
Enzoic for Active Directory 3.2

Setup Instructions


Please ensure you’ve reviewed the information on the Installation Prerequisites page prior to proceeding.

Download the Installer


The installer is available as both an MSI and an EXE. The EXE version will install the necessary version of the .NET Framework if it is not already available on your server, while the MSI will not. If in doubt, you should use the EXE installer.

Links to download the most current version (Domain Controllers must all run the same version):


THESE INSTALLERS ARE FOR A PRIOR RELEASE – CLICK HERE FOR THE CURRENT RELEASE INSTALLERS

https://cdn.enzoic.com/files/EnzoicForAD_3.2.319.0.exe (MD5: 7350a7a6970521546940ac6a8ce16c9c)
https://cdn.enzoic.com/files/EnzoicForAD_3.2.319.0.msi (MD5: f2f8e753df7d6437afa4bafa27098c88)
https://cdn.enzoic.com/files/EnzoicForADClient_3.2.318.0.msi (MD5: fefc3d152de7b86a8259f38c738c6ca4)
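Before running an installer on a domain controller, compare its digest with the MD5 listed above. The following is an added example, not code from Enzoic or the page; it embeds the three digests exactly as published here and assumes the downloaded file keeps its original file name. MD5 is not collision-resistant, so this detects a corrupted or substituted download only as far as the vendor-published MD5 allows.

```python
import hashlib
from pathlib import Path

# Digests as listed on the setup page for the 3.2 installers.
EXPECTED_MD5 = {
    "EnzoicForAD_3.2.319.0.exe": "7350a7a6970521546940ac6a8ce16c9c",
    "EnzoicForAD_3.2.319.0.msi": "f2f8e753df7d6437afa4bafa27098c88",
    "EnzoicForADClient_3.2.318.0.msi": "fefc3d152de7b86a8259f38c738c6ca4",
}


def md5_of_bytes(data):
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """Stream the file through MD5 in 1 MiB chunks so a large installer need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(file_name, data, expected=EXPECTED_MD5):
    """Return (ok, actual_digest) for in-memory content.

    ok is False when the file name is unknown to the expected table or the digest differs,
    so an unexpected file name never passes silently."""
    actual = md5_of_bytes(data)
    want = expected.get(file_name)
    return (want is not None and actual.lower() == want.lower(), actual)


def verify_installer(path, expected=EXPECTED_MD5):
    """Same check for a file on disk, keyed on its base name."""
    name = Path(path).name
    actual = md5_of_file(path)
    want = expected.get(name)
    return (want is not None and actual.lower() == want.lower(), actual)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        ok, digest = verify_installer(p)
        print(f"{p}: {digest} {'OK' if ok else 'MISMATCH'}")
```

Run it with the downloaded installer paths as arguments; anything reported as MISMATCH should be re-downloaded rather than installed.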

Read the current release notes.

Multiple Domain Controllers


Enzoic for Active Directory needs to be installed on every writable domain controller in the target domain – it is not necessary to install it on read-only domain controllers. Note that Enzoic for Active Directory stores its configuration settings in Active Directory, so once it is configured on one domain controller, the configuration settings will replicate to all the domain controllers in the domain.

Setup Wizard Installation


Run the installer, and then reboot the domain controller when prompted. Future upgrades will not generally require a reboot, but the initial install does.

Enzoic for Active Directory needs to run on each domain controller; however, it only needs to be configured once. All configuration settings (with the exception of the optional proxy server settings) are stored in Active Directory and automatically shared with all instances of that domain.

After the initial reboot, the Setup Wizard will walk you through the configuration process with the following steps. All settings can be modified through the console after initial setup:

1. Network Settings

Adjust the API timeout duration. This controls how long a user password change will be held waiting for a response from the Enzoic API. If the timeout is reached, the password change will be allowed to go through without checking the user password for compromise. The compromise status will be detected subsequently if Continuous Password Protection is enabled. Although it is completely dependent on your Internet connection, typical response times for the Enzoic API from most locations are less than 500 milliseconds.
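The timeout setting means the screening check fails open: when no answer arrives in time, the change is allowed and the compromise is only caught by a later scan. The following added example (not Enzoic's code or client) models that behaviour so the trade-off is explicit. The checker functions and the `needs_recheck` flag are constructed for illustration; the compromised sample password is the one given in the Test Settings step of this page.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout


def screen_password_change(check_fn, password, timeout_s):
    """Run check_fn(password) -> bool (True = compromised) under a deadline.

    Mirrors the documented behaviour: if the deadline passes, the password change
    is allowed to proceed and is flagged so a later monitoring scan can re-check it."""
    executor = ThreadPoolExecutor(max_workers=1)
    future = executor.submit(check_fn, password)
    try:
        compromised = future.result(timeout=timeout_s)
    except FutureTimeout:
        # Fail open: do not hold the user's password change any longer, but record
        # that this change was never screened so Continuous Password Protection
        # (if enabled) or an operator can follow up.
        return {"allowed": True, "reason": "api_timeout", "needs_recheck": True}
    finally:
        # Do not block on a still-running check; the thread finishes on its own.
        executor.shutdown(wait=False)
    if compromised:
        return {"allowed": False, "reason": "compromised", "needs_recheck": False}
    return {"allowed": True, "reason": "clean", "needs_recheck": False}


# Constructed stand-ins for the Enzoic API so the example runs offline.
COMPROMISED_SAMPLE = {"uGetL0ckedOut!"}  # sample compromised password from the Test Settings step


def fast_check(password):
    """Responds immediately, like an API call well inside the timeout."""
    return password in COMPROMISED_SAMPLE


def slow_check(password, delay_s=0.5):
    """Responds after a delay, like an API call that exceeds the timeout."""
    time.sleep(delay_s)
    return fast_check(password)


if __name__ == "__main__":
    print(screen_password_change(fast_check, "uGetL0ckedOut!", 1.0))
    print(screen_password_change(slow_check, "uGetL0ckedOut!", 0.05))
```

The second call shows why the flag matters: with a short timeout the compromised sample is allowed through, and only the `needs_recheck` marker distinguishes that outcome from a clean result.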

OPTIONAL: Specify an HTTP proxy server to use if your DC does not have direct Internet access. This setting will need to be configured separately on each Domain Controller.

2. License

Enter the Enzoic License Key provided for your account.

You can register to obtain a free key.

3. Monitored Entities

Specify which Active Directory accounts to protect. You can select any combination of individual users, groups, or containers/OUs.

For best performance with large domains, it is highly recommended not to use recursive groups and to enable the “Disable Recursive Membership Checks” setting. This will ensure your users have the lowest possible latency during password changes.

4. One-Click NIST Compliance

Choose if you’d like to accept the default settings recommended for NIST 800-63b compliance:

Custom dictionary for context-sensitive words for your business
Common passwords found in cracking dictionaries
Fuzzy matching for common password patterns and substitutions
Continuous monitoring to detect when existing user passwords become vulnerable

If you choose NIST 800-63b compliance mode, these settings will be automatically applied and you will get an overall status on the Enzoic Console dashboard indicating whether your current settings are in compliance.

If you’re unfamiliar with the new NIST 800-63b standard, a quick rundown is here and the full standard can be found here.

5. Password Change Screening (not shown when One-Click NIST Compliance is selected)

Select whether you want Enzoic to screen user password changes. When enabled, users who are in one of the monitored groups or OU’s will have their new passwords checked whenever they are changed. Passwords that are either present on Enzoic’s compromised password list or don’t meet any of the other password complexity policies you have selected will be rejected and the user will be required to enter a different password.

You may want to disable this option if you’d prefer for Enzoic to do offline checks of user passwords and/or credentials and not interactively check passwords during change. However, it is highly recommended that you leave this setting enabled.

The “Screen password resets performed by administrators” option controls whether administrators are exempt from this check when manually resetting a user’s password for them via Active Directory administrative tools.

6. User Password Monitoring

User Password Monitoring checks once every 24 hours to determine if any monitored users’ passwords have become compromised. The “Action to Take” dropdown allows you to select remediation actions to use when such a compromised password is detected. The following remediation actions are available:

User Must Change Password on Next Login: Immediately sets the User must change password at next logon setting in Active Directory for this user.
User Must Change Password on Next Login (Delayed): Sets the User must change password at next logon setting in Active Directory for this user after the selected delay period.
Disable Account: Immediately sets the Account is disabled setting in Active Directory for this user.
Disable Account (Delayed): Sets the Account is disabled setting in Active Directory for this user after the selected delay period.
Notification Only: The administrators on the notify list (configured in step 7) as well as optionally the affected user will be notified via email that the password is compromised. No other action will be taken.

Regardless of the remediation setting, administrators on the notify list (configured in a later step) will always receive an email notification of a compromise.

If the “Notify affected users” setting on this page is selected, and an email address is available for the user in Active Directory, the affected user will also be notified by email. If the “Action to Take” is set to one of the delayed remediation actions, the user will be notified that if they do not change their password within the remediation delay period, that action will take effect. For an immediate remediation, users will simply be notified that the selected remediation has occurred.

Clicking “Customize Email” gives you the ability to customize the alert emails sent to users. You can add your company name and corporate logo and customize the Intro and Footer text in the email.

Lastly, you can select the Delegate Server used to run User Password Monitoring scans. This is the DC in your organization which will do the work of checking user passwords for compromise. This occurs in an evenly spaced out manner over the course of the day and is generally a light workload on the server, but it is recommended to choose a lightly loaded or more powerful DC for this role to avoid introducing any potential performance problems.

7. User Credentials Monitoring

Note that this page may be omitted if your license isn’t enabled for User Credentials Monitoring.

When enabled, User Credentials Monitoring (if available for your license level) checks once every 24 hours to determine if any monitored users’ credentials have become compromised. This is different from User Password Monitoring in that the exact email/password combination for the user is checked for compromise, rather than just the password. Since a compromise of this nature is much riskier, you may wish to select more stringent remediation options when this occurs.

The “Action to Take” dropdown allows you to select remediation actions to use when compromised credentials are detected for a user. The following remediation actions are available:

User Must Change Password on Next Login: Immediately sets the User must change password at next logon setting in Active Directory for this user.
User Must Change Password on Next Login (Delayed): Sets the User must change password at next logon setting in Active Directory for this user after the selected delay period.
Disable Account: Immediately sets the Account is disabled setting in Active Directory for this user.
Disable Account (Delayed): Sets the Account is disabled setting in Active Directory for this user after the selected delay period.
Notification Only: The administrators on the notify list (configured in step 7) as well as optionally the affected user will be notified via email that the password is compromised. No other action will be taken.

Regardless of the remediation setting, administrators on the notify list (configured in a later step) will always receive an email notification of a compromise.

If the “Notify affected users” setting on this page is selected, and an email address is available for the user in Active Directory, the affected user will also be notified by email. If the “Action to Take” is set to one of the delayed remediation actions, the user will be notified that if they do not change their password within the remediation delay period, that action will take effect. For an immediate remediation, users will simply be notified that the selected remediation has occurred.

Clicking “Customize Email” gives you the ability to customize the alert emails sent to users. You can add your company name and corporate logo and customize the Intro and Footer text in the email. Note that these customization settings are distinct from those used for Password Monitoring, so you can use different text specific to this alert type if you prefer.

Lastly, you can select the Delegate Server used to run User Credentials Monitoring scans. This is the DC in your organization which will do the work of checking user credentials for compromise. This occurs in an evenly spaced out manner over the course of the day and is generally a light workload on the server, but it is recommended to choose a lightly loaded or more powerful DC for this role to avoid introducing any potential performance problems.

8. Password Policies (not shown when One-Click NIST Compliance is selected)

This page contains settings defining the specifics of how Enzoic will handle compromised password screening (i.e. inclusion of cracking dictionaries, fuzzy matching, etc.) and additional password complexity policies that can optionally be applied.

Compromised Password Screening Settings:

Reject common passwords found in cracking dictionaries
Enzoic’s database contains two types of passwords: those that have been exposed in data breaches and those that have been recovered in the dictionaries that hackers use to crack passwords. Disable this option if you’d prefer to only check your user passwords against those exposed in data breaches.

Use fuzzy password matching
Fuzzy password matching ignores case and performs common “leet speak” substitutions as part of the password screening process. For example, if the candidate password is “Georgie”, with this setting enabled variants like “georgie”, “g30rg13”, “G30RG13”, etc. would be checked as well. It is recommended to enable this setting.

Screen root passwords
Users will often add numbers and/or symbols at the beginning or end of their password in an attempt to reuse the same root password. This can be problematic if a hacker learns the root password and can make some rudimentary guesses as to the pattern. For example, a user might change their password from “Password123!” to “Password124!” during a required password change. Enabling this option will instruct Enzoic to attempt to identify such root passwords and check them for compromise as well.

Additional Password Policies

Reject passwords containing user’s first or last name
Enabling will reject passwords containing the user’s first or last name. If Fuzzy Password Matching is enabled, “leet speak” variants will also be disallowed.

Reject passwords containing user’s login name
Enabling will reject passwords containing the user’s Windows login name. If Fuzzy Password Matching is enabled, “leet speak” variants will also be disallowed.

Reject passwords containing user’s email address
Enabling will reject passwords containing the user’s corporate email address. If Fuzzy Password Matching is enabled, “leet speak” variants will also be disallowed.

Reject passwords containing repeating characters
Enabling will reject passwords containing a repeating character that appears more than the threshold defined with the setting.

Password Similarity Blocking
Enabling will reject passwords that are too similar to the user’s existing password. You can define a Minimum Required Distance, which is the minimum number of differences the new password must have from the current one. This distance is defined as the number of single-character additions, substitutions or deletions that would be required to transform the current password into the new one. For example, if the original password was “Flatirons2018!” and the new password was “Flatirons!2019$”, the distance would be 3 (insert ‘!’, substitute ‘9’ for ‘8’, substitute ‘$’ for ‘!’). “Normalize Password First” performs this check with case insensitivity and applies common “leet speak” substitutions prior to checking.

Note that either User Password Monitoring or User Credentials Monitoring must be enabled for Password Similarity Blocking to function.
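The Compromised Password Screening settings and the Additional Password Policies above all reduce to a handful of string checks. The following is an added example, not Enzoic's implementation, that evaluates one candidate password against a compromised set and a user record in the way those settings describe: fuzzy matching is approximated by normalizing both sides (lower-casing plus a substitution table) rather than generating variants, the root password is taken to be the candidate with leading and trailing digits and symbols stripped, the repeating-character rule is read as consecutive repeats, and the similarity distance is the insert/substitute/delete edit distance defined above. The substitution table, the compromised set, the user record and the `evaluate` helper are all constructed assumptions; Enzoic's real substitution list and thresholds are not on this page.

```python
import re

# Assumed "leet speak" table; Enzoic's actual substitution list is not published here.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw):
    """Case-insensitive, leet-folded form used for fuzzy matching and 'Normalize Password First'."""
    return pw.lower().translate(LEET)


def root_password(pw):
    """Strip leading/trailing digits and symbols: 'Password124!' -> 'Password'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)


def is_compromised(pw, compromised, fuzzy=True, screen_roots=True):
    """Check the candidate and (optionally) its root against the compromised set."""
    candidates = {pw}
    if screen_roots:
        candidates.add(root_password(pw))
    candidates.discard("")
    if fuzzy:
        bad = {normalize(p) for p in compromised}
        return any(normalize(c) in bad for c in candidates)
    return any(c in compromised for c in candidates)


def contains_identity(pw, parts, fuzzy=True):
    """True if any identity fragment (name, login, email) appears inside the password."""
    haystack = normalize(pw) if fuzzy else pw.lower()
    for part in parts:
        if part:
            needle = normalize(part) if fuzzy else part.lower()
            if needle in haystack:
                return True
    return False


def has_repeating_run(pw, threshold):
    """True if any character repeats consecutively more than `threshold` times (assumed reading)."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > threshold:
            return True
    return False


def levenshtein(a, b):
    """Edit distance counting single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(current, new, min_distance, normalize_first=False):
    """Password Similarity Blocking: reject when the edit distance is below the minimum."""
    if normalize_first:
        current, new = normalize(current), normalize(new)
    return levenshtein(current, new) < min_distance


def evaluate(pw, user, compromised, current_pw=None, repeat_threshold=3, min_distance=4):
    """Return the list of policy violations for a candidate; an empty list means accepted.
    `user` is a constructed dict with first/last/login/email keys, not the AD schema."""
    reasons = []
    if is_compromised(pw, compromised):
        reasons.append("compromised")
    if contains_identity(pw, [user.get("first"), user.get("last")]):
        reasons.append("contains_name")
    if contains_identity(pw, [user.get("login")]):
        reasons.append("contains_login")
    if contains_identity(pw, [user.get("email")]):
        reasons.append("contains_email")
    if has_repeating_run(pw, repeat_threshold):
        reasons.append("repeating_characters")
    if current_pw is not None and too_similar(current_pw, pw, min_distance, normalize_first=True):
        reasons.append("too_similar")
    return reasons


# Constructed sample data so the example runs offline.
COMPROMISED = {"georgie", "Password", "uGetL0ckedOut!"}
USER = {"first": "George", "last": "Smith", "login": "gsmith", "email": "gsmith@example.com"}

if __name__ == "__main__":
    print(evaluate("Password124!", USER, COMPROMISED))
    print(evaluate("Flatirons!2019$", USER, COMPROMISED, current_pw="Flatirons2018!"))
```

The two sample calls exercise the page's own examples: “Password124!” is caught only because root screening reduces it to “Password”, and “Flatirons!2019$” is rejected against “Flatirons2018!” when the minimum distance is 4, since the distance between them is 3.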

9. Administrative Notifications

Include one or more email addresses to be notified for administrative events. These events include:

Detection of new user password compromise
Summary of all users’ compromise status
Alert about any service operation errors

An optional Periodic Summary report is also available that can be sent to the administrators in the list, if selected here. This report can be sent Daily, Weekly or Monthly.

10. Test Settings

The Test Page allows you to verify that your settings are working as expected and that the Enzoic API Servers are reachable from your environment.

Entering a username here (either NT4 style or UPN) and a test password allows you to validate that:

Everything is working
The entered username is in one of the monitored OU’s or groups
The entered password is allowed or not based on your selected policies

A sample compromised password: uGetL0ckedOut!

If you receive an error indicating there is a problem reaching the Enzoic servers, please review the Troubleshooting section.