Enzoic for Active Directory v3.3

The Settings page of the Enzoic Console allows you to modify settings that aren’t specific to a monitoring policy, such as the local DC’s proxy server settings, your organization’s Custom Password Dictionary, Administrative Notification settings, Enzoic Client settings, the DC used as the Delegate Server, and the 1-click NIST Compliance feature.

Network Settings

This tab contains settings for the password change check timeout and the local DC’s proxy server settings.

  • Password Check Timeout This setting controls the timeout when making calls to the Enzoic API during user password change operations. If this timeout is exceeded while waiting for a response from the Enzoic API, the operation will fail and the password change will be allowed through.

  • Proxy Server Settings These are the proxy server settings in use for the DC that you are running the console on. Proxy server settings are stored locally to each DC and must be edited from the local Enzoic Console on that system.

Custom Password Dictionary

The Custom Password Dictionary allows you to add words or terms you wish to block from inclusion in user passwords. These can be words specific to your business or your location, e.g. local sports teams, your city name, etc. If a user password contains one of these words, it will be rejected.

Admin Notifications

This is the list of Administrator email addresses to be notified for administrative events. These events include:

  • Detection of new user password compromise

  • Summary of all users’ compromise status

  • Alert about any service operation errors

An optional Periodic Summary report is also available that can be sent to the administrators in the list, if selected here. This report can be sent Daily, Weekly or Monthly. The Periodic Summary contains a digest of the activity for the time period covered: users with compromised passwords, users with compromised credentials, remediation actions being taken and their current status, etc.

Client Settings

These are settings specific to the Enzoic Client, which is installed on user Windows systems. The Enzoic Client provides additional information to users on the Windows password change screen, including what the policy requirements are for a new password and the reasons a password was rejected. For more information on deploying the Enzoic Client, see Client Setup. The settings on this page control the following:

  • Disable Enzoic Password Credential Provider This can be used as a bailout if for some reason a problem with the Enzoic Client is blocking a user from being able to sign into their system. Checking this allows you to temporarily disable the Enzoic Clients throughout this domain.

  • Alternate Credential Provider GUID By default, the Enzoic Client will wrap the default Windows system credential provider (which just provides a password prompt for users). If your organization uses a different credential provider, to provide MFA services for instance, you will need to add the GUID for this provider in this field. This will instruct the Enzoic Client to wrap this provider instead. Note that you will likely need to whitelist the Enzoic credential provider in the 3rd party product or it will typically disable the Enzoic provider. The Enzoic credential provider's GUID is C6522CF0-8F6E-4E5A-BC65-9D3B7E8390C2.

  • Credential Provider Whitelist GUIDs By default, the Enzoic Client will disable other credential providers when it is installed. This reduces user confusion when there are multiple providers enabled. In the case where you wish for users to be able to use alternate credential providers in addition to the Enzoic provider, add the GUIDs for those providers to this whitelist. Doing this will ensure the Enzoic Client does not disable these other providers.

Other Settings

This page is where the 1-click NIST Compliance feature can be enabled or disabled and where you may change the DC currently set as your Delegate Server.

  • 1-Click NIST Compliance Enabling this setting will enable a new widget on your Enzoic Console Dashboard, showing you your current NIST 800.63b compliance status. When the option is initially checked, it will automatically update all of your policy settings to compliant values. However, you can subsequently manually modify policy settings and break compliance. If you do this, the widget will warn you about which settings/policies are out of compliance. NIST Compliance ensures the following settings are enabled:

    • Screen Password Changes

    • Screen Password Resets Performed by Administrators

    • Reject Common Passwords Found in Cracking Dictionaries

    • Use Fuzzy Password Matching

    • Continuous Password Monitoring

      • Action to Take will be set to User Must Change Password on Next Login, with a 72 hour delay

      • Notify Affected Users by Email When Their Password is Compromised will be enabled

  • Delegate Server The Delegate Server is the DC in your organization which performs the Password and Credentials Monitoring scans. These scans occur in an evenly spaced out manner over the course of the day and are generally a light workload on the server, but it is recommended to choose a lightly loaded or more powerful DC for this role to avoid introducing any potential performance problems.

Last updated