Educause Security Discussion mailing list archives

Re: AD self service password reset ?


From: Mike C <hawaiiguy () GMAIL COM>
Date: Wed, 16 Mar 2011 12:09:49 -0700

Hello-  I would like to propose Password Reset PRO from
www.sysoptools.com-  Network overview diagrams, docs etc are located
at
http://www.sysoptools.com/password-reset-pro.aspx

Top 10 Reasons:

1. does not require any DB install, does not store sensitive user data
outside of AD. uses native AD fields for enrollment data, very cool approach
as you would have to lose your AD to lose user enrollments.

2. very easy to set up (literally 5 mins), can run in a two tier
architecture for increased perimeter security, no changes to domain required
and extremely small change control footprint.

3. it is very secure and will pass PCI/DSS, Sox, HIPAA, SaS70 etc, and is
actually designed for 100% external use. Event history auditing is stellar
and log data is accessible via several methods. Software like SMOP, JiJI,
and other low-dollar products will not pass most if not all current
regulatory compliance requirements, are not designed securely for external
perimeter use, and do not have DDOS or brute force countermeasures built in.
Some of these products even have a "central admin page" built directly into
the public facing web portal- scary!
There are only 3 truly secure external self service solutions I've found
(Password Reset PRO, Hitachi-ID and MS FIM). I know with certainty that this
particular Reset PRO product is used by a dept of the White House and also by
two depts of the Treasury.

4. low cost of about $3/user w/ unlimited user key issued at 7500 or more
password expiring users in domain. They only require licensing for your
enabled, password expiring user accounts (UAC=512) - Very efficient since
you do not have to pay for disabled or static password user accounts.

5. standard ASPNET2 web portal (web tier) and separate back end service
(application tier), nothing new or proprietary to learn as the web portal
uses IIS6/7 and all components are supported on 2008R2. The web portal can
be installed on a non-domain DMZ box separate from the internal application
master service, and the web portal contains no user data or domain
credentials.  It is also easy to set up load balancing for the web portal
for failover / redundancy just like any typical ASP website.

6. works in very large domains without issue- I know one of the admins for
KCTCS who deployed this in their 300k-user domain and have been really happy
with it, as they looked through several products and this one was the best
by far.

7. tech support is incredible, all sr. support staff are experienced AD
admins, typical 8x5x7 access via phone / email.

8. USA-based company and nothing is outsourced (Los Angeles)

9. all aspects of the web portal, branding, look / feel are customizable
right down to the CSS and aspx pages (they do support this)

10. Licensing is a one time buy, so you do not have to constantly keep
paying the same price each year to keep using it.
If you decide to try it, contact their support about new version 3 which is
available by request. Version 3 adds three different deployment modes for
the web portal, so basically you have three different ways to have your
users access self service. All modes use native AD information as a basis
for enrollment or secure access without enrollment.

One key feature of note, which I have not found in any other product:  Users
can enroll with a temp password (must change on next logon) or even an
expired password (as long as they type it in correctly). This is huge,
because you no longer have to give out permanent passwords to new users. Or,
if users wait until *after* their password expires to finally go and enroll
(which is typical), they can still do so without IT assistance. Give them a
temp password, have them enroll, the web portal informs them of the expired
password and walks them through creating a new permanent password. Neat.
Also, since the software uses native AD fields for the enrollment data
storage, it is easy to build logon scripts that check for enrollment at user
logon time and ask the user to enroll. Also neat.

As far as SSO, this product only works with AD authentication. If your
peripheral systems are using AD auth for user logon then you should be good
to go. If you have separate authenticated systems outside of AD (not
synchronized or connected), then this will not work for you, and you should
probably look at Hitachi-ID as they have a lot of SSO integration modules
for various directory authentication platforms.

Hope this helps- I am writing all of this because it is extremely important
to take a hard look at security and reliability when considering a web based
self service product. Last thing you want to do is provide end user
convenience at the expense of security, or find out later that losing a
single database means you lose all of your user enrollments.  If you take a
close hard look at many of these commercially available products (especially
the budget priced offerings), you are going to find some very scary
deficiencies in architecture and coding. A vendor should be able to tell you
with certainty if 100% public use of the web facing portal is supported,
what security measures are built in, if it will pass a simple PCI/DSS pen
test, and how the software will react / prevent specific threat situations
(bot scripts, ddos, etc).
Of course, your own DD and testing should validate this as well-

MC
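One way to count the population the post says is licensed (enabled, password-expiring users, which it describes as UAC=512), as an added example that is not part of the original post or of the vendor's software. It assumes the RSAT ActiveDirectory module on a domain-joined host, and it goes one step beyond the post by also showing the bitwise LDAP filter that catches enabled, expiring accounts carrying additional userAccountControl flags:

```powershell
# Added example (not from the original post or from the vendor): count the
# accounts the post says Password Reset PRO licenses, i.e. enabled,
# password-expiring users, which it describes as userAccountControl (UAC) = 512.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-LicensableUserCount {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Method 1: the literal value the post quotes. UAC 512 is NORMAL_ACCOUNT with
    # no other flag set, so this misses enabled, expiring users that also carry
    # e.g. PASSWD_NOTREQD (0x20) or TRUSTED_FOR_DELEGATION (0x80000).
    $exact = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(userAccountControl=512)'

    # Method 2: bitwise match (LDAP_MATCHING_RULE_BIT_AND, OID 1.2.840.113556.1.4.803).
    # "Enabled" means ACCOUNTDISABLE (0x2) is clear; "password expiring" means
    # DONT_EXPIRE_PASSWORD (0x10000) is clear. This is the intent behind "UAC=512"
    # and also counts accounts that have extra bits set.
    $bitwise = Get-ADUser -SearchBase $SearchBase -LDAPFilter (
        '(&(objectCategory=person)(objectClass=user)' +
        '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
        '(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))')

    # Accounts the two methods disagree on are worth reviewing before you give
    # a vendor a licence count or size the population exposed through a
    # public-facing reset portal.
    $onlyBitwise = @($bitwise | Where-Object {
        $_.SamAccountName -notin @($exact | ForEach-Object SamAccountName) })

    [pscustomobject]@{
        ExactUac512     = @($exact).Count
        EnabledExpiring = @($bitwise).Count
        Difference      = $onlyBitwise.Count
    }
}

Get-LicensableUserCount
```

The "Difference" column is the number of enabled, password-expiring users a strict UAC=512 count would leave out.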

On Mon, Mar 7, 2011 at 7:43 AM, Witmer, Robert <r.witmer () snhu edu> wrote:

Anyone using a (shrink wrapped) AD self service password reset utility
for student, staff, & faculty accounts that would be willing to share
experiences, thoughts, etc?  Does it work with single sign on?  If so, home
grown or shrink wrapped?  Please contact me off-list if desired.

Regards,
Bob



r.witmer () snhu edu


