Enzoic for Active Directory 2.5: Password enforcement and screening

• Author
• Recent Posts

Leos Marek

Leos has started in the IT industry in 1995. For the past 15+ years he focused on Windows Server, VMware administration and security. Recently, Leos is focusing on automation via Ansible. He is also a Certified Ethical Hacker.

Latest posts by Leos Marek (see all)

• Kill Windows a process with Tskill and Taskkill - Mon, Mar 13 2023
• Cannot delete a file or folder - Wed, Feb 22 2023
• Analyze Windows memory usage with RAMMap - Fri, Feb 3 2023

Enzoic for Active Directory 2.5 is relatively small software with great capabilities that will enhance your enterprise security. Enzoic works together with your existing Active Directory (AD) password policies (password complexity, minimum password length, etc.) to add an extra security layer with the following features:

• Protects exposed passwords with daily screening
• Blocks commonly used passwords
• Blocks expected passwords with fuzzy matching (leet speak, password reversing)
• Prevents use of similar passwords
• Provides a custom password dictionary

In this review, let's take a closer look at its main features and how it works behind the scenes.

System requirements and installation

As with any software, there are several system requirements:

• Microsoft .NET Framework 4.5
• Windows 2008 R2 Forest and Domain functional level
• Active internet connection from domain controllers – either direct or using a proxy
• Valid product key

I was surprised at how fast and easy it was to deploy Enzoic for Active Directory in my test environment. It took just a few minutes to install and configure the product. A reboot is required to finish the installation, as Enzoic is tightly integrated into the system.

After the reboot, a quick configuration wizard is launched. First, you are asked to configure a proxy server, if needed. Next, enter a product key, which is validated against Enzoic servers. It is not possible to continue the wizard without validating the product key. Next, specify whether you want to monitor all users in your AD or just specific users, groups, or OUs.

Select users to monitor

Next, in Monitoring Settings, you can configure how strict the behavior will be. The options are as follows:

• Reject common passwords found in cracking dictionaries (recommended) – Determines whether you want check the passwords against dictionaries used by hackers to crack passwords.
• Check passwords during password resets – When enabled, direct password resets (e.g., by helpdesk support personnel in an AD console) are also screened. By disabling this option, you allow your support team to use weak passwords during resets. This does not apply to standard password changes made by end users.
• Use fuzzy password matching – Fuzzy password matching prevents leet speak usage (Password vs. P4ssw0rd) and password reversing (Password vs. drowssaP)

Monitoring settings

In the next step, you can enable the Continuous Password Protection feature, described in more detail below. In the last step, you can test the configuration before completing the wizard. As an example, I have used dr0wss4P (P4ssw0rd backwards). As I have fuzzy password matching enabled, the password is not allowed.

Testing password status

That's it! At this point, you are protected against compromised passwords. Really easy, right?

NOTE: Enzoic for Active Directory must be installed on all domain controllers in your organization. The configuration settings are stored in Active Directory and replicated via standard AD replication, so I would recommend waiting for AD replication before deploying Enzoic to other domain controllers. The only setting that is DC-specific is the proxy server.

To obtain the installer and more details about installation steps, required firewall openings, or information about how to deploy Enzoic via GPO, visit their technical documentation page.

How it works

After the installation, Enzoic registers a Microsoft standard password filter. This allows the LSA process to notify the Enzoic password filter DLL when a password change is received. A partial password hash (first 10 hex characters) is then evaluated against Enzoic's continuously updated database of exposed passwords. Communication is achieved via an HTTPS call to the Enzoic Cloud API, which returns a list of hashes for local comparison. No data is stored by Enzoic. In fact, the partial hash is zeroed out of the Enzoic Cloud server's memory at the end of the call.

Enzoic for Active Directory How it works

Enzoic offers an optional Windows client application that can be installed on end-user machines to show the organization’s password policy on the password change screen. This includes both the policies established in Enzoic and those established natively in Windows (e.g., minimum length).

On any machine with the Windows client application installed, when a new password is entered that does not meet the Enzoic requirements, the end user will be presented with the appropriate messaging telling them why the password has failed.

Changing a password

Password change error message

If there is an internet connection outage, or the response from the Enzoic server exceeds the configured timeout (the default is 3000 ms), the password change is permitted without checking the compromise status.

Continuous password protection

New passwords are exposed every day. What was safe today might not be safe tomorrow or two weeks later. With Continuous Password Protection (CPP) enabled, Enzoic creates a local, encrypted database to store the raw passwords. (storing a user's password is required for dynamic checking of password variants).. The database is then screened daily by CPP to determine whether any password has become vulnerable.

What happens when CPP finds a vulnerable password? You can choose from several automated remediation actions, such as disabling the account or forcing a change at the next logon. You can also delay both of these for a maximum of 72 hours.

Continuous Password Protection settings

The last option is to send notification only to specified email addresses. Notification can be also sent directly to the user if the Notify affected user that their password is compromised option is selected. Below is an example of a notification sent to a user whose password was compromised.

Email notification about compromised password

Custom password dictionary

Another cool feature, which was just added in version 2.5, is a Custom Password Dictionary. As the name suggests, you can add your own words to be considered as unsafe passwords, such as your organization name and address, or language-specific words. I have used Praha as example, which means Prague in the Czech language.

Custom password dictionary

After updating the configuration, I can no longer use passwords that contain the word Praha at all. Since Enzoic also supports fuzzy matching, passwords such as MyPr4h4 are not allowed either.

Password similarity blocking

The last feature to cover today is Password Similarity Blocking. This prevents users from creating passwords similar to their previous ones by adding just one different character, such MyPassword vs MyPassword1. You can configure this to be anywhere from one to eight different characters. It also supports normalization and fuzzy matching.

Conclusion

Enzoic for Active Directory 2.5 made a really good impression on me. I was amazed at how such small (the installer is only 14 MB) and easily configurable software can provide such features. If you are looking for a powerful extra security layer for your Active Directory, or if you need to adopt NIST password requirements, Enzoic is the way to go. They offer a free 45-day trial version, which is more than enough to properly evaluate the product. For further information, check out their FAQ section.