Documentation for Product Version:
NOTE: All Domain Controllers need to run the same Enzoic version. Unless noted, no reboot is required during upgrade and it is permissible to leapfrog versions.
Improvement: Allow up to a week for delayed remediations
In previous versions, delayed remediations (e.g. forcing a user to change a compromised password on next login X hours after notifying them) could only stretch up to 72 hours after a compromise was detected by Password or Credentials Monitoring scans. Now up to a week is allowed.
Improvement: Global password change will no longer be required if Password/Credentials Monitoring is disabled and then reenabled
In previous versions, if Password and Credentials Monitoring were switched off on all policies and then subsequently reenabled, all users would go back to a Limited check state until their next password change. This is no longer the case: users who were in a Full check state remain in that state even if Password and Credentials Monitoring are disabled and later reenabled.
Fix: Fix LDAP error handling
LDAP errors were in some cases being interpreted as negative responses rather than as errors. For instance, when user existence was being checked, an error response was interpreted as the user no longer existing in the domain. This could cause false resolutions to be sent out for users who were in a compromised state, because the account was incorrectly determined to have been deleted.
Fix: Some Enzoic Console settings changes were not being logged in the audit log
Fix: Uninstaller was leaving some files behind
Fix: Enzoic Client would still attempt to connect to domain even when system was offline
This had the effect of introducing an unnecessary delay into the login process for users whose system was offline or not connected to the domain network.
Fix: Trace level logging was generating too much log data
Fix: When a user had a compromised password, a change was always assumed to have resolved the compromise
Previous behavior was to assume any successful password change operation had resolved an open compromise for a user. This was not the case if the Enzoic API check failed for some reason during the password change. This could result in a password resolution alert being sent out and then a subsequent recompromise alert for the same user if the new password chosen was still a compromised password.
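Both fixes above come from the same mistake: a failed lookup or a failed API check was collapsed into a "no" answer, which then resolved an open compromise. The following is an added example (not Enzoic's code) showing the tri-state handling that avoids that. DirectoryError, Lookup, user_exists and CompromiseTracker are hypothetical names, and the flaky lookup and API callables in the demo are constructed.

```python
# Added example (not Enzoic's code): keep "error" distinct from "no" so that a
# failed directory lookup or a failed API check never resolves an open compromise.
# DirectoryError, Lookup, user_exists and CompromiseTracker are hypothetical names.
from enum import Enum
from typing import Callable, Optional


class DirectoryError(Exception):
    """Any non-authoritative LDAP failure: timeout, referral, server busy."""


class Lookup(Enum):
    PRESENT = "present"
    ABSENT = "absent"    # authoritative noSuchObject: the account really is gone
    UNKNOWN = "unknown"  # an error: decide nothing now, retry on the next run


def user_exists(lookup: Callable[[str], bool], sam: str) -> Lookup:
    """Wrap a boolean lookup so that errors become a third state, not False."""
    try:
        return Lookup.PRESENT if lookup(sam) else Lookup.ABSENT
    except DirectoryError:
        return Lookup.UNKNOWN


class CompromiseTracker:
    def __init__(self):
        self.compromised = set()
        self.alerts = []  # (user, message) pairs that would become notification emails

    def mark_compromised(self, sam: str) -> None:
        self.compromised.add(sam)

    def reconcile_user(self, sam: str, lookup: Callable[[str], bool]) -> Lookup:
        """Send a resolution only on an authoritative ABSENT; UNKNOWN leaves state alone."""
        state = user_exists(lookup, sam)
        if state is Lookup.ABSENT and sam in self.compromised:
            self.compromised.discard(sam)
            self.alerts.append((sam, "resolved: account deleted"))
        elif state is Lookup.UNKNOWN:
            self.alerts.append((sam, "lookup failed: compromise state unchanged"))
        return state

    def on_password_changed(self, sam: str,
                            api_check: Callable[[], Optional[bool]]) -> Optional[bool]:
        """api_check() returns True if the new password is known-compromised, False if
        it is clean, None if the check itself failed. Only False resolves the compromise."""
        result = api_check()
        if result is False:
            if sam in self.compromised:
                self.compromised.discard(sam)
                self.alerts.append((sam, "resolved: clean password set"))
        elif result is True:
            self.compromised.add(sam)
            self.alerts.append((sam, "recompromised: new password is also known"))
        else:
            self.alerts.append((sam, "api check failed: compromise state unchanged"))
        return result


if __name__ == "__main__":
    # Constructed scenario: a directory that times out and an API call that fails.
    tracker = CompromiseTracker()
    tracker.mark_compromised("jdoe")

    def flaky_lookup(sam):
        raise DirectoryError("timeout")

    tracker.reconcile_user("jdoe", flaky_lookup)        # UNKNOWN: still flagged
    tracker.on_password_changed("jdoe", lambda: None)   # check failed: still flagged
    tracker.on_password_changed("jdoe", lambda: False)  # clean password: resolved
    for user, msg in tracker.alerts:
        print(user, "-", msg)
```

The point is in the two `elif`/`else` branches: an error produces an alert about the error, never a resolution, so a transient LDAP or API failure cannot silently close a compromise.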
Improvement: Filter driver is now signed by Microsoft WHQL
This will allow password change filtering on domain controllers which have the Additional LSA Protection feature enabled (https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection). Upgrades to this release only require a reboot if you were previously having issues loading the LSA Password Filter Driver due to having Additional LSA Protection enabled.
Improvement: Default to longer timeout for password change checks
The default timeout for password change checks was raised to 20 seconds. We were seeing too many cases where Active Directory latency in larger customer environments was contributing to unnecessary timeouts. As part of this, also fixed an issue where there was a spurious log message indicating password change checks had failed due to timeout, even when they had actually succeeded.
Fix: The password policy for rejecting passwords containing user’s first or last name was not always working properly
Passwords containing the user’s last name were not always being blocked.
Fix: Health check failures for permanently decommissioned DCs could linger
When a DC is permanently removed from service, the health check for it could begin failing in the Enzoic console. Once this happened, there was no way to permanently remove it, as the Permanently Remove button was failing due to a permissions issue.
Fix: Conflict containers from AD replication were not being handled properly
CNF conflict containers during AD replication could cause errors in the Enzoic service.
Fix: Nonstandard permission restrictions in Active Directory could cause Monitored Users Report to fail to run
In cases where read permissions had been restricted to object attributes in Active Directory for Domain Admin users, the Monitored Users report could hang or fail to run. New handling is to skip users where we do not have sufficient permissions to read them in Active Directory and log the failure.
Fix: Only the delegate is now allowed to update shared settings when a newer version of the product is deployed
This reduces the possibility of replication conflicts from multiple DCs upgrading shared settings at once. The delegate should always be the first DC upgraded to a newer version.
Fix: Administrative password resets were being screened even when the setting was disabled
The “Screen password resets performed by administrators” setting was not being respected.
Improvement: Password Monitoring and Credentials Monitoring scans will now run as soon as the initial configuration is completed
Previously they were waiting for up to 24 hours after configuration was complete before running for the first time.
Fix: Selection of the root domain for monitoring is now no longer allowed by the console UI
Selecting the root domain was an invalid configuration and would cause errors.
Improvement: Significantly Improved Performance for Enzoic for AD Client
We’ve improved the performance of the Enzoic for AD Client substantially. The delay between a password change operation being initiated and the list of policies being displayed on the password change screen has been greatly reduced.
Fix: Behavior with Delayed Remediations
In the case where a monitoring policy had a delayed action set once a user’s password or credentials had been detected as compromised, there was previously an issue if the policy subsequently changed during the delay period. In the case where an immediate action was selected while a delayed action was still pending, the delayed action would never be executed and the immediate action would be ignored for the user with the compromised password. This behavior has been addressed. Now once a user is detected as compromised and a delayed action is queued (force password change after 72 hours for instance), the action will continue executing even if the underlying policy is changed. More details can be found at the end of the section here.
Fix: Directly Monitored Users Were Not Always Being Protected
Users who were monitored directly (not part of a monitored group or OU) were not always being included for protection.
Fix: Errors on Health Check Page During Rolling Updates of Enzoic for Active Directory
When an organization is updating Enzoic for Active Directory in a rolling manner (not all DCs updated to the new version immediately), the Health Check page in the Enzoic console could throw an error when accessed.
Fix: When a New Custom Dictionary Entry is Added, Existing Passwords in Violation Were Not Being Properly Handled
When a new entry was added to the custom dictionary, any existing monitored passwords that included the new term would be flagged as compromised, but the remediation action was not being executed, i.e. if the policy had the Action to Take set to “Force Password Change on Next Login” this was not happening.
Improvement: Timestamps in Enzoic log files now include timezone offset
Fix: Minor bug fixes in UI and UI updates
This patch addresses the following issues:
In rare cases where network connectivity was interrupted at the beginning of a scan, Continuous Password Monitoring would clear out cached data, resulting in monitored users potentially reverting to “Limited” monitoring mode.
Credentials Monitoring checks were using case sensitive usernames.
This patch addresses the following issues:
In cases where the local TCP socket used by the password filter driver and service for communications is overridden via the registry entry, if a string type was used rather than a DWORD, the value would be ignored and the default socket would still be used.
If a monitored group or OU contained more than 1500 nested users or groups, the remaining users would be ignored and not monitored. (1500 is Active Directory’s default MaxValRange, the maximum number of values of a multi-valued attribute such as member returned in a single LDAP response; values beyond that must be requested with ranged retrieval.)
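To see what "more than 1500" means on the wire: when a group has more members than MaxValRange, AD does not return a plain member attribute but a ranged one such as member;range=0-1499, and the client has to keep asking for member;range=1500-* until a chunk whose upper bound is * arrives. The following is an added example (not Enzoic's code) of that loop. The search callable is a constructed stand-in for an LDAP search, and make_fake_search is a fake directory that pages the way AD does.

```python
# Added example (not Enzoic's code): walk an AD group's member attribute with
# LDAP range retrieval, which is how a client gets past the 1500-value cap.
# The search callable and the fake directory below are constructed stand-ins.
import re
from typing import Callable, Dict, List, Optional, Tuple

# AD answers a request for 'member' on a large group with a key such as
# 'member;range=0-1499'; the final chunk uses '*' as its upper bound.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.I)


def parse_range_key(key: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """'member;range=1500-2999' -> ('member', 1500, 2999); a '*' upper bound -> None."""
    m = RANGE_RE.match(key)
    if not m:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr").lower(), int(m.group("lo")), hi


def next_range_request(attrs: Dict[str, List[str]], attr: str) -> Optional[str]:
    """Return the attribute description to request next, or None when the entry
    carried a plain attribute, a '*'-terminated range, or no values at all."""
    if attr in attrs:
        return None
    for key in attrs:
        parsed = parse_range_key(key)
        if parsed and parsed[0] == attr.lower():
            _, _, hi = parsed
            return None if hi is None else f"{attr};range={hi + 1}-*"
    return None


def fetch_all_members(search: Callable[[str, str], Dict[str, List[str]]],
                      dn: str, attr: str = "member") -> List[str]:
    """Loop until the server signals the last chunk. search(dn, request) returns
    the entry's attributes for that single attribute request."""
    members: List[str] = []
    request = attr
    while request is not None:
        attrs = search(dn, request)
        for key, values in attrs.items():
            parsed = parse_range_key(key)
            if key == attr or (parsed and parsed[0] == attr.lower()):
                members.extend(values)
        request = next_range_request(attrs, attr)
    return members


def make_fake_search(total: int, max_val_range: int = 1500):
    """Constructed directory: one group with `total` members, honouring range
    requests the way AD does with its default MaxValRange of 1500."""
    values = [f"CN=user{i},OU=People,DC=example,DC=test" for i in range(total)]

    def search(dn: str, request: str) -> Dict[str, List[str]]:
        parsed = parse_range_key(request)
        lo = parsed[1] if parsed else 0
        if parsed is None and total <= max_val_range:
            return {"member": values}          # small group: no ranging at all
        hi = min(lo + max_val_range, total)
        upper = "*" if hi == total else str(hi - 1)
        return {f"member;range={lo}-{upper}": values[lo:hi]}

    return search


if __name__ == "__main__":
    group = fetch_all_members(make_fake_search(3200), "CN=Staff,OU=Groups,DC=example,DC=test")
    print(len(group), "members read")   # 3200, delivered in three chunks
```

A client that stops after the first response, as the pre-patch behaviour did, silently gets the first 1500 members and treats the group as complete; nothing in the LDAP result code flags the truncation, only the attribute name does.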
This patch fixes a bug with password change timeouts. The UI setting to increase the timeout for checking the Enzoic API during password change operations allows it to be configured as high as 20 seconds, but the filter driver was enforcing a maximum of 2 seconds for the operation. This update allows the timeout to be set all the way to 10 seconds. This update is not necessary unless you are having issues with the password change operation timeout not being long enough. Note that while this installation does not require a reboot when upgrading from an earlier version, the timeout fix won’t be applied until the next reboot of the server.
This patch fixes an issue where Root Password Detection transformations were erroneously being applied to usernames, user first names and user last names prior to comparison checks. This could result in some passwords being rejected that should not have been. The problem only occurred when Root Password Detection was being used alongside the “Reject passwords containing user’s first or last name” and “Reject passwords containing user’s login name” policies. If you were not using these policies together, you can ignore this patch.
Multi-Policy Support (Premium Feature)
For customers on the Premium or Enterprise product plans, the ability to define multiple policies is now supported. This allows customers to customize the product behavior, monitoring rules, and remediation options for different OUs and security groups.
User Credentials Monitoring (Premium Feature)
For customers on the Premium or Enterprise product plans, we’ve introduced User Credentials Monitoring. This feature monitors your users’ exact email and password combination for compromise. If a user’s credentials become compromised, several different remediation actions are available, ranging from forcing a password change at the next login to disabling the account.
Repeating Characters Policy for Passwords
A new password policy option is available to block user passwords which contain repeating characters (e.g. Paaaasword123!). The threshold for number of repeating characters is configurable.
Significant Performance Enhancements to Password Checks
Password change checks are now significantly faster, resulting in less user wait time.
Added Ability to Disable Checking of User Password Changes
We’ve added the ability to disable checking user passwords for compromise during password changes. This was added for customers who desired the ability to only periodically scan user passwords in AD for compromise, rather than actively checking passwords during password changes.
Group Administrator Notification Emails
Admin notification emails will now be grouped more intelligently in an effort to reduce the number of emails sent. Rather than a notification email per compromised user password which was found during a Password Monitoring scan, for instance, notifications will now be grouped together and a single digest email will be sent out with a list of user accounts which were found to have compromised passwords.
Stability and Performance Improvements
This patch fixes an issue where Continuous Password Protection could fail to run for a day when one or more monitored users were deleted from Active Directory in the midst of CPP processing. In large domains where turnover is frequent and users are being deleted from the domain on a daily basis, this can result in prolonged periods where Continuous Password Protection is not able to fully run.
This patch is recommended for large domains where user accounts are frequently deleted.
Periodic Summary Report for Administrators
Option to email a report to administrators on daily/weekly/monthly frequency showing product activity. Report will detail how many password changes were screened, how many were flagged for compromised passwords, how many compromised user passwords were found, and a detailed summary of which users were found with compromised passwords and what the current remediation status is for each.
New Password Policy Blocking Passwords Containing User Information
User password changes can now be optionally screened to prevent users from using their first or last name, their login name, and their email address anywhere within the new password. If “fuzzy” password matching is enabled, variants of the password using leetspeak substitutions will also be blocked.
Customizable and Brandable User Notification Emails
Emails sent to users by Continuous Password Protection whenever their password becomes compromised can now be customized. Your company name and logo can now be used in the email and the intro and outro text of the email can be set.
Admin Error Reporting
Product now has the ability to send critical error reports or misconfigurations via email to a list of administrators.
Improved UI Organization
Settings are now grouped together in a more logical manner and more context appropriate help is available.
Stability and Performance Improvements
Improved UI Organization
Settings are now grouped together in a more logical manner and more context appropriate help is available.
Whitelist Changes
The following additional IP addresses should be whitelisted for outbound communications over TCP port 443 from your domain controllers:
75.2.9.104
99.83.177.145
One-Click NIST Compliance Setting
A new one-click wizard to guide the user through configuring the application options to ensure compliance with NIST 800-63b password guidelines. This includes:
NIST Compliance Status on Dashboard
A dashboard widget that provides “at a glance” indication of whether the current settings are NIST password guideline compliant.
New Wizard Messaging to Recommend Global Password Reset
After the initial setup is complete, a message is displayed indicating that a global password reset needs to be performed. This is necessary to initiate continuous password monitoring: a user’s password can only be fully evaluated once the password filter has observed it being set, so existing users remain in the Limited check state until their next password change.
New Monitored Users Report
A report displaying the status of all protected user accounts. Compromised accounts are clearly indicated. If an account is not being monitored, the reason is shown.
Root Password Detection
Root Password Detection optionally checks user passwords for so-called “root” passwords that are common or compromised. It does this by removing the numbers and symbols that users often prepend or append to a weaker base password in order to meet complexity or uniqueness rules, so that the base itself is checked as well (for example, “Summer2024!” is also checked as “Summer”).
Ignore Domain Trust Accounts in User Count
Defect fixed where Trust Accounts were being counted as users.
Clean Up Server Containers on Uninstall
Defect fixed where domain controller specific data used by Enzoic was being orphaned in Active Directory.
Remove Servers from Delegate Dropdown
Remove servers from Delegate dropdown if they haven’t been seen for > 24 hours. Enzoic for Active Directory now prevents selecting a server which may be offline as the Delegate Server. A Delegate Server is the domain controller in your environment you have chosen to perform the work of Continuous Password Protection. Previously, if you selected a server that was offline or unresponsive, you would not know that Continuous Password Protection was not running.
New Dashboard Widget to List Compromised Users
A widget on the dashboard which displays the usernames of the first few compromised users (if any) and a link to the Users Report if there are too many to display. The widget is red if any user is compromised, otherwise, it is green.
Delete Orphan Containers on Install/Upgrade
When installing Enzoic (either upgrade or re-install), we now find and remove any orphaned application data used by Enzoic previously. An example of this would be server-specific settings for a DC which has since been removed.
Various Stability Improvements
Custom Password Dictionary
Up to 5,000 custom passwords can be stored locally. Candidate passwords and those being protected through continuous monitoring will be evaluated using a partial match comparison (i.e. If dictionary includes “Summer”, then “SummerVacation2020” will also be blocked).
Fuzzy Password Matching
Fuzzy matching checks multiple variants of the password rather than only the literal string: a case-insensitive comparison, L33T speak substitutions, and reverse spelling. Fuzzy password matching is applied to comparisons against Enzoic’s password database and, if enabled, your local dictionary.
Password Similarity Blocking
New candidate passwords will be screened for similarity to the prior password using the Damerau-Levenshtein distance: the minimum number of single-character insertions, deletions, substitutions, or adjacent transpositions needed to turn one password into the other. The minimum distance required is configurable. Please refer to the help icon in the console interface for examples.
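The local policies described across these notes (Repeating Characters, the first/last/login/email policy with its leetspeak handling, Root Password Detection, the partial-match Custom Password Dictionary, Fuzzy Password Matching, and Password Similarity Blocking) are straightforward to write out, and doing so makes the order of operations visible, including the point of the Root Password Detection patch above: transformations belong on the candidate password, never on the user attributes it is compared against. The following is an added example (not Enzoic's code). The LEET table, the policy names, the user record and the breach set are constructed for illustration; the real product checks the Enzoic database rather than an in-memory set.

```python
# Added example (not Enzoic's code): the local password policies described in
# these notes, written out so the order of operations is visible. LEET, the
# policy names, the user record and the breach set are constructed for illustration.
import re
from typing import Iterable, List, Set

LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def root_password(pw: str) -> str:
    """Root Password Detection: strip the leading/trailing digits and symbols
    users bolt on to a weak base, e.g. 'Summer2024!' -> 'Summer'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)


def fuzzy_variants(pw: str) -> Set[str]:
    """Fuzzy matching: case-folded, de-leeted and reversed forms of the candidate."""
    base = pw.lower()
    deleet = base.translate(LEET)
    return {base, deleet, base[::-1], deleet[::-1]}


def has_repeats(pw: str, threshold: int) -> bool:
    """Repeating Characters policy: any run of one character at least `threshold` long."""
    return re.search(r"(.)\1{%d,}" % (threshold - 1), pw) is not None


def contains_user_info(pw: str, *fields: str, fuzzy: bool = True, min_len: int = 3) -> bool:
    """First/last/login/email policy. Variants are generated from the candidate
    password only; the user attributes are compared as stored (the patch above
    fixed a bug where the root transformations were applied to the names too)."""
    candidates = fuzzy_variants(pw) if fuzzy else {pw.lower()}
    for raw in fields:
        token = raw.split("@")[0].lower()   # email: compare the local part only
        if len(token) >= min_len and any(token in c for c in candidates):
            return True
    return False


def in_custom_dictionary(pw: str, dictionary: Iterable[str], fuzzy: bool = True) -> bool:
    """Partial match, so 'Summer' in the dictionary blocks 'SummerVacation2020'."""
    candidates = fuzzy_variants(pw) if fuzzy else {pw.lower()}
    return any(word.lower() in c for word in dictionary for c in candidates)


def is_compromised(pw: str, known: Set[str]) -> bool:
    """Exact-match stand-in for the breach lookup (`known` is a constructed,
    lower-cased set). The root form is tried too, so 'Summer2024!' hits 'summer'."""
    return any(fuzzy_variants(c) & known for c in (pw, root_password(pw)) if c)


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each counting as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def too_similar(new_pw: str, old_pw: str, min_distance: int) -> bool:
    """Password Similarity Blocking: reject if fewer than min_distance edits apart."""
    return damerau_levenshtein(new_pw.lower(), old_pw.lower()) < min_distance


def screen(new_pw: str, old_pw: str, user: dict, dictionary: Iterable[str], known: Set[str],
           *, repeat_threshold: int = 4, min_distance: int = 3) -> List[str]:
    """Run every policy and return the violations; an empty list means accepted."""
    violations = []
    if has_repeats(new_pw, repeat_threshold):
        violations.append("repeating characters")
    if contains_user_info(new_pw, user["first"], user["last"], user["login"], user["email"]):
        violations.append("contains user information")
    if in_custom_dictionary(new_pw, dictionary):
        violations.append("custom dictionary match")
    if is_compromised(new_pw, known):
        violations.append("compromised password")
    if too_similar(new_pw, old_pw, min_distance):
        violations.append("too similar to previous password")
    return violations


if __name__ == "__main__":
    user = {"first": "John", "last": "Doe", "login": "jdoe", "email": "john.doe@example.test"}
    known = {"password", "summer", "welcome"}     # constructed breach set
    print(screen("Summer2024!", "Summer2023!", user, ["Acme"], known))
    print(screen("Tr0ub4dor&3", "Summer2023!", user, ["Acme"], known))   # accepted: []
```

Note that the comparisons run on the cleartext candidate inside the password filter at change time, which is why the product can only apply these policies to passwords it has seen being set; a periodic scan against stored hashes cannot compute a similarity distance or a substring match.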
Continuous Password Monitoring – User Notification
Users can be notified when their password is found to be compromised. Notification uses the email address as stored in AD.
Continuous Password Monitoring – Delayed Remediation
The remediation options “Change Password on Next Login” and “Disable Account” can now be set to wait a configurable number of hours after the password is found to be compromised. If the user changes their password before the delay expires, the remediation action is not taken and administrators are notified accordingly; administrators are also notified when the action is taken after the delay. If user notification is enabled, users are notified in both cases as well. Note there is a change in behavior: users in a compromised password condition no longer trigger a notification on each subsequent day the monitoring runs.
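The delayed-remediation semantics above, together with the later fixes (the delay cap raised to a week, and a queued action that keeps running even if the policy is changed while it is pending), fit in a small queue. The following is an added example (not Enzoic's code) of that queue; RemediationQueue, PendingAction and the method names are hypothetical, and the timestamps and users in the demo are constructed.

```python
# Added example (not Enzoic's code): a delayed-remediation queue with the behaviours
# these notes describe: a one-week cap on the delay, an action snapshotted at
# detection time so a later policy edit does not cancel it, cancellation on an
# early clean password change, and no repeat notices while a compromise is open.
# RemediationQueue, PendingAction and the method names are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MAX_DELAY = timedelta(days=7)
T0 = datetime(2024, 1, 1, 9, 0)   # constructed reference time for the demo


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass
class PendingAction:
    user: str
    action: str          # "force_change" or "disable"
    detected: datetime
    due: datetime


@dataclass
class RemediationQueue:
    pending: Dict[str, PendingAction] = field(default_factory=dict)
    notices: List[str] = field(default_factory=list)   # would become admin/user emails

    def detect(self, user: str, action: str, delay_hours: float, now: datetime) -> bool:
        """Queue the policy's action for a newly compromised user. A user already
        queued is left alone: no daily re-notification, and the original action
        keeps its schedule even if the policy has since been changed."""
        if user in self.pending:
            return False
        due = now + min(hours(delay_hours), MAX_DELAY)
        self.pending[user] = PendingAction(user, action, now, due)
        self.notices.append(f"{user}: compromised, {action} due {due:%Y-%m-%d %H:%M}")
        return True

    def password_changed(self, user: str, new_is_clean: bool, now: datetime) -> str:
        """A clean password set before the delay expires cancels the action and
        notifies; a still-compromised one leaves the action pending."""
        if user not in self.pending:
            return "not pending"
        if new_is_clean:
            del self.pending[user]
            self.notices.append(f"{user}: resolved before delay expired, action cancelled")
            return "cancelled"
        self.notices.append(f"{user}: new password also compromised, action still pending")
        return "pending"

    def run_due(self, now: datetime) -> List[Tuple[str, str]]:
        """Execute every action whose delay has elapsed (the delegate DC would call
        this on each monitoring run); returns the (user, action) pairs executed."""
        fired = []
        for user, p in sorted(self.pending.items()):
            if p.due <= now:
                fired.append((user, p.action))
                del self.pending[user]
                self.notices.append(f"{user}: {p.action} executed after delay")
        return fired


if __name__ == "__main__":
    q = RemediationQueue()
    q.detect("jdoe", "force_change", 72, T0)
    q.detect("jdoe", "disable", 0, T0 + hours(1))   # policy changed to immediate: ignored
    q.run_due(T0 + hours(72))                        # force_change fires on schedule
    for line in q.notices:
        print(line)
```

The snapshot in detect is the design decision worth noting: the action and due time are fixed when the compromise is found, so an administrator editing the policy during the window cannot accidentally leave a compromised account with neither the old delayed action nor the new immediate one, which is the failure the fix above describes.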
Enhanced Usage Tracking
Password Change and Continuous Password Protection usage displayed on the Results tab now include the following counters: Number of Operations, Number of Detections (By Total, Fuzzy Matching, Similarity Blocking).
SIEM Friendly Logging
Log files are now stored in a JSON format more friendly for import to SIEM and log management tools.
Update Check
Enzoic Console application will now perform a version update check and let admin know if an update to Enzoic for Active Directory is available, along with a link to download subsequent new versions.
Reboot Check
Enzoic Console application will now display a message on the Dashboard if a reboot of the local system is needed to assist with troubleshooting.
UI Enhancements
Settings were reorganized into tabs to support future UI scalability.
Continuous Password Monitoring
When Continuous Password Protection finds a vulnerable password, there are several automated actions that can be configured in the Monitoring Settings tab. The Email Addresses to be Notified setting provides the listed recipients with a real-time notification indicating the affected user’s account and whether the configuration was set to automatically require a password change on next login or to disable the account. Note that these automated remediation actions are optional.
Select a Delegate Server
Allows you to select which domain controller will be responsible for performing the continuous monitoring function. Results are then propagated to any other domain controllers that are connected. Enzoic for AD seamlessly manages syncing of configuration across multiple domain controllers.