Enzoic for Active Directory is a tool that integrates into Active Directory and enforces additional password rules to prevent users from using compromised credentials. Unlike products that only check passwords after they are saved, thus requiring subsequent reset by the user, Enzoic validates the password at the time it is being selected.

Enzoic for Active Directory registers a Microsoft standard Password Filter. This filter is used to gate user password changes and check candidate passwords against a continuously updated cloud database of exposed passwords using a partial hash based comparison.

When a user password change is received by the LSA, it notifies Enzoic’s Password Filter DLL. The Enzoic Service connects via HTTPS to the Enzoic Cloud API to check the new password and return a response. If the password is identified as compromised, it is rejected. If the password is not compromised, the password change operation is allowed to proceed.

Enzoic for Active Directory works wherever the password is being set or changed. When rejected, the user is notified via the standard Windows message that a password does not pass domain policies (e.g. “The value provided for the new password does not meet the length, complexity, or history requirements of the domain”). If the change request has come from a third-party service (e.g. IAM platform), that service receives the standard Windows notification and displays accordingly.

Enzoic for Active Directory uses the same partial hash comparison approach to check each password daily to determine if has become vulnerable. This check is initiated from the Delegate Server as configured on the Monitoring Settings tab of the Console app.

There are several automated actions that can be configured in the Monitoring Settings tab. The Email Addresses to be Notified setting provides the listed recipients with a real-time notification indicating the affected user’s account and if the configuration was set to automatically require password change on next login or disable the account. Note that these automated remediation action are optional.

Enzoic for Active Directory uses a partial hash comparison approach through Enzoic’s Password API. This allows you to check whether a given password is known to be compromised, without the exact password or hash leaving your environment. It is only necessary to supply the first 10 hex characters of a hash. A list of candidate hashes will then be returned and compared locally with the exact hash to determine if there is a match.

The Enzoic for Active Directory application is installed on each domain controller manually or via GPO policy. The install registers the Enzoic Password Filter DLL and runs the Enzoic Service on each domain controller.

Separately an Enzoic Console application is installed as a user interface to define the desired configuration. The configuration is stored in the Active Directory and replicated to other domain controllers via standard AD replication. The Enzoic Console is installed by default on the Domain Controller, but can be installed on any server connected to the domain.

No. Enzoic’s Password Filter DLL can work in conjunction with the default password policy settings enforced by Active Directory, as well as those from third-party Password Filter DLLS. If a new password fails validation from any of the installed password filters, it will be rejected.

Yes. Enzoic for Active Directory needs to be installed on each domain controller. Note that Enzoic for Active Directory stores its configuration settings in Active Directory, so once it is configured on one domain controller, the configuration settings will replicate to all the domain controllers in the domain. See our Enzoic for Active Directory Installation Instruction for simple deployment via GPO.

No. A standard container on Active Directory is used to store the configuration as a JSON string, so no schema changes are required.

Enzoic for Active Directory supports any Windows Server 2008 R2 or greater for Forest and Domain functional level. Microsoft .NET Framework 4.5 is required.

Enzoic for Active Directory requires an active Internet connection. You can
 specify a proxy server if you do not want Enzoic for Active Directory communicating directly over the Internet. Please see Firewall Requirements below for the required IP whitelist.

There is no requirement to use a proxy, however some clients will choose to restrict domain controllers from accessing the Internet directly. To support this case, clients may configure any HTTP proxy to act as an intermediary between the domain controller and the Enzoic Cloud. See the Network Settings tab of the Enzoic Console to enter your proxy settings. The proxy server will need to have able to access the list of IP addresses specified in the Firewall Requirements of the Enzoic for Active Directory Installation Instruction page.

No customer data is stored by Enzoic. The partial hash sent to the Enzoic server is kept in memory only long enough to perform the database lookup and then the memory is zeroed out at the end of the call.

The data is sourced from the public Internet, Dark Web, and human intelligence and is continuously updated several times each day. To maintain our database, we use a combination of automated and manual collection processes.

Yes. Organizations using Azure AD in a hybrid mode can use Enzoic for Active Directory using Password writeback by enabling this configuration option in Azure.