Skip to main content

Back to Blog

Introducing 1-Click NIST Password Standard Compliance & More

Introducing one-click NIST password standard compliance, user reporting which outlines users who are using compromised passwords, and root password detection to prevent users from using root passwords.

Microsoft’s Active Directory is used widely across companies and industries throughout the world and unfortunately, it is one of the key targets for bad actors. Many organizations are adopting the use of password blacklists or compromised password detection to help protect Active Directory accounts from account takeover. But static password blacklists are simply not enough because they get outdated too fast and attackers often use fresher lists to attack to increase their odds of success.

Modern organizations are moving to Active Directory plugins that automatically check for compromised passwords on a daily basis. The automation reduces the burden on their IT team from having to manually update static lists, while a daily refresh of continuously updated dark web data decreases the window for an attack.

With this in mind, Enzoic is introducing new features into Enzoic for Active Directory version 2.6. This version includes many unique features including easy one-click NIST password standard compliance in the setup wizard, user reporting which outlines users who are using compromised passwords, and root password detection to prevent users from using root passwords.

Please view our release notes below to see the newest features.

2.6 Release Notes
One-Click NIST Password Standard Compliance

A new one-click wizard to guide the user through configuring the application options to ensure compliance with NIST password standards. This includes:

  • Rejecting common passwords
  • Enable fuzzy password matching
  • Turning on continuous password protection
  • Accessing the custom password dictionary
  • Checking passwords during password resets
One-Click NIST Password Standards
NIST Password Standards One-Click Compliance
Root Password Detection

Root Password Detection optionally will check user passwords for so-called “root” passwords that are common or compromised. It does this by removing trailing numbers and symbols that users often will use to prefix or suffix a less secure password in order to meet complexity or uniqueness guidelines.

  • For example: The password Blackberry1234!!! has a root password of Blackberry. If this option is enabled, the root password on Blackberry is checked with the other calculated variants.
Root Password Detection
Root Password Detection
NIST Password Standard Compliance Status on Dashboard

A dashboard widget that provides “at a glance” indication of whether the current settings are NIST compliant.

Dashboard that displays NIST Password Guideline Compliance
Dashboard that displays NIST Password Guideline Compliance

Dashboard Widget to List Compromised Users

A widget on the dashboard displays the usernames of the first few compromised users (if any) and a link to the Users Report if there are too many to display. The widget is red if any user is compromised, otherwise, it is green.

Dashboard that displays Compromised Users
Dashboard that displays Compromised Users

Monitored Users Report

A report displaying the status of all protected user accounts. Compromised accounts are clearly indicated. If an account is not being monitored, the reason is shown.

  • There are two views for the report: All Users and Compromised Users.
  • These report views can be exported to a CSV file that can be used by automation scripts or opened in applications such as Excel.
Compromised User Reporting
Compromised User Reporting
Other Enhancements

Wizard Messaging to Recommend Global Password Reset
After the initial setup is complete, a message is displayed indicating that a global password reset needs to be performed. This is necessary to initiate continuous password monitoring.

Ignore Domain Trust Accounts in User Count
Defect fixed where Trust Accounts were being counted as users.

Clean Up Server Containers on Uninstall
Defect fixed where domain controller specific data used by Enzoic was being orphaned in Active Directory.

Remove Servers from Delegate Dropdown
Remove servers from Delegate dropdown if they haven’t been seen for > 24 hours. Enzoic for Active Directory now prevents selecting a server which may be offline as the Delegate Server. A Delegate Server is the domain controller in your environment you have chosen to perform the work of Continuous Password Protection. Previously, if you selected a server that was offline or unresponsive, you would not know that Continuous Password Protection was not running.

Delete Orphan Containers on Install/Upgrade
When installing Enzoic (either upgrade or re-install), we now find and remove any orphaned application data used by Enzoic previously. An example of this would be server specific settings for a DC which has since been removed.

Stability Improvements

  • The determination of whether a user password change should be checked is now more robust and faster. There was a rarely occurring defect in which a protected user would not have their password checked.
  • Fixed the defect of partially missing output on the Test Page.
  • Removed some unneeded debug logging.
  • Fixed a defect where Enzoic GUI would crash if it didn’t have the debug process permission. This is needed to determine whether the EnzoicFilter.dll is loaded into LSASS.exe. However, on some installations, the permission to do this is denied, and we now fail open, allowing the Enzoic GUI to run.
  • Other various improvements.