Enzoic for Active Directory Release Notes

Unless noted, no reboot is required during upgrade, and it is permissible to leapfrog versions. However, all Domain Controllers need to run the same Enzoic version.

2.7 Release Notes

Periodic Summary Report for Administrators
Option to email a report to administrators at a daily, weekly, or monthly frequency showing product activity. The report details how many password changes were screened, how many were flagged for compromised passwords, how many compromised user passwords were found, and a detailed summary of which users were found with compromised passwords and what the current remediation status is for each.

New Password Policy Blocking Passwords Containing:

  • User’s First or Last Name
  • User’s Login Name
  • User’s Email Address

User password changes can now be optionally screened to prevent users from using their first or last name, their login name, and their email address anywhere within the new password. If “fuzzy” password matching is enabled, variants of the password using leetspeak substitutions will also be blocked.

Customizable and Brandable User Notification Emails
Emails sent to users by Continuous Password Protection whenever their password becomes compromised can now be customized. Your company name and logo can now be used in the email and the intro and outro text of the email can be set.

Admin Error Reporting
The product can now send critical error or misconfiguration reports via email to a list of administrators.

Improved UI Organization
Settings are now grouped together in a more logical manner and more context-appropriate help is available.

Stability and Performance Improvements

  • Improved performance of user password change checks.
  • Improved load performance of users list on Reports tab.
  • Allow modification of Product Key without reinstalling.
  • Better installer behavior on upgrades: no longer prompt to kill the Enzoic service.
  • Better retry logic when calls to the Enzoic API fail. In prolonged network outage scenarios, administrator and user alerts could get lost previously.
  • Console UI now only uses specified proxy settings. Prior versions would use Windows proxy server settings instead, resulting in potentially different behaviors between the console UI test page and the actual Enzoic service when proxy server settings were specified in Windows, but not in the Enzoic configuration.

Whitelist Changes
The following additional IP addresses should be whitelisted for outbound communications over TCP port 443 from your domain controllers:
75.2.9.104
99.83.177.145

2.6 Release Notes

One-Click NIST Compliance Setting
A new one-click wizard to guide the user through configuring the application options to ensure compliance with NIST 800-63b password guidelines. This includes:

  • Rejecting common passwords
  • Enabling fuzzy password matching
  • Turning on continuous password protection
  • Accessing the custom password dictionary
  • Checking passwords during password resets

NIST Compliance Status on Dashboard
A dashboard widget that provides “at a glance” indication of whether the current settings are NIST password guideline compliant.

New Wizard Messaging to Recommend Global Password Reset
After the initial setup is complete, a message is displayed indicating that a global password reset needs to be performed. This is necessary to initiate continuous password monitoring.

New Monitored Users Report
A report displaying the status of all protected user accounts. Compromised accounts are clearly indicated. If an account is not being monitored, the reason is shown.

  • There are two views for the report: All Users and Compromised Users.
  • These report views can be exported to a CSV file that can be used by automation scripts or opened in applications such as Excel.

Root Password Detection
Root Password Detection optionally checks user passwords for so-called “root” passwords that are common or compromised. It does this by removing trailing numbers and symbols that users often use to prefix or suffix a less secure password in order to meet complexity or uniqueness guidelines.

  • For example: The password Blackberry1234!!! has a root password of Blackberry.
  • If this option is enabled, the root password Blackberry is checked along with the other calculated variants.

Ignore Domain Trust Accounts in User Count
Defect fixed where Trust Accounts were being counted as users.

Clean Up Server Containers on Uninstall
Defect fixed where domain controller specific data used by Enzoic was being orphaned in Active Directory.

Remove Servers from Delegate Dropdown
Servers are removed from the Delegate dropdown if they haven’t been seen for more than 24 hours. Enzoic for Active Directory now prevents selecting a server which may be offline as the Delegate Server. A Delegate Server is the domain controller in your environment you have chosen to perform the work of Continuous Password Protection. Previously, if you selected a server that was offline or unresponsive, you would not know that Continuous Password Protection was not running.

New Dashboard Widget to List Compromised Users
A widget on the dashboard which displays the usernames of the first few compromised users (if any) and a link to the Users Report if there are too many to display. The widget is red if any user is compromised, otherwise, it is green.

Delete Orphan Containers on Install/Upgrade
When installing Enzoic (either upgrade or re-install), we now find and remove any orphaned application data used by Enzoic previously. An example of this would be server-specific settings for a DC which has since been removed.

Various Stability Improvements

  • The determination of whether a user password change should be checked is now more robust and faster. There was a rarely occurring defect in which a protected user would not have their password checked.
  • Fixed the defect of partially missing output on the Test Page.
  • Removed some unneeded debug logging.
  • Fixed a defect where Enzoic GUI would crash if it didn’t have the debug process permission. This is needed to determine whether the EnzoicFilter.dll is loaded into LSASS.exe. However, on some installations, the permission to do this is denied, and we now fail open, allowing the Enzoic GUI to run.
  • Other various improvements.

2.5 Release Notes

Custom Password Dictionary
Up to 5,000 custom passwords can be stored locally. Candidate passwords and those being protected through continuous monitoring will be evaluated using a partial match comparison (e.g., if the dictionary includes “Summer”, then “SummerVacation2020” will also be blocked).

Fuzzy Password Matching
Fuzzy matching checks multiple variants of the password, controlling for case sensitivity as well as common substitutions, including: case insensitivity; L33T speak substitutions; reverse spelling. Fuzzy password matching is applied to comparisons against Enzoic’s password database and your local dictionary – if enabled.
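
The sketch below is an added illustration, not Enzoic's code. It shows how the fuzzy variants described here combine with the partial-match custom dictionary above and the root password detection introduced in 2.6. The leetspeak map, the sample lists, and the function names are assumptions made for the example.

```python
import re

# Assumed leetspeak map; the page does not list the substitutions Enzoic uses.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample data: a stand-in for the compromised-password database
# and a small local custom dictionary.
COMPROMISED = {"blackberry", "password", "letmein"}
DICTIONARY = ["Summer", "Contoso"]


def root_password(password):
    """Strip the digits and symbols wrapped around the alphabetic core."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)


def variants(password):
    """Case-folded, de-leeted and reversed forms of the password and its root."""
    forms = set()
    for base in (password, root_password(password)):
        lowered = base.lower()
        for form in (lowered, lowered.translate(LEET)):
            forms.update((form, form[::-1]))
    forms.discard("")
    return forms


def screen(password, compromised=COMPROMISED, dictionary=DICTIONARY):
    """Return the reason a candidate is rejected, or None if it passes."""
    forms = variants(password)
    if forms & {c.lower() for c in compromised}:
        return "compromised"             # exact match on some variant
    for word in dictionary:
        if any(word.lower() in form for form in forms):
            return "dictionary:" + word  # partial (substring) match
    return None
```

The root variant only matters for the exact-match check: a substring test against the dictionary already sees the root inside the full password.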

Password Similarity Blocking
New candidate passwords will be screened by similarity to the prior password using a Damerau-Levenshtein distance. Distance refers to the minimum number of changes and is configurable. Please refer to the help icon in the console interface for examples.
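
As an added example (not Enzoic's implementation), the following computes the optimal string alignment variant of Damerau-Levenshtein distance, in which an adjacent transposition counts as one change. It assumes the configured value acts as a minimum distance below which the new password is rejected; the function names and sample passwords are constructed.

```python
def osa_distance(old, new):
    """Edits (insert, delete, substitute, adjacent swap) turning old into new."""
    prev2 = None
    prev = list(range(len(new) + 1))
    for i in range(1, len(old) + 1):
        cur = [i] + [0] * len(new)
        for j in range(1, len(new) + 1):
            cost = 0 if old[i - 1] == new[j - 1] else 1
            cur[j] = min(prev[j] + 1,         # deletion
                         cur[j - 1] + 1,      # insertion
                         prev[j - 1] + cost)  # substitution or match
            # Adjacent transposition, e.g. "er" -> "re", counts as one edit.
            if (i > 1 and j > 1 and old[i - 1] == new[j - 2]
                    and old[i - 2] == new[j - 1]):
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(new)]


def too_similar(old, new, min_distance):
    """Assumed policy: reject when fewer than min_distance edits separate them."""
    return osa_distance(old, new) < min_distance
```

With a minimum distance of 4, incrementing the year in `Winter2023!` to `Winter2024!` is one edit and would be rejected.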

Continuous Password Monitoring – User Notification
Users can be notified when their password is found to be compromised. Notification uses the email address as stored in AD.

Continuous Password Monitoring – Delayed Remediation
The remediation options for “Change Password on Next Login” and “Disable Account” can now be set to wait a configurable number of hours after the password is found to be compromised. If the user changes their password before the delay expires, the remediation action will not be taken, and administrators will be notified accordingly. Administrators are also notified when the remediation action is taken after the delay. If user notification is enabled, users will be notified of both as well. Note there is a change in behavior where users in a compromised password condition will no longer trigger notification each subsequent day when the monitoring is run.

Enhanced Usage Tracking
Password Change and Continuous Password Protection usage displayed on the Results tab now includes the following counters: Number of Operations, Number of Detections (By Total, Fuzzy Matching, Similarity Blocking).

SIEM Friendly Logging
Log files are now stored in a JSON format more friendly for import to SIEM and log management tools.

Update Check
The Enzoic Console application will now perform a version update check and let the admin know if an update to Enzoic for Active Directory is available, along with a link to download subsequent new versions.

Reboot Check
Enzoic Console application will now display a message on the Dashboard if a reboot of the local system is needed to assist with troubleshooting.

UI Enhancements
Settings were reorganized into tabs to support future UI scalability.

2.0 Release Notes

Continuous Password Monitoring
When Continuous Password Protection finds a vulnerable password, there are several automated actions that can be configured in the Monitoring Settings tab. The Email Addresses to be Notified setting provides the listed recipients with a real-time notification indicating the affected user’s account and if the configuration was set to automatically require password change on next login or disable the account. Note that these automated remediation actions are optional.

Select a Delegate Server
Allows the client to select which domain controller will be responsible for performing the continuous monitoring function. Results will then be propagated to any other Domain Controllers that are connected. Enzoic for AD seamlessly manages syncing of configuration across multiple domain controllers.