One of the most time consuming administrative tasks is the password reset issue. Research shows that help desk calls may consist of up to 40% of password reset related issues. When I’ve learned about a new tool that was designed to help mitigate these issues I wanted to test it out. The tool is called “Specops Password Reset” or SPR for short (http://www.specopssoft.com/products/password%20reset%20self%20service), and it is designed to allow the end user the ability to reset a lost password without the help of administrative personnel.
However, when trying to solve this problem, one must be cautious about verifying the identity of a user, so that they can only reset their own password and not somebody else’s. Here is where Specops Password Reset introduces uses two different techniques to verify users’ identities: secret questions and mobile verification codes.
To use secret questions for user verification, users must enroll in the Password Reset Service. When enrolling they are asked a number of questions. A question can be for example “What was your mother’s maiden name?” The nature of the questions should be such that the user easily will remember the answer to them, whereas other users should not be likely to know the answer, or easily find it out. What questions and how many questions to be answered are configured by the administrator.
All the users’ secret answers are stored in Active Directory using one-way encryption (SHA-256) and they are also protected against reading through an ACL (access control list).
In addition to secret questions user identities can also be verified using mobile phone verification codes. This means that a text message with a verification code is sent to the user’s mobile phone. The user is then required to enter this code into the web application when attempting to reset their password. If possible, it is recommended to use both secret question and mobile verification codes. When addressing Help Desk calls, this mobile verification code in Specops Password Reset helps the Help Desk personnel to identify the person calling them. In addition to asking the user about login name, full name, mobile number a verification code can also be sent to the user who then will be asked to read the code out to the Help Desk personnel.
In addition to resetting passwords, Specops Password Reset also contains an alternative method to change a password instead of using the normal method from the logon screen or from the CTRL-ALT-DEL screen. This alternative user interface is a huge improvement for users, especially if complex password policies are enforced. The users receive instant feedback about what password rules are being enforced as they type their new password. The list of password rules that is presented to the end user when changing, or resetting their password is based on what specific password rules apply to that user. The password rules can come from any of the following three:
Note: For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008.
Help Desk personnel can use Password Reset’s web interface to display detailed information about the user and allow the Help Desk personnel to reset a user’s password. To grant users access to the Helpdesk Web page they must be added to the “Specops Password Helpdesk Admins” local group on the server where the Specops Password Reset Service is installed.
When a user calls the help desk the help desk personnel can search the user’s name and instantly get detailed information about the user. This information includes user logon name, full name, mobile phone number, email address, enrollment status etc. From the user information page the help desk personnel can also send a temporary verification code to the end users mobile phone, to help validate the user’s identity.
In Specops Password Reset you can configure the product to send text messages to the users’ mobile phones. This feature can be used in a number of different scenarios, for example when helpdesk wants to verify that the user calling in is actually the correct user.
Help Desk personnel can reset a user’s password. This feature would be used in cases where a user has forgotten his or her password and cannot reset the password themselves. Reasons for this can be that the user has not enrolled, cannot remember the answer to his or her questions or has been locked out from the service. A password that meets the password requirements for the user can be automatically generated and also sent to the user’s mobile phone.
Some of Specops Password Reset’s benefits include:
Specops Password Reset consists of several different components:
In order to install Specops Password Reset, your systems must meet the following minimum requirements:
Installation of Password Reset is easy and can be done either by using a one click installation, or by running separate MSI files. All setups are available in 32 bit and 64 bit versions, suited for today’s 64-bit platforms.
Overall, I was very impressed of Specop’s Password Reset tool, and I would like to recommend that you take a look at it at http://www.specopssoft.com/products/password%20reset%20self%20service/