Frequently Asked Questions
Answers to commonly asked questions about Enzoic for Active Directory
GENERAL
Enzoic for Active Directory is a tool that integrates into Active Directory and enforces additional password rules to prevent users from using compromised credentials. Enzoic validates the password at the time it is being selected and then re-checks the password again daily.
Enzoic for Active Directory registers a Microsoft standard Password Filter. This filter is used to gate user password changes and check candidate passwords against a continuously updated cloud database of exposed passwords using a partial hash based comparison.
When a user password change is received by the LSA, it notifies Enzoic’s Password Filter DLL. The Enzoic Service connects via HTTPS to the Enzoic Cloud API to check a partial hash of the new password. If the password is identified as compromised, it is rejected. If the password is not compromised, the password change operation is allowed to proceed.
Enzoic for Active Directory works wherever the password is being set or changed. When rejected, the user is notified via the standard Windows message that a password does not pass domain policies (e.g. “The value provided for the new password does not meet the length, complexity, or history requirements of the domain”). If the change request has come from a third-party service (e.g. IAM platform), that service receives the standard Windows notification and displays accordingly.
Enzoic for Active Directory uses the same partial hash comparison approach to check each password daily to determine if it has become vulnerable. This check is initiated from the Delegate Server as configured on the Monitoring Settings tab of the Console app.
There are several automated actions that can be configured in the Monitoring Settings tab. Options include notifying an Administrator and/or the affected User. If desired, the User’s account can be disabled or password reset required after a desired delay.
INSTALLATION
With the installation wizard, it is easy to install so you can get it up and running fast. Some customers have it fully implemented in 15 minutes, but of course, that depends on the complexity of your environment.
Enzoic for Active Directory supports any Windows Server 2008 R2 or greater for Forest and Domain functional level. Microsoft .NET Framework 4.5 is required. Enzoic for Active Directory requires an active Internet connection. You can specify a proxy server if you do not want Enzoic for Active Directory communicating directly over the Internet. If your firewall requires whitelisting IPs for traffic on port 443, please see Firewall Requirements in our Enzoic for Active Directory Installation Instructions.
The Enzoic for Active Directory application is installed on each domain controller manually or via GPO policy. The install registers the Enzoic Password Filter DLL and runs the Enzoic Service on each domain controller.
Separately an Enzoic Console application is installed as a user interface to define the desired configuration. The configuration is stored in the Active Directory and replicated to other domain controllers via standard AD replication. The Enzoic Console is installed by default on the Domain Controller, but can be installed on any server connected to the domain. See our installation instructions for simple deployment via GPO.
No. Enzoic’s Password Filter DLL can work in conjunction with the default password policy settings enforced by Active Directory, as well as those from third-party Password Filter DLLS. If a new password fails validation from any of the installed password filters, it will be rejected.
No. A standard container on Active Directory is used to store the configuration as a JSON string, so no schema changes are required.
There is no requirement to use a proxy, however some clients will choose to restrict domain controllers from accessing the Internet directly. To support this case, clients may configure any HTTP proxy to act as an intermediary between the domain controller and the Enzoic Cloud. See the Network Settings tab of the Enzoic Console to enter your proxy settings. See our firewall requirements for IPs to whitelist.
Yes. Organizations using Azure AD in a hybrid mode can use Enzoic for Active Directory using Password writeback by enabling this configuration option in Azure.
FEATURES
Fuzzy password matching checks for multiple variants of the password, including case sensitivity as well as common substitutions such as leetspeak and password reversing.
Root password detection provides more flexibility in the setting configuration. This option will enable or disable determining the function to determine a "root" password. It does this by removing trailing numbers and symbols.
For example:
- The password Blackberry1234!!! has a root password of Blackberry.
- If this option is enabled, the root password on Blackberry is checked with the other calculated variants.
In Enzoic for Active Directory’s password similarity blocking, the systems admin can determine the amount of differences required between the old password and the new password. New passwords are screened by similarity to former password using the Damerau-Levenshtein distance. With this password policy, the minimum number of differences would be 1 and the maximum number of differences for this rule would be 8. Organizations have various opinions on how many characters should be different between old and new passwords, so this allows them to adjust it to the right level for their business.
With Enzoic for Active Directory, organizations can add up to 5000 custom passwords stored locally that will be screened and blocked at creation. These words can be local sports team, years, product names, the company name, office locations, etc. Whatever is most commonly used by employees. Custom passwords are partially matched and case insensitive so any password that includes that word would be blocked. These can also be optionally fuzzy matched if you have fuzzy matching turned on.
Yes. Enzoic for Active Directory blocks passwords that contain a user’s first name, last name, email address or Active Directory username. If "fuzzy" password matching is enabled, variants of the password using leet speak substitutions will also be blocked.
Yes. Email alerts sent to users can be customized with messages and links to further information. Your company name and logo can also be tailored to match your branding.
Yes. There is a Monitored Users report displaying the status of all protected user accounts. Compromised accounts are clearly indicated. If an account is not being monitored, the reason is shown.
- The Monitored Users report can be filtered and sorted from the Enzoic Console.
- Data from this report can be exported to a CSV file that can be used by automation scripts or opened in applications such as Excel.
Yes. There is an option to email a summary report to administrators on daily/weekly/monthly frequency showing product activity. Report will detail how many password changes were screened, how many were flagged for compromised passwords, how many compromised user passwords were found, and a detailed summary of which users were found with compromised passwords and what the current remediation status is for each.
Additionally, Enzoic for Active Directory provides enhanced usage tracking so administrators can see the total number of detections, including the number of detections due to fuzzy matching, local dictionary or password similarity matching. With log files now stored in a JSON format, outside consumption by SIEM and log management tools can help streamline reporting.
Yes. Enzoic for Active Directory logs important events to a JSON format log file which can be used for ingestion into SIEM systems. Read: Documentation for SIEM Logging
SECURITY
Enzoic for Active Directory uses a partial hash comparison approach through Enzoic’s Password API. This allows you to check whether a given password is known to be compromised, without the exact password or hash leaving your environment. It is only necessary to supply the first 10 hex characters of a hash. A list of candidate hashes will then be returned and compared locally with the exact hash to determine if there is a match.
No customer data is stored by Enzoic. The partial hash sent to the Enzoic server is kept in memory only long enough to perform the database lookup and then the memory is zeroed out at the end of the call.
ADDITIONAL
The data is sourced from the public Internet, Dark Web, and human intelligence and is continuously updated several times each day. To maintain our database, we use a combination of automated and manual collection processes.
The newest version of Enzoic for Active Directory has a wizard to guide the user through configuring the application options to ensure compliance with NIST. It also includes a new dashboard widget that provides "at a glance" indication of whether the settings are NIST compliant.
Some organizations buy password policy enforcement tools that handle one or some of these, but the most recent version of Enzoic for Active Directory can meet all the NIST criteria. The goal of this product is to allow IT to set it up and then just let it run.
Organizations have unique needs, so the automated responses can be customized when compromised or weak passwords are found. Organizations can automatically force a password reset, disable the account, or send alerts to an admin, the IT helpdesk or the user. The organization can then select the appropriate automated action—ranging from prompting the user to change their password on some future login to instantly disabling the account.