Add new rules with a plugin
You can use a plugin to display and enforce additional password strength rules in Bravura Security Fabric. You can also include embedded HTML as part of a custom password strength rule. This is helpful in cases where Unix target systems use a text-only terminal and objects cannot be accessed using graphical methods. For example, on systems where hyperlinks are not supported, an HTML tag containing a URL could be displayed.
Configuration
The plugin point is set by the Require the password to be approved by this plugin and the Warn if the password is not approved by this plugin strength rules on the Policies > Password policies configuration page.
Caution
Ensure that password strength rules enforced by the plugin do not conflict with rules enabled in Bravura Security Fabric. A conflict will cause all passwords to be invalid. For example, a minimum password length of 7 characters in Bravura Security Fabric will conflict with a plugin-enforced minimum of 4 or a maximum of 6 characters.
Shipped plugins
There are two shipped plugins for additional password strength checking:
The passfilt.psl plugin program can be used with the Require the password to be approved by this plugin and Warn if the password is not approved by this plugin strength rules, whereas netvalidatepwpol can be used with Require the password to be approved by this plugin only.
passfilt.psl
Bravura Security Fabric is shipped with passfilt.psl, which emulates the Windows NT passfilt.dll to enforce a combination of strength rules. The plugin point is set by the Require the password to be approved by this plugin strength rule on the Manage the system > Policies > Password policies configuration page.
For passwords to be approved by the passfilt.psl plugin, passwords must:
Be at least six characters long.
Not contain your profile ID or name, or any part of your full name.
A profile ID or name value with one character, such as a middle initial, can be used in the password.
Contain characters from at least three of the four following classes:
| Class | Examples |
| --- | --- |
| English uppercase letters | A, B, C, ... Z |
| English lowercase letters | a, b, c, ... z |
| Westernized Arabic numerals | 0, 1, 2, ... 9 |
| Non-alphanumeric ("special characters") | $, !, %, ^ |
Execution points
The passfilt.psl program is run by the View and update profile (IDR) module, the Password synchronization registration (PSR) module, and the Manage the system (PSA) module. The plugin is located in the <instance>\plugin\ directory on the Bravura Security Fabric server.
When passfilt.psl is configured as part of the Bravura Security Fabric password strength policy, it is used to approve passwords entered by users when requesting new accounts.
Input
Bravura Security Fabric makes two calls to the password strength plugin. The first call asks the plugin to display its rules. The second call asks the plugin to validate the selected password.
When Bravura Security Fabric asks the plugin to display its rules, input to the plugin is the KVGroup:
    "show_rules" = {
    }
After a user selects a new password, Bravura Security Fabric calls the program with the following KVGroup:
    "pwcheck" = {
        "accountid" = "<account id>"
        "oldpassword" = "<old password>"
        "password" = "<requested password>"
        "targetid" = "<target id>"
        "userid" = "<user id>"
        "username" = "<user name>"
    }
The accountid, oldpassword, and targetid values may not always be passed to the plugin. Verify that your plugin works under scenarios such as an initial password change (when no old password is available).
Output
When Bravura Security Fabric requests the plugin's password rules (the show_rules KVGroup is input), the plugin may respond with a KVGroup listing the plugin's enforced password requirements as displayed to the user. The default passfilt.psl plugin returns the following KVGroup in response to a show_rules request:
    "" = {
        "rules" = {
            "USERNAME" = "!!!PASSFILT_RULE_USERNAME_DESC"
            "CHARTYPES" = "!!!PASSFILT_RULE_CHARTYPES_DESC"
        }
        "retval" = "0"
    }
Every value in the "rules" KVGroup will be displayed to the user. Keys must be unique between rules in this plugin and are used to associate success/failure statuses with their corresponding rule description. At least one rule description must be provided.
!!!PASSFILT_RULE_USERNAME_DESC and !!!PASSFILT_RULE_CHARTYPES_DESC are multi-language tags that will be transformed into appropriate strings. It is not necessary to use multi-language tags; for convenience, you may simply return non-tag strings, but they will not be translated.
See Add language tags for more information about multi-language tags.
When Bravura Security Fabric asks the plugin to validate the selected password, the plugin must respond with a KVGroup containing a retval (equal to 0 for success, or any other integer for failure), and a pass (true) or failure (false) for each rule defined. If the password failed validation of any of the rules, a corresponding error message must be provided. This error message is typically the description, as demonstrated by passfilt.psl, where it is the same message passed back on error and in response to the "show_rules" request. Keep in mind the description must make sense after the prompt "The password must:".
The shipped passfilt.psl plugin responds to a failure with a KVGroup similar to the following:
    "" = {
        "results" = {
            "USERNAME" = "false"
            "CHARTYPES" = "true"
        }
        "errmsgs" = {
            "USERNAME" = "!!!PASSFILT_RULE_USERNAME_DESC"
        }
        "retval" = "1"
    }
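As an added illustration (not code from Bravura Security Fabric or the shipped passfilt.psl, which is written in PSL), the following Python model implements the show_rules / pwcheck exchange described above with the three passfilt rules. The KVGroup text layout produced by to_kvgroup, the LENGTH rule key, and the use of plain (untranslated) rule descriptions instead of !!! multi-language tags are assumptions.

```python
import re

# Rule descriptions, worded to follow the prompt "The password must:". Plain strings
# rather than !!!tags, so they are not translated. LENGTH is a key of our own; the
# shipped plugin only reports USERNAME and CHARTYPES.
RULES = {
    "LENGTH": "be at least six characters long",
    "USERNAME": "not contain your profile ID or any part of your full name",
    "CHARTYPES": "contain characters from at least three of the four classes",
}
CLASSES = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]

def rule_username(password, userid, username):
    # The profile ID or any name part longer than one character (middle initials
    # are allowed) must not appear in the password, compared case-insensitively.
    parts = [userid] + username.split()
    return not any(len(p) > 1 and p.lower() in password.lower() for p in parts)

def rule_chartypes(password):
    # At least three of the four character classes must be present.
    return sum(1 for c in CLASSES if re.search(c, password)) >= 3

def check_password(req):
    # pwcheck: per-rule results, an errmsg for every failed rule, and retval.
    # accountid, oldpassword and targetid may be absent (initial password change),
    # so nothing here depends on them.
    pw = req.get("password", "")
    results = {
        "LENGTH": len(pw) >= 6,
        "USERNAME": rule_username(pw, req.get("userid", ""), req.get("username", "")),
        "CHARTYPES": rule_chartypes(pw),
    }
    errmsgs = {k: RULES[k] for k, ok in results.items() if not ok}
    return {"results": {k: str(ok).lower() for k, ok in results.items()},
            "errmsgs": errmsgs, "retval": "0" if not errmsgs else "1"}

def handle(request):
    # Dispatch on the top-level key of the input KVGroup: show_rules or pwcheck.
    if "show_rules" in request:
        return {"rules": dict(RULES), "retval": "0"}
    return check_password(request["pwcheck"])

def to_kvgroup(name, value, depth=0):
    # Render a nested dict in the KVGroup text shape shown on this page (assumed).
    pad = "    " * depth
    if isinstance(value, dict):
        inner = "".join(to_kvgroup(k, v, depth + 1) for k, v in value.items())
        return f'{pad}"{name}" = {{\n{inner}{pad}}}\n'
    return f'{pad}"{name}" = "{value}"\n'
```

Calling `to_kvgroup("", handle(request))` yields text in the same shape as the responses shown above; a password such as "johnsmith" for user jsmith fails both USERNAME and CHARTYPES, while "Quartz!9x" passes because the one-character middle initial is ignored.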
netvalidatepwpol.exe
The netvalidatepwpol password strength plugin, shipped with Bravura Security Fabric, is used to enforce the Azure AD Password Protection password policy.
This plugin supports password policy enforcement for both on-premises and cloud installations of Azure AD Password Protection.
Note
On-premises Azure password policy checking is not supported when you have transparent synchronization trigger software enabled for AD on the on-prem DCs. This configuration can create a potential loop when changing passwords for a user. If transparent synchronization is required on Active Directory, follow the instructions for the "Configuration - cloud" section below.
The plugin point is set by the Require the password to be approved by this plugin strength rule.
Configuration - on premises
The netvalidatepwpol plugin can be configured to enforce on-premises Azure password policy checking with the following steps:
Ensure Azure AD Password Protection is On and Enabled in On-premises mode, as described in:
Make sure it is enabled but NOT in Audit mode, to avoid excessive logging.
On the target system configuration page, set the Active Directory target as the "domain" on the address wizard page and specify domain target credentials; the plugin must run in the context of a domain user.
Ensure the Bravura Security Fabric server is a domain member, which is required for the above step.
Copy the sample netvalidatepwpol.cfg file from the samples directory to the plugin directory on the Bravura Security Fabric server.
Update the netvalidatepwpol.cfg file to point to the AD target.
Go to the Manage the system > Policies > Password policies configuration page; set Require the password to be approved by this plugin to netvalidatepwpol.exe.
Configuration - cloud
The netvalidatepwpol plugin can be configured to enforce cloud Azure password policy checking with the following steps:
Ensure Azure AD Password Protection is On and Enabled, as described in:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad
Make sure it is enabled but not in Audit mode, to avoid excessive logging.
Configure an Azure Active Directory target system and associate its accounts to Bravura Security Fabric profiles.
The Azure AD target can also be configured not to list users, since it only needs to serve as a placeholder for the target address and credentials used by the netvalidatepwpol.exe plugin. In this case, the only permission the plugin should need, according to Microsoft, is the User.ReadWrite permission.
Copy the sample netvalidatepwpol.cfg file from the samples directory to the plugin directory on the Bravura Security Fabric server.
Update the netvalidatepwpol.cfg file to point to the Azure AD target. The API is in beta status as per Microsoft's documentation, and we will update our solution when it leaves beta status. By default, netvalidatepwpol.cfg uses the beta API when the "apiver" parameter is not specified. This can also be explicitly specified by setting "apiver" to "beta", for example using the following, assuming the Azure AD target ID is set to "AZURE":
    #KVGROUP-V2.0
    netvalidatepwpol = {
        apiver=beta;
        target = AZURE;
    };
Go to the Manage the system > Policies > Password policies configuration page; set Require the password to be approved by this plugin to netvalidatepwpol.exe.
Execution points
netvalidatepwpol is run by the Change passwords (PSS) module and the Help users (IDA) module.
The netvalidatepwpol.exe plugin program is located in the <instance>\plugin\ directory. There is also a sample configuration file, netvalidatepwpol.cfg, which is located in the samples\ directory on the Bravura Security Fabric server.
When netvalidatepwpol is configured as part of the Bravura Security Fabric password strength policy, it checks the Azure password policy when Active Directory is synchronized with Azure.
In netvalidatepwpol.cfg, the API version used to validate passwords against the Azure policy can be specified as below:
    apiver=beta
By default, when no version is specified, the beta API is used. If Microsoft later releases an official API version that supports this validation, replace beta with that version number; for example, 2.0.
Input
Bravura Security Fabric calls the plugin program with the following KVGroup:
    "pwcheck" = {
        "resourceid" = "<resourceid>"
        "password" = "<requested password>"
        "oldpassword" = "<old password>"
        "userid" = "<user id>"
        "username" = "<user name>"
        "targetid" = "<target id>"
        "accountid" = "<account id>"
        "tgroupid" = "<target group id>"
    }
The accountid, oldpassword, and targetid values may not always be passed to the plugin. Verify that your plugin works under scenarios such as self-service password reset or helpdesk password reset.