Enzoic for Active Directory Technical Docs
Enzoic for Active Directory is a tool that integrates into Active Directory and enforces additional password rules to prevent users from using compromised credentials. Unlike products that only check passwords after they are saved, thus requiring subsequent reset by the user, Enzoic validates the password at the time it is being selected. Passwords are then continuously monitored to detect if they become compromised – with automated remediation and alerts. It helps organizations with NIST Password Guideline compliance in Active Directory.
Learn more in our technical FAQ on Enzoic for Active Directory
Enzoic for Active Directory supports any Windows Server 2008 R2 or greater for Forest and Domain functional level. Microsoft .NET Framework 4.5 is required.
Enzoic for Active Directory requires an active Internet connection. You can specify a proxy server if you do not want Enzoic for Active Directory communicating directly over the Internet. Please see Firewall Requirements below for the required IP whitelist.
Download the Installer
The installer is available via both an MSI and an EXE file type. The .exe version installs the necessary version of the .NET Framework if it is not already available on your server. If in doubt, you should use the .exe installer file.
Link to download the most current version:
Setup Wizard Installation
Run the installer, and then reboot the domain controller when prompted. Note that subsequent upgrades will not generally require a reboot.
Enzoic for Active Directory needs to run on each domain controller; however, it only needs to be configured once. All configuration settings (with the exception of the optional proxy settings) are stored in Active Directory and automatically shared with all instances of that domain.
After the initial reboot, the Setup Wizard will walk you through the configuration process with the following steps:
1. Network Settings:
Adjust the timeout for API calls to the Enzoic servers. If the operation exceeds this time, the password change will be allowed to go through without checking the compromise status of the new password.
OPTIONAL: specify a proxy server if you do not want Enzoic for Active Directory communicating directly over the Internet. Any HTTP proxy server can be used. Proxy settings are specific to the domain controller on which they are configured, and therefore need to be configured separately on each domain controller.
2. License Key:
Enter your Enzoic License Key provided for your account.
Contact us to request a trial.
3. Monitored Entities:
Specify which Active Directory accounts require compromised password checks. You can select individual Users, Groups, Containers, Organizational Units, any combination thereof, or simply monitor all users in Active Directory.
4. Monitoring Settings:
Choose to include or exclude password checks of certain types and situations:
a. Reject common passwords (Enable is recommended): Adds checking against dictionary words and other common passwords found in cracking dictionaries – in addition to checking against passwords exposed in data breaches.
b. Check passwords during reset (Enable is recommended): Allows password changes to also be checked for administrative users (via the AD Users and Computers directly on the domain controller).
c. Use fuzzy matching (Enable is recommended): Allows fuzzy password matching to check for passwords that are similar to those found in Enzoic’s database and your Custom dictionary.
d. Select one-click NIST compliance: If you are trying to satisfy NIST 800-63b password guidelines, select this option to meet the NIST password guideline requirements.
5. Continuous Password Protection Settings:
Choose to monitor passwords daily to detect subsequent compromise and configure the desired remediation action.
a. The “Notify affected users” and “Email Addresses to Notify” settings send messages whichever “Action To Take” option is selected.
b. The “Delegate Server” is used to consolidate and process all continuous monitoring checks.
6. Test Settings:
Enter a username (either NT4 style or UPN) and a password to ensure the user is included (or excluded) as desired, and that the application can reach the Enzoic servers. If you are seeing problems reaching the Enzoic servers, please review your proxy server settings as well as the Firewall Requirements section below.
Sample compromised password: uGetL0ckedOut!
From the Monitoring Settings tab, you’ll find two additional sub-tabs for further configuration:
1: Custom Password Dictionary:
Allows adding your choice of context-specific words, such as the name of your company. If enabled, fuzzy matching (under Monitoring Settings > Password Changes) is applied to passwords checked against the custom dictionary.
2: Password Similarity Blocking:
Enables a restriction on users creating new passwords which are too similar to their previous password. The distance value is a Damerau-Levenshtein edit distance: the number of insertions, deletions, substitutions and transpositions allowed between the old and new password.
3: Root Password Detection:
Root Password Detection optionally checks user passwords for so-called “root” passwords that are common or compromised. It does this by removing the trailing numbers and symbols that users often add as a prefix or suffix to a weaker base password in order to meet complexity or uniqueness guidelines. For example: the password Blackberry1234!!! has a root password of Blackberry.
If this option is enabled, the root password Blackberry is checked along with the other calculated variants.
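The two checks described above (Password Similarity Blocking and Root Password Detection), as an added PowerShell example that is not part of Enzoic's product or this documentation. The Damerau-Levenshtein function is the optimal-string-alignment variant, and the small blocklist is a constructed stand-in for the Enzoic compromised/common password lookup.

```powershell
function Get-DamerauLevenshteinDistance {
    param([string]$A, [string]$B)
    # Optimal string alignment distance: insertion, deletion, substitution and
    # transposition of two adjacent characters each cost one edit.
    $la = $A.Length; $lb = $B.Length
    $d = New-Object -TypeName 'int[,]' -ArgumentList ($la + 1), ($lb + 1)
    for ($i = 0; $i -le $la; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $lb; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $la; $i++) {
        for ($j = 1; $j -le $lb; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $best = [Math]::Min($d[($i - 1), $j] + 1, $d[$i, ($j - 1)] + 1)   # delete / insert
            $best = [Math]::Min($best, $d[($i - 1), ($j - 1)] + $cost)        # substitute
            if ($i -gt 1 -and $j -gt 1 -and
                $A[$i - 1] -ceq $B[$j - 2] -and $A[$i - 2] -ceq $B[$j - 1]) {
                $best = [Math]::Min($best, $d[($i - 2), ($j - 2)] + 1)        # transpose
            }
            $d[$i, $j] = $best
        }
    }
    return $d[$la, $lb]
}

function Get-RootPassword {
    param([string]$Password)
    # Strip the trailing digits and symbols users append to satisfy complexity
    # rules, e.g. "Blackberry1234!!!" -> "Blackberry".
    return ($Password -replace '[^A-Za-z]+$', '')
}

function Test-NewPassword {
    param([string]$OldPassword, [string]$NewPassword, [int]$MaxDistance = 3)
    # Constructed stand-in for the Enzoic compromised/common password lookup.
    $blocklist = @('blackberry', 'password', 'welcome', 'summer')
    $reasons = @()
    $dist = Get-DamerauLevenshteinDistance $OldPassword $NewPassword
    if ($dist -le $MaxDistance) {
        $reasons += "too similar to previous password (distance $dist, limit $MaxDistance)"
    }
    $root = Get-RootPassword $NewPassword
    if ($root -and $blocklist -contains $root.ToLower()) {
        $reasons += "root password '$root' is common or compromised"
    }
    return $reasons
}

# Blackberry1234!!! -> Blackberry1235!!! is one edit away and keeps a blocked root.
$findings = @(Test-NewPassword -OldPassword 'Blackberry1234!!!' -NewPassword 'Blackberry1235!!!')
if ($findings.Count) { "REJECT: $($findings -join '; ')" } else { 'ACCEPT' }
```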
Logs for SIEM Integration
Enzoic for Active Directory logs important events to a JSON format log file which can be used for ingestion into SIEM systems. The following describes the information contained in these log entries. Logs are stored at ..\ProgramData\Enzoic\Enzoic for Active Directory\Logs.
You can use the following checks to verify the installation completed as expected.
- Check Windows\System32 and confirm the presence of EnzoicFilter.dll
- Check the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa for the presence of Enzoic in the Notification Packages value
- Check the Event Viewer System log after reboot to confirm there are no errors about a failure to load EnzoicFilter.dll
- Check the logs under ..\ProgramData\Enzoic\Enzoic to confirm data is populating (use Test Settings described above to verify a call is added)
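The four checks above as one added PowerShell script (not part of the Enzoic documentation), to run in an elevated session on each domain controller after the post-install reboot. It assumes the filter is listed in the LSA Notification Packages value under a name beginning with "Enzoic" and that the JSON logs live under the ProgramData path quoted in the SIEM section.

```powershell
# Added post-install checks; run in an elevated PowerShell session on the DC.
# Assumptions: the filter is registered in "Notification Packages" under a name
# starting with "Enzoic", and logs live under the ProgramData path quoted above.
$results = [ordered]@{}

# 1. Password filter DLL is present in System32
$dll = Join-Path $env:SystemRoot 'System32\EnzoicFilter.dll'
$results['FilterDllPresent'] = Test-Path $dll

# 2. LSA "Notification Packages" (REG_MULTI_SZ) lists the Enzoic filter
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = @($lsa.'Notification Packages')
$results['LsaNotificationPackage'] = @($packages -match '^Enzoic').Count -gt 0

# 3. No System-log errors mentioning the filter since the last boot
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = $boot } `
    -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'EnzoicFilter' }
$results['NoFilterLoadErrors'] = @($events).Count -eq 0

# 4. Log files have been written since boot (run Test Settings first)
$logDir = Join-Path $env:ProgramData 'Enzoic\Enzoic for Active Directory\Logs'
$recent = Get-ChildItem -Path $logDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $boot }
$results['LogsPopulating'] = @($recent).Count -gt 0

foreach ($check in $results.GetEnumerator()) {
    '{0,-24} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'FAIL' })
}
```

A FAIL on the first two checks means the filter was not registered, so no password will be checked; a FAIL on the last check is expected until Test Settings has been run once.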
Firewall Requirements
Enzoic (PasswordPing) for Active Directory must be able to contact its servers to look up the compromised status for passwords. The IP addresses below should be whitelisted for outbound communications over TCP port 443 from your domain controllers.
Multiple Domain Controllers
Enzoic for Active Directory needs to be installed on each domain controller. Note that Enzoic for Active Directory stores its configuration settings in Active Directory, so once it is configured on one domain controller, the configuration settings will replicate to all the domain controllers in the domain.
Deploying Enzoic for Active Directory via GPO
You can use GPO push installs to easily install Enzoic for Active Directory across multiple domain controllers in your environment. Note that Enzoic for Active Directory requires .NET Framework 4.5, which does not get installed automatically when running the MSI installer. If you are deploying to Windows Server 2008 R2, you will need to deploy .NET Framework 4.5 prior to deploying Enzoic for Active Directory.
Create a distribution point:
- Log on to a server as an administrator.
- Create a shared network folder to distribute the files from.
- Give the “Domain Controllers” security group read access to the share, and limit write access to authorized personnel only.
- Copy EnzoicForAD.msi into the distribution point.
- Give the “Domain Controllers” security group read access to the EnzoicForAD.msi file in the distribution point.
- Click Finish.
Create a Group Policy Object:
- Start the Group Policy Management Console (gpmc.msc).
- Expand the forest and domain items in the left pane.
- Right-click the Domain Controllers OU in the left pane, and then click Create a GPO in this domain, and Link it here…
- Type “Enzoic for Active Directory” and then press ENTER.
Prepare the Group Policy Object:
- Right-click the “Enzoic for Active Directory” GPO, and then click Edit…
- Expand the Computer Configuration, Policies, and Software Settings nodes.
- Right-click the Software installation item, and then select New > Package…
- Type the full UNC path to EnzoicForAD.msi in the Open dialog box. You must enter a UNC path so that other computers can access this file over the network. For example, \\file server\distribution point share\EnzoicForAD.msi
- Click Open.
- Select the Assigned deployment method, and then click OK.
- Close the Group Policy Management Editor.
Complete the Installation:
Restart each domain controller to complete the installation. Windows installs Enzoic for Active Directory during startup, and then immediately restarts the computer a second time to complete the installation.