Enzoic for Active Directory

Release History and Notes

NOTE: All Domain Controllers need to run the same Enzoic version. Unless noted, no reboot is required during upgrade and it is permissible to leapfrog versions.

3.0.378.0 Patch Release Notes

This patch fixes an issue where Continuous Password Protection could fail to run for a day when one or more monitored users were deleted from Active Directory in the midst of CPP processing. In large domains where turnover is frequent and users are being deleted from the domain on a daily basis, this can result in prolonged periods where Continuous Password Protection is not able to fully run.

This patch is recommended for large domains where user accounts are frequently deleted.

3.0 Release Notes

  • Windows Client

    A Windows Client is now available. It can be installed on client systems joined to the monitored domain and adds information to the built-in Windows Change Password screen: domain users are shown the password policy requirements and told why an entered password does not meet policy.

  • Initial Compromised Passwords Scan

    There is now an option at the end of the initial Setup Wizard to perform a Compromised Passwords Scan. This will scan selected users in your organization to identify any who might have compromised passwords. Remediation options are available for these users at the end of the scan.

  • Significant Performance Enhancements to Password Checks

    Password change checks are now significantly faster, resulting in less user wait time.

  • More Complete Continuous Password Protection Coverage

    Continuous Password Protection no longer requires an initial password change before it starts protecting user accounts. A limited check is performed automatically for these users. The limited check leverages Enzoic's ability to compare the underlying NTLM password hashes for exact matches against the Enzoic compromised password database. In practice this means that users who have not completed an initial password change still do not receive the full benefit of advanced features such as fuzzy matching and root password detection, but they are protected from the case where their exact password has been exposed in a compromise or data breach. When viewing the Monitored Users report from the Enzoic Console Reporting tab, these users are now listed as "Limited (Password Change Required)" under the Continuous Monitoring Active column to reflect this.

    Note that if you are upgrading from a previous release and have a number of users who are not currently being monitored due to not having completed the initial password change, you may get a bump in the number of compromised passwords detected after upgrading to 3.0.

  • Stability and Performance Improvement

2.9 Release Notes

  • Installer Configuration File

    Installation options can now be driven by a preconfigured configuration file for headless installs and deployments.

  • Server Offline Health Checks Now Require Manual Dismissal

    Previously there was no way to remove the health check alert for an offline server that had been removed from service. Now these alerts stay persistent, but can be manually dismissed.

  • Enhancements to Periodic Summary Email

    The periodic summary email now includes a value for "Total # Users Selected for Monitoring", with a breakdown of how many of that total are protected by Continuous Password Protection.

  • Stability and Performance Improvement

2.8 Release Notes

  • Adjusted Health Check error alert thresholds to make them more intelligent and less likely to raise false alarms
  • Resolution emails will be sent for Health Check errors once the failure is resolved
  • Dashboard now has a Health Check area to show open error conditions
  • Temporary Exchange health mailbox accounts are no longer included in usage statistics
  • Server name is added to Health Check error alerts
  • Fixed some incorrect usage counts on Summary Email Report
  • More useful information is now included in default logging level
  • Stability improvements
  • Various console UI improvements

Patch

  • Resolved a tombstoned object bug which may consume recycling bin space in some situations.

2.7 Release Notes

Periodic Summary Report for Administrators
Option to email a report to administrators on a daily, weekly or monthly frequency showing product activity. The report details how many password changes were screened, how many were flagged for compromised passwords, how many compromised user passwords were found, and gives a detailed summary of which users were found with compromised passwords and the current remediation status for each.

New Password Policy Blocking Passwords Containing:

  • User’s First or Last Name
  • User's Login Name
  • User's Email Address

User password changes can now be optionally screened to prevent users from using their first or last name, their login name, and their email address anywhere within the new password. If "fuzzy" password matching is enabled, variants of the password using leetspeak substitutions will also be blocked.

Customizable and Brandable User Notification Emails
Emails sent to users by Continuous Password Protection whenever their password becomes compromised can now be customized. Your company name and logo can now be used in the email and the intro and outro text of the email can be set.

Admin Error Reporting
Product now has the ability to send critical error reports or misconfigurations via email to a list of administrators.

Improved UI Organization
Settings are now grouped together in a more logical manner and more context appropriate help is available.

Stability and Performance Improvements

  • Improved performance of user password change checks.
  • Improved load performance of users list on Reports tab.
  • Allow modification of Product Key without reinstalling.
  • Better installer behavior on upgrades: no longer prompt to kill the Enzoic service.
  • Better retry logic when calls to the Enzoic API fail. In prolonged network outage scenarios, administrator and user alerts could get lost previously.
  • Console UI now only uses specified proxy settings. Prior versions would use Windows proxy server settings instead, resulting in potentially different behaviors between the console UI test page and the actual Enzoic service when proxy server settings were specified in Windows, but not in the Enzoic configuration.


Whitelist Changes
The following additional IP addresses should be whitelisted for outbound communications over TCP port 443 from your domain controllers:

2.6 Release Notes

One-Click NIST Compliance Setting
A new one-click wizard to guide the user through configuring the application options to ensure compliance with NIST 800-63b password guidelines. This includes:

  • Rejecting common passwords
  • Enabling fuzzy password matching
  • Turning on continuous password protection
  • Accessing the custom password dictionary
  • Checking passwords during password resets

NIST Compliance Status on Dashboard
A dashboard widget that provides "at a glance" indication of whether the current settings are NIST password guideline compliant.

New Wizard Messaging to Recommend Global Password Reset
After the initial setup is complete, a message is displayed indicating that a global password reset needs to be performed. This is necessary to initiate continuous password monitoring.

New Monitored Users Report
A report displaying the status of all protected user accounts. Compromised accounts are clearly indicated. If an account is not being monitored, the reason is shown.

  • There are two views for the report: All Users and Compromised Users.
  • These report views can be exported to a CSV file that can be used by automation scripts or opened in applications such as Excel.

Root Password Detection
Root Password Detection optionally checks user passwords for so-called "root" passwords that are common or compromised. It does this by removing the trailing numbers and symbols that users often prepend or append to a less secure password in order to meet complexity or uniqueness guidelines.

  • For example: the password Blackberry1234!!! has a root password of Blackberry.
  • If this option is enabled, the root password Blackberry is checked along with the other calculated variants.

Ignore Domain Trust Accounts in User Count
Defect fixed where Trust Accounts were being counted as users.

Clean Up Server Containers on Uninstall
Defect fixed where domain controller specific data used by Enzoic was being orphaned in Active Directory.

Remove Servers from Delegate Dropdown
Remove servers from Delegate dropdown if they haven't been seen for > 24 hours. Enzoic for Active Directory now prevents selecting a server which may be offline as the Delegate Server. A Delegate Server is the domain controller in your environment you have chosen to perform the work of Continuous Password Protection. Previously, if you selected a server that was offline or unresponsive, you would not know that Continuous Password Protection was not running.

New Dashboard Widget to List Compromised Users
A widget on the dashboard which displays the usernames of the first few compromised users (if any) and a link to the Users Report if there are too many to display. The widget is red if any user is compromised, otherwise, it is green.

Delete Orphan Containers on Install/Upgrade
When installing Enzoic (either upgrade or re-install), we now find and remove any orphaned application data used by Enzoic previously. An example of this would be server-specific settings for a DC which has since been removed.

Various Stability Improvements

  • The determination of whether a user password change should be checked is now more robust and faster. There was a rarely occurring defect in which a protected user would not have their password checked.
  • Fixed the defect of partially missing output on the Test Page.
  • Removed some unneeded debug logging.
  • Fixed a defect where Enzoic GUI would crash if it didn't have the debug process permission. This is needed to determine whether the EnzoicFilter.dll is loaded into LSASS.exe. However, on some installations, the permission to do this is denied, and we now fail open, allowing the Enzoic GUI to run.
  • Other various improvements.

2.5 Release Notes

Custom Password Dictionary
Up to 5,000 custom passwords can be stored locally. Candidate passwords and those being protected through continuous monitoring are evaluated using a partial match comparison (e.g. if the dictionary includes “Summer”, then “SummerVacation2020” will also be blocked).

Fuzzy Password Matching
Fuzzy matching checks multiple variants of the password to control for case sensitivity and common substitutions: case-insensitive forms, L33T speak substitutions and reverse spelling. Fuzzy password matching is applied to comparisons against Enzoic’s password database and, if enabled, your local dictionary.

Password Similarity Blocking
New candidate passwords will be screened by similarity to the prior password using a Damerau-Levenshtein distance. Distance refers to the minimum number of changes and is configurable. Please refer to the help icon in the console interface for examples.
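The following Python model illustrates the checks described in the 2.5 and 2.6 notes (custom dictionary partial match, fuzzy variants, root password detection and Damerau-Levenshtein similarity). It is an added example, not Enzoic's code; the dictionary words, the leetspeak map and the distance threshold are constructed assumptions.

```python
import re

# Constructed sample dictionary; assumption, not Enzoic's real data.
CUSTOM_DICTIONARY = {"summer", "acmecorp", "blackberry"}

# Assumed leetspeak decoding table (the product's actual substitutions are not published here).
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def root_password(password):
    """Strip trailing digits/symbols: 'Blackberry1234!!!' -> 'Blackberry'."""
    return re.sub(r"[^A-Za-z]+$", "", password)


def variants(password):
    """Case-insensitive, leet-decoded and reversed forms (fuzzy matching)."""
    base = password.lower()
    forms = {base, base.translate(LEET_MAP)}
    forms |= {f[::-1] for f in list(forms)}   # reverse spelling
    return forms


def candidates(password, root_detection=True):
    """All forms to compare: variants of the password and, optionally, of its root."""
    forms = variants(password)
    if root_detection:
        forms |= variants(root_password(password))
    return {f for f in forms if f}           # drop empty root (all-digit passwords)


def matches_dictionary(password, dictionary=CUSTOM_DICTIONARY):
    """Partial match: blocked if any dictionary word occurs inside any variant."""
    return any(word in form for form in candidates(password) for word in dictionary)


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def too_similar(old, new, max_distance=3):
    """Similarity blocking: reject if the new password is within max_distance edits."""
    return damerau_levenshtein(old, new) <= max_distance
```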

Continuous Password Monitoring - User Notification
Users can be notified when their password is found to be compromised. Notification uses the email address as stored in AD.

Continuous Password Monitoring - Delayed Remediation
The remediation options for “Change Password on Next Login” and “Disable Account” can now be set to wait a configurable number of hours after the password is found to be compromised. If the user changes their password before the delay expires, the remediation action is not taken and administrators are notified accordingly. Administrators are also notified when the remediation action is taken after the delay. If user notification is enabled, users are notified of both as well. Note there is a change in behavior: users in a compromised password condition no longer trigger a notification on each subsequent day that the monitoring runs.

Enhanced Usage Tracking
Password Change and Continuous Password Protection usage displayed on the Results tab now includes the following counters: Number of Operations, Number of Detections (By Total, Fuzzy Matching, Similarity Blocking).

SIEM Friendly Logging
Log files are now stored in a JSON format more friendly for import to SIEM and log management tools.

Update Check
The Enzoic Console application now performs a version update check and lets the admin know when an update to Enzoic for Active Directory is available, along with a link to download the new version.

Reboot Check
The Enzoic Console application now displays a message on the Dashboard if a reboot of the local system is needed, to assist with troubleshooting.

UI Enhancements
Settings were reorganized into tabs to support future UI scalability.

2.0 Release Notes

Continuous Password Monitoring
When Continuous Password Protection finds a vulnerable password, several automated actions can be configured in the Monitoring Settings tab. The Email Addresses to be Notified setting provides the listed recipients with a real-time notification indicating the affected user’s account and whether the configuration was set to automatically require a password change on next login or to disable the account. Note that these automated remediation actions are optional.

Select a Delegate Server
Allows the client to select which domain controller will be responsible for performing the continuous monitoring function. Results will then be propagated to any other Domain Controllers that are connected. Enzoic for AD seamlessly manages syncing of configuration across multiple domain controllers.