After you install the User-ID agent on an
RODC, the User-ID credential service runs in the background and
scans the directory for the usernames and password hashes of group
members that are listed in the RODC password replication policy
(PRP)—you can define who you want to be on this list. The User-ID
credential service then takes the collected usernames and password
hashes and deconstructs the data into a type of bit mask called
a
bloom filter. Bloom filters are compact data structures
that provide a secure method to check if an element (a username
or a password hash) is a member of a set of elements (the sets of
credentials you have approved for replication to the RODC). The
User-ID credential service forwards the bloom filter to the Windows
User-ID agent; the firewall retrieves the latest bloom filter from
the User-ID agent at regular intervals and uses it to detect usernames
and password hash submissions. Depending on your settings, the firewall
then blocks, alerts, or allows on valid password submissions to
web pages, or displays a response page to users warning them of
the dangers of phishing, but allowing them to continue with the
submission.