Educause Security Discussion mailing list archives
Re: AD self service password reset ?
From: Mike C <hawaiiguy () GMAIL COM>
Date: Wed, 16 Mar 2011 12:09:49 -0700
Hello- I would like to propose Password Reset PRO from www.sysoptools.com- Network overview diagrams, docs etc are located at http://www.sysoptools.com/password-reset-pro.aspx

Top 10 Reasons:

1. Does not require any DB install, does not store sensitive user data outside of AD. Uses native AD fields for enrollment data, very cool approach as you would have to lose your AD to lose user enrollments.

2. Very easy to set up (literally 5 mins), can run in a two tier architecture for increased perimeter security, no changes to domain required and extremely small change control footprint.

3. It is very secure and will pass PCI/DSS, Sox, HIPAA, SaS70 etc, and is actually designed for 100% external use. Event history auditing is stellar and log data is accessible via several methods. Software like SMOP, JiJI, and other low-dollar products will not pass most if not all current regulatory compliance requirements, are not designed securely for external perimeter use, and do not have DDOS or brute force countermeasures built in. Some of these products even have a "central admin page" built directly into the public facing web portal- scary! There are only 3 truly secure external self service solutions I've found (Password Reset PRO, Hitachi-ID and MS FIM). I know with certainty that this particular Reset PRO product is used by a dept of the White House and also by two depts of the Treasury.

4. Low cost of about $3/user w/ unlimited user key issued at 7500 or more password expiring users in domain. They only require licensing for your enabled, password expiring user accounts (UAC=512) - Very efficient since you do not have to pay for disabled or static password user accounts.

5. Standard ASPNET2 web portal (web tier) and separate back end service (application tier), nothing new or proprietary to learn as the web portal uses IIS6/7 and all components are supported on 2008R2. The web portal can be installed on a non-domain DMZ box separate from the internal application master service, and the web portal contains no user data or domain credentials. It is also easy to set up load balancing for the web portal for failover / redundancy just like any typical ASP website.

6. Works in very large domains without issue- I know one of the admins for KCTCS who deployed this in their 300k-user domain and have been really happy with it, as they looked through several products and this one was the best by far.

7. Tech support is incredible, all sr. support staff are experienced AD admins, typical 8x5x7 access via phone / email.

8. USA-based company and nothing is outsourced (Los Angeles).

9. All aspects of the web portal, branding, look / feel are customizable right down to the CSS and aspx pages (they do support this).

10. Licensing is a one time buy, so you do not have to constantly keep paying the same price each year to keep using it.

If you decide to try it, contact their support about new version 3 which is available by request. Version 3 adds three different deployment modes for the web portal, so basically you have three different ways to have your users access self service. All modes use native AD information as a basis for enrollment or secure access without enrollment. One key feature of note, which I have not found in any other product: Users can enroll with a temp password (must change on next logon) or even an expired password (as long as they type it in correctly). This is huge, because you no longer have to give out permanent passwords to new users. Or, if users wait until *after* their password expires to finally go and enroll (which is typical), they can still do so without IT assistance. Give them a temp password, have them enroll, the web portal informs them of the expired password and walks them through creating a new permanent password. Neat.

Also, since the software uses native AD fields for the enrollment data storage, it is easy to build logon scripts that check for enrollment at user logon time and ask the user to enroll. Also neat.

As far as SSO, this product only works with AD authentication. If your peripheral systems are using AD auth for user logon then you should be good to go. If you have separate authenticated systems outside of AD (not synchronized or connected), then this will not work for you, and you should probably look at Hitachi-ID as they have a lot of SSO integration modules for various directory authentication platforms.

Hope this helps- I am writing all of this because it is extremely important to take a hard look at security and reliability when considering a web based self service product. Last thing you want to do is provide end user convenience at the expense of security, or find out later that losing a single database means you lose all of your user enrollments. If you take a close hard look at many of these commercially available products (especially the budget priced offerings), you are going to find some very scary deficiencies in architecture and coding. A vendor should be able to tell you with certainty if 100% public use of the web facing portal is supported, what security measures are built in, if it will pass a simple PCI/DSS pen test, and how the software will react / prevent specific threat situations (bot scripts, ddos, etc). Of course, your own DD and testing should validate this as well-

MC

On Mon, Mar 7, 2011 at 7:43 AM, Witmer, Robert <r.witmer () snhu edu> wrote:
Anyone using a (shrink wrapped) AD self service password reset utility for student, staff, & faculty accounts that would be willing to share experiences, thoughts, etc? Does it work with single sign on? If so, home grown or shrink wrapped? Please contact me off-list if desired. Regards, Bob r.witmer () snhu edu Please consider the environment before printing this e-mail.
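The post above says licensing counts only enabled, password-expiring accounts (UAC=512) and that enrollment data lives in native AD fields, so a logon script can test for it. The following PowerShell is an added example, not from the post or the vendor, that sizes that account population with an LDAP bitwise filter and reports which of those accounts have not yet enrolled. It assumes the RSAT ActiveDirectory module is available and uses a placeholder attribute name, since the post does not say which AD field the product writes to.

```powershell
# Added example (not the vendor's code): count "enabled, password-expiring" accounts as the
# post describes the licensing rule, and list those with no enrollment marker yet.
# Assumption: RSAT ActiveDirectory module is installed on the admin workstation.
Import-Module ActiveDirectory

# Placeholder: the native AD attribute the product stores enrollment data in is not given
# in the post; replace this with the attribute the vendor documents.
$EnrollmentAttribute = 'extensionAttribute15'

# Documented userAccountControl flag bits.
$ACCOUNTDISABLE       = 0x0002
$DONT_EXPIRE_PASSWORD = 0x10000

# LDAP_MATCHING_RULE_BIT_AND, so the domain controller does the bit test rather than the client.
$BitAnd = '1.2.840.113556.1.4.803'

# User objects that are neither disabled nor marked "password never expires".
$ldap = "(&(objectCategory=person)(objectClass=user)" +
        "(!(userAccountControl:$BitAnd:=$ACCOUNTDISABLE))" +
        "(!(userAccountControl:$BitAnd:=$DONT_EXPIRE_PASSWORD)))"

$users = Get-ADUser -LDAPFilter $ldap -Properties userAccountControl, $EnrollmentAttribute

# Strict reading of the post: userAccountControl exactly 512 (NORMAL_ACCOUNT with no other bits).
$exact512 = @($users | Where-Object { $_.userAccountControl -eq 512 })

# Accounts with an empty enrollment field; these are the users a logon script would prompt.
$unenrolled = @($users | Where-Object { [string]::IsNullOrEmpty($_.$EnrollmentAttribute) })

Write-Output ("Enabled, password-expiring accounts (flag test): {0}" -f $users.Count)
Write-Output ("Of those with userAccountControl exactly 512:     {0}" -f $exact512.Count)
Write-Output ("Not yet enrolled ({0} is empty):                 {1}" -f $EnrollmentAttribute, $unenrolled.Count)

# Names for the helpdesk so users can be nudged to enroll before their password expires.
$unenrolled | Select-Object SamAccountName, Name | Sort-Object SamAccountName
```

The flag-based count is broader than an exact 512 match (it also includes accounts with unrelated bits set, such as a smart-card requirement), which is why both numbers are printed for comparison against the vendor's licensing figure.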