Enzoic for Active Directory helps you and your users to create safe, uncompromised passwords.

Leos Marek

Leos has worked in the IT industry for 15 years. Currently, he works as a Windows Server and VMware security specialist in a bank. He focuses mainly on Windows Server and VMware administration. Recently he's been scripting everything in PowerShell.

Enzoic for Active Directory 2.5 is a relatively small piece of software with great capabilities that will enhance your enterprise security. Enzoic works together with your existing Active Directory (AD) password policies (password complexity, minimum password length, etc.) to add an extra security layer with the following features:

  • Protects exposed passwords with daily screening
  • Blocks commonly used passwords
  • Blocks expected passwords with fuzzy matching (leet speak, password reversing)
  • Prevents use of similar passwords
  • Provides a custom password dictionary

In this review, let's take a closer look at its main features and how it works behind the scenes.

System requirements and installation

As with any software, there are several system requirements:

  • Microsoft .NET Framework 4.5
  • Windows 2008 R2 Forest and Domain functional level
  • Active internet connection from domain controllers – either direct or using a proxy
  • Valid product key

I was surprised at how fast and easy it was to deploy Enzoic for Active Directory in my test environment. It took just a few minutes to install and configure the product. A reboot is required to finish the installation, as Enzoic is tightly integrated into the system.

After the reboot, a quick configuration wizard is launched. First, you are asked to configure a proxy server, if needed. Next, enter a product key, which is validated against Enzoic servers. It is not possible to continue the wizard without validating the product key. Next, specify whether you want to monitor all users in your AD or just specific users, groups, or OUs.

Select users to monitor

Next, in Monitoring Settings, you can configure how strict the behavior will be. The options are as follows:

  • Reject common passwords found in cracking dictionaries (recommended) – Determines whether you want to check the passwords against dictionaries used by hackers to crack passwords.
  • Check passwords during password resets – When enabled, direct password resets (e.g., by helpdesk support personnel in an AD console) are also screened. By disabling this option, you allow your support team to use weak passwords during resets. This does not apply to standard password changes made by end users.
  • Use fuzzy password matching – Fuzzy password matching prevents leet speak usage (Password vs. P4ssw0rd) and password reversing (Password vs. drowssaP).

Monitoring settings

In the next step, you can enable the Continuous Password Protection feature, described in more detail below. In the last step, you can test the configuration before completing the wizard. As an example, I have used dr0wss4P (P4ssw0rd backwards). As I have fuzzy password matching enabled, the password is not allowed.

Testing password status

That's it! At this point, you are protected against compromised passwords. Really easy, right?

NOTE: Enzoic for Active Directory must be installed on all domain controllers in your organization. The configuration settings are stored in Active Directory and replicated via standard AD replication, so I would recommend waiting for AD replication before deploying Enzoic to other domain controllers. The only setting that is DC-specific is the proxy server.

To obtain the installer and more details about installation steps, required firewall openings, or information about how to deploy Enzoic via GPO, visit their technical documentation page.

How it works

After the installation, Enzoic registers a Microsoft standard password filter. This allows the LSA process to notify the Enzoic password filter DLL when a password change is received. A partial password hash (first 10 hex characters) is then evaluated against Enzoic's continuously updated database of exposed passwords. Communication is achieved via an HTTPS call to the Enzoic Cloud API, which returns a list of hashes for local comparison. No data is stored by Enzoic. In fact, the partial hash is zeroed out of the Enzoic Cloud server's memory at the end of the call.

Enzoic for Active Directory How it works

If the password is identified as compromised, the user receives a standard Windows error message that the password does not comply with domain policies.

Password change error message

If there is an internet connection outage, or the response from the Enzoic server exceeds the configured timeout (the default is 3000 ms), the password change is permitted without checking the compromise status.
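The following is an added illustration (not Enzoic's code) of the two mechanisms described above: the fuzzy variants (reversal, leet speak) that a filter screens, and the partial-hash lookup in which only the first 10 hex characters of the hash leave the client and the returned candidate hashes are compared locally. SHA-1, the leet table, the in-memory stand-in for the cloud API and the sample exposed-password set are all assumptions; the fail-open branch on timeout mirrors the behaviour the review describes.

```python
import hashlib

# Constructed stand-in for a server-side set of exposed passwords (not Enzoic's data).
EXPOSED_PASSWORDS = {"P4ssw0rd", "password", "letmein", "Summer2019!"}

# Assumed leet-speak substitutions; the product's own table is not documented here.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

def sha1_hex(text):
    # SHA-1 is an assumption; the review only says "partial password hash".
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def candidate_variants(password):
    """Variants a fuzzy check screens: as typed, reversed, de-leeted, and reversed + de-leeted."""
    forms = {password, password[::-1]}
    return forms | {f.translate(LEET_MAP) for f in forms}

def server_range_query(prefix):
    """Stand-in for the cloud API: given a 10-hex-char prefix, return every stored full hash
    that starts with it. Only the prefix leaves the client, so the server never sees the
    candidate password or its full hash."""
    index = {}
    for pw in EXPOSED_PASSWORDS:
        h = sha1_hex(pw)
        index.setdefault(h[:10], []).append(h)
    return index.get(prefix, [])

def offline_query(prefix):
    """Stand-in for an outage: no reply within the configured timeout."""
    raise TimeoutError("no response from password service")

def is_compromised(password, fuzzy=True, query=server_range_query):
    """Client side: hash each variant, send only the first 10 hex chars, compare locally."""
    variants = candidate_variants(password) if fuzzy else {password}
    for variant in variants:
        full_hash = sha1_hex(variant)
        if full_hash in query(full_hash[:10]):
            return True
    return False

def change_allowed(password, query=server_range_query):
    """Decision the filter hands back to LSA. On a timeout the review says the change is
    permitted unchecked (fail open), which is the gap a defender should be aware of."""
    try:
        return not is_compromised(password, query=query)
    except TimeoutError:
        return True
```

With the review's own test value, dr0wss4P is rejected only because fuzzy matching reverses it to P4ssw0rd; with fuzzy matching off it passes the hash check.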

Continuous password protection

New passwords are exposed every day. What was safe today might not be safe tomorrow or two weeks later. With Continuous Password Protection (CPP) enabled, Enzoic creates a local, encrypted database to store the raw passwords (storing a user's password is required for dynamic checking of password variants). The database is then screened daily by CPP to determine whether any password has become vulnerable.

What happens when CPP finds a vulnerable password? You can choose from several automated remediation actions, such as disabling the account or forcing a change at the next logon. You can also delay both of these for a maximum of 72 hours.

Continuous Password Protection settings

The last option is to send a notification only, to specified email addresses. A notification can also be sent directly to the user if the Notify affected user that their password is compromised option is selected. Below is an example of a notification sent to a user whose password was compromised.

Email notification about compromised password

Custom password dictionary

Another cool feature, which was just added in version 2.5, is a Custom Password Dictionary. As the name suggests, you can add your own words to be considered as unsafe passwords, such as your organization name and address, or language-specific words. I have used Praha as an example, which means Prague in the Czech language.

Custom password dictionary

After updating the configuration, I can no longer use passwords that contain the word Praha at all. Since Enzoic also supports fuzzy matching, passwords such as MyPr4h4 are not allowed either.

Password similarity blocking

The last feature to cover today is Password Similarity Blocking. This prevents users from creating passwords similar to their previous ones by adding just one different character, such as MyPassword vs. MyPassword1. You can configure this to be anywhere from one to eight different characters. It also supports normalization and fuzzy matching.
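As an added example (not the product's code) of how a similarity check with a configurable one-to-eight character threshold can work, the block below measures edit distance between the new and old password, and, when fuzzy matching is on, repeats the comparison after normalisation (case folding, an assumed leet-speak table) and against the reversed old password.

```python
# Assumed leet-speak substitutions for normalisation; the product's own table is not documented here.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

def edit_distance(a, b):
    """Levenshtein distance: the minimum number of single-character insertions,
    deletions or substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(password):
    """Normalisation step: undo leet substitutions and fold case before comparing."""
    return password.translate(LEET_MAP).lower()

def too_similar(new_password, old_password, max_diff=1, fuzzy=True):
    """True when the new password is within max_diff edits (1..8, as the setting allows)
    of the old one, either as typed or, with fuzzy matching, after normalising both
    and also against the reversed old password."""
    if not 1 <= max_diff <= 8:
        raise ValueError("max_diff must be between 1 and 8")
    pairs = [(new_password, old_password)]
    if fuzzy:
        new_n, old_n = normalize(new_password), normalize(old_password)
        pairs += [(new_n, old_n), (new_n, old_n[::-1])]
    return any(edit_distance(a, b) <= max_diff for a, b in pairs)
```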

Conclusion

Enzoic for Active Directory 2.5 made a really good impression on me. I was amazed that such small (the installer is only 14 MB) and easily configurable software can provide such features. If you are looking for a powerful extra security layer for your Active Directory, or if you need to adopt NIST password requirements, Enzoic is the way to go. They offer a free 45-day trial version, which is more than enough to properly evaluate the product. For further information, check out their FAQ section.

4 Comments
  1. Tom Pallone 3 weeks ago

    Program looks promising - but I would like to know about pricing even before I try it.

    Like to gauge a value to the product while testing it out.


    • Author
      Leos Marek 3 weeks ago

      Hello Tom,

      unfortunately the price list is not public. All I know is it's based on the number of users. You can ask a price query at the same form you ask for the trial tho 🙂

      Cheer L


  2. Martin 2 weeks ago

    The product looks good but the hidden price is what will make me skip it. What's the point in wasting time to test something if it doesn't fit my budget?


    • Author
      Leos Marek 2 weeks ago

      Hi Martin,

      you can ask for a price before spending your time on a test at their Contact page. It is quite common that such products do not have a public price list.

      Cheers Leos

