Enzoic for Active Directory Releases
Release History & Notes
Last updated
All Domain Controllers must run the same Enzoic version.
Unless otherwise noted, no reboot is required after an upgrade and it is permissible to leapfrog versions.
Fix: Properly handle domain controllers in nested OUs
A bug was identified where domain controllers in a sub-OU under the DCs OU would not be properly identified, causing the product to erroneously reject them as read-only DCs. There are legitimate use cases for temporarily moving DCs out of the DCs OU and into sub-OUs in this manner. This fix allows Enzoic for AD to find DCs in nested OUs like this. The fix is unnecessary for customers who do not move their DCs out of the default location in AD.
The new Enzoic Web Product Console allows you to monitor many aspects of the function of Enzoic for Active Directory from a browser.
Allow for usage of customer's SMTP server for sending email notifications to admins and users to improve email deliverability.
New policies for password minimum length, maximum length, require uppercase character, require lowercase character, require symbol, and require numeric character are now available.
It is now possible to set a timezone to use for date/times in administrative notification emails.
Adds an additional option for the Periodic Summary email to send at the end of the calendar month, e.g. at the beginning of June it will send out a report with stats for May.
A list of all the users detected by monitoring scans with out-of-policy passwords or compromised credentials.
This report shows you a list of all the users who have been detected as currently sharing a password.
This report shows you a list of all the users in your domain who have been detected as having a password which never expires.
This report shows you a list of all the user accounts in your domain with no password set.
This report shows you a list of all the user accounts which have not been logged into in the last 6 months.
When a password change is rejected, the Enzoic Client will now provide additional detail to the user about why:
If the password is rejected because it is in the Custom Dictionary, the Client will now indicate which term in the Custom Dictionary it matched.
If the password is rejected due to a Fuzzy Match, the Client will now display the compromised password it matched.
Reduce occurrence of duplicative rejection reasons that could be confusing. For example, in prior releases a password could be rejected both for being an exact match with a compromised password and for being a fuzzy match with a compromised password. It will now just show that it was an exact match with a compromised password.
Locally Installed Enzoic Console No Longer Needs Domain Admin Privileges
The locally installed Enzoic Product Console can now be run by users who are not Domain Admins if they have the required privileges. It is only necessary to add users who should be able to run the Enzoic Console to the new Enzoic Admins group.
Reduce Impact of Monitoring Scans
Monitoring scans should now have a reduced performance impact on the delegate server in most domains, as the work is spread out over the full 24 hour scan period.
Improve Performance of Privileged Account Password Change Checks
Fix: Do not allow delegate uninstall if there are still non-delegates remaining
This is a fix to prevent orphaning of non-delegate DCs if the delegate DC is uninstalled first.
Additional fixes and stability improvements.
Improvement: Performance of LDAP queries
This update contains significant performance improvements to the LDAP query logic in Enzoic for Active Directory. This should greatly decrease the performance impact of continuous monitoring scans on large or complex domains.
Fix: Possible deadlock condition in Enzoic Filter driver
This update resolves a condition in the Enzoic Windows filter driver that could result in a deadlock when multiple password changes occurred concurrently. Customers who are not having issues can simply pick up the new version of the driver the next time their servers reboot after installing the upgrade, but customers who are experiencing performance problems from password change operations, or who have a high volume of password changes on one or more DCs in their environments, should reboot after upgrading.
Fix: Issue with email validation logic in the Enzoic Console
An issue was discovered where email addresses containing a dash in the subdomain or domain portion of the address would be rejected as invalid (e.g. admin@some-domain.com). This prevented using these addresses for things like administrative notifications.
Enzoic Client Feature: Support for wrapping 3rd party credential providers
The Enzoic Client now supports credential providers other than the Windows default provider. This makes it possible to wrap 3rd party credential providers which provide MFA, such as DUO. For more information about how to configure this feature, see the .
Fix: Null GUIDs sometimes returned by Active Directory are now handled properly
This release fixes an issue where NULL native GUIDs returned from Active Directory on rare occasions would cause the Monitored Users report to error out.
Fix: Console application can once again be installed on non-DCs
An issue was introduced in the previous release that prevented installation of the Enzoic Console on non-domain controllers. This has been resolved.
Fix: Log files were being erroneously purged in some cases
Under certain circumstances, product log files could get purged earlier than expected.
Fix: Console performance degradation with a large number of compromised users
When there was an exceedingly large number of compromised users (> 10,000), the Enzoic Console could exhibit reduced performance, causing sluggishness and slow response. This has been optimized and corrected.
Fix: When Active Directory permissions were restricted, the Enzoic Service would excessively log the failure
When Active Directory permissions were restricted to the point where the Enzoic Service was not allowed to delete its configuration containers, the service would repeatedly log the failure and potentially consume large amounts of disk space with log files. This has been corrected.
Fix: When Trace level logging was enabled on large domains, log files could grow to problematic sizes
In large domains (> 100,000 users) with trace/debug level logging enabled, the Enzoic log files could grow to multiple gigabytes in size. Unnecessary logging messages were removed to mitigate this. Better handling for archiving log files will be introduced in 3.5.
Improvement: Allow up to a week for delayed remediations
In previous versions, delayed remediations (e.g. forcing a user to change a compromised password on next login X hours after notifying them) could only stretch up to 72 hours after a compromise was detected by Password or Credentials Monitoring scans. Now up to a week is allowed.
Improvement: Global password change will no longer be required if Password/Credentials Monitoring is disabled and then re-enabled
In previous versions, if Passwords and Credentials Monitoring were switched off on all policies and then subsequently re-enabled, all users would go back to a Limited check state until their next password change. This is no longer the case: users who were in a Full check state will remain in that state even if Passwords and Credentials Monitoring are disabled and then subsequently re-enabled.
Fix: LDAP error handling
LDAP errors were in some cases being interpreted as negative responses rather than errors. For instance, when user existence was being checked, an error response was interpreted as the user no longer existing in the domain. This could cause false resolutions to be sent out for users who were in a compromised state when we incorrectly determined the user account had been deleted.
Fix: Some Enzoic Console settings changes were not being logged in the audit log
Fix: Uninstaller was leaving behind some files
Fix: Enzoic Client would still attempt to connect to the domain even when the system was offline
This had the effect of introducing an unnecessary delay into the login process for users whose system was offline or not connected to the domain network.
Fix: Trace level logging was generating too much log data
Fix: When a user had a compromised password, a change was always assumed to have resolved the compromise
Previous behavior was to assume any successful password change operation had resolved an open compromise for a user. This was not the case if the Enzoic API check failed for some reason during the password change. This could result in a password resolution alert being sent out and then a subsequent re-compromise alert for the same user if the new password chosen was still a compromised password.
Improvement: Filter driver is now signed by Microsoft WHQL
This allows password change filtering on domain controllers which have the Additional LSA Protection feature enabled (https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection).
Upgrades to this release only require a reboot if you were previously having issues loading the LSA Password Filter Driver due to having Additional LSA Protection enabled.
Improvement: Default to longer timeout for password change checks
The default timeout for password change checks was raised to 20 seconds. We were seeing too many cases where Active Directory latency in larger customer environments was contributing to unnecessary timeouts. As part of this, we also fixed an issue where a spurious log message indicated password change checks had failed due to timeout, even when they had actually succeeded.
Fix: The password policy for rejecting passwords containing the user’s first or last name was not always working properly
Passwords containing the user’s last name were not always being blocked.
Fix: Health check failures for permanently decommissioned DCs could linger
When a DC is permanently removed from service, the health check for it could begin failing in the Enzoic console. Once this happened, there was no way to permanently remove it, as the Permanently Remove button was failing due to a permissions issue.
Fix: Conflict containers from AD replication were not being handled properly
CNF conflict containers created during AD replication could cause errors in the Enzoic service.
Fix: Nonstandard permission restrictions in Active Directory could cause the Monitored Users Report to fail to run
In cases where read permissions on object attributes in Active Directory had been restricted for Domain Admin users, the Monitored Users report could hang or fail to run. Users whom the service does not have sufficient permission to read in Active Directory are now skipped and the failure is logged.
Fix: Only the delegate is now allowed to update shared settings when a newer version of the product is deployed
This reduces the possibility of replication conflicts from multiple DCs upgrading shared settings at once. The delegate should always be the first DC upgraded to a newer version.
Fix: Administrative password resets were being screened even when the setting was disabled
The “Screen password resets performed by administrators” setting was not being respected.
Improvement: Password Monitoring and Credentials Monitoring scans will now run as soon as the initial configuration is completed
Previously they waited for up to 24 hours after configuration was complete before running for the first time.
Fix: Selection of the root domain for monitoring is no longer allowed by the console UI
Selecting the root domain was an invalid configuration and would cause errors.
Improvement: Significantly Improved Performance for Enzoic for AD Client
We’ve improved the performance of the Enzoic for AD Client substantially. Delays between a password change operation being initiated and the list of policies being displayed on the password change screen have been greatly reduced.
Fix: Behavior with Delayed Remediations
In the case where a monitoring policy had a delayed action set once a user’s password or credentials had been detected as compromised, there was previously an issue if the policy subsequently changed during the delay period. If an immediate action was selected while a delayed action was still pending, the delayed action would never be executed and the immediate action would be ignored for the user with the compromised password. This behavior has been addressed. Now, once a user is detected as compromised and a delayed action is queued (force password change after 72 hours, for instance), the action will continue executing even if the underlying policy is changed. More details can be found at the end of the section here.
Fix: Directly Monitored Users Were Not Always Being Protected
Users who were monitored directly (not as part of a monitored group or OU) were not always being included for protection.
Fix: Errors on Health Check Page During Rolling Updates of Enzoic for Active Directory
When an organization updates Enzoic for Active Directory in a rolling manner (not all DCs updated to the new version immediately), the Health Check page in the Enzoic console could throw an error when accessed.
Fix: When a New Custom Dictionary Entry is Added, Existing Passwords in Violation Were Not Being Properly Handled
When a new entry was added to the custom dictionary, any existing monitored passwords that included the new term would be flagged as compromised, but the remediation action was not being executed, i.e. if the policy had the Action to Take set to “Force Password Change on Next Login”, this was not happening.
Improvement: Timestamps in Enzoic log files now include timezone offset
Fix: Minor bug fixes in UI and UI updates
This patch addresses the following issues:
In rare cases where network connectivity was interrupted at the beginning of a scan, Continuous Password Monitoring would clear out cached data, resulting in monitored users potentially reverting to “Limited” monitoring mode.
Credentials Monitoring checks were using case sensitive usernames.
This patch addresses the following issues:
In cases where the local TCP socket used by the password filter driver and service for communications is overridden via the registry entry, if a string type was used rather than a DWORD, the value would be ignored and the default socket would still be used.
If a monitored group or OU contained more than 1500 nested users or groups, the remaining users would be ignored and not monitored.
This patch fixes a bug with password change timeouts. The UI setting to increase the timeout for checking the Enzoic API during password change operations allows it to be configured as high as 20 seconds, but the filter driver was enforcing a maximum of 2 seconds for the operation. This update allows the timeout to be set all the way to 10 seconds. This update is not necessary unless you are having issues with the password change operation timeout not being long enough. Note that while this installation does not require a reboot when upgrading from an earlier version, the timeout fix won’t be applied until the next reboot of the server.
This patch fixes an issue where Root Password Detection transformations were erroneously being applied to usernames, user first names and user last names prior to comparison checks. This could result in some passwords being rejected that should not have been. The problem only occurred when Root Password Detection was being used alongside the “Reject passwords containing user’s first or last name” and “Reject passwords containing user’s login name” policies. If you were not using these policies together, you can ignore this patch.
Multi-Policy Support (Premium Feature)
For customers on the Premium or Enterprise product plans, the ability to define multiple policies is now supported. This allows customers to customize the product behavior, monitoring rules, and remediation options for different OUs and security groups.
User Credentials Monitoring (Premium Feature)
For customers on the Premium or Enterprise product plans, we’ve introduced User Credentials Monitoring. This feature monitors your users’ exact email and password combination for compromise. If a user’s credentials become compromised, several different remediation actions are available, ranging from forcing a password change at the next login to disabling the account.
Repeating Characters Policy for Passwords
A new password policy option is available to block user passwords which contain repeating characters (e.g. Paaaasword123!). The threshold for the number of repeating characters is configurable.
Significant Performance Enhancements to Password Checks
Password change checks are now significantly faster, resulting in less user wait time.
Added Ability to Disable Checking of User Password Changes
We’ve added the ability to disable checking user passwords for compromise during password changes. This was added for customers who want to only periodically scan user passwords in AD for compromise, rather than actively checking passwords during password changes.
Group Administrator Notification Emails
Admin notification emails will now be grouped more intelligently in an effort to reduce the number of emails sent. Rather than one notification email per compromised user password found during a Password Monitoring scan, for instance, notifications will now be grouped together and a single digest email will be sent out with a list of user accounts which were found to have compromised passwords.
Stability and Performance Improvements
This patch fixes an issue where Continuous Password Protection could fail to run for a day when one or more monitored users were deleted from Active Directory in the midst of CPP processing. In large domains where turnover is frequent and users are being deleted from the domain on a daily basis, this can result in prolonged periods where Continuous Password Protection is not able to fully run.
This patch is recommended for large domains where user accounts are frequently deleted.
Windows Client
A Windows Client is now available. This can be installed on client systems joined to the monitored domain and provides additional information on the built-in Windows Change Password screen. It gives domain users information about password policy requirements and feedback as to why an entered password does not meet policy.
Initial Compromised Passwords Scan
There is now an option at the end of the initial Setup Wizard to perform a Compromised Passwords Scan. This will scan selected users in your organization to identify any who might have compromised passwords. Remediation options are available for these users at the end of the scan.
Significant Performance Enhancements to Password Checks
Password change checks are now significantly faster, resulting in less user wait time.
More Complete Continuous Password Protection Coverage
Continuous Password Protection no longer requires an initial password change to start protecting user accounts. A limited check will be performed automatically for these users. The limited check leverages Enzoic’s ability to check the underlying NTLM password hashes for exact matches against the Enzoic compromised password database. In practice this means that while users who have not completed an initial password change will still not receive all the benefits of advanced features like fuzzy matching and root password detection, they will still be protected from the case where their exact password has been exposed in a compromise or data breach. When viewing the Monitored Users report from the Enzoic Console Reporting tab, you will now see these users listed as “Limited (Password Change Required)” under the Continuous Monitoring Active column to reflect this fact. Note that if you are upgrading from a previous release and have a number of users who are not currently being monitored because they have not completed the initial password change, you may see a bump in the number of compromised passwords detected after upgrading to 3.0.
Stability and Performance Improvements
Installer Configuration File
Installation options can now be driven by a preconfigured configuration file for headless installs and deployments.
Server Offline Health Checks Now Require Manual Dismissal
Previously there was no way to remove the health check alert for an offline server that had been removed from service. Now these alerts stay persistent, but can be manually dismissed.
Enhancements to Periodic Summary Email
The periodic summary email now includes a value for “Total # Users Selected for Monitoring”, with a breakdown of how many of that total are protected by Continuous Password Protection.
Stability and Performance Improvements
Adjusted Health Check error alert thresholds to make them more intelligent and less likely to raise false alarms
Resolution emails will be sent for Health Check errors once the failure is resolved
Dashboard now has a Health Check area to show open error conditions
Temporary Exchange health mailbox accounts are no longer included in usage statistics
Server name is added to Health Check error alerts
Fixed some incorrect usage counts on Summary Email Report
More useful information is now included in default logging level
Stability improvements
Various console UI improvements
Resolved a tombstoned object bug which may consume recycling bin space in some situations.
Periodic Summary Report for Administrators
Option to email a report to administrators on a daily/weekly/monthly frequency showing product activity. The report will detail how many password changes were screened, how many were flagged for compromised passwords, how many compromised user passwords were found, and a detailed summary of which users were found with compromised passwords and what the current remediation status is for each.
New Password Policy - Allows Blocking of Passwords Containing:
User’s First or Last Name
User’s Login Name
User’s Email Address
User password changes can now be optionally screened to prevent users from using their first or last name, their login name, and their email address anywhere within the new password. If “fuzzy” password matching is enabled, variants of the password using leetspeak substitutions will also be blocked.
Customizable and Brandable User Notification Emails
Emails sent to users by Continuous Password Protection whenever their password becomes compromised can now be customized. Your company name and logo can now be used in the email, and the intro and outro text of the email can be set.
Admin Error Reporting
The product now has the ability to send critical error reports or misconfigurations via email to a list of administrators.
Improved UI Organization
Settings are now grouped together in a more logical manner and more context appropriate help is available.
Stability and Performance Improvements
Improved performance of user password change checks.
Improved load performance of users list on Reports tab.
Allow modification of Product Key without reinstalling.
Better installer behavior on upgrades: no longer prompt to kill the Enzoic service.
Better retry logic when calls to the Enzoic API fail. In prolonged network outage scenarios, administrator and user alerts could get lost previously.
Console UI now only uses specified proxy settings. Prior versions would use Windows proxy server settings instead, resulting in potentially different behaviors between the console UI test page and the actual Enzoic service when proxy server settings were specified in Windows, but not in the Enzoic configuration.
Improved UI Organization
Settings are now grouped together in a more logical manner and more context appropriate help is available.
Whitelist Changes
The following additional IP addresses should be whitelisted for outbound communications over TCP port 443 from your domain controllers:
75.2.9.104
99.83.177.145
One-Click NIST Compliance Setting
A new one-click wizard guides the user through configuring the application options to ensure compliance with NIST 800-63b password guidelines. This includes:
Rejecting common passwords
Enable fuzzy password matching
Turning on continuous password protection
Accessing the custom password dictionary
Checking passwords during password resets
NIST Compliance Status on Dashboard
A dashboard widget that provides an “at a glance” indication of whether the current settings are NIST password guideline compliant.
New Wizard Messaging to Recommend Global Password Reset
After the initial setup is complete, a message is displayed indicating that a global password reset needs to be performed. This is necessary to initiate continuous password monitoring.
New Monitored Users Report
A report displaying the status of all protected user accounts. Compromised accounts are clearly indicated. If an account is not being monitored, the reason is shown.
There are two views for the report: All Users and Compromised Users.
These report views can be exported to a CSV file that can be used by automation scripts or opened in applications such as Excel.
Root Password Detection
Root Password Detection optionally checks user passwords for so-called “root” passwords that are common or compromised. It does this by removing the trailing numbers and symbols that users often prefix or suffix to a less secure password in order to meet complexity or uniqueness guidelines.
For example: the password Blackberry1234!!! has a root password of Blackberry.
If this option is enabled, the root password Blackberry is checked along with the other calculated variants.
Ignore Domain Trust Accounts in User Count
Defect fixed where Trust Accounts were being counted as users.
Clean Up Server Containers on Uninstall
Defect fixed where domain controller specific data used by Enzoic was being orphaned in Active Directory.
Remove Servers from Delegate Dropdown
Servers are removed from the Delegate dropdown if they haven’t been seen for > 24 hours. Enzoic for Active Directory now prevents selecting a server which may be offline as the Delegate Server. A Delegate Server is the domain controller in your environment you have chosen to perform the work of Continuous Password Protection. Previously, if you selected a server that was offline or unresponsive, you would not know that Continuous Password Protection was not running.
New Dashboard Widget to List Compromised Users
A widget on the dashboard which displays the usernames of the first few compromised users (if any) and a link to the Users Report if there are too many to display. The widget is red if any user is compromised, otherwise it is green.
Delete Orphan Containers on Install/Upgrade
When installing Enzoic (either upgrade or re-install), we now find and remove any orphaned application data used by Enzoic previously. An example of this would be server-specific settings for a DC which has since been removed.
Various Stability Improvements
The determination of whether a user password change should be checked is now more robust and faster. There was a rarely occurring defect in which a protected user would not have their password checked.
Fixed the defect of partially missing output on the Test Page.
Removed some unneeded debug logging.
Fixed a defect where Enzoic GUI would crash if it didn’t have the debug process permission. This is needed to determine whether the EnzoicFilter.dll is loaded into LSASS.exe. However, on some installations, the permission to do this is denied, and we now fail open, allowing the Enzoic GUI to run.
Other various improvements.
Custom Password Dictionary
Up to 5,000 custom passwords can be stored locally. Candidate passwords and those being protected through continuous monitoring will be evaluated using a partial match comparison (i.e. if the dictionary includes “Summer”, then “SummerVacation2020” will also be blocked).
Fuzzy Password Matching
Fuzzy matching checks multiple variants of the password, controlling for case sensitivity as well as common substitutions, including: case insensitivity; L33T speak substitutions; reverse spelling. Fuzzy password matching is applied to comparisons against Enzoic’s password database and, if enabled, your local dictionary.
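As an added illustration of how the Root Password Detection, Custom Dictionary and Fuzzy Matching checks described on this page fit together (example code, not Enzoic's implementation), with a candidate reported as an exact match rather than also as a fuzzy match, as the duplicate-reason cleanup above describes. The leet table, the stripping of a leading run of symbols, and the case-insensitive dictionary comparison are this example's assumptions.

```python
from __future__ import annotations

import re

# Constructed sample data for this example; not Enzoic's database or a real customer dictionary.
COMPROMISED = {"Blackberry", "password", "Summer2019", "letmein"}
COMPROMISED_LOWER = {p.lower() for p in COMPROMISED}   # fuzzy checks are case-insensitive
CUSTOM_DICTIONARY = ["Summer", "Acme"]

# A small leet-speak table (assumed; the page does not list Enzoic's substitution set).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def root_password(password: str) -> str:
    """Root Password Detection: strip the digits/symbols users bolt on to a weaker base word.
    The page's example is a suffix (Blackberry1234!!! -> Blackberry); also stripping a
    leading run is this example's assumption."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)


def fuzzy_variants(password: str) -> set[str]:
    """Fuzzy matching variants: case-insensitive, leet-decoded, and reverse-spelled."""
    base = password.lower()
    decoded = base.translate(LEET)
    return {base, decoded, base[::-1], decoded[::-1]}


def dictionary_hit(password: str) -> str | None:
    """Custom dictionary partial match: any term occurring inside the candidate blocks it.
    Case-insensitive comparison is this example's assumption."""
    lowered = password.lower()
    for term in CUSTOM_DICTIONARY:
        if term.lower() in lowered:
            return term
    return None


def screen_password(password: str, fuzzy: bool = True,
                    root_detection: bool = True) -> list[tuple[str, str, str]]:
    """Return rejection reasons as (kind, candidate, match) tuples; an empty list means accepted.
    A candidate that is an exact match is not also reported as a fuzzy match, mirroring the
    duplicate-reason cleanup in the release notes."""
    reasons: list[tuple[str, str, str]] = []
    term = dictionary_hit(password)
    if term:
        reasons.append(("dictionary", password, term))
    candidates = [password]
    if root_detection:
        root = root_password(password)
        if root and root != password:
            candidates.append(root)          # the root is checked alongside the full password
    for cand in candidates:
        if cand in COMPROMISED:
            reasons.append(("exact", cand, cand))
            continue
        if fuzzy:
            hits = [v for v in sorted(fuzzy_variants(cand)) if v in COMPROMISED_LOWER]
            if hits:
                reasons.append(("fuzzy", cand, hits[0]))
    return reasons


if __name__ == "__main__":
    for pw in ["Blackberry1234!!!", "P@ssw0rd", "SummerVacation2020",
               "drowssap", "letmein!", "Correct Horse Battery"]:
        print(pw, "->", screen_password(pw) or "accepted")
```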
Password Similarity Blocking
New candidate passwords will be screened for similarity to the prior password using a Damerau-Levenshtein distance. Distance refers to the minimum number of changes and is configurable. Please refer to the help icon in the console interface for examples.
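An added example, not Enzoic's implementation, of the Damerau-Levenshtein comparison behind similarity blocking; that a candidate is rejected when its distance from the prior password is at or below the configured value is this example's assumption.

```python
from __future__ import annotations


def damerau_levenshtein(a: str, b: str) -> int:
    """Unrestricted Damerau-Levenshtein distance: the minimum number of single-character
    insertions, deletions, substitutions and adjacent transpositions turning a into b."""
    da: dict[str, int] = {}            # last row in which each character of a was seen
    max_dist = len(a) + len(b)
    d = [[0] * (len(b) + 2) for _ in range(len(a) + 2)]
    d[0][0] = max_dist
    for i in range(len(a) + 1):
        d[i + 1][0] = max_dist
        d[i + 1][1] = i
    for j in range(len(b) + 1):
        d[0][j + 1] = max_dist
        d[1][j + 1] = j
    for i in range(1, len(a) + 1):
        db = 0                          # last column of b that matched a[i-1]
        for j in range(1, len(b) + 1):
            k = da.get(b[j - 1], 0)
            l = db
            if a[i - 1] == b[j - 1]:
                cost = 0
                db = j
            else:
                cost = 1
            d[i + 1][j + 1] = min(
                d[i][j] + cost,                            # substitution / match
                d[i + 1][j] + 1,                           # insertion
                d[i][j + 1] + 1,                           # deletion
                d[k][l] + (i - k - 1) + 1 + (j - l - 1),   # transposition
            )
        da[a[i - 1]] = i
    return d[len(a) + 1][len(b) + 1]


def too_similar(prior: str, candidate: str, max_distance: int = 3) -> bool:
    """Similarity blocking: reject the candidate when it is within max_distance edits of
    the prior password.  The threshold direction is an assumption for this example."""
    return damerau_levenshtein(prior, candidate) <= max_distance


if __name__ == "__main__":
    # Constructed sample pairs: a year bump, a typo-style swap, and an unrelated password.
    for old, new in [("Summer2019", "Summer2020"), ("Summer2019", "Summre2019"),
                     ("Summer2019", "Tr0ub4dor&3")]:
        print(old, "->", new, "distance", damerau_levenshtein(old, new),
              "rejected" if too_similar(old, new) else "accepted")
```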
Continuous Password Monitoring – User Notification
Users can be notified when their password is found to be compromised. Notification uses the email address as stored in AD.
Continuous Password Monitoring – Delayed Remediation
The remediation options for “Change Password on Next Login” and “Disable Account” can now be set to wait a configurable number of hours after the password is found to be compromised. If the user changes their password before the delay elapses, the remediation action will not be taken, and administrators will be notified accordingly. Administrators are also notified when the remediation action is taken after the delay. If user notification is enabled, users will be notified of both as well. Note there is a change in behavior: users in a compromised password condition will no longer trigger a notification each subsequent day when the monitoring is run.
Enhanced Usage Tracking
Password Change and Continuous Password Protection usage displayed on the Results tab now includes the following counters: Number of Operations, Number of Detections (By Total, Fuzzy Matching, Similarity Blocking).
SIEM Friendly Logging
Log files are now stored in a JSON format that is easier to import into SIEM and log management tools.
Update Check
The Enzoic Console application will now perform a version update check and let the admin know if an update to Enzoic for Active Directory is available, along with a link to download new versions.
Reboot Check
The Enzoic Console application will now display a message on the Dashboard if a reboot of the local system is needed, to assist with troubleshooting.
UI Enhancements
Settings were reorganized into tabs to support future UI scalability.
Continuous Password Monitoring
When Continuous Password Protection finds a vulnerable password, there are several automated actions that can be configured in the Monitoring Settings tab. The Email Addresses to be Notified setting provides the listed recipients with a real-time notification indicating the affected user’s account and whether the configuration was set to automatically require a password change on next login or disable the account. Note that these automated remediation actions are optional.
Select a Delegate Server
Allows the client to select which domain controller will be responsible for performing the continuous monitoring function. Results will then be propagated to any other Domain Controllers that are connected. Enzoic for AD seamlessly manages syncing of configuration across multiple domain controllers.