The installer is available as both an MSI and an EXE. The EXE version will install the necessary version of the .NET Framework if it is not already available on your server, while the MSI will not. If in doubt, you should use the EXE installer.
Links to download the most current version (Domain Controllers must all run the same version):
https://cdn.enzoic.com/files/EnzoicForAD_3.0.378.0.exe (MD5: 7199edd48b27b18b093e8fa532effc78)
https://cdn.enzoic.com/files/EnzoicForAD_3.0.378.0.msi (MD5: 61b29101a9fa2edafe16d972520673cc)
https://cdn.enzoic.com/files/EnzoicForADClient_3.0.378.0.msi (MD5: 41112b102564bb359f85c1aabb883b66)
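The following PowerShell is an added example, not part of the vendor's documentation: it compares downloaded installers against the MD5 values listed above and reports each file's Authenticode status for review. The download folder is an assumed location, and the page does not state whether the installers are signed, so the signature columns are informational only.

```powershell
# Added example: verify downloaded installers against the MD5 values published on this page.
# $DownloadDir is an assumed location; point it at wherever the files were saved.
param([string]$DownloadDir = "$env:USERPROFILE\Downloads")

# File names and MD5 values copied from the download list above.
$published = @{
    'EnzoicForAD_3.0.378.0.exe'       = '7199edd48b27b18b093e8fa532effc78'
    'EnzoicForAD_3.0.378.0.msi'       = '61b29101a9fa2edafe16d972520673cc'
    'EnzoicForADClient_3.0.378.0.msi' = '41112b102564bb359f85c1aabb883b66'
}

$results = foreach ($name in $published.Keys) {
    $path = Join-Path $DownloadDir $name
    if (-not (Test-Path -LiteralPath $path)) { continue }   # only check files that were downloaded

    $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLowerInvariant()
    $sig = Get-AuthenticodeSignature -LiteralPath $path      # assumption: installers may be signed

    [pscustomobject]@{
        File      = $name
        Md5Match  = ($md5 -eq $published[$name])
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}

if (-not $results) { throw "No installer files found in $DownloadDir" }
$results | Format-Table -AutoSize | Out-Host

# Stop before anything is executed if a file does not match its published hash.
if ($results | Where-Object { -not $_.Md5Match }) {
    throw 'MD5 mismatch: do not run the installer; download it again.'
}
```

An MD5 match shows the file is the one the page lists; it is not collision-resistant, so review the signer shown in the table as well before running the installer on a domain controller.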
Read the current release notes.
Enzoic for Active Directory needs to be installed on every writable domain controller in the target domain – it is not necessary to install it on read-only domain controllers. Note that Enzoic for Active Directory stores its configuration settings in Active Directory, so once it is configured on one domain controller, the configuration settings will replicate to all the domain controllers in the domain.
Enzoic for Active Directory uses a local port for communications between its processes. The default port is 6164. If this port is being used by other software on the system, unexpected behaviors may result. If necessary, the port can be changed using the following registry setting after install:
Registry Key: "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Enzoic\Enzoic for Active Directory"
Value Name: ServicePort
Value Type: DWORD
Value: (new port to use)
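One way to check for a port conflict and apply the registry setting above, as an added example rather than vendor-supplied code. The `-NewPort` parameter and the `Get-PortListener` helper are names introduced here for illustration; the registry path, value name and default port come from this page.

```powershell
# Added example (not vendor code). Run elevated on the domain controller after install.
# Without -NewPort the script only reports what is listening on the default port.
param([ValidateRange(0, 65535)][int]$NewPort = 0)

$DefaultPort = 6164   # default stated on this page
$KeyPath     = 'HKLM:\SOFTWARE\WOW6432Node\Enzoic\Enzoic for Active Directory'

function Get-PortListener {
    param([int]$Port)
    # One row per listening socket on the port, with the owning process resolved.
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Address   = $_.LocalAddress
                Port      = $_.LocalPort
                ProcessId = $_.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            }
        }
}

$listeners = @(Get-PortListener -Port $DefaultPort)
if ($listeners.Count -eq 0) {
    Write-Output "Nothing is listening on port $DefaultPort."
} else {
    # Review the owning process: it should be the Enzoic service, not other software.
    $listeners | Format-Table -AutoSize | Out-Host
}

if ($NewPort -eq 0) { return }   # report-only mode

if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw 'Registry key not found; the port is changed after the product is installed.'
}
if (@(Get-PortListener -Port $NewPort).Count -gt 0) {
    throw "Port $NewPort is already in use; choose another."
}

# ServicePort is a DWORD value; -Force overwrites it if it already exists.
New-ItemProperty -LiteralPath $KeyPath -Name ServicePort -PropertyType DWord -Value $NewPort -Force | Out-Null
Get-ItemProperty -LiteralPath $KeyPath -Name ServicePort | Select-Object ServicePort
```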
Run the installer, and then reboot the domain controller when prompted. Future upgrades will not generally require a reboot, but the initial install does.
Enzoic for Active Directory needs to run on each domain controller; however, it only needs to be configured once. All configuration settings (with the exception of the optional proxy server settings) are stored in Active Directory and automatically shared with all instances of that domain.
After the initial reboot, the Setup Wizard will walk you through the configuration process with the following steps. All settings can be modified through the console after initial set-up:
1. Network Settings
Adjust the API timeout duration. This controls how long a user password change will be held waiting for a response from the Enzoic API. If the timeout is reached, the password change will be allowed to go through without checking the user password for compromise. The compromise status will be detected subsequently if Continuous Password Protection is enabled. Although it is completely dependent on your Internet connection, typical response times for the Enzoic API from most locations are less than 500 milliseconds.
OPTIONAL: Specify an HTTP proxy server to use if your DC does not have direct Internet access. This setting will need to be configured separately on each Domain Controller.
Enter the Enzoic License Key provided for your account.
You can register to obtain a free key.
3. Monitored Entities
Specify which Active Directory accounts to protect. You can select all Active Directory users, individual users, groups, or containers/OUs.
4. One-Click NIST Compliance
Choose if you’d like to accept the default settings recommended for NIST 800-63b:
Custom dictionary for context-sensitive words for your business
Common passwords found in cracking dictionaries
Fuzzy matching for common password patterns and substitutions
Continuous monitoring to detect when existing user passwords become vulnerable
5. Continuous Password Protection Settings
Continuous Password Protection checks once every 24 hours to determine if any monitored users’ passwords have become compromised. You can select remediation actions to use when a compromised password is detected:
User Must Change Password on Next Login: Immediately sets the User must change password at next logon setting in Active Directory for this user
User Must Change Password on Next Login (Delayed): Sets the User must change password at next logon setting in Active Directory for this user after the selected delay period
Disable Account: Immediately sets the Account is disabled setting in Active Directory for this user
Disable Account (Delayed): Sets the Account is disabled setting in Active Directory for this user after the selected delay period
Notification Only: The administrators on the notify list (configured in step 7) as well as optionally the affected user will be notified via email that the password is compromised. No other action will be taken.
Regardless of the remediation setting, administrators on the notify list will always receive an email notification of a compromise. If the “Notify affected users” setting on this page is selected, and an email address is available for the user in Active Directory, the affected user will also be notified. In the case of a delayed remediation action, the user will be notified that if they do not change their password within the remediation delay period, the action will take effect. For an immediate remediation, users will simply be notified that the selected remediation has occurred.
You have the option to customize email templates for the alerts that are sent.
Lastly, you can select the Delegate Server used to run Continuous Password Protection. This is the DC which will do the work of checking user passwords for compromise. This occurs in an evenly spaced out manner over the course of the day and is generally a light workload on the server, but it is recommended to choose a lightly loaded or more powerful DC for this role to avoid introducing any potential performance problems.
6. Password Policies (not shown when One-Click NIST Compliance is selected)
Define how Enzoic will handle compromised password screening (inclusion of cracking dictionaries, fuzzy matching, etc.) and additional password policies (passwords that include user’s information).
7. Administrative Notifications
Include one or more email addresses to be notified for events, including: a) detection of new password compromise, b) summary of all users’ compromise status, and c) alert to any service operation errors.
A Periodic Summary report is also available that will be sent to the administrators in the list.
8. Test Settings
Validate a username (either NT4 style or UPN) and a test password to ensure the user account is included (or excluded) as desired, and that the application can reach the Enzoic servers.
Sample compromised password: uGetL0ckedOut!