Enzoic for Active Directory 3.3

Setup Instructions

Please ensure you've reviewed the information on the Installation Prerequisites page prior to proceeding.

Download the Installer

The installer is available as both an MSI and an EXE. The EXE version will install the necessary version of the .NET Framework if it is not already available on your server, while the MSI will not. If in doubt, you should use the EXE installer.

Links to download the most current version (Domain Controllers must all run the same version):

https://cdn.enzoic.com/files/EnzoicForAD.exe (MD5: 24843ec7baec3a1be1609fd6bd7de7bb)
https://cdn.enzoic.com/files/EnzoicForAD.msi (MD5: 56193fd0ca39b7cd61aee5c8850ab344)
https://cdn.enzoic.com/files/EnzoicForADClient.msi (MD5: 270d9c84f19c8b7ee823f23f42c2fc08)

Read the current release notes.

Multiple Domain Controllers

Enzoic for Active Directory needs to be installed on every writable domain controller in the target domain; it is not necessary to install it on read-only domain controllers. Note that Enzoic for Active Directory stores its configuration settings in Active Directory, so once it is configured on one domain controller, the configuration settings will replicate to all the domain controllers in the domain.

Multiple Domain Environments

Enzoic for Active Directory runs at the domain level and does not support interacting with multiple domains. Its configuration and state are all stored at the domain level. If you have an environment with a multi-domain forest or parent-child domain relationships, Enzoic for Active Directory must be installed and managed separately on each domain in your environment. After installing Enzoic for Active Directory on the first DC in each domain, you will need to run the console application as a domain admin on that domain and go through first-time configuration.

Setup Wizard Installation

Run the installer, and then reboot the domain controller when prompted. Future upgrades will not generally require a reboot, but the initial install does.

Enzoic for Active Directory needs to run on each domain controller; however, it only needs to be configured once. All configuration settings (with the exception of the optional proxy server settings) are stored in Active Directory and automatically shared with all instances in that domain.

After the initial reboot, the Setup Wizard will walk you through the configuration process with the following steps. All settings can be modified through the console after initial set-up:

1. Network Settings
2. License
3. Monitored Entities
4. One-Click NIST Compliance
5. Custom Dictionary
6. Password Change Screening
7. User Password Monitoring
8. User Credentials Monitoring
9. Password Policies
10. Administrative Notifications
11. Test Settings

1. Network Settings

Adjust the API timeout duration. This controls how long a user password change will be held waiting for a response from the Enzoic API. If the timeout is reached, the check fails open: the password change is allowed to go through without the user password being checked for compromise. The compromise status will be detected subsequently if Continuous Password Protection is enabled. Although it is completely dependent on your Internet connection, typical response times for the Enzoic API from most locations are less than 500 milliseconds.

OPTIONAL: Specify an HTTP proxy server to use if your DC does not have direct Internet access. This setting will need to be configured separately on each Domain Controller.

2. License

Enter the Enzoic License Key provided for your account.

You can register to obtain a free key.

3. Monitored Entities

Specify which Active Directory accounts to protect. You can select any combination of individual users, groups, or containers/OUs.

For best performance with large domains, it is highly recommended to not use recursive groups and to enable the "Disable Recursive Membership Checks" setting. This will ensure your users have the lowest possible latency during password changes.

4. One-Click NIST Compliance

Choose if you’d like to accept the default settings recommended for NIST 800-63b compliance:

  • Custom dictionary for context-sensitive words for your business
  • Common passwords found in cracking dictionaries
  • Fuzzy matching for common password patterns and substitutions
  • Continuous monitoring to detect when existing user passwords become vulnerable

If you choose NIST 800-63b compliance mode, these settings will be automatically applied and you will get an overall status on the Enzoic Console dashboard indicating whether your current settings are in compliance.

If you're unfamiliar with the new NIST 800-63b standard, a quick rundown is here and the full standard can be found here.

5. Add Words Specific to Your Business to Custom Dictionary
(only shown when One-Click NIST Compliance is selected)

If you choose NIST 800-63b compliance mode, you should add words specific to your business and office locations. Add product name(s), your business name(s), names of cities your offices are in, local sports teams, etc. These will be added to the local dictionary and used to prevent passwords containing these terms. Make sure not to include words that are too short or generic, as this will prevent any passwords containing these strings from being used.

6. Password Change Screening
(not shown when One-Click NIST Compliance is selected)

Select whether you want Enzoic to screen user password changes. When enabled, users who are in one of the monitored groups or OUs will have their new passwords checked whenever they are changed. Passwords that are either present on Enzoic's compromised password list or don't meet any of the other password complexity policies you have selected will be rejected, and the user will be required to enter a different password.

You may want to disable this option if you'd prefer for Enzoic to do offline checks of user passwords and/or credentials and not interactively check passwords during change. However, it is highly recommended that you leave this setting enabled.

The "Screen password resets performed by administrators" option controls whether administrators are exempt from this check when manually resetting a user's password for them via Active Directory administrative tools.

7. User Password Monitoring

User Password Monitoring checks once every 24 hours to determine if any monitored users’ passwords have become compromised. The "Action to Take" dropdown allows you to select remediation actions to use when such a compromised password is detected. The following remediation actions are available:

  • User Must Change Password on Next Login
    Immediately sets the User must change password at next logon setting in Active Directory for this user
  • User Must Change Password on Next Login (Delayed)
    Sets the User must change password at next logon setting in Active Directory for this user after the selected delay period
  • Disable Account
    Immediately sets the Account is disabled setting in Active Directory for this user
  • Disable Account (Delayed)
    Sets the Account is disabled setting in Active Directory for this user after the selected delay period
  • Notification Only
    The administrators on the notify list (configured in the Administrative Notifications step) as well as, optionally, the affected user will be notified via email that the password is compromised. No other action will be taken.

Regardless of the remediation setting, administrators on the notify list (configured in a later step) will always receive an email notification of a compromise.

If the “Notify affected users” setting on this page is selected, and an email address is available for the user in Active Directory, the affected user will also be notified by email. If the "Action to Take" is set to one of the delayed remediation actions, the user will be notified that if they do not change their password within the remediation delay period, that action will take effect. For an immediate remediation, users will simply be notified that the selected remediation has occurred.

Clicking "Customize Email" gives you the ability to customize the alert emails sent to users. You can add your company name and corporate logo and customize the Intro and Footer text in the email.

Lastly, you can select the Delegate Server used to run User Password Monitoring scans. This is the DC in your organization which will do the work of checking user passwords for compromise. This occurs in an evenly spaced out manner over the course of the day and is generally a light workload on the server, but it is recommended to choose a lightly loaded or more powerful DC for this role to avoid introducing any potential performance problems.

8. User Credentials Monitoring

Note that this page may be omitted if your license isn't enabled for User Credentials Monitoring.

When enabled, User Credentials Monitoring (if available for your license level) checks once every 24 hours to determine if any monitored users’ credentials have become compromised. This is different from User Password Monitoring in that the exact email/password combination for the user is checked for compromise, rather than just the password. Since a compromise of this nature is much riskier, you may wish to select more stringent remediation options when this occurs.

The "Action to Take" dropdown allows you to select remediation actions to use when compromised credentials are detected for a user. The following remediation actions are available:

  • User Must Change Password on Next Login
    Immediately sets the User must change password at next logon setting in Active Directory for this user
  • User Must Change Password on Next Login (Delayed)
    Sets the User must change password at next logon setting in Active Directory for this user after the selected delay period
  • Disable Account
    Immediately sets the Account is disabled setting in Active Directory for this user
  • Disable Account (Delayed)
    Sets the Account is disabled setting in Active Directory for this user after the selected delay period
  • Notification Only
    The administrators on the notify list (configured in the Administrative Notifications step) as well as, optionally, the affected user will be notified via email that the credentials are compromised. No other action will be taken.

Regardless of the remediation setting, administrators on the notify list (configured in a later step) will always receive an email notification of a compromise.

If the “Notify affected users” setting on this page is selected, and an email address is available for the user in Active Directory, the affected user will also be notified by email. If the "Action to Take" is set to one of the delayed remediation actions, the user will be notified that if they do not change their password within the remediation delay period, that action will take effect. For an immediate remediation, users will simply be notified that the selected remediation has occurred.

Clicking "Customize Email" gives you the ability to customize the alert emails sent to users. You can add your company name and corporate logo and customize the Intro and Footer text in the email. Note that these customization settings are distinct from those used for Password Monitoring, so you can use different text specific to this alert type if you prefer.

Lastly, you can select the Delegate Server used to run User Credentials Monitoring scans. This is the DC in your organization which will do the work of checking user credentials for compromise. This occurs in an evenly spaced out manner over the course of the day and is generally a light workload on the server, but it is recommended to choose a lightly loaded or more powerful DC for this role to avoid introducing any potential performance problems.

9. Password Policies
(only shown when One-Click NIST Compliance is selected)

This page contains settings defining the specifics of how Enzoic will handle compromised password screening (i.e. inclusion of cracking dictionaries, fuzzy matching, etc.) and additional password complexity policies that can optionally be applied.

Compromised Password Screening Settings:
  • Reject common passwords found in cracking dictionaries
    Enzoic's database contains two types of passwords: those that have been exposed in data breaches and those that have been recovered from the dictionaries that hackers use to crack passwords. Disable this option if you'd prefer to check your user passwords only against those exposed in data breaches.
  • Use fuzzy password matching
    Fuzzy password matching ignores case and performs common "leet speak" substitutions as part of the password screening process. For example, if the candidate password is "Georgie", with this setting enabled variants like "georgie", "g30rg13", "G30RG13", etc. are checked as well. It is recommended to enable this setting.
  • Screen root passwords
    Users will often add numbers and/or symbols at the beginning or end of their password in an attempt to reuse the same root password. This is problematic if a hacker learns the root password and makes some rudimentary guesses as to the pattern. For example, a user might change their password from "Password123!" to "Password124!" during a required password change. Enabling this option instructs Enzoic to attempt to identify such root passwords and check them for compromise as well.
Additional Password Policies:
  • Reject passwords containing user's first or last name
    Enabling will reject passwords containing the user's first or last name. If Fuzzy Password Matching is enabled, "leet speak" variants will also be disallowed.
  • Reject passwords containing user's login name
    Enabling will reject passwords containing the user's Windows login name. If Fuzzy Password Matching is enabled, "leet speak" variants will also be disallowed.
  • Reject passwords containing user's email address
    Enabling will reject passwords containing the user's corporate email address. If Fuzzy Password Matching is enabled, "leet speak" variants will also be disallowed.
  • Reject passwords containing repeating characters
    Enabling will reject passwords in which any single character repeats more times than the threshold defined in this setting.
  • Password Similarity Blocking
    Enabling will reject passwords that are too similar to the user's existing password. You can define a Minimum Required Distance, which is the minimum number of differences the new password must have from the current one. This distance is defined as the number of single-character additions, substitutions or deletions required to transform the current password into the new one. For example, if the original password was "Flatirons2018!" and the new password was "Flatirons!2019$", the distance would be 3 (insert '!', substitute '9' for '8', substitute '$' for '!'). "Normalize Password First" performs this check case-insensitively and applies common "leet speak" substitutions to both passwords before measuring the distance.

    Note that either User Password Monitoring or User Credentials Monitoring must be enabled for Password Similarity Blocking to function.
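An added illustration (not Enzoic's code) of the step 9 rules as described above: leet-aware normalisation for fuzzy matching, root-password extraction, and the edit distance behind Password Similarity Blocking, run against the page's own examples. The substitution table and the helper names are assumptions; Enzoic's actual implementation is not documented here.

```python
import string

# Assumed substitution table for "leet" normalisation; Enzoic's real table is
# not documented on this page, so treat these mappings as illustrative.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Fuzzy-matching canonical form: ignore case and undo leet substitutions."""
    return password.lower().translate(LEET)


def root_password(password: str) -> str:
    """Strip digits/symbols bolted onto the ends ("Password124!" -> "Password")."""
    return password.strip(string.digits + string.punctuation)


def levenshtein(a: str, b: str) -> int:
    """Single-character insertions, deletions and substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def too_similar(current: str, new: str, min_distance: int,
                normalize_first: bool = False) -> bool:
    """Password Similarity Blocking: reject when the edit distance is below the minimum."""
    if normalize_first:
        current, new = normalize(current), normalize(new)
    return levenshtein(current, new) < min_distance


def contains_term(password: str, term: str, fuzzy: bool = True) -> bool:
    """Name/login/email/custom-dictionary rule; fuzzy mode also catches leet variants."""
    if fuzzy:
        return normalize(term) in normalize(password)
    return term in password
```

With the page's example, levenshtein("Flatirons2018!", "Flatirons!2019$") returns 3, so a Minimum Required Distance of 4 would reject the change and 3 would allow it.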

10. Administrative Notifications

Include one or more email addresses to be notified for administrative events. These events include:

  1. Detection of new user password compromise
  2. Summary of all users’ compromise status
  3. Alerts about any service operation errors

An optional Periodic Summary report is also available that can be sent to the administrators in the list, if selected here. This report can be sent Daily, Weekly or Monthly.

11. Test Settings

The Test Page allows you to verify that your settings are working as expected and that the Enzoic API Servers are reachable from your environment.

Entering a username here (either NT4 style or UPN) and a test password allows you to validate that:

  1. The service is working and the Enzoic API servers are reachable
  2. The entered username is in one of the monitored OUs or groups
  3. The entered password is allowed or rejected based on your selected policies

A sample compromised password: uGetL0ckedOut!

If you receive an error indicating there is a problem reaching the Enzoic servers, please review the Troubleshooting section.

Completing Setup

After you have finished the Setup Wizard, you will be placed on the Enzoic Console Dashboard. You will receive a prompt asking if you'd like to run an initial scan of your domain for users with compromised passwords. If you are familiar with the Enzoic AD Lite product, this is essentially the same scan.

Proceeding will scan all user passwords in your Active Directory domain to see if the exact password is present in Enzoic's database of bad passwords (note this scan can take some time for very large domains). At the end of the scan, you will see a dialog with a report showing which users had weak or compromised passwords. From the report, you can select users to perform remediations such as disabling their account or forcing a password change on next login. You may also export the results to a CSV for reference.

Completing the setup process above will get you started with a single default monitoring policy and some initial settings. You can always tweak the settings from the Console Settings or Monitoring Policies area.