Frequently Asked Questions
Answers to commonly asked questions about Enzoic for Active Directory
Enzoic for Active Directory is a tool that integrates into Active Directory and enforces additional password rules to prevent users from using compromised credentials. Unlike products that only check passwords after they are saved, thus requiring subsequent reset by the user, Enzoic validates the password at the time it is being selected.
Enzoic for Active Directory registers a Microsoft standard Password Filter. This filter is used to gate user password changes and check candidate passwords against a continuously updated cloud database of exposed passwords using a partial hash based comparison.
When a user password change is received by the LSA, it notifies Enzoic’s Password Filter DLL. The Enzoic Service connects via HTTPS to the Enzoic Cloud API to check the new password and return a response. If the password is identified as compromised, it is rejected. If the password is not compromised, the password change operation is allowed to proceed.
Enzoic for Active Directory works wherever the password is being set or changed. When rejected, the user is notified via the standard Windows message that a password does not pass domain policies (e.g. “The value provided for the new password does not meet the length, complexity, or history requirements of the domain”). If the change request has come from a third-party service (e.g. IAM platform), that service receives the standard Windows notification and displays accordingly.
Enzoic for Active Directory uses the same partial hash comparison approach to check each password daily to determine if has become vulnerable. This check is initiated from the Delegate Server as configured on the Monitoring Settings tab of the Console app.
There are several automated actions that can be configured in the Monitoring Settings tab. The Email Addresses to be Notified setting provides the listed recipients with a real-time notification indicating the affected user’s account and if the configuration was set to automatically require password change on next login or disable the account. Note that these automated remediation action are optional.
Enzoic for Active Directory uses a partial hash comparison approach through Enzoic’s Password API. This allows you to check whether a given password is known to be compromised, without the exact password or hash leaving your environment. It is only necessary to supply the first 10 hex characters of a hash. A list of candidate hashes will then be returned and compared locally with the exact hash to determine if there is a match.
The Enzoic for Active Directory application is installed on each domain controller manually or via GPO policy. The install registers the Enzoic Password Filter DLL and runs the Enzoic Service on each domain controller.
Separately an Enzoic Console application is installed as a user interface to define the desired configuration. The configuration is stored in the Active Directory and replicated to other domain controllers via standard AD replication. The Enzoic Console is installed by default on the Domain Controller, but can be installed on any server connected to the domain.
No. Enzoic’s Password Filter DLL can work in conjunction with the default password policy settings enforced by Active Directory, as well as those from third-party Password Filter DLLS. If a new password fails validation from any of the installed password filters, it will be rejected.
Yes. Enzoic for Active Directory needs to be installed on each domain controller. Note that Enzoic for Active Directory stores its configuration settings in Active Directory, so once it is configured on one domain controller, the configuration settings will replicate to all the domain controllers in the domain. See our Enzoic for Active Directory Installation Instruction for simple deployment via GPO.
No. A standard container on Active Directory is used to store the configuration as a JSON string, so no schema changes are required.
Enzoic for Active Directory supports any Windows Server 2008 R2 or greater for Forest and Domain functional level. Microsoft .NET Framework 4.5 is required. Enzoic for Active Directory requires an active Internet connection. You can specify a proxy server if you do not want Enzoic for Active Directory communicating directly over the Internet. If your firewall requires whitelisting IPs for traffic on port 443, please see Firewall Requirements in our Enzoic for Active Directory Installation Instructions.
Yes. Organizations using Azure AD in a hybrid mode can use Enzoic for Active Directory using Password writeback by enabling this configuration option in Azure.
Yes. Enzoic for Active Directory logs important events to a JSON format log file which can be used for ingestion into SIEM systems. Read: Documentation for SIEM Logging
Root password detection provides more flexibility in the setting configuration. This option will enable or disable determining the function to determine a “root” password. It does this by removing trailing numbers and symbols.
For example:
- The password Blackberry1234!!! has a root password of Blackberry.
- If this option is enabled, the root password on Blackberry is checked with the other calculated variants.
Yes- there is a report displaying the status of all protected user accounts. Compromised accounts are clearly indicated. If an account is not being monitored, the reason is shown.
- There are two views for the report: All Users and Compromised Users.
- These report views can be exported to a CSV file that can be used by automation scripts or opened in applications such as Excel.
The newest version of Enzoic for Active Directory has a wizard to guide the user through configuring the application options to ensure compliance with NIST. It also includes a new dashboard widget that provides “at a glance” indication of whether the settings are NIST compliant.
Each Enzoic customer has a different threshold for how much they want to block. Some want a lot blocked so we added more passwords from cracking dictionaries. Some want less blocked to reduce user frustration. To reduce the amount of passwords blocked, simply uncheck the cracking dictionaries box in the dashboard.
With Enzoic for Active Directory, organizations can add up to 5000 custom passwords stored locally that will be screened and blocked at creation. These words can be local sports team, years, product names, the company name, office locations, etc. Whatever is most commonly used by employees. Custom passwords are partially matched and case insensitive so any password that includes that word would be blocked. These can also be optionally fuzzy matched if you have fuzzy matching turned on.
In Enzoic for Active Directory’s password similarity blocking, the systems admin can determine the amount of differences required between the old password and the new password. New passwords are screened by similarity to former password using the Damerau-Levenshtein distance. With this password policy, the minimum number of differences would be 1 and the maximum number of differences for this rule would be 8. Organizations have various opinions on how many characters should be different between old and new passwords, so this allows them to adjust it to the right level for their business.
Fuzzy password matching checks for multiple variants of the password, including case sensitivity as well as common substitutions such as leetspeak and password reversing.
Some organizations buy password policy enforcement tools that handle one or some of these, but the most recent version of Enzoic for Active Directory can meet all the NIST criteria. The goal of this product is to allow IT to set it up and then just let it run.
Organizations have unique needs, so the automated responses can be customized when compromised or weak passwords are found. Organizations can automatically force a password reset, disable the account, or send alerts to an admin, the IT helpdesk or the user. The organization can then select the appropriate automated action—ranging from prompting the user to change their password on some future login to instantly disabling the account.
Organizations have unique needs, so the automated responses can be customized when compromised or weak passwords are found. Organizations can automatically force a password reset, disable the account, or send alerts to an admin, the IT helpdesk or the user. The organization can then select the appropriate automated action—ranging from prompting the user to change their password on some future login to instantly disabling the account.
Additionally, Enzoic for Active Directory has incorporated additional insights into the product. It has enhanced usage tracking so Active Directory administrators can see the total number of detections, including the number of detections due to fuzzy matching, local dictionary or password similarity matching. With log files now stored in a JSON format, outside consumption by SIEM and log management tools can help streamline reporting.
Enzoic for Active Directory runs on each domain controller so it can check every password wherever it is being created; however, it only needs to be configured once. All of its configuration settings are stored in Active Directory itself and automatically shared across other domain controllers to make it easy. With the installation wizard, it is easy to install so you can get it up and running fast. Some customers have it fully implemented in 3 minutes, but of course, that depends on the complexity of your environment.
There is no requirement to use a proxy, however some clients will choose to restrict domain controllers from accessing the Internet directly. To support this case, clients may configure any HTTP proxy to act as an intermediary between the domain controller and the Enzoic Cloud. See the Network Settings tab of the Enzoic Console to enter your proxy settings. The proxy server will need to have able to access the list of IP addresses specified in the Firewall Requirements of the Enzoic for Active Directory Installation Instruction page.
The data is sourced from the public Internet, Dark Web, and human intelligence and is continuously updated several times each day. To maintain our database, we use a combination of automated and manual collection processes.
No customer data is stored by Enzoic. The partial hash sent to the Enzoic server is kept in memory only long enough to perform the database lookup and then the memory is zeroed out at the end of the call.