After installing Enzoic for Active Directory, you may have noticed the color-coded status indicators in the reporting tab.
The green and red notifications are pretty straightforward:
Red = Yes, the user’s password is compromised, and remediation is needed.
Green = No, the user’s password is fully protected and is good to go.
But starting in v3.0 we now have a third state, Yellow = No (Limited Check).
So what does yellow status mean, and what is a limited check?
To better explain what a limited check does, it’s best to give context on how Enzoic used to work. Before v3.0, admins would install Enzoic onto their DCs, and end users would then need to reset their password in order for protection to begin. This is because Enzoic hooks into the LSA password filter and needs new passwords to come across the filter in order for Enzoic to capture them and for protection to start.
However, starting in v3.0 Enzoic can now do some password checking without needing the user to reset their password right away. When Enzoic is installed it grabs the NTLM hashes of passwords that are already stored in Active Directory. Enzoic then matches these hashes against our backend database and does a one-to-one comparison to check for compromises. This is why it is called a limited check: Enzoic is only comparing hashes and doesn’t yet ‘know’ the user’s password. A password reset is still needed for full protection and for policy enforcement to begin, but this is a great way to start protection with less interruption to end users.
Is it safe to send our NTLM hashes to the Enzoic backend?
Yes. Just like the normal hash checks that Enzoic does under full policy enforcement, only the first ten characters of the hash are sent to the Enzoic backend. Enzoic then returns all possible matches, and the comparison is done locally. If a bad actor were attempting a man-in-the-middle attack, they would only see the first ten characters of the NTLM hash.
Is a limited check enough protection?
This is entirely up to you and your security team. As a best practice, however, we do not recommend leaving passwords in this state. Limited checks are not within NIST compliance, and a password reset is still needed to meet this requirement. Limited checks are a great way to get started and to see your worst offenders without disrupting your entire environment of users, but until a reset is done, full policy enforcement is not in effect.