Enzoic for Active Directory

Enzoic for Active Directory is a tool that integrates into Active Directory and enforces additional password rules to prevent users from using compromised credentials. Unlike products that only check passwords after they are saved, thus requiring subsequent reset by the user, Enzoic validates the password at the time it is being selected. Passwords are then continuously monitored to detect if they become compromised – with automated remediation and alerts.

Learn more in our technical FAQ on Enzoic for Active Directory

System Requirements


Enzoic for Active Directory supports forest and domain functional levels of Windows Server 2008 R2 or later. Microsoft .NET Framework 4.5 is required.

Enzoic for Active Directory requires an active Internet connection. You can specify a proxy server if you do not want Enzoic for Active Directory communicating directly over the Internet. Please see Firewall Requirements below for the required IP whitelist.

Download the Installer


The installer is available via both an MSI and an EXE file type. The .exe version installs the necessary version of the .NET Framework if it is not already available on your server. If in doubt, you should use the .exe installer file.

Link to download the most current version:

https://cdn.enzoic.com/files/EnzoicForAD.exe

https://cdn.enzoic.com/files/EnzoicForAD.msi

Installation


Run the installer, and then reboot the domain controller when prompted. Note that subsequent upgrades will not generally require a reboot.

Enzoic for Active Directory needs to run on each domain controller; however, it only needs to be configured once. All configuration settings (with the exception of the optional proxy settings) are stored in Active Directory and automatically shared with all instances of that domain.

After the initial reboot, the Setup Wizard will walk you through the configuration process with the following steps:

1. Network Settings:
Adjust the timeout for API calls to the Enzoic servers. If a call exceeds this time, the password change is allowed to go through without checking the compromise status of the new password (the check fails open rather than blocking the change).

OPTIONAL: specify a proxy server if you do not want Enzoic for Active Directory communicating directly over the Internet. Any HTTP proxy server can be used. Proxy settings are specific to the domain controller on which they are configured, and therefore need to be configured separately on each domain controller.

2. License:
Enter your Enzoic License Key provided for your account.

Contact us to request a trial.

3. Monitored Entities:
Specify which Active Directory accounts require compromised password checks. You can select individual Users, Groups, Containers, Organizational Units, any combination therein, or simply monitor all users in Active Directory.

4. Monitoring Settings:
Choose to reject just those passwords exposed in data breaches or also reject common passwords found in cracking dictionaries. Inclusion of cracking dictionaries is recommended to check against repetitive characters, keyboard walking, dictionary words and variations thereof.

5. Continuous Password Protection Settings:
Choose whether to monitor passwords daily to detect subsequent compromise, and the desired remediation action. The “Email Addresses to Notify” entered will receive messages for whichever “Action To Take” options are selected. The “Delegate Server” is used to consolidate and process all continuous monitoring checks.

6. Test Settings:
Enter a username (either NT4 style or UPN) and a password to ensure the user is included (or excluded) as desired, and that the application can reach the Enzoic servers. If you are seeing problems reaching the Enzoic servers, please review your proxy server settings as well as the Firewall Requirements section below.

Sample compromised password: uGetL0ckedOut!

Troubleshooting


You can use the following checks to verify the installation completed as expected.

  1. Check windows\system32 and confirm the presence of EnzoicFilter.dll.
  2. Check the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and confirm that Enzoic is listed in the Notification Packages value.
  3. Check the Event Viewer System log after the reboot to confirm there are no errors about a failure to load EnzoicFilter.dll.
  4. Check the logs under C:\ProgramData\EnzoicService to confirm data is populating (use Test Settings, described above, to verify that a call is added).
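The four checks above as an added verification script (not part of the Enzoic installer or its tooling), to be run from an elevated PowerShell session on the domain controller after the post-install reboot. The DLL, registry and log locations are the ones listed above; the one-day log freshness window and the check names are assumptions.

```powershell
# Added verification script for the Troubleshooting checks above; not Enzoic code.
$results = [ordered]@{}

# 1. The password filter DLL is present in System32
$dll = Join-Path $env:SystemRoot 'System32\EnzoicFilter.dll'
$results['FilterDllPresent'] = Test-Path -Path $dll

# 2. LSA is configured to load it: the "Notification Packages" multi-string value names Enzoic
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = @($lsa.'Notification Packages')
$results['RegisteredWithLsa'] = (@($packages -match 'Enzoic').Count -gt 0)

# 3. No Critical (1) or Error (2) System-log entries mentioning the filter since the last boot
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$loadErrors = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = @(1, 2); StartTime = $lastBoot } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EnzoicFilter' }
$results['NoFilterLoadErrors'] = (@($loadErrors).Count -eq 0)

# 4. The service log directory exists and has been written to within the last day
#    (run the wizard's Test Settings first so that a lookup is logged). Assumed window.
$logDir = 'C:\ProgramData\EnzoicService'
$recentLogs = Get-ChildItem -Path $logDir -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }
$results['ServiceLogsPopulating'] = (@($recentLogs).Count -gt 0)

# One row per check; a False row points at the matching numbered step above
[pscustomobject]$results | Format-List
if ($results.Values -contains $false) { exit 1 }
```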

Firewall Requirements


Enzoic (PasswordPing) for Active Directory must be able to contact its servers to look up the compromised status for passwords.  The IP addresses below should be whitelisted for outbound communications over TCP port 443 from your domain controllers.

35.163.59.86
34.214.110.33
52.89.197.157

52.192.30.99
52.199.52.28

52.212.218.163
52.51.10.65
52.48.142.122

Multiple Domain Controllers


Enzoic for Active Directory needs to be installed on each domain controller. Note that Enzoic for Active Directory stores its configuration settings in Active Directory, so once it is configured on one domain controller, the configuration settings will replicate to all the domain controllers in the domain.

Deploying Enzoic for Active Directory via GPO


You can use GPO push installs to easily install Enzoic for Active Directory across multiple domain controllers in your environment. Note that Enzoic for Active Directory requires .NET Framework 4.5, which does not get installed automatically when running the MSI installer. If you are deploying to Windows Server 2008 R2, you will need to deploy .NET Framework 4.5 prior to deploying Enzoic for Active Directory.

Create a distribution point:

  1. Log on to a server as an administrator.
  2. Create a shared network folder to distribute the files from.
  3. Give the “Domain Controllers” security group read access to the share, and limit write access to authorized personnel only.
  4. Copy EnzoicForAD.msi into the distribution point.
  5. Give the “Domain Controllers” security group read access to the EnzoicForAD.msi file in the distribution point.
  6. Click Finish.

Create a Group Policy Object:

  1. Start the Group Policy Management Console (gpmc.msc).
  2. Expand the forest and domain items in the left pane.
  3. Right-click the Domain Controllers OU in the left pane, and then click Create a GPO in this domain, and Link it here…
  4. Type “Enzoic for Active Directory” and then press ENTER.
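The “Create a distribution point” and “Create a Group Policy Object” steps above as an added PowerShell script (not an Enzoic-supplied script), run on the file server, which is assumed to also have the RSAT GroupPolicy and ActiveDirectory modules. The local folder, share name, MSI download location and the “authorized personnel” group are assumptions; the Assigned software package itself still has to be added in the Group Policy Management Editor, since there is no built-in cmdlet for Group Policy software installation.

```powershell
#Requires -Modules SmbShare, GroupPolicy, ActiveDirectory
# Added example, not Enzoic code. Values marked "assumed" must be adjusted.
$sharePath  = 'D:\Shares\EnzoicForAD'                        # assumed local folder
$shareName  = 'EnzoicForAD$'                                 # assumed (hidden) share name
$msiSource  = "$env:USERPROFILE\Downloads\EnzoicForAD.msi"   # assumed download location
$dcGroup    = "$env:USERDOMAIN\Domain Controllers"
$adminGroup = "$env:USERDOMAIN\Domain Admins"                # assumed "authorized personnel"
$gpoName    = 'Enzoic for Active Directory'

# Steps 1-3: create the folder and share it. Domain controllers get read only; write
# stays with admins, because anyone who can replace this MSI gets code execution on every DC.
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
New-SmbShare -Name $shareName -Path $sharePath -ReadAccess $dcGroup -FullAccess $adminGroup | Out-Null

# Matching NTFS ACL: drop inherited entries, then grant only these three principals
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)
foreach ($entry in @(@($dcGroup, 'ReadAndExecute'), @($adminGroup, 'FullControl'), @('NT AUTHORITY\SYSTEM', 'FullControl'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry[0], $entry[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $sharePath -AclObject $acl

# Steps 4-5: the copied MSI inherits the read-only ACL for Domain Controllers
Copy-Item -Path $msiSource -Destination $sharePath

# Create the GPO and link it to the Domain Controllers OU
$dcOu = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
$gpo  = New-GPO -Name $gpoName
New-GPLink -Guid $gpo.Id -Target $dcOu -LinkEnabled Yes | Out-Null

# Use this UNC path when adding the Assigned package under
# Computer Configuration > Policies > Software Settings > Software installation
"\\$env:COMPUTERNAME\$shareName\EnzoicForAD.msi"
```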

Prepare the Group Policy Object:

  1. Right-click the “Enzoic for Active Directory” GPO, and then click Edit…
  2. Expand the Computer Configuration, Policies, and Software Settings nodes.
  3. Right-click the Software installation item, and then select New > Package…
  4. Type the full UNC path to EnzoicForAD.msi in the Open dialog box. You must enter a UNC path so that other computers can access this file over the network. For example, \\file server\distribution point share\EnzoicForAD.msi
  5. Click Open.
  6. Select the Assigned deployment method, and then click OK.
  7. Close the Group Policy Management Editor.

Complete the Installation:

Restart each domain controller to complete the installation. Windows installs Enzoic for Active Directory during startup, and then immediately restarts the computer a second time to complete the installation.