How to configure Enzoic into a silent audit mode.
During the early stages of rollout, one of the most frequently asked questions we receive is how to see which users Enzoic will impact without actually impacting them. Because of this, we've designed a way to configure Enzoic into a silent audit mode. This configuration guide will walk you through setting up Enzoic so that your admins are sent email notifications of compromised users without actually interacting or interfering with those users.
Prerequisite:
This guide assumes that you have already installed Enzoic onto every read/write domain in your environment. If you have not done this yet, please see our installation guide.
Warning:
This policy does not alert users, enforce policy settings during password resets, or remediate compromised passwords in any way. Because of this, we do not recommend keeping users in this policy indefinitely. We advise admins to move users into a primary remediation policy as soon as it is viable in your environment.
Monitoring Policies:
To get started, you'll first need to create a new policy. Start by navigating to the Monitored Policies section of the Enzoic console. Once there, click on the ‘Add’ button, followed by ‘Start with a blank policy template’, then click OK. Give the policy a name and click on either ‘Add User/Group’ or ‘Add Container/OU’, depending on which users you want to add.
Password Changes:
Uncheck ‘Screen Password Changes’.
Password Monitoring:
Check ‘Enabled’.
Action to take: Notify Only.
Uncheck ‘Notify affected users by email when their password is compromised’.
Credentials Monitoring:
Check ‘Enabled’.
Action to take: Notify Only.
Uncheck ‘Notify affected users by email when their password is compromised’.
Password Policies:
- Check the policy settings that you plan on using in your primary policy.
- Update Configuration.
Settings:
Admin Notifications:
- Add the email address(es) of the admin(s) you want the notifications to be sent to.
- Update Configuration.
Conclusion:
Once this is done, allow 24 hours for continuous password protection to run its daily check in your environment. For users that have reset their password since the installation of Enzoic, a full policy check will be done. For users that have not reset their passwords yet, an NTLM limited check will be performed. For more information on limited checks, check out this KB article. After the initial 24 hours have passed, admins should start to receive notifications about users' compromised passwords. Admins can also see this information in the Reporting tab under 'Monitored Users Report'.
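To estimate ahead of the first daily run how many users in the audit policy will get a full policy check versus an NTLM limited check, you can compare each account's PasswordLastSet value with the date Enzoic was installed. The script below is an added example, not Enzoic code: the function name, the install date, the sample accounts and the OU path are assumptions, and the date comparison only approximates the split described above.

```powershell
# Added example (not part of Enzoic): estimate which check each user will get
# by comparing PasswordLastSet with the date Enzoic was installed.
function Get-CheckTypeEstimate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,

        # Assumption: you supply the installation date yourself.
        [Parameter(Mandatory)]
        [datetime]$InstallDate
    )
    process {
        # PasswordLastSet is $null when a password was never set or the
        # account is flagged "must change password at next logon".
        $last = $User.PasswordLastSet
        $type = if ($last -and $last -ge $InstallDate) {
            'Full policy check'
        } else {
            'NTLM limited check'
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordLastSet = $last
            ExpectedCheck   = $type
        }
    }
}

# Constructed sample data so the function can be tried without a domain.
$install = [datetime]'2024-03-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; PasswordLastSet = [datetime]'2024-04-10' }
    [pscustomobject]@{ SamAccountName = 'bob';   PasswordLastSet = [datetime]'2022-11-02' }
    [pscustomobject]@{ SamAccountName = 'carol'; PasswordLastSet = $null }
)
$result = $sample | Get-CheckTypeEstimate -InstallDate $install
$result | Format-Table -AutoSize
$result | Group-Object ExpectedCheck | Select-Object Name, Count

# Against a live domain (ActiveDirectory module; the OU is a placeholder):
# Get-ADUser -SearchBase 'OU=AuditPilot,DC=example,DC=com' -Filter * `
#     -Properties PasswordLastSet |
#     Get-CheckTypeEstimate -InstallDate $install
```

Point the commented Get-ADUser call at the same group or OU you added to the audit policy so the estimate covers the same accounts.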