Enzoic for Active Directory 3.3

Adjust the API timeout duration. This controls how long a user password change will be held waiting for a response from the Enzoic API. If the timeout is reached, the password change will be allowed to go through without checking the user password for compromise. The compromise status will be detected subsequently if Continuous Password Protection is enabled. Although it is completely dependent on your Internet connection, typical response times for the Enzoic API from most locations are less than 500 milliseconds.

OPTIONAL: Specify an HTTP proxy server to use if your DC does not have direct Internet access. This setting will need to be configured separately on each Domain Controller.

Enter the Enzoic License Key provided for your account.

You can register to obtain a free key

Specify which Active Directory accounts to protect. You can select any combination of individual users, groups, or containers/OUs.

For best performance with large domains, it is highly recommended to not use recursive groups and to enable the “Disable Recursive Membership Checks” setting. This will ensure your users have the lowest possible latency during password changes.

Choose if you’d like to accept the default settings recommended for NIST 800-63b compliance:

• Custom dictionary for context-sensitive words for your business
• Common passwords found in cracking dictionaries
• Fuzzy matching for common password patterns and substitutions
• Continuous monitoring to detect when existing user passwords become vulnerable

If you choose NIST 800-63b compliance mode, these settings will be automatically applied and you will get an overall status on the Enzoic Console dashboard indicating whether your current settings in compliance.

If you’re unfamiliar with the new NIST 800-63b standard, a quick rundown is here and the full standard can be found here.

If you choose NIST 800-63b compliance mode, you should add words specific to your business and office locations. Add product name(s), your business name(s), names of cities your offices are in, local sports teams, etc. These will be added to the local dictionary and used to prevent passwords containing these terms. Make sure not to include words that are too short or generic, as this will prevent any passwords containing these strings from being used.

Select whether you want Enzoic to screen user password changes. When enabled, users who are in one of the monitored groups or OU’s will have their new passwords checked whenever they are changed. Passwords that are either present on Enzoic’s compromised password list or don’t meet any of the other password complexity policies you have selected will be rejected and the user will be required to enter a different password.

You may want to disable this option if you’d prefer for Enzoic to do offline checks of user passwords and/or credentials and not interactively check passwords during change. It is highly recommended that you leave this setting enabled however.

The “Screen password resets performed by administrators” option controls whether administrators are exempt from this check when manually resetting a user’s password for them via Active Directory administrative tools.

User Password Monitoring checks once every 24 hours to determine if any monitored users’ passwords have become compromised. The “Action to Take” dropdown allows you to select remediation actions to use when such a compromised password is detected. The following remediation actions are available:

• User Must Change Password on Next Login
  Immediately sets the User must change password at next logon setting in Active Directory for this user
• User Must Change Password on Next Login (Delayed)
  Sets the User must change password at next logon setting in Active Directory for this user after the selected delay period
• Disable Account
  Immediately sets the Account is disabled setting in Active Directory for this user
• Disable Account (Delayed)
  Sets the Account is disabled setting in Active Directory for this user after the selected delay period
• Notification Only
  The administrators on the notify list (configured in step 7) as well as optionally the affected user will be notified via email that the password is compromised. No other action will be taken.

Regardless of the remediation setting, administrators on the notify list (configured in a later step) will always receive an email notification of a compromise.

If the “Notify affected users” setting on this page is selected, and an email address is available for the user in Active Directory, the affected user will also be notified by email. If the “Action to Take” is set to one of the delayed remediation actions, the user will be notified that if they do not change their password within the remediation delay period, that action will take affect. For an immediate remediation, users will simply be notified that the selected remediation has occurred.

Clicking “Customize Email” gives you have the ability to customize the alert emails sent to users. You can add your company name, corporate logo and customize the Intro and Footer text in the email.

Lastly, you can select the Delegate Server used to run User Password Monitoring scans. This is the DC in your organization which will do the work of checking user passwords for compromise. This occurs in an evenly spaced out manner over the course of the day and is generally a light workload on the server, but it is recommended to choose a lightly loaded or more powerful DC for this role to avoid introducing any potential performance problems.

Note that this page may be omitted if your license isn’t enabled for User Credentials Monitoring.

When enabled, User Credentials Monitoring (if available for your license level) checks once every 24 hours to determine if any monitored users’ credentials have become compromised. This is different from User Password Monitoring in that the exact email/password combination for the user is checked for compromise, rather than just the password. Since a compromise of this nature is much riskier, you may wish to select more stringent remediation options when this occurs.

The “Action to Take” dropdown allows you to select remediation actions to use when compromised credentials are detected for a user. The following remediation actions are available:

• User Must Change Password on Next Login
  Immediately sets the User must change password at next logon setting in Active Directory for this user
• User Must Change Password on Next Login (Delayed)
  Sets the User must change password at next logon setting in Active Directory for this user after the selected delay period
• Disable Account
  Immediately sets the Account is disabled setting in Active Directory for this user
• Disable Account (Delayed)
  Sets the Account is disabled setting in Active Directory for this user after the selected delay period
• Notification Only
  The administrators on the notify list (configured in step 7) as well as optionally the affected user will be notified via email that the password is compromised. No other action will be taken.

Regardless of the remediation setting, administrators on the notify list (configured in a later step) will always receive an email notification of a compromise.

If the “Notify affected users” setting on this page is selected, and an email address is available for the user in Active Directory, the affected user will also be notified by email. If the “Action to Take” is set to one of the delayed remediation actions, the user will be notified that if they do not change their password within the remediation delay period, that action will take affect. For an immediate remediation, users will simply be notified that the selected remediation has occurred.

Clicking “Customize Email” gives you have the ability to customize the alert emails sent to users. You can add your company name, corporate logo and customize the Intro and Footer text in the email. Note that these customization settings are distinct from those used for Password Monitoring, so you can use different text specific to this alert type if you prefer.

Lastly, you can select the Delegate Server used to run User Credentials Monitoring scans. This is the DC in your organization which will do the work of checking user credentials for compromise. This occurs in an evenly spaced out manner over the course of the day and is generally a light workload on the server, but it is recommended to choose a lightly loaded or more powerful DC for this role to avoid introducing any potential performance problems.

This page contains settings defining the specifics of how Enzoic will handle compromised password screening (i.e. inclusion of cracking dictionaries, fuzzy matching, etc.) and additional password complexity policies that can optionally be applied.

Compromised Password Screening Settings:

• Reject common passwords found in cracking dictionaries
  Enzoic’s database contains two types of passwords: those that have been exposed in data breaches and those that have been recovered in the dictionaries that hackers use to crack passwords. Disable this option if you’d prefer to only check your user passwords against those exposed in data breaches.
• Use fuzzy password matching
  Fuzzy password matching ignores case and performs common “leet speek” substitutions as part of the password screening process. For example, if the candidate password is “Georgie”, with this setting enabled variants like “georgie”, “g30rg13”, “G30RG13”, etc. would be checked as well. It is recommended to enable this setting.
• Screen root passwords
  Users will often add numbers and/or symbols at the beginning or end of their password in an attempt to reuse the same root password. This can be problematic if a hacker learns the root password and can make some rudimentary guesses as to the pattern. For example, a user might change their password from “Password123!” to “Password124!” during a required password change. Enabling this option will instruct Enzoic to attempt to identify such root passwords and check them for compromise as well.

Additional Password Policies

• Reject passwords containing user’s first or last name
  Enabling will reject passwords containing the user’s first or last name. If Fuzzy Password Matching is enabled, “leet speek” variants will also be disallowed.
• Reject passwords containing user’s login name
  Enabling will reject passwords containing the user’s Windows login name. If Fuzzy Password Matching is enabled, “leet speek” variants will also be disallowed.
• Reject passwords containing user’s email address
  Enabling will reject passwords containing the user’s corporate email address. If Fuzzy Password Matching is enabled, “leet speek” variants will also be disallowed.
• Reject passwords containing repeating characters
  Enabling will reject passwords containing a repeating character that appears more than the threshold defined with the setting.
• Password Similarity Blocking
  Enabling will reject passwords that are too similar to the user’s existing password. You can define a Minimum Required Distance which is the minimum number of differences the new password must have from the current one. This distance is defined as the number of single character additions, substitutions or deletions that would be required to transform the current password to the new one. For example, if the original password was “Flatirons2018!” and the new password was “Flatirons!2019$”, the distance would be 3 (insert ‘!’, substitute ‘9’ for ‘8’, substitute ‘$’ for ‘!’). “Normalize Password First” performs this check with case insensitivity and uses common “leet speek” substitutions prior to checking.Note that either User Password Monitoring or User Credentials Monitoring must be enabled for Password Similarity Blocking to function.

Include one or more email addresses to be notified for administrative events. These events include:

1. Detection of new user password compromise
2. Summary of all users’ compromise status
3. Alert about any service operation errors.

An optional Periodic Summary report is also available that can be sent to the administrators in the list, if selected here. This report can be sent Daily, Weekly or Monthly.

The Test Page allows you to test your settings are working as expected and that the Enzoic API Servers are reachable from your environment.

Entering a username here (either NT4 style or UPN) and a test password allows you to validate that:

1. Everything is working
2. The entered username is in one of the monitored OU’s or groups.
3. The entered password is allowed or not based on your selected policies.

A sample compromised password: uGetL0ckedOut!

If you receive an error indicating there is a problem reaching the Enzoic servers, please review the Troubleshooting section.