Frequently Asked Questions for Active Directory

Frequently Asked Questions

Answers to commonly asked questions about Enzoic for Active Directory

GENERAL

How does Enzoic for Active Directory check passwords being created or reset?

Enzoic for Active Directory registers a Microsoft standard Password Filter. This filter is used to gate user password changes and check candidate passwords against a continuously updated cloud database of exposed passwords using a partial hash based comparison.

When a user password change is received by the LSA, it notifies Enzoic’s Password Filter DLL. The Enzoic Service connects via HTTPS to the Enzoic Cloud API to check a partial hash of the new password. If the password is identified as compromised, it is rejected. If the password is not compromised, the password change operation is allowed to proceed.

What does the user see when a password is rejected?

Enzoic for Active Directory works wherever the password is being set or changed. When rejected, the user is notified via the standard Windows message that a password does not pass domain policies (e.g. “The value provided for the new password does not meet the length, complexity, or history requirements of the domain”). If the change request has come from a third-party service (e.g. IAM platform), that service receives the standard Windows notification and displays accordingly.

How does Continuous Password Protection work?

What happens when Continuous Password Protection finds a vulnerable password?

INSTALLATION

How complex is Installation?

What are the Enzoic for Active Directory system requirements?

Enzoic for Active Directory supports any Windows Server 2008 R2 or greater for Forest and Domain functional level. Microsoft .NET Framework 4.5 is required. Enzoic for Active Directory requires an active Internet connection. You can  specify a proxy server if you do not want Enzoic for Active Directory communicating directly over the Internet. If your firewall requires whitelisting IPs for traffic on port 443, please see Firewall Requirements in our Enzoic for Active Directory Installation Instructions.

Where is Enzoic for Active Directory installed?

The Enzoic for Active Directory application is installed on each domain controller manually or via GPO policy. The install registers the Enzoic Password Filter DLL and runs the Enzoic Service on each domain controller.

Separately an Enzoic Console application is installed as a user interface to define the desired configuration. The configuration is stored in the Active Directory and replicated to other domain controllers via standard AD replication. The Enzoic Console is installed by default on the Domain Controller, but can be installed on any server connected to the domain. See our Enzoic for Active Directory Installation Instruction for simple deployment via GPO.

Will Enzoic’s compromised password policy conflict with other password policies?

Are any schema changes required in Active Directory?

What type of proxy is required?

There is no requirement to use a proxy, however some clients will choose to restrict domain controllers from accessing the Internet directly. To support this case, clients may configure any HTTP proxy to act as an intermediary between the domain controller and the Enzoic Cloud. See the Network Settings tab of the Enzoic Console to enter your proxy settings. The proxy server will need to have able to access the list of IP addresses specified in the Firewall Requirements of the Enzoic for Active Directory Installation Instruction page.

Can Enzoic for Active Directory work with Azure AD?

FEATURES

How does fuzzy password matching work?

What is root password detection?

Root password detection provides more flexibility in the setting configuration. This option will enable or disable determining the function to determine a “root” password. It does this by removing trailing numbers and symbols.

For example:

The password Blackberry1234!!! has a root password of Blackberry.
If this option is enabled, the root password on Blackberry is checked with the other calculated variants.

How does password similarity blocking work?

In Enzoic for Active Directory’s password similarity blocking, the systems admin can determine the amount of differences required between the old password and the new password. New passwords are screened by similarity to former password using the Damerau-Levenshtein distance. With this password policy, the minimum number of differences would be 1 and the maximum number of differences for this rule would be 8. Organizations have various opinions on how many characters should be different between old and new passwords, so this allows them to adjust it to the right level for their business.

How many words can be added to the custom password dictionary?

With Enzoic for Active Directory, organizations can add up to 5000 custom passwords stored locally that will be screened and blocked at creation. These words can be local sports team, years, product names, the company name, office locations, etc. Whatever is most commonly used by employees. Custom passwords are partially matched and case insensitive so any password that includes that word would be blocked. These can also be optionally fuzzy matched if you have fuzzy matching turned on.

Can passwords be blocked from including users’ information?

Can email alerts be customized?

Can you see which users are compromised?

Can reports be delivered automatically via email?

Yes. There is an option to email a summary report to administrators on daily/weekly/monthly frequency showing product activity. Report will detail how many password changes were screened, how many were flagged for compromised passwords, how many compromised user passwords were found, and a detailed summary of which users were found with compromised passwords and what the current remediation status is for each.

What visibility is available?

Can I integrate event logs into my SIEM system?

SECURITY

What information is sent to the Enzoic servers?

Enzoic for Active Directory uses a partial hash comparison approach through Enzoic’s Password API. This allows you to check whether a given password is known to be compromised, without the exact password or hash leaving your environment. It is only necessary to supply the first 10 hex characters of a hash. A list of candidate hashes will then be returned and compared locally with the exact hash to determine if there is a match.

Is any customer data stored by Enzoic servers?

ADDITIONAL

What is the source of Enzoic’s compromised data?

How hard is it to comply with NIST password guidelines?

How does automation help IT when comparing passwords to password blacklists?

Some organizations buy password policy enforcement tools that handle one or some of these, but the most recent version of Enzoic for Active Directory can meet all the NIST criteria. The goal of this product is to allow IT to set it up and then just let it run.
Organizations have unique needs, so the automated responses can be customized when compromised or weak passwords are found. Organizations can automatically force a password reset, disable the account, or send alerts to an admin, the IT helpdesk or the user. The organization can then select the appropriate automated action—ranging from prompting the user to change their password on some future login to instantly disabling the account.