Monitoring Policies

Enzoic for Active Directory v3.2

The Monitoring Policies page of the Enzoic Console allows you to add, edit, and delete Monitoring Policies. Note that if you are on a Business level license, you will be limited to a single policy named “Primary”, but on other license levels you will be able to define multiple monitoring policies to target different groups and OUs with different monitoring settings.

Adding or Removing Policies

Adding or removing policies can be done from the left-hand pane, titled Policies, by using the Add and Remove buttons at the bottom of the list view. Note that it is not possible to remove the default policy.

To add a new policy, click Add, select whether you want to copy the settings from an existing policy or start blank, and click OK. The new policy will appear in the right-hand pane and you may edit it there. Remember to click “Update Configuration” when finished. It is necessary to select at least one OU/group/user to monitor on the Monitored Entities page in order to save the new policy. See the Policy Settings section below for more details about the various settings available.

Policy Precedence

Enzoic does not prevent you from including the same user under multiple policies, since a user could end up under multiple policies later as group, OU or container memberships change. Instead, policies are applied in order of precedence. If a user is included under multiple policies, the first matching policy in precedence order is used, as follows: the (Default) policy is checked first, then the remaining policies in alphabetical order.

If you are unsure which policy is being applied to a specific user, you can enter their username on the Test Page to check which policy is being used. You can also view which policy they fall under with the Monitored Users Report under Reporting.

Policy Settings

The following settings are available on each policy, grouped by tab title:

Monitored Entities

Specifies which Active Directory accounts to protect with this policy. You can select any combination of individual users, groups, or containers/OUs. For best performance with large domains, it is highly recommended not to use recursive groups and to enable the “Disable Recursive Membership Checks” setting. This will ensure your users have the lowest possible latency during password changes.

Password Changes

Specifies whether you want Enzoic to screen password changes for users covered by this policy. When enabled, users will have their new passwords checked whenever they are changed. Passwords that are either present on Enzoic’s compromised password list or fail any of the other password complexity policies you have selected will be rejected, and the user will be required to enter a different password. You may want to disable this option if you’d prefer for Enzoic to do offline checks of user passwords and/or credentials and not interactively check passwords during change. It is highly recommended that you leave this setting enabled, however. The “Screen password resets performed by administrators” option controls whether administrators are exempt from this check when manually resetting a user’s password for them via Active Directory administrative tools.

Password Monitoring

User Password Monitoring checks once every 24 hours to determine if any monitored users’ passwords have become compromised. The “Action to Take” dropdown allows you to select remediation actions to use when such a compromised password is detected. The following remediation actions are available:

  • User Must Change Password on Next Login: immediately sets the User must change password at next logon setting in Active Directory for this user

  • User Must Change Password on Next Login (Delayed): sets the User must change password at next logon setting in Active Directory for this user after the selected delay period

  • Disable Account: immediately sets the Account is disabled setting in Active Directory for this user

  • Disable Account (Delayed): sets the Account is disabled setting in Active Directory for this user after the selected delay period

  • Notification Only: the administrators on the administrative notification list, as well as optionally the affected user, will be notified via email that the password is compromised. No other action will be taken.

Regardless of the remediation setting, administrators on the notify list (configured in a later step) will always receive an email notification of a compromise.

If the “Notify affected users” setting on this page is selected, and an email address is available for the user in Active Directory, the affected user will also be notified by email. If the “Action to Take” is set to one of the delayed remediation actions, the user will be notified that if they do not change their password within the remediation delay period, that action will take effect. For an immediate remediation, users will simply be notified that the selected remediation has occurred.

Clicking “Customize Email” gives you the ability to customize the alert emails sent to users. You can add your company name and corporate logo and customize the Intro and Footer text in the email.

Credentials Monitoring

When enabled, User Credentials Monitoring (if available for your license level) checks once every 24 hours to determine if any monitored users’ credentials have become compromised. This differs from User Password Monitoring in that the exact email/password combination for the user is checked for compromise, rather than just the password. Since a compromise of this nature is much riskier, you may wish to select more stringent remediation options when this occurs. The “Action to Take” dropdown allows you to select remediation actions to use when compromised credentials are detected for a user. The following remediation actions are available:

  • User Must Change Password on Next Login: immediately sets the User must change password at next logon setting in Active Directory for this user

  • User Must Change Password on Next Login (Delayed): sets the User must change password at next logon setting in Active Directory for this user after the selected delay period

  • Disable Account: immediately sets the Account is disabled setting in Active Directory for this user

  • Disable Account (Delayed): sets the Account is disabled setting in Active Directory for this user after the selected delay period

  • Notification Only: the administrators on the administrative notification list, as well as optionally the affected user, will be notified via email that the password is compromised. No other action will be taken.

Regardless of the remediation setting, administrators on the notify list (configured in a later step) will always receive an email notification of a compromise.

If the “Notify affected users” setting on this page is selected, and an email address is available for the user in Active Directory, the affected user will also be notified by email. If the “Action to Take” is set to one of the delayed remediation actions, the user will be notified that if they do not change their password within the remediation delay period, that action will take effect. For an immediate remediation, users will simply be notified that the selected remediation has occurred.

Clicking “Customize Email” gives you the ability to customize the alert emails sent to users. You can add your company name and corporate logo and customize the Intro and Footer text in the email. Note that these customization settings are distinct from the email customization settings that may be configured for Password Monitoring, so you can use different text specific to credentials alerts here if you prefer.

Password Policies

This page contains settings defining the specifics of how Enzoic handles compromised password screening (i.e., inclusion of cracking dictionaries, fuzzy matching, etc.) and additional password complexity policies that can optionally be applied.

Compromised Password Screening Settings

  • Reject common passwords found in cracking dictionaries: Enzoic’s database contains two types of passwords: those that have been exposed in data breaches and those that have been recovered from the dictionaries that hackers use to crack passwords. Disable this option if you’d prefer to only check your user passwords against those exposed in data breaches.

  • Use fuzzy password matching: fuzzy password matching ignores case and performs common “leet speak” substitutions as part of the password screening process. For example, if the candidate password is “Georgie”, with this setting enabled variants like “georgie”, “g30rg13”, “G30RG13”, etc. would be checked as well. It is recommended to enable this setting.

  • Screen root passwords: users will often add numbers and/or symbols at the beginning or end of their password in an attempt to reuse the same root password. This can be problematic if a hacker learns the root password and can make some rudimentary guesses as to the pattern. For example, a user might change their password from “Password123!” to “Password124!” during a required password change. Enabling this option instructs Enzoic to attempt to identify such root passwords and check them for compromise as well.

Additional Password Policies

  • Reject passwords containing user’s first or last name: enabling this will reject passwords containing the user’s first or last name. If Fuzzy Password Matching is enabled, “leet speak” variants will also be disallowed.

  • Reject passwords containing user’s login name: enabling this will reject passwords containing the user’s Windows login name. If Fuzzy Password Matching is enabled, “leet speak” variants will also be disallowed.

  • Reject passwords containing user’s email address: enabling this will reject passwords containing the user’s corporate email address. If Fuzzy Password Matching is enabled, “leet speak” variants will also be disallowed.

  • Reject passwords containing repeating characters: enabling this will reject passwords in which a character is repeated more times than the threshold defined by the setting.

  • Password Similarity Blocking: enabling this will reject passwords that are too similar to the user’s existing password. You can define a Minimum Required Distance, which is the minimum number of differences the new password must have from the current one. This distance is defined as the number of single-character additions, substitutions or deletions that would be required to transform the current password into the new one. For example, if the original password was “Flatirons2018!” and the new password was “Flatirons!2019$”, the distance would be 3 (insert ‘!’, substitute ‘9’ for ‘8’, substitute ‘$’ for ‘!’). “Normalize Password First” performs this check with case insensitivity and applies common “leet speak” substitutions prior to checking. Note that either User Password Monitoring or User Credentials Monitoring must be enabled for Password Similarity Blocking to function.
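The following is an added illustration, not Enzoic’s code, of the three ideas described above: the edit distance behind Password Similarity Blocking (reproducing the page’s “Flatirons” example), a case-folding/leet normalization of the kind “Normalize Password First” and fuzzy matching perform (implemented here as canonicalization rather than variant enumeration), and a root-password heuristic for the “Screen root passwords” setting. The leet substitution table and the root-stripping rule are assumptions; Enzoic’s actual tables are not documented on this page.

```python
import re

# Assumed leet table; Enzoic's real substitution list is not documented here.
LEET_TABLE = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def normalize(pw: str) -> str:
    """Case-fold and undo common leet substitutions, so 'G30RG13' and 'Georgie'
    collapse to the same canonical form (one way to realise fuzzy matching)."""
    return "".join(LEET_TABLE.get(c, c) for c in pw.lower())


def root_password(pw: str) -> str:
    """Strip leading/trailing digits and symbols to expose a reused root
    ('Password123!' -> 'Password'). Heuristic assumed for illustration."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (or match)
        prev = cur
    return prev[-1]


def too_similar(current: str, new: str, min_distance: int, normalize_first: bool = False) -> bool:
    """True when the new password falls short of the Minimum Required Distance."""
    if normalize_first:
        current, new = normalize(current), normalize(new)
    return edit_distance(current, new) < min_distance


if __name__ == "__main__":
    # The page's own example: distance 3.
    print(edit_distance("Flatirons2018!", "Flatirons!2019$"))
    # A leet-disguised variant passes a raw distance-3 check but not a normalized one.
    print(too_similar("Password123!", "P@ssw0rd124!", 3))
    print(too_similar("Password123!", "P@ssw0rd124!", 3, normalize_first=True))
    # Both passwords from the root-password example share the same root.
    print(root_password("Password123!") == root_password("Password124!"))
```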
