Enzoic for Active Directory v3.0 and Earlier
Download links (all domain controllers in a domain must run the same version):
Note: these installers are for a prior release (v3.0 and earlier); the current release has its own installers.
- Server Installer for Domain Controllers (must be installed on all writable domain controllers): https://cdn.enzoic.com/files/EnzoicForAD_3.0.378.0.msi (MD5: 61b29101a9fa2edafe16d972520673cc)
- Client Installer (optional, see Client Setup Instructions for more details): https://cdn.enzoic.com/files/EnzoicForADClient_3.0.378.0.msi (MD5: 41112b102564bb359f85c1aabb883b66)
Verify the MD5 of each download before installing. An MD5 match only shows the file was not corrupted or swapped in transit; it does not by itself prove who published it, so also check the MSI's Authenticode signature if one is present.
Enzoic for Active Directory needs to be installed on every writable domain controller in the target domain; it is not necessary to install it on read-only domain controllers. Enzoic for Active Directory stores its configuration settings in Active Directory, so once it is configured on one domain controller, the configuration settings replicate to all the domain controllers in the domain.
Enzoic for Active Directory runs at the domain level and does not support interacting with multiple domains. Its configuration and state are all stored at the domain level. If you have a multi-domain forest or parent-child domain relationships, Enzoic for Active Directory must be installed and managed separately in each domain in your environment. After installing Enzoic for Active Directory on the first DC in each domain, run the console application as a domain admin of that domain and go through first-time configuration.
Run the installer, and then reboot the domain controller when prompted. Future upgrades will not generally require a reboot, but the initial install does.
Enzoic for Active Directory needs to run on each domain controller; however, it only needs to be configured once. All configuration settings (with the exception of the optional proxy server settings) are stored in Active Directory and automatically shared with all instances of that domain.
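The two requirements above (every writable DC in every domain runs the agent, and all of them run the same version) are easy to get wrong in a multi-domain forest. The following PowerShell is an added example, not Enzoic's own code or tooling: it verifies a downloaded installer against the MD5 published on this page and reports its Authenticode signature, then inventories the agent across the forest's writable domain controllers. It assumes the ActiveDirectory module, PowerShell Remoting to each DC, and rights to query every domain. The uninstall-entry display name pattern `Enzoic for Active Directory*` is an assumption; confirm it in Programs and Features on a DC that already has the agent.

```powershell
# Added example, not Enzoic's code. Assumes the ActiveDirectory module, PowerShell
# Remoting to each DC, and rights to query every domain in the forest. The
# uninstall-entry DisplayName pattern is an assumption; confirm it against
# Programs and Features on a DC that already has the agent.

function Test-InstallerHash {
    # Compare a downloaded MSI against the MD5 published on the page. MD5 only
    # catches a corrupted or swapped download and says nothing about who built
    # the file, so the Authenticode signature is reported alongside it.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedMd5
    )
    $actual = (Get-FileHash -Path $Path -Algorithm MD5).Hash
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        HashMatch = ($actual -ieq $ExpectedMd5)
        Signature = $sig.Status          # 'Valid' only if it chains to a trusted root
        Signer    = $sig.SignerCertificate.Subject
    }
}

function Get-EnzoicDcInventory {
    # For every domain in the forest, list the writable DCs (RODCs need no
    # install) with the agent's presence and version read from the remote registry.
    param([string]$DisplayNamePattern = 'Enzoic for Active Directory*')  # assumption

    foreach ($domain in (Get-ADForest).Domains) {
        $dcs = Get-ADDomainController -Filter * -Server $domain |
               Where-Object { -not $_.IsReadOnly }
        $remote = Invoke-Command -ComputerName $dcs.HostName -ArgumentList $DisplayNamePattern -ScriptBlock {
            param($pattern)
            $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
            $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
                     Where-Object { $_.DisplayName -like $pattern } |
                     Select-Object -First 1
            [pscustomobject]@{ Installed = [bool]$entry; Version = $entry.DisplayVersion }
        }
        foreach ($r in $remote) {
            [pscustomobject]@{
                Domain    = $domain
                DC        = $r.PSComputerName
                Installed = $r.Installed
                Version   = $r.Version
            }
        }
    }
}

function Find-EnzoicVersionDrift {
    # Per domain: which writable DCs lack the agent and whether all installed
    # copies are the same version (a requirement stated at the top of the page).
    foreach ($group in (Get-EnzoicDcInventory | Group-Object Domain)) {
        $missing  = @($group.Group | Where-Object { -not $_.Installed })
        $versions = @($group.Group | Where-Object { $_.Installed } | Select-Object -ExpandProperty Version -Unique)
        [pscustomobject]@{
            Domain       = $group.Name
            WritableDCs  = $group.Count
            MissingAgent = ($missing.DC -join ', ')
            Versions     = ($versions -join ', ')
            Consistent   = ($missing.Count -eq 0 -and $versions.Count -eq 1)
        }
    }
}

Test-InstallerHash -Path .\EnzoicForAD_3.0.378.0.msi -ExpectedMd5 '61b29101a9fa2edafe16d972520673cc'
Find-EnzoicVersionDrift | Format-Table -AutoSize
```

Run the drift check after each upgrade: a domain whose `Consistent` column is false has either a writable DC without the agent or DCs on mixed versions, and should be brought back in line before relying on the protection.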
After the initial reboot, the Setup Wizard will walk you through the configuration process with the following steps. All settings can be modified through the console after initial set-up:
Adjust the API timeout duration. This controls how long a user's password change is held while waiting for a response from the Enzoic API. If the timeout is reached, the password change is allowed through without the password having been checked for compromise; the check fails open rather than blocking the user. If Continuous Password Protection is enabled, a compromised password accepted this way will be caught by a later daily scan. Response times depend on your Internet connection, but the Enzoic API typically answers in under 500 milliseconds from most locations, so set the timeout comfortably above your observed latency while keeping it short enough that an API outage does not stall password changes on the DC.
OPTIONAL: Specify an HTTP proxy server to use if your DC does not have direct Internet access. This is the one setting not stored in Active Directory, so it must be configured separately on each Domain Controller.
Specify which Active Directory accounts to protect. You can select any combination of individual users, groups, or containers/OUs.
For best performance with large domains, avoid nested (recursive) group membership in the protected groups and enable the "Disable Recursive Membership Checks" setting, which evaluates only direct membership in the selected groups. This gives your users the lowest possible latency during password changes. Before enabling it, confirm that no user you intend to protect is a member of a selected group only through a nested group, since such a user would no longer be matched.
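Before switching on "Disable Recursive Membership Checks", it is worth knowing which users would drop out of the protected set. The PowerShell below is an added example, not Enzoic's code: for each group you plan to select, it lists the nested groups, the directly-member users, and the users reachable only through nesting. It assumes the ActiveDirectory module and read access to group membership; the group names in the usage line are hypothetical.

```powershell
# Added example, not Enzoic's code. Assumes the ActiveDirectory module and read
# access to group membership. For each group selected for protection, report the
# nested groups and the users who are members only through that nesting.

function Get-NestedMembershipGap {
    param([Parameter(Mandatory)][string[]]$ProtectedGroup)

    foreach ($g in $ProtectedGroup) {
        # Without -Recursive, Get-ADGroupMember returns direct members only.
        $direct       = @(Get-ADGroupMember -Identity $g)
        $nestedGroups = @($direct | Where-Object { $_.objectClass -eq 'group' })
        $directUsers  = @($direct | Where-Object { $_.objectClass -eq 'user' })
        $directDns    = @($directUsers | ForEach-Object { $_.distinguishedName })

        # With -Recursive, the cmdlet walks the hierarchy and returns the leaf principals.
        $allUsers   = @(Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' })
        $viaNesting = @($allUsers | Where-Object { $_.distinguishedName -notin $directDns })

        [pscustomobject]@{
            Group                  = $g
            NestedGroups           = ($nestedGroups.Name -join ', ')
            DirectUsers            = $directUsers.Count
            UsersViaNestingOnly    = $viaNesting.Count
            NestedOnlyUsers        = ($viaNesting.SamAccountName -join ', ')
            SafeToDisableRecursion = ($viaNesting.Count -eq 0)
        }
    }
}

# Hypothetical group names; substitute the groups you intend to select.
Get-NestedMembershipGap -ProtectedGroup 'Enzoic-Protected-Users', 'Finance' | Format-Table -AutoSize
```

If `SafeToDisableRecursion` is false for a group, either add the listed nested groups themselves to the protected set, or add the nested-only users directly, before disabling recursive checks.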
Choose if you’d like to accept the default settings recommended for NIST 800-63b compliance:
- Custom dictionary for context-sensitive words for your business
- Common passwords found in cracking dictionaries
- Fuzzy matching for common password patterns and substitutions
- Continuous monitoring to detect when existing user passwords become vulnerable
If you choose NIST 800-63b compliance mode, these settings will be applied automatically and the Enzoic Console dashboard will show an overall status indicating whether your current settings are in compliance.
Add Words Specific to Your Business to the Custom Dictionary (only shown when One-Click NIST Compliance is selected)
If you choose NIST 800-63b compliance mode, you should add words specific to your business and office locations. Add product name(s), your business name(s), names of cities your offices are in, local sports teams, etc. These will be added to the local dictionary and used to prevent passwords containing these terms. Make sure not to include words that are too short or generic, as this will prevent any password containing these strings from being used: a three-letter entry such as "ace", for example, would also block every password containing "Grace" or "palace".
Continuous Password Protection checks once every 24 hours to determine if any monitored users' passwords have become compromised. The "Action to Take" dropdown allows you to select the remediation action to use when such a compromised password is detected. The following remediation actions are available:
- User Must Change Password on Next Login: immediately sets the "User must change password at next logon" setting in Active Directory for this user
- User Must Change Password on Next Login (Delayed): sets the "User must change password at next logon" setting in Active Directory for this user after the selected delay period
- Disable Account: immediately sets the "Account is disabled" setting in Active Directory for this user
- Disable Account (Delayed): sets the "Account is disabled" setting in Active Directory for this user after the selected delay period
- Notification Only: the administrators on the notify list (configured in a later step) and, optionally, the affected user are notified by email that the password is compromised. No other action is taken.
Regardless of the remediation setting, administrators on the notify list (configured in a later step) will always receive an email notification of a compromise.
If the "Notify affected users" setting on this page is selected, and an email address is available for the user in Active Directory, the affected user will also be notified by email. If the "Action to Take" is set to one of the delayed remediation actions, the user will be notified that the action will take effect if they do not change their password within the remediation delay period. For an immediate remediation, users will simply be notified that the selected remediation has occurred.
Clicking "Customize Email" gives you the ability to customize the alert emails sent to users. You can add your company name and corporate logo and customize the Intro and Footer text in the email.
Lastly, you can select the Delegate Server used to run Continuous Password Protection scans. This is the DC in your organization which will do the work of checking user passwords for compromise. This occurs in an evenly spaced out manner over the course of the day and is generally a light workload on the server, but it is recommended to choose a lightly loaded or more powerful DC for this role to avoid introducing any potential performance problems.
(not shown when One-Click NIST Compliance is selected)
This page contains settings defining the specifics of how Enzoic will handle compromised password screening (i.e. inclusion of cracking dictionaries, fuzzy matching, etc.) and additional password complexity policies that can optionally be applied.
Compromised Password Screening Settings:
- Reject common passwords found in cracking dictionaries: Enzoic's database contains two types of passwords: those that have been exposed in data breaches and those recovered from the dictionaries that attackers use to crack passwords. Disable this option if you'd prefer to check user passwords only against those exposed in data breaches.
- Use fuzzy password matching: fuzzy password matching ignores case and performs common "leet speak" substitutions as part of the password screening process. For example, if the candidate password is "Georgie", with this setting enabled variants like "georgie", "g30rg13", "G30RG13", etc. would be checked as well. It is recommended to enable this setting.
- Screen root passwords: users will often add numbers and/or symbols at the beginning or end of their password in an attempt to reuse the same root password. This is a problem if an attacker learns the root password and can make some rudimentary guesses about the pattern. For example, a user might change their password from "Password123!" to "Password124!" during a required password change. Enabling this option instructs Enzoic to attempt to identify such root passwords and check them for compromise as well.
Additional Password Policies
- Reject passwords containing user's first or last name: enabling this rejects passwords containing the user's first or last name. If Fuzzy Password Matching is enabled, "leet speak" variants are also disallowed.
- Reject passwords containing user's login name: enabling this rejects passwords containing the user's Windows login name. If Fuzzy Password Matching is enabled, "leet speak" variants are also disallowed.
- Reject passwords containing user's email address: enabling this rejects passwords containing the user's corporate email address. If Fuzzy Password Matching is enabled, "leet speak" variants are also disallowed.
- Password Similarity Blocking: enabling this rejects passwords that are too similar to the user's existing password. You can define a Minimum Required Distance, which is the minimum number of differences the new password must have from the current one. This distance is the number of single-character additions, substitutions or deletions required to transform the current password into the new one. For example, if the original password was "Flatirons2018!" and the new password was "Flatirons!2019$", the distance would be 3 (insert '!', substitute '9' for '8', substitute '$' for '!'). "Normalize Password First" makes the comparison case-insensitive and applies common "leet speak" substitutions to both passwords before measuring the distance. Note that either User Password Monitoring or User Credentials Monitoring must be enabled for Password Similarity Blocking to function, since the check needs the user's current password to compare against.
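To make the screening rules above concrete, here is an added PowerShell example (not Enzoic's code) that implements the same kinds of checks on constructed sample values: case-folding with leet substitutions, root-password extraction, term containment for the custom dictionary and the user's name, login and email, and an edit-distance similarity check. The substitution table, the root-extraction rule and the distance computation are my assumptions about how such checks are typically built; Enzoic's actual tables and rules are not documented on this page.

```powershell
# Added example, not Enzoic's code. The leet table, the root-extraction rule and the
# Levenshtein distance below are assumptions about how checks of this kind work;
# the page does not document Enzoic's actual rules. All sample values are constructed.

$LeetMap = @{ '0'='o'; '1'='i'; '3'='e'; '4'='a'; '5'='s'; '7'='t'; '@'='a'; '$'='s'; '!'='i' }

function ConvertTo-NormalizedPassword {
    # Lower-case and undo common leet substitutions (fuzzy matching): 'G30RG13' becomes 'georgie'.
    param([string]$Password)
    $chars = $Password.ToLowerInvariant().ToCharArray() | ForEach-Object {
        $c = [string]$_
        if ($LeetMap.ContainsKey($c)) { $LeetMap[$c] } else { $c }
    }
    -join $chars
}

function Get-RootPassword {
    # Strip leading and trailing digits/symbols so 'Password124!' and 'Password123!'
    # share the root 'Password'. Returns $null if nothing was stripped or nothing is left.
    param([string]$Password)
    $root = $Password -replace '^[^A-Za-z]+', '' -replace '[^A-Za-z]+$', ''
    if ($root.Length -eq 0 -or $root -eq $Password) { return $null }
    $root
}

function Test-ContainsTerm {
    # Substring check used for the custom dictionary and for the user's first/last
    # name, login name and email. With -Fuzzy both sides are normalized first.
    param([string]$Password, [string[]]$Terms, [switch]$Fuzzy)
    $hay = if ($Fuzzy) { ConvertTo-NormalizedPassword $Password } else { $Password.ToLowerInvariant() }
    foreach ($t in $Terms) {
        if ([string]::IsNullOrWhiteSpace($t)) { continue }
        $needle = if ($Fuzzy) { ConvertTo-NormalizedPassword $t } else { $t.ToLowerInvariant() }
        if ($hay.Contains($needle)) { return $t }   # the offending term
    }
    $null
}

function Get-EditDistance {
    # Levenshtein distance: minimum single-character insertions, deletions and
    # substitutions needed to turn $A into $B. Character comparison is case-sensitive;
    # use Test-SimilarityBlocked -NormalizeFirst for the case-insensitive variant.
    param([string]$A, [string]$B)
    $prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @($i) + (@(0) * $B.Length)
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i-1] -ceq $B[$j-1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j-1] + 1), $prev[$j-1] + $cost)
        }
        $prev = $cur
    }
    $prev[$B.Length]
}

function Test-SimilarityBlocked {
    # True when the candidate is closer than the Minimum Required Distance to the current password.
    param([string]$Current, [string]$Candidate, [int]$MinimumDistance, [switch]$NormalizeFirst)
    if ($NormalizeFirst) {
        $Current   = ConvertTo-NormalizedPassword $Current
        $Candidate = ConvertTo-NormalizedPassword $Candidate
    }
    (Get-EditDistance $Current $Candidate) -lt $MinimumDistance
}

# Constructed sample user and candidate passwords for a dry run.
$user = @{ GivenName = 'Georgie'; Surname = 'Flatiron'; SamAccountName = 'gflatiron'; Mail = 'georgie@example.com' }
$userTerms = @($user.GivenName, $user.Surname, $user.SamAccountName, $user.Mail)
$customDictionary = @('Boulder', 'Flatirons', 'Broncos')

ConvertTo-NormalizedPassword 'G30RG13'
Get-RootPassword 'Password124!'
Test-ContainsTerm -Password 'xG30rg13x2024' -Terms $userTerms -Fuzzy
Test-ContainsTerm -Password 'Fl4t1r0ns2024!' -Terms $customDictionary -Fuzzy
Get-EditDistance 'Flatirons2018!' 'Flatirons!2019$'
Test-SimilarityBlocked -Current 'Flatirons2018!' -Candidate 'Flatirons!2019$' -MinimumDistance 4
```

The last two calls reproduce the page's own worked case: the distance between "Flatirons2018!" and "Flatirons!2019$" is 3, so with a Minimum Required Distance of 4 the change is blocked. The fuzzy containment call shows why the custom dictionary matters even with fuzzy matching on: "Fl4t1r0ns2024!" contains no literal dictionary word, but normalizes to one.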
Include one or more email addresses to be notified for administrative events. These events include:
1. Detection of a new user password compromise
2. Summary of all users' compromise status
3. Alerts about any service operation errors
An optional Periodic Summary report is also available that can be sent to the administrators in the list, if selected here. This report can be sent Daily, Weekly or Monthly.
The Test Page allows you to verify that your settings are working as expected and that the Enzoic API servers are reachable from your environment.
Entering a username here (either NT4 style or UPN) and a test password allows you to validate that:
1. Everything is working
2. The entered username is in one of the monitored OUs or groups
3. The entered password is allowed or rejected according to your selected policies
A sample test with a compromised password (screenshot not reproduced here).
After you have finished the Setup Wizard, you will be placed on the Enzoic Console Dashboard. You will receive a prompt asking if you’d like to run an initial scan of your domain for users with compromised passwords. If you are familiar with the Enzoic AD Lite product, this is essentially the same scan.
Proceeding will scan all user passwords in your Active Directory domain to see if the exact password is present in Enzoic’s database of bad passwords (note this scan can take some time for very large domains). At the end of the scan, you will see a dialog with a report showing which users had weak or compromised passwords. From the report, you can select users to perform remediations such as disabling their account or forcing a password change on next login. You may also export the results to a CSV for reference.
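The remediations offered from the scan report are the same ones described under Continuous Password Protection, and they map onto two ordinary Active Directory operations. The following PowerShell is an added example, not Enzoic's code: it applies each of the five "Action to Take" options by hand to a list of users (for instance users you picked from the exported report), honouring the delay for the delayed variants. It assumes the ActiveDirectory module; the three-day delay and the detection list at the bottom are constructed sample values, and no email is sent.

```powershell
# Added example, not Enzoic's code. Maps the five "Action to Take" options to the
# Active Directory operations they perform. Assumes the ActiveDirectory module.
# The default delay and the detection list at the bottom are constructed sample input.

function Invoke-CompromiseRemediation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)]
        [ValidateSet('ForceChangeNow', 'ForceChangeDelayed', 'DisableNow', 'DisableDelayed', 'NotifyOnly')]
        [string]$Action,
        [datetime]$DetectedAt = (Get-Date),
        [timespan]$Delay = [timespan]::FromDays(3)   # assumption; the product's delay period is configurable
    )
    $deadline = $DetectedAt + $Delay
    if ($Action -like '*Delayed' -and (Get-Date) -lt $deadline) {
        return "Pending: $SamAccountName has until $deadline to change their password"
    }
    switch -Wildcard ($Action) {
        'ForceChange*' {
            # "User must change password at next logon" (sets pwdLastSet to 0)
            if ($PSCmdlet.ShouldProcess($SamAccountName, 'Force password change at next logon')) {
                Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
            }
            return 'ForcedChange'
        }
        'Disable*' {
            # "Account is disabled" (sets the ACCOUNTDISABLE bit in userAccountControl)
            if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable account')) {
                Disable-ADAccount -Identity $SamAccountName
            }
            return 'Disabled'
        }
        'NotifyOnly' {
            # Notification is the only effect; nothing changes in the directory.
            return 'NotifiedOnly'
        }
    }
}

# Constructed sample detections (not real report output).
$detections = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   DetectedAt = (Get-Date).AddDays(-5) }
    [pscustomobject]@{ SamAccountName = 'asmith'; DetectedAt = (Get-Date).AddHours(-2) }
)
foreach ($d in $detections) {
    Invoke-CompromiseRemediation -SamAccountName $d.SamAccountName -Action ForceChangeDelayed -DetectedAt $d.DetectedAt -WhatIf
}
```

Run it with `-WhatIf` first, as the sample does, to see which users are past their deadline and which are still pending. One caveat when forcing a change: `Set-ADUser -ChangePasswordAtLogon $true` is refused for accounts that have "Password never expires" set, so clear that flag on such accounts (or disable them instead) for the forced change to take.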
Completing the setup process above will get you started with some initial settings. You can always tweak the settings from the Monitoring Settings area.