Protect Your Enterprise from Account Takeover with Active Directory Guardian

When a third-party data breach exposes your Active Directory users’ credentials, criminals have an open door to your enterprise.

With SpyCloud Active Directory Guardian, you can prevent, detect, and reset compromised AD passwords automatically — checking credentials for exposure against the largest collection of recaptured breach data in the world.

Protect Your Global Workforce Automatically

6,000

Alvarez & Marsal protects 6,000 employees across 54 global office locations with Active Directory Guardian, supporting their continued compliance with regulations like GDPR and CCPA.

Control Risk Tied to Employees’ Personal Identities

200

Catch data breach risks that fall within security blind spots by checking 200 common variations of each employee password, and screening passwords against SpyCloud’s entire database to stop password reuse across corporate and personal usernames.

Respond to New Exposures Instantly

1,000

EBSCO has saved over 1,000 hours by using SpyCloud to check Active Directory credentials against fresh breach data and reset compromised passwords automatically.

Stay Ahead of Criminals with Early Breach Notification

For the first 18-24 months after a breach, criminals limit access to stolen data to a small group of trusted advisors. That period of time is the most lucrative for criminals, and the most dangerous for organizations whose users may have been exposed. By the time the breach trickles out to the deep and dark web where anyone can access it, the worst damage has been done.

With SpyCloud Active Directory Guardian, you can reset compromised passwords before criminals have a chance to use them against you. SpyCloud researchers use human intelligence and proprietary tradecraft to gain access to stolen data early in the breach timeline, giving you an advantage.

Timeline of a data breach showing what cybercriminals do with stolen credentials, starting with targeted account takeover attacks of high-value victim. Ultimately, stolen logins will end up on the deep and dark web and used in high-volume credential stuffing attacks.

Reduce Your Team’s Workload Using Automation

Compromised Active Directory accounts put enterprises at risk—and create work for security and IT teams who need to investigate, respond, and remediate.

With Active Directory Guardian, you can:

  • Prevent employees from setting weak or compromised passwords in the first place with a password filter for Active Directory
  • Detect new credential exposures swiftly with regular updates from the SpyCloud research team
  • Reduce the time your team spends investigating and remediating potentially compromised accounts
  • Schedule scans to run automatically, with reports emailed to you
  • Reset exposed passwords automatically or with the click of a button
  • Install in minutes—without endangering your domain controller or risking account lockouts

Detect and Reset Exposed Passwords Quickly

A criminal who finds your users’ Active Directory credentials through a third-party breach can easily log into your network or access services like remote file shares, Microsoft Exchange email servers, or SharePoint collaboration tools. To protect your enterprise, you need to take action quickly.

SpyCloud Active Directory Guardian includes a password filter, enabling you to prevent employees from setting weak or compromised passwords. Automatically filter out bad passwords such as dictionary words, repeated or sequential characters, and passwords that have ever appeared in SpyCloud’s breach database before. On an ongoing basis, you can also schedule scans of your AD to automatically detect and reset compromised passwords that could put your enterprise at risk, including:

  • Exact username and password matches that have been exposed in a third-party breach
  • “Fuzzy” variations of exposed passwords, such as changing Password to Password1!
  • Commonly-used passwords
  • Any previously-exposed password in the SpyCloud breach database

Easily Align with NIST Password Guidelines

Some NIST password guidelines can be satisfied using the built-in settings within directory services like Active Directory. Others require additional support—most notably, NIST’s guidance to check for and reset “commonly-used, expected, or compromised” passwords.

With SpyCloud Active Directory Guardian, you can dramatically reduce the time, cost, and resources required to align with NIST guidelines by preventing employees from setting passwords that fail to meet NIST’s standards. Block passwords in a custom dictionary of up to 30,000 entries, passwords containing sequential or repeated characters, and billions of previously-compromised passwords that have ever appeared in SpyCloud’s database.

To make sure your employees’ passwords remain secure as new breaches emerge, you can also identify and reset breached Active Directory passwords automatically using scheduled or manual scans.

Download the NIST Best Practices Guide

  • Previous Breach Exposures
  • Less than 8 Characters
  • Context-specific Words
  • Dictionary Words
  • Repetitive Characters
  • Password Hints

Catch Password Reuse Across Work and Personal Accounts

Employee password reuse extends to personal accounts, creating a blind spot for security professionals. When an employee’s personal credentials are compromised in a data breach, it’s easy for a criminal to connect the dots and target that user’s Active Directory account.

Active Directory Guardian enables you to screen your AD accounts for any password that has ever appeared in SpyCloud’s database of billions of exposed passwords—whether or not your users were involved—and enables you to detect when employees select passwords that criminals are actively using in credential stuffing and password spraying attacks. Block employees from setting these passwords in the first place, and detect new exposures that could put your enterprise at risk as new breaches compromise additional passwords. 

Minimal Maintenance, Maximum Security

SpyCloud Active Directory Guardian includes two components that can be implemented together or separately: a password filter that runs on the domain controller, and a browser-based application that installs as a service and runs locally in your environment. Its code goes through internal and third-party security reviews upon every major release.

Active Directory Guardian installs in minutes and requires minimal effort to maintain, with:

  • No risk of locking out users through brute force attempts
  • No passwords exposed to SpyCloud
  • No password data cached or stored on disk
  • No data sent to SpyCloud by default
  • Flexible implementation options that don’t need to run on the domain controller
  • Safeguards for installation options that do involve the domain controller, such as “failing open” to avoid any disruption to your AD environment in the case of an error

Download the Solution Brief

Interested in a free trial? Contact us to try Active Directory Guardian today.