When a third-party data breach exposes your Active Directory users’ credentials, criminals have an open door to your enterprise.
With SpyCloud Active Directory Guardian, you can prevent, detect, and reset compromised AD passwords automatically — checking credentials for exposure against the largest collection of recaptured breach data in the world.
Alvarez & Marsal protects 6,000 employees across 54 global office locations with Active Directory Guardian, supporting their continued compliance with regulations like GDPR and CCPA.
Catch data breach risks that fall within security blind spots by checking 200 common variations of each employee password, and screening passwords against SpyCloud’s entire database to stop password reuse across corporate and personal usernames.
EBSCO has saved over 1,000 hours by using SpyCloud to check Active Directory credentials against fresh breach data and reset compromised passwords automatically.
Active Directory Guardian has saved us more than 1,000 man hours. It has significantly lowered the amount of time multiple teams had to spend searching the dark web to confirm compromise — let alone remediate it.
For the first 18-24 months after a breach, criminals limit access to stolen data to a small group of trusted advisors. That period of time is the most lucrative for criminals, and the most dangerous for organizations whose users may have been exposed. By the time the breach trickles out to the deep and dark web where anyone can access it, the worst damage has been done.
With SpyCloud Active Directory Guardian, you can reset compromised passwords before criminals have a chance to use them against you. SpyCloud researchers use human intelligence and proprietary tradecraft to gain access to stolen data early in the breach timeline, giving you an advantage.
Compromised Active Directory accounts put enterprises at risk—and create work for security and IT teams who need to investigate, respond, and remediate.
With Active Directory Guardian, you can:
A criminal who finds your users’ Active Directory credentials through a third-party breach can easily log into your network or access services like remote file shares, Microsoft Exchange email servers, or SharePoint collaboration tools. To protect your enterprise, you need to take action quickly.
SpyCloud Active Directory Guardian includes a password filter, enabling you to prevent employees from setting weak or compromised passwords. Automatically filter out bad passwords such as dictionary words, repeated or sequential characters, and passwords that have ever appeared in SpyCloud’s breach database before. On an ongoing basis, you can also schedule scans of your AD to automatically detect and reset compromised passwords that could put your enterprise at risk, including:
Some NIST password guidelines can be satisfied using the built-in settings within directory services like Active Directory. Others require additional support—most notably, NIST’s guidance to check for and reset “commonly-used, expected, or compromised” passwords.
With SpyCloud Active Directory Guardian, you can dramatically reduce the time, cost, and resources required to align with NIST guidelines by preventing employees from setting passwords that fail to meet NIST’s standards. Block passwords in a custom dictionary of up to 30,000 entries, passwords containing sequential or repeated characters, and billions of previously-compromised passwords that have ever appeared in SpyCloud’s database.
To make sure your employees’ passwords remain secure as new breaches emerge, you can also identify and reset breached Active Directory passwords automatically using scheduled or manual scans.
Employee password reuse extends to personal accounts, creating a blind spot for security professionals. When an employee’s personal credentials are compromised in a data breach, it’s easy for a criminal to connect the dots and target that user’s Active Directory account.
Active Directory Guardian enables you to screen your AD accounts for any password that has ever appeared in SpyCloud’s database of billions of exposed passwords—whether or not your users were involved—and enables you to detect when employees select passwords that criminals are actively using in credential stuffing and password spraying attacks. Block employees from setting these passwords in the first place, and detect new exposures that could put your enterprise at risk as new breaches compromise additional passwords.
SpyCloud Active Directory Guardian includes two components that can be implemented together or separately: a password filter that runs on the domain controller, and a browser-based application that installs as a service and runs locally in your environment. Its code goes through internal and third-party security reviews upon every major release.
Active Directory Guardian installs in minutes and requires minimal effort to maintain, with:
Interested in a free trial? Contact us to try Active Directory Guardian today.