the user is changing their password; so the function can check against lockout, or against the password policy

and the mode you want:

  • NetValidatePasswordReset: you are an admin resetting a user's password; which only checks the password complexity.

I'll try transcoding from another language to C# on the fly; but you will have to P/Invoke it.

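/*
    Password reset.

    ValidationStatus, the result of a NetValidatePasswordReset check, can be one of the following values:

        NERR_Success                    The password passes the validation check.
        NERR_PasswordTooShort           Validation failed. The password does not meet policy requirements because it is too short.
        NERR_PasswordTooLong            Validation failed. The password does not meet policy requirements because it is too long.
        NERR_PasswordNotComplexEnough   Validation failed. The password does not meet policy requirements because it is not complex enough.
        NERR_PasswordFilterError        Validation failed. The password does not meet the requirements of the password filter DLL.
*/

using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;

// NetValidatePasswordPolicy, NetValidatePasswordPolicyFree and the NET_VALIDATE_* structs
// are netapi32.dll declarations that you have to supply via P/Invoke.
UInt32 TestPasswordComplexity(String username, SecureString password)
{
   const UInt32 NetValidatePasswordReset = 3;
   const UInt32 NERR_Success = 0;

   NET_VALIDATE_PASSWORD_RESET_INPUT_ARG args = new NET_VALIDATE_PASSWORD_RESET_INPUT_ARG();
   args.UserAccountName = username; //some policies check that your password cannot contain your username
   args.ClearPassword = Marshal.SecureStringToGlobalAllocUnicode(password); //candidate password; field declared as IntPtr (LPWSTR)

   IntPtr res = IntPtr.Zero; //receives a pointer to a NET_VALIDATE_OUTPUT_ARG
   try
   {
      UInt32 le = NetValidatePasswordPolicy(null, IntPtr.Zero, NetValidatePasswordReset, ref args, out res);

      if (le != NERR_Success)
         throw new Win32Exception((int)le); //the call itself failed

      return Marshal.PtrToStructure<NET_VALIDATE_OUTPUT_ARG>(res).ValidationStatus;
   }
   finally
   {
      if (res != IntPtr.Zero)
         NetValidatePasswordPolicyFree(ref res); //the API allocates the output buffer
      Marshal.ZeroFreeGlobalAllocUnicode(args.ClearPassword); //wipe and free the plaintext copy
   }
}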
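
The P/Invoke declarations the function above depends on, as an added example that is not part of the original answer; the layouts follow the netapi32 structures of the same names. The class name and the IsPasswordGood wrapper are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;
using FILETIME = System.Runtime.InteropServices.ComTypes.FILETIME;

static class PasswordPolicyInterop
{
    [StructLayout(LayoutKind.Sequential)]
    struct NET_VALIDATE_PERSISTED_FIELDS
    {
        public uint PresentFields;
        public FILETIME PasswordLastSet, BadPasswordTime, LockoutTime;
        public uint BadPasswordCount, PasswordHistoryLength;
        public IntPtr PasswordHistory;     // PNET_VALIDATE_PASSWORD_HASH
    }
    [StructLayout(LayoutKind.Sequential)]
    struct NET_VALIDATE_PASSWORD_RESET_INPUT_ARG
    {
        public NET_VALIDATE_PERSISTED_FIELDS InputPersistedFields;
        public IntPtr ClearPassword;       // LPWSTR, kept as a raw buffer so it can be wiped
        [MarshalAs(UnmanagedType.LPWStr)] public string UserAccountName;
        public byte PasswordMustChangeAtNextLogon, ClearLockout;   // BOOLEAN
    }
    [StructLayout(LayoutKind.Sequential)]
    struct NET_VALIDATE_OUTPUT_ARG
    {
        public NET_VALIDATE_PERSISTED_FIELDS ChangedPersistedFields;
        public uint ValidationStatus;      // NET_API_STATUS
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern uint NetValidatePasswordPolicy(string serverName, IntPtr qualifier,
        uint validationType, ref NET_VALIDATE_PASSWORD_RESET_INPUT_ARG inputArg, out IntPtr outputArg);
    [DllImport("netapi32.dll")]
    static extern uint NetValidatePasswordPolicyFree(ref IntPtr outputArg);

    // Hypothetical wrapper: true when the reset-mode check (type 3) reports NERR_Success (0).
    public static bool IsPasswordGood(string username, SecureString password)
    {
        var args = new NET_VALIDATE_PASSWORD_RESET_INPUT_ARG { UserAccountName = username };
        args.ClearPassword = Marshal.SecureStringToGlobalAllocUnicode(password);
        IntPtr res = IntPtr.Zero;
        try {
            uint le = NetValidatePasswordPolicy(null, IntPtr.Zero, 3, ref args, out res);
            if (le != 0) throw new Win32Exception((int)le);
            return Marshal.PtrToStructure<NET_VALIDATE_OUTPUT_ARG>(res).ValidationStatus == 0;
        } finally {
            if (res != IntPtr.Zero) NetValidatePasswordPolicyFree(ref res);
            Marshal.ZeroFreeGlobalAllocUnicode(args.ClearPassword);
        }
    }
}
```

ValidationStatus is only meaningful when the call itself returns 0, which is why the wrapper checks the return code before reading the output structure.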
