Introduction:

During the early stages of rollout, one of the most frequently asked questions we receive is how to see which users will be impacted by Enzoic. This configuration guide walks you through setting up Enzoic so that your admins receive email notifications about compromised users without interacting or interfering with those users.


Disclaimer: 

The remediation step in this policy is the notification email. This means that if a user in this policy is flagged as compromised and the notification email is sent, no other remediation steps will be taken until they change their password. This is true even if the compromised user is moved into a different policy. Once the remediation flag is triggered, it does not reset until a password change is made.


Additionally, this policy does not alert end users, enforce policy settings during password resets, or force password changes in any way. Because of this, we do not recommend keeping users in this policy indefinitely.  


Prerequisite: 

This guide assumes that you have already installed Enzoic onto every read/write domain in your environment. If you have not done this yet, please see our installation guide.


Monitoring Policies:

To get started, navigate to the Monitored Policies section of the Enzoic console. Select your Primary policy (or create a new policy if your Primary policy is in use) and click either ‘Add User/Group’ or ‘Add Container/OU’, depending on which users you want to add. For a general POC, we recommend selecting the Domain Users group to check all of the end users in your domain. In the following screenshots we will operate off of a second policy; however, if you wish to use your Primary policy, the steps are exactly the same.


 

    Password Changes: 

  • Navigate to the Password Changes tab and uncheck ‘Screen Password Changes’. This means that end user password changes, as well as administrative resets from ADUC or the command line, will not be screened.



    Password Monitoring: 

  • Check ‘Enabled’.

  • Action to take: Notify Only.

  • Uncheck ‘Notify affected users by email when their password is compromised’.



    Credentials Monitoring:

  • Check ‘Enabled’.

  • Action to take: Notify Only.

  • Uncheck ‘Notify affected users by email when their password is compromised’.


    Password Policies:

  • Check the policy settings that you plan on using in your primary policy. 
  • Update Configuration.


Settings:

    Admin Notifications:

  • Add the email address(es) of the admin(s) you want the notifications to be sent to. 
  • Update Configuration.


Conclusion:

Once this is done, allow 24 hours for Continuous Password Monitoring to run its daily check. For users who have reset their password since the installation of Enzoic, a full check of their cached credentials will be done. For users who have not reset their passwords yet, an NTLM limited check will be performed. For more information on limited checks, check out this KB article. After the initial 24 hours have passed, admins should start to receive notifications about users with compromised passwords. Admins can also see this information in the Reporting tab under 'Monitored Users Report'.