When it comes to security, one of the important components of ensuring business-critical data is safe is verifying identity. With users carrying out work from multiple devices, networks, and connecting to both on-premises and cloud environments, it is essential to secure the identity of the end user.
The absolute weakest link in identity for end users today is the password. End users have a tendency to use weak passwords that are easy to remember and type into login forms. This makes their accounts easy targets for hackers, who use a variety of means to compromise or "crack" passwords. Current industry best practice and compliance requirements, including NIST, all require preventing the use of passwords compromised in data breaches. This presents challenges to traditional password auditing methods.
Microsoft's Active Directory serves as the identity source for many enterprise networks today. Even with the "password policies" we can provision, users can still choose passwords that may already be compromised, or easily guessed variations of known ones. Let's take a look at a handy little tool called Enzoic for Active Directory Lite and see how it can help give a view into weak, compromised, and reused passwords in your environment.
Enzoic is a free password-audit tool that lets you check your Active Directory environment for weak, compromised, and reused passwords. The tool provides a simple installer that you run to install a client on your server or workstation. After installation, it scans your Active Directory environment for weak passwords and those exposed in password breaches. Enzoic has a massive database of exposed passwords found in breaches, containing over seven billion entries.
What does it check when comparing the passwords configured in Active Directory against the Enzoic database? Enzoic maintains an up-to-date database with two types of passwords: weak and exposed. What is the difference between these two types in the Enzoic comparison?
Enzoic defines weak and exposed passwords in this way:
- Weak: These passwords show up in cracking dictionaries readily available—passwords a hacker could easily crack given enough time.
- Exposed: These passwords occur in data breaches. In other words, hackers have been able to dump these passwords in previous breaches and would likely attempt to use them in future breach attempts.
The AD Lite tool also identifies when the exact same password has been reused on multiple accounts within Active Directory. Password reuse is a major vulnerability because the exposure of one account would immediately jeopardize the others.
The requirements for running the tool itself are minimal. As far as what Enzoic lists for the tool to run, you need the following:
- Enzoic for Active Directory supports any 64-bit Windows client or server.
- The system you run the utility from will need to be a domain-joined workstation or server.
- You will need a domain admin-level account to perform the audit.
The requirements are easy to meet, and most will be able to install the tool on an administrative workstation or utility server.
How it works
You might wonder how Enzoic compares the passwords in use in your environment in a timely manner with the over seven billion passwords it maintains in its database. Once you install the Enzoic for Active Directory Lite utility, it uses a partial hash comparison approach to checking the Enzoic database.
When you install the utility on your workstation or server, it does not pull down the database locally. The utility communicates with the Enzoic API over an encrypted TLS (SSL) channel to run the partial hash comparison.
Performed this way, Enzoic can check whether a password is known to be compromised without the full password hash ever being sent to Enzoic or leaving your premises at all. To run this comparison efficiently and securely, the utility sends only the first 10 hex characters of each hash to the Enzoic API.
Enzoic then quickly runs a comparison on those 10 hex characters and returns a list of candidate password hashes that share that prefix. The utility then checks the candidate hashes locally against your on-premises password hashes to see if there is an exact match with the passwords configured for your Active Directory users.
This provides both an efficient and secure means of checking the passwords configured on end-user accounts. If you are worried about sending this data to Enzoic, according to their documentation of the tool, they do not store the partial hash sent to them via the API in any way. Also, Enzoic deletes the password hash data from memory once the password hash comparison process has finished.
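The partial-hash exchange described above, as an added illustration that is not Enzoic's code: the "API" side sees only a 10-hex-character prefix and returns every stored hash with that prefix, and the exact match (plus the reuse check from earlier in the article) happens on the client. The breach database, account list, and the choice of SHA-1 as the hash algorithm are all constructed assumptions for this example; the article does not say which hash the tool uses.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 10  # per the article, only the first 10 hex characters leave the premises


def _sha1_hex(password: str) -> str:
    # Assumption: SHA-1 stands in for whatever hash the real tool compares.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the Enzoic breach database (the real one has billions of entries).
BREACH_DB = {_sha1_hex(p) for p in ["password", "123456", "Summer2023!", "letmein"]}


def remote_candidates(prefix: str) -> list[str]:
    """Simulated API side: receives only the prefix, never the full hash,
    and returns every stored hash that begins with it."""
    assert len(prefix) == PREFIX_LEN
    return sorted(h for h in BREACH_DB if h.startswith(prefix))


def is_compromised(full_hash: str) -> bool:
    """Client side: send the prefix, then do the exact comparison locally."""
    candidates = remote_candidates(full_hash[:PREFIX_LEN])
    return full_hash in candidates


def audit_accounts(accounts: dict[str, str]) -> dict:
    """accounts maps account name -> hex password hash (what an auditor reads from AD).
    Returns the accounts with a breached hash and the groups sharing one password."""
    compromised = sorted(user for user, h in accounts.items() if is_compromised(h))
    by_hash = defaultdict(list)
    for user, h in accounts.items():
        by_hash[h].append(user)
    shared = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return {"compromised": compromised, "shared": shared}


if __name__ == "__main__":
    # Constructed sample accounts; the real tool reads these from Active Directory.
    sample = {
        "alice": _sha1_hex("password"),
        "bob": _sha1_hex("correct horse battery staple"),
        "carol": _sha1_hex("Summer2023!"),
        "dave": _sha1_hex("Summer2023!"),
    }
    print(audit_accounts(sample))
```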
Scanning Active Directory
At the time of this review, I have downloaded v22.214.171.124. The download was a very slim 8 MB. Installing the utility is a simple "Next, next, finish" process.
Running the Enzoic for Active Directory scan is a simple click of the Check Now button after installing the utility.
Once you click the Check Now button, Enzoic begins the process of scanning your Active Directory environment.
As you can see below, the interface highlights the weak or compromised passwords in red that match accounts in your Active Directory database. There are other really great features in the Lite version. These include:
- The ability to export the results to a .csv file
- The count of users with weak or compromised passwords
- The number of accounts that are sharing passwords
Enzoic for Active Directory Lite vs. paid
The Lite version of Enzoic for Active Directory provides excellent features for a free audit tool as shown. What features do you get with the full Enzoic for Active Directory tool?
- It automatically adds a password policy in Active Directory to protect against unsafe passwords. This includes a custom password dictionary, blocks usernames in passwords, and adds fuzzy matches. It also confirms that a user’s new password is not too similar to their previous password.
- Automatic and continuous auditing of the Active Directory environment determines when a safe password becomes vulnerable due to new breaches and such.
- Automated remediation of passwords includes notifications as well as forced password resets or disabling accounts.
The capabilities of the full Enzoic for Active Directory are important to being able to comply with NIST 800-63B password requirements and current industry best practices generally.
Final thoughts and impressions
I found the Enzoic for Active Directory Lite tool extremely easy to install and quickly use to scan passwords configured in Active Directory. You will most likely find the information presented to be eye-opening across larger Active Directory environments.
Enzoic quickly gives visibility into accounts configured in Active Directory with weak or compromised passwords as well as how many accounts may be sharing passwords in the environment. You can also export the results of the scan to a .csv file for further data examination or use. This is a great tool, especially for free.
Be sure to check out the free download of Enzoic for Active Directory Lite here.