Continuous Monitoring (formerly known as Continuous Password Protection) is a process in which Enzoic evaluates all cached passwords against our database daily. This feature is enabled through the checkbox in the console within the Password and Credentials Monitoring tab in the Monitored Policies settings.

Enzoic for Active Directory carries out this check every day to ensure that even passwords that were strong when created remain secure over time. The philosophy is that just because a password is strong today does not mean it will be strong tomorrow.

Continuous Monitoring works by encrypting a user’s password locally on the DC using DPAPI with secondary entropy. When it is time to perform the 24 hour scan for the user, Enzoic decrypts the local credential, calculates the hash for the password or credential pair, and sends the first 10 characters of the hash to our backend database. The backend then sends all possible matches back to the Delegate DC, where the full hash is compared locally on the machine. If a password matches a compromised value, the admin is sent a notification email, and the remediation process that the user is in kicks off. If no match is found, the user’s password is still good, and the process repeats the next day.
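
The partial-hash exchange described above, as an added Python sketch that is not Enzoic's code. It assumes SHA-256 hex in place of the product's hash (which this page does not name), uses a constructed in-memory `MockBackend` instead of the real service, and skips the DPAPI decryption step; all function and class names are hypothetical.

```python
import hashlib
import hmac

PREFIX_LEN = 10  # per the page: only the first 10 characters of the hash leave the DC


def full_hash(password: str) -> str:
    # Assumption: SHA-256 hex stands in for the product's unspecified hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class MockBackend:
    """Constructed stand-in for the remote breach database; it sees prefixes only."""

    def __init__(self, breached_passwords):
        self._buckets = {}
        for pw in breached_passwords:
            h = full_hash(pw)
            self._buckets.setdefault(h[:PREFIX_LEN], []).append(h)
        self.seen_queries = []  # everything an observer of the backend learns

    def candidates(self, prefix: str):
        if len(prefix) != PREFIX_LEN:
            raise ValueError("backend accepts only fixed-length prefixes")
        self.seen_queries.append(prefix)
        return list(self._buckets.get(prefix, []))


def is_compromised(password: str, backend: MockBackend) -> bool:
    h = full_hash(password)
    # Only the prefix crosses the network; the full hash never leaves this host.
    matches = backend.candidates(h[:PREFIX_LEN])
    # The full comparison happens locally, constant-time per candidate.
    return any(hmac.compare_digest(h, c) for c in matches)


def daily_scan(cached, backend):
    """cached: {username: password recovered from the local protected store}."""
    return sorted(u for u, pw in cached.items() if is_compromised(pw, backend))


if __name__ == "__main__":
    backend = MockBackend(["Password1!", "Summer2023"])      # constructed sample data
    users = {"alice": "Summer2023", "bob": "xk#9Lm!vQ2rT"}   # constructed sample data
    print(daily_scan(users, backend))   # users whose password is in the breach set
    print(backend.seen_queries)         # 10-character prefixes, never full hashes
```
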

Credentials Monitoring can be enabled independently of Password Monitoring. In the event Password Monitoring is disabled but Credentials Monitoring is enabled, we will only check credentials during the 24 hour scan cycle. Enabling Credentials Monitoring also means that credentials will be checked at the time of password change/creation if screen password changes is enabled.


A few things to consider with Continuous Monitoring:

  1. For this process to function properly, users must reset their password after Enzoic is installed (on all read/write DCs) so that the new password can be picked up and cached.
  2. CPM checks a user’s password against both the backend and the policy enforcement settings set within the monitored user policy that they are in. This means that if you move users into different policies, their password may come back compromised, not necessarily because it is compromised, but because it potentially violates a policy setting.
  3. This process is the same for credentials monitoring as well. The only difference is that the daily check is searching our credential pairs database, looking specifically for email/username and password pairs.
  4. Starting in version 3.3.150, the scan starts every day at 2 AM local time.
  5. In the event the service starts after 2 AM or the product is installed after 2 AM, it will be scheduled to run the next day at 2 AM.
  6. Enzoic will spread out the monitored users in your domain as evenly as possible across the 24 hour time period. However, in the event there are more users than can be scanned within 24 hours, the scan could potentially take longer than 24 hours to complete.
  7. You can customize different remediation options as well as email branding on a per setting, per policy basis.
  8. Customized emails are only customized for end users; admins will always receive emails from Enzoic.
  9. Delayed remediations have a minimum of 1 hour and a maximum of 168 hours (7 days) for delay hours.