Enzoic for Active Directory 2.5 is relatively small software with great capabilities that will enhance your enterprise security. Enzoic works together with your existing Active Directory (AD) password policies (password complexity, minimum password length, etc.) to add an extra security layer with the following features:
- Protects exposed passwords with daily screening
- Blocks commonly used passwords
- Blocks expected passwords with fuzzy matching (leet speak, password reversing)
- Prevents use of similar passwords
- Provides a custom password dictionary
In this review, let's take a closer look at its main features and how it works behind the scenes.
System requirements and installation
As with any software, there are several system requirements:
- Microsoft .NET Framework 4.5
- Windows 2008 R2 Forest and Domain functional level
- Active internet connection from domain controllers – either direct or using a proxy
- Valid product key
I was surprised at how fast and easy it was to deploy Enzoic for Active Directory in my test environment. It took just a few minutes to install and configure the product. A reboot is required to finish the installation, as Enzoic is tightly integrated into the system.
After the reboot, a quick configuration wizard is launched. First, you are asked to configure a proxy server, if needed. Next, enter a product key, which is validated against Enzoic servers. It is not possible to continue the wizard without validating the product key. Next, specify whether you want to monitor all users in your AD or just specific users, groups, or OUs.
Next, in Monitoring Settings, you can configure how strict the behavior will be. The options are as follows:
- Reject common passwords found in cracking dictionaries (recommended) – Determines whether you want to check the passwords against dictionaries used by hackers to crack passwords.
- Check passwords during password resets – When enabled, direct password resets (e.g., by helpdesk support personnel in an AD console) are also screened. By disabling this option, you allow your support team to use weak passwords during resets. This does not apply to standard password changes made by end users.
- Use fuzzy password matching – Fuzzy password matching prevents leet speak usage (Password vs. P4ssw0rd) and password reversing (Password vs. drowssaP).
In the next step, you can enable the Continuous Password Protection feature, described in more detail below. In the last step, you can test the configuration before completing the wizard. As an example, I have used dr0wss4P (P4ssw0rd backwards). As I have fuzzy password matching enabled, the password is not allowed.
That's it! At this point, you are protected against compromised passwords. Really easy, right?
NOTE: Enzoic for Active Directory must be installed on all domain controllers in your organization. The configuration settings are stored in Active Directory and replicated via standard AD replication, so I would recommend waiting for AD replication before deploying Enzoic to other domain controllers. The only setting that is DC-specific is the proxy server.
To obtain the installer and more details about installation steps, required firewall openings, or information about how to deploy Enzoic via GPO, visit their technical documentation page.
How it works
After the installation, Enzoic registers a Microsoft standard password filter. This allows the LSA process to notify the Enzoic password filter DLL when a password change is received. A partial password hash (first 10 hex characters) is then evaluated against Enzoic's continuously updated database of exposed passwords. Communication is achieved via an HTTPS call to the Enzoic Cloud API, which returns a list of hashes for local comparison. No data is stored by Enzoic. In fact, the partial hash is zeroed out of the Enzoic Cloud server's memory at the end of the call.
If the password is identified as compromised, the user receives a standard Windows error message that the password does not comply with domain policies.
If there is an internet connection outage, or the response from the Enzoic server exceeds the configured timeout (the default is 3000 ms), the password change is permitted without checking the compromise status.
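The lookup described above, reduced to its logic as an added illustration (not Enzoic's code): only a 10-character hash prefix leaves the domain controller, the cloud side returns every digest sharing that prefix, the full digest is compared locally, and a call that exceeds the timeout lets the change through unchecked. The hash algorithm, the simulated database and the latency knob are assumptions.

```python
import hashlib
import time

PREFIX_LEN = 10  # the page states that the first 10 hex characters are sent

def _digest(password: str) -> str:
    # Assumption: the page does not name the hash algorithm; SHA-1 is used here.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed stand-in for the cloud database of exposed passwords.
EXPOSED_DB = {_digest(p) for p in ("Password1", "P4ssw0rd", "letmein", "qwerty123")}

def cloud_range_query(prefix: str, delay_ms: int = 0) -> list:
    """Simulated cloud API: the server only ever sees the prefix and answers
    with every stored digest that starts with it. delay_ms fakes latency."""
    time.sleep(delay_ms / 1000)
    return [h for h in EXPOSED_DB if h.startswith(prefix)]

def is_compromised(password: str, timeout_ms: int = 3000, delay_ms: int = 0) -> tuple:
    """Return (compromised, reason). Comparison of the full digest happens on
    the client; a call slower than timeout_ms is treated as the page describes:
    the change is permitted without a compromise check (fail open)."""
    full = _digest(password)
    prefix = full[:PREFIX_LEN]
    started = time.monotonic()
    candidates = cloud_range_query(prefix, delay_ms)
    elapsed_ms = (time.monotonic() - started) * 1000
    if elapsed_ms > timeout_ms:
        return False, "timeout: permitted without check"
    if full in candidates:
        return True, "match"
    return False, "not found"

if __name__ == "__main__":
    for pw in ("P4ssw0rd", "CorrectHorseBatteryStaple"):
        print(pw, is_compromised(pw))
    print("slow call:", is_compromised("P4ssw0rd", timeout_ms=1, delay_ms=30))
```

The fail-open branch is worth monitoring in production: a long outage or a misconfigured proxy silently turns the check off.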
Continuous password protection
New passwords are exposed every day. What was safe today might not be safe tomorrow or two weeks later. With Continuous Password Protection (CPP) enabled, Enzoic creates a local, encrypted database to store the raw passwords (storing a user's password is required for dynamic checking of password variants). The database is then screened daily by CPP to determine whether any password has become vulnerable.
What happens when CPP finds a vulnerable password? You can choose from several automated remediation actions, such as disabling the account or forcing a change at the next logon. You can also delay both of these for a maximum of 72 hours.
The last option is to send notification only to specified email addresses. Notification can be also sent directly to the user if the Notify affected user that their password is compromised option is selected. Below is an example of a notification sent to a user whose password was compromised.
Custom password dictionary
Another cool feature, which was just added in version 2.5, is a Custom Password Dictionary. As the name suggests, you can add your own words to be considered as unsafe passwords, such as your organization name and address, or language-specific words. I have used Praha as an example, which means Prague in the Czech language.
After updating the configuration, I can no longer use passwords that contain the word Praha at all. Since Enzoic also supports fuzzy matching, passwords such as MyPr4h4 are not allowed either.
Password similarity blocking
The last feature to cover today is Password Similarity Blocking. This prevents users from creating passwords similar to their previous ones by adding just one different character, such as MyPassword vs MyPassword1. You can configure this to be anywhere from one to eight different characters. It also supports normalization and fuzzy matching.
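The three checks discussed on this page (fuzzy matching against a cracking dictionary with leet speak and reversal, the custom dictionary that blocks any password containing a listed word, and similarity blocking by a configurable number of differing characters) as one added example; this is my own approximation, not Enzoic's implementation. The leet substitution map, the sample dictionaries and the use of Levenshtein distance as the "different characters" measure are assumptions.

```python
from typing import Optional

# Assumption: a small leet-speak map; Enzoic's real normalization is not published on the page.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})
COMMON_PASSWORDS = {"password", "letmein", "qwerty123"}  # constructed cracking-dictionary sample
CUSTOM_DICTIONARY = {"Praha", "Acme"}                     # constructed custom dictionary
MAX_SIMILAR_DIFF = 1                                      # page: configurable from 1 to 8

def normalize(pw: str) -> str:
    """Lower-case and undo leet substitutions so P4ssw0rd compares as password."""
    return pw.lower().translate(LEET_MAP)

def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character insertions/deletions/changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def evaluate(new_pw: str, old_pw: Optional[str] = None) -> str:
    """Return 'ok' or the reason the candidate password would be rejected."""
    norm = normalize(new_pw)
    forms = {norm, norm[::-1]}  # fuzzy matching also covers the reversed password
    if any(f in COMMON_PASSWORDS for f in forms):
        return "rejected: common password (after fuzzy matching)"
    for word in sorted(CUSTOM_DICTIONARY):
        if any(normalize(word) in f for f in forms):
            return f"rejected: contains custom dictionary word {word}"
    if old_pw is not None and levenshtein(norm, normalize(old_pw)) <= MAX_SIMILAR_DIFF:
        return "rejected: too similar to previous password"
    return "ok"

if __name__ == "__main__":
    for candidate, previous in (("dr0wss4P", None), ("MyPr4h4", None),
                                ("MyPassword1", "MyPassword"), ("CorrectHorse42", "MyPassword")):
        print(candidate, "->", evaluate(candidate, previous))
```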
Enzoic for Active Directory 2.5 made a really good impression on me. I was amazed at how such small (the installer is only 14 MB) and easily configurable software can provide such features. If you are looking for a powerful extra security layer for your Active Directory, or if you need to adopt NIST password requirements, Enzoic is the way to go. They offer a free 45-day trial version, which is more than enough to properly evaluate the product. For further information, check out their FAQ section.