Enzoic for Active Directory Technical Docs

Enzoic for Active Directory is a tool that integrates into Active Directory and enforces additional password rules to prevent users from using compromised credentials. Unlike products that only check passwords after they are saved, thus requiring subsequent reset by the user, Enzoic validates the password at the time it is being selected. Passwords are then continuously monitored to detect if they become compromised – with automated remediation and alerts. It helps organizations with NIST Password Guideline compliance in Active Directory.

Learn more in our technical FAQ on Enzoic for Active Directory

System Requirements

Enzoic for Active Directory supports any Forest and Domain functional level of Windows Server 2008 R2 or greater. Microsoft .NET Framework 4.5 is required.

Enzoic for Active Directory requires an active Internet connection. You can specify a proxy server if you do not want Enzoic for Active Directory communicating directly over the Internet. Please see Firewall Requirements below for the required IP whitelist.

Download the Installer

The installer is available via both an MSI and an EXE file type. The .exe version installs the necessary version of the .NET Framework if it is not already available on your server. If in doubt, you should use the .exe installer file.

Link to download the most current version (Domain Controllers must all run the same version):

https://cdn.enzoic.com/files/EnzoicForAD.exe

https://cdn.enzoic.com/files/EnzoicForAD.msi

Read the current release notes.

Setup Wizard Installation

Run the installer, and then reboot the domain controller when prompted. Upgrades will not generally require a reboot.

Enzoic for Active Directory needs to run on each domain controller; however, it only needs to be configured once. All configuration settings (with the exception of the optional proxy settings) are stored in Active Directory and automatically shared with all instances of that domain.

After the initial reboot, the Setup Wizard will walk you through the configuration process with the following steps. All settings can be modified through the console after initial set-up:

1. Network Settings:
Adjust the API timeout duration after which the password change will be allowed to go through without checking. The compromise status will be detected subsequently if Continuous Password Protection is enabled.

OPTIONAL: Specify an HTTP proxy server if you wish to route traffic to Enzoic’s servers through a proxy. This setting will need to be configured separately on each Domain Controller.

2. License:
Enter your Enzoic License Key provided for your account.

You can register to obtain a free key.

3. Monitored Entities:
Specify which Active Directory accounts to protect. You can select all Active Directory users, individual users, groups, or containers/OUs.

4. One Click NIST Compliance:
Choose if you’d like to accept the default settings recommended for NIST 800-63b:

  • Custom dictionary for context-sensitive words for your business
  • Common passwords found in cracking dictionaries
  • Fuzzy matching for common patterns and substitutions
  • Continuous monitoring to detect when an existing password becomes vulnerable

5. Password Policies (not shown when One Click NIST Compliance is selected):
Define how Enzoic will handle compromised password screening (inclusion of cracking dictionaries, fuzzy matching, etc.) and additional password policies (passwords that include user’s information).

6. Continuous Password Protection Settings:
Choose to monitor passwords daily to detect subsequent compromise and configure the desired remediation actions. You have the option to customize email templates for alerts sent via Amazon Simple Email Service. You can also select the Delegate Server, which is the Domain Controller that handles the continuous monitoring process.

7. Administrative Notifications:
Include one or more email addresses to be notified for events, including: a) detection of new password compromise, b) summary of all users’ compromise status, and c) alert to any service operation errors.

8. Test Settings:
Validate a username (either NT4 style or UPN) and a test password to ensure the user account is included (or excluded) as desired, and that the application can reach the Enzoic servers. If you are seeing problems reaching the Enzoic servers, please review your proxy server settings as well as the Firewall Requirements section below.

Sample compromised password: uGetL0ckedOut!

Logs for SIEM Integration

Enzoic for Active Directory logs important events to a JSON format log file which can be used for ingestion into SIEM systems. The following describes the information contained in these log entries. Logs are stored at ..\ProgramData\Enzoic\Enzoic for Active Directory\Logs.

Read documentation for SIEM Logging

Troubleshooting

You can use the following checks to verify the installation completed as expected.

  1. Check Windows\System32 and confirm the presence of EnzoicFilter.dll
  2. Check the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa for the presence of Enzoic in the Notification Packages value
  3. Check the Event Viewer System log after reboot to confirm there are no errors about a failure to load EnzoicFilter.dll
  4. Check the logs under ..\ProgramData\Enzoic\Enzoic for Active Directory\Logs (log files should typically be retrieved from the DC configured as Delegate Server)
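The four checks above can be run from one elevated PowerShell prompt on the domain controller being verified. The script below is an added example written for these docs, not Enzoic's own tooling; it uses the file, registry value, event log and log directory names given above and assumes the LSA Notification Packages entry for the filter begins with "Enzoic".

```powershell
# Added example (not Enzoic's own tooling): runs the post-install checks listed
# above on the local domain controller and prints a pass/fail summary.
# Run from an elevated PowerShell prompt after the post-install reboot.

$results = [ordered]@{}

# 1. Password filter DLL present in System32
$filterDll = Join-Path $env:SystemRoot 'System32\EnzoicFilter.dll'
$results['EnzoicFilter.dll present'] = Test-Path -LiteralPath $filterDll

# 2. LSA "Notification Packages" (REG_MULTI_SZ) must list the filter for LSASS to load it.
#    Assumption: the entry starts with "Enzoic" (entries are DLL names without extension).
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
$results['Enzoic in Notification Packages'] = [bool](@($packages) | Where-Object { $_ -like 'Enzoic*' })

# 3. System event log: any Error-level events since the last boot that mention the filter DLL
$lastBoot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$loadErrors = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = $lastBoot } `
                  -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'EnzoicFilter' }
$results['No EnzoicFilter load errors since boot'] = (@($loadErrors).Count -eq 0)

# 4. Log directory exists and the newest log file is recent
#    (on a non-Delegate DC the directory may be sparse; retrieve logs from the Delegate Server)
$logDir    = Join-Path $env:ProgramData 'Enzoic\Enzoic for Active Directory\Logs'
$newestLog = Get-ChildItem -LiteralPath $logDir -File -ErrorAction SilentlyContinue |
             Sort-Object LastWriteTime -Descending | Select-Object -First 1
$results['Log directory present'] = Test-Path -LiteralPath $logDir
$results['Newest log file']       = if ($newestLog) { "$($newestLog.Name) ($($newestLog.LastWriteTime))" } else { 'none' }

# Summary table; any $false line is the check to investigate first
$results.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $_.Value }
```

Check 3 is a negative test (no matching errors), so it also passes on a machine where the filter was never registered; read it together with checks 1 and 2.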

Firewall Requirements

Enzoic (PasswordPing) for Active Directory must be able to contact its servers to look up the compromised status for passwords. The IP addresses below should be whitelisted for outbound communications over TCP port 443 from your domain controllers.

13.235.194.196
13.48.121.56
13.48.96.148
15.206.40.21
18.196.181.48
3.10.99.236
3.124.25.136
3.231.37.171
3.24.50.155
3.24.93.121
3.9.236.117
34.214.110.33
35.153.27.185
35.163.59.86
35.168.85.109
35.180.249.238
35.181.124.196
52.192.30.99
52.199.52.28
52.212.218.163
52.48.142.122
52.51.10.65
52.79.68.108
52.89.197.157
54.172.238.226
54.180.42.79
54.233.211.111
54.233.236.93
75.2.9.104
99.83.177.145
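Before relying on step 8 of the Setup Wizard (Test Settings), it helps to confirm from each domain controller that every address above accepts a TCP connection on port 443, so a firewall or egress gap is found before users start hitting the API timeout. The script below is an added example for these docs, not Enzoic's own tooling; the address list is the one published above, the 3-second timeout is a value chosen here, and the check only covers direct connections (if you route through an HTTP proxy, test reachability of the proxy instead).

```powershell
# Added example (not Enzoic's own tooling): attempts a TCP connect to port 443 on
# each Enzoic address listed above and reports the ones that cannot be reached.
# Run on each domain controller (or on a host with the same egress path).

$enzoicAddresses = @(
    '13.235.194.196','13.48.121.56','13.48.96.148','15.206.40.21','18.196.181.48',
    '3.10.99.236','3.124.25.136','3.231.37.171','3.24.50.155','3.24.93.121',
    '3.9.236.117','34.214.110.33','35.153.27.185','35.163.59.86','35.168.85.109',
    '35.180.249.238','35.181.124.196','52.192.30.99','52.199.52.28','52.212.218.163',
    '52.48.142.122','52.51.10.65','52.79.68.108','52.89.197.157','54.172.238.226',
    '54.180.42.79','54.233.211.111','54.233.236.93','75.2.9.104','99.83.177.145'
)
$port      = 443
$timeoutMs = 3000   # chosen for this example; raise it on high-latency links

$report = foreach ($ip in $enzoicAddresses) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # ConnectAsync + Wait gives a bounded connect; a refused/blocked connect throws
        $task = $client.ConnectAsync($ip, $port)
        $ok   = $task.Wait($timeoutMs) -and $client.Connected
    } catch {
        $ok = $false
    } finally {
        $client.Dispose()
    }
    [pscustomobject]@{ Address = $ip; Port = $port; Reachable = $ok }
}

$report | Format-Table -AutoSize

$blocked = @($report | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("Not reachable on TCP {0}: {1}" -f $port, ($blocked.Address -join ', '))
} else {
    'All listed Enzoic addresses reachable on TCP 443.'
}
```

A handful of unreachable addresses usually points at an egress rule that was written per-address rather than for the whole list; all addresses failing while the proxy is configured means this direct check is not the right test for that controller.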

Multiple Domain Controllers

Enzoic for Active Directory needs to be installed on each domain controller. Note that Enzoic for Active Directory stores its configuration settings in Active Directory, so once it is configured on one domain controller, the configuration settings will replicate to all the domain controllers in the domain.

Deploying Enzoic for Active Directory via GPO

You can use GPO push installs to easily install Enzoic for Active Directory across multiple domain controllers in your environment. Note that Enzoic for Active Directory requires .NET Framework 4.5, which does not get installed automatically when running the MSI installer. If you are deploying to Windows Server 2008 R2, you will need to deploy .NET Framework 4.5 prior to deploying Enzoic for Active Directory.

Create a distribution point:

  1. Log on to a server as an administrator.
  2. Create a shared network folder to distribute the files from.
  3. Give the “Domain Controllers” security group read access to the share, and limit write access to authorized personnel only.
  4. Copy EnzoicForAD.msi into the distribution point
  5. Give the “Domain Controllers” security group read access to the EnzoicForAD.msi file in the distribution point.
  6. Click Finish.

Create a Group Policy Object:

  1. Start the Group Policy Management Console (gpmc.msc).
  2. Expand the forest and domain items in the left pane.
  3. Right-click the Domain Controllers OU in the left pane, and then click Create a GPO in this domain, and Link it here…
  4. Type “Enzoic for Active Directory” and then press ENTER.

Prepare the Group Policy Object:

  1. Right-click the “Enzoic for Active Directory” GPO, and then click Edit…
  2. Expand the Computer Configuration, Policies, and Software Settings
  3. Right-click the Software installation item, and then select New > Package…
  4. Type the full UNC path to EnzoicForAD.msi in the Open dialog box. You must enter a UNC path so that other computers can access this file over the network. For example, \\file server\distribution point share\EnzoicForAD.msi
  5. Click Open.
  6. Select the Assigned deployment method, and then click OK.
  7. Close the Group Policy Management Editor.
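The distribution point and the GPO creation/link steps above can be scripted so that the share ACLs come out the same on every deployment (read-only for Domain Controllers, write limited to the administrators who maintain the package). The script below is an added example for these docs, not Enzoic's own tooling. It assumes it is run elevated on a domain-joined file server with the SmbShare, ActiveDirectory and GroupPolicy modules available; D:\Deploy\EnzoicForAD and the share name EnzoicForAD$ are names chosen for this example, the MSI is assumed to have been downloaded to $env:TEMP, and "Domain Admins" stands in for the "authorized personnel" of step 3. The Software installation package itself (Prepare the Group Policy Object, steps 1 to 7) still has to be added in the Group Policy Management Editor, as there is no cmdlet for that extension; the script prints the UNC path to paste there.

```powershell
# Added example (not Enzoic's own tooling): creates the distribution point with
# least-privilege ACLs, shares it, and creates/links the GPO to the Domain
# Controllers OU. Run elevated on the file server. Paths and share name are
# example values.

Import-Module SmbShare, ActiveDirectory, GroupPolicy

$sharePath = 'D:\Deploy\EnzoicForAD'               # example path
$shareName = 'EnzoicForAD$'                        # example (hidden) share name
$msiSource = Join-Path $env:TEMP 'EnzoicForAD.msi' # assumed download location
$domain    = Get-ADDomain
$dcGroup   = "$($domain.NetBIOSName)\Domain Controllers"
$writers   = "$($domain.NetBIOSName)\Domain Admins" # stands in for "authorized personnel"

# Folder plus the installer
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
Copy-Item -LiteralPath $msiSource -Destination $sharePath

# NTFS: stop inheriting from the parent, then grant explicit rights only
$acl = Get-Acl -LiteralPath $sharePath
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$rules = @(
    @($dcGroup,                'ReadAndExecute'),   # DCs (machine accounts) only read the MSI
    @($writers,                'FullControl'),
    @('NT AUTHORITY\SYSTEM',   'FullControl'),
    @('BUILTIN\Administrators','FullControl')
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], $inherit, 'None', 'Allow')))
}
Set-Acl -LiteralPath $sharePath -AclObject $acl

# Share permissions mirror the NTFS split (read for DCs, full for the maintainers)
New-SmbShare -Name $shareName -Path $sharePath -ReadAccess $dcGroup -FullAccess $writers | Out-Null
$uncPath = "\\$env:COMPUTERNAME\$shareName\EnzoicForAD.msi"

# GPO named as in the steps above, linked to the Domain Controllers OU
$gpo = New-GPO -Name 'Enzoic for Active Directory'
New-GPLink -Name $gpo.DisplayName -Target "OU=Domain Controllers,$($domain.DistinguishedName)" | Out-Null

"GPO '$($gpo.DisplayName)' created and linked. In the Group Policy Management Editor, add this package:"
$uncPath
```

The machine account of each domain controller is what reads the package at startup, which is why the "Domain Controllers" group gets read access rather than any user group; keeping write access off that group prevents a compromised controller from replacing the MSI that its peers install.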

Complete the Installation:

Windows installs Enzoic for Active Directory during startup, and then immediately requires a manual restart to load the Password Filter. Restart each Domain Controller to complete the installation.