One of the most time-consuming administrative tasks is the password reset. Research shows that password-reset-related issues may account for up to 40% of help desk calls. When I learned about a new tool designed to help mitigate these issues, I wanted to test it out. The tool is called Specops Password Reset, or SPR for short, and it is designed to give end users the ability to reset a lost password without the help of administrative personnel.
However, when solving this problem one must be careful to verify the identity of a user, so that they can only reset their own password and not somebody else’s. This is where Specops Password Reset uses two different techniques to verify users’ identities: secret questions and mobile verification codes.
To use secret questions for user verification, users must enroll in the Password Reset Service. When enrolling they are asked a number of questions, for example “What was your mother’s maiden name?” The questions should be chosen so that the user will easily remember the answer, whereas other users are unlikely to know the answer or to find it out easily. Which questions are asked, and how many must be answered, is configured by the administrator.
All of the users’ secret answers are stored in Active Directory as one-way SHA-256 hashes, and they are additionally protected against reading by an ACL (access control list).
Mobile verification codes
In addition to secret questions, user identities can also be verified using mobile phone verification codes. This means that a text message with a verification code is sent to the user’s mobile phone. The user is then required to enter this code into the web application when attempting to reset their password. If possible, it is recommended to use both secret questions and mobile verification codes. When handling Help Desk calls, this mobile verification code in Specops Password Reset helps the Help Desk personnel identify the person calling them. In addition to asking the user for their login name, full name and mobile number, a verification code can be sent to the user, who is then asked to read the code out to the Help Desk personnel. By adding the mobile verification code feature to Specops Password Reset, the product stands out even more from a security point of view. No similar product offers the same feature.
In addition to resetting passwords, Specops Password Reset also provides an alternative way to change a password instead of using the normal method from the logon screen or the CTRL-ALT-DEL screen. This alternative user interface is a huge improvement for users, especially when complex password policies are enforced. Users receive instant feedback about which password rules are being enforced as they type their new password. The list of password rules presented to the end user when changing or resetting their password is based on the specific password rules that apply to that user. The password rules can come from any of the following three sources:
- Built-in domain password policy
- Active Directory fine-grained password policies (when using Windows Server 2008). Note: for fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008.
- Specops Password Policy
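To see which of the three sources actually governs a given account, an administrator can check the domain functional level and query the resultant password policy with the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later). This is an added example, not part of Specops Password Reset; the account name is a placeholder.

```powershell
# Added example (not Specops code): confirm the domain can honour fine-grained
# policies, then show the password rules that apply to one user.
# Assumes the ActiveDirectory module is available on the machine running this.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'   # placeholder, replace with a real account name

# 1. Fine-grained password policies (FGPP) are silently ignored below the
#    Windows Server 2008 domain functional level.
$domain  = Get-ADDomain
$preFgpp = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
Write-Host "Domain functional level: $($domain.DomainMode)"
if ($preFgpp -contains $domain.DomainMode.ToString()) {
    Write-Warning 'FGPP objects will not apply; raise the domain functional level first.'
}

# 2. Resultant policy: when an FGPP applies to the user (directly or through a
#    group), it overrides the domain password policy; otherwise the cmdlet
#    returns nothing and the Default Domain Policy governs the account.
$user = Get-ADUser -Identity $SamAccountName
$fgpp = Get-ADUserResultantPasswordPolicy -Identity $user
if ($fgpp) {
    Write-Host "Fine-grained policy '$($fgpp.Name)' applies (precedence $($fgpp.Precedence))."
    $policy = $fgpp
} else {
    Write-Host 'No fine-grained policy applies; the Default Domain Policy governs this user.'
    $policy = Get-ADDefaultDomainPasswordPolicy
}

# 3. The rules the user is held to by Active Directory. Rules added by
#    Specops Password Policy are layered on by the product's own GPO settings
#    and are not returned by these cmdlets.
$policy | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
    @{ n = 'MaxPasswordAgeDays'; e = { $_.MaxPasswordAge.Days } },
    LockoutThreshold, LockoutDuration
```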
Help Desk personnel can use Password Reset’s web interface to display detailed information about a user and to reset that user’s password. To grant staff access to the Helpdesk web page, they must be added to the “Specops Password Helpdesk Admins” local group on the server where the Specops Password Reset Service is installed.
When a user calls the help desk, the help desk personnel can search for the user’s name and instantly get detailed information about the user. This information includes the user’s logon name, full name, mobile phone number, email address, enrollment status, etc. From the user information page the help desk personnel can also send a temporary verification code to the end user’s mobile phone to help validate the user’s identity.
Text Messages Setup
In Specops Password Reset you can configure the product to send text messages to the users’ mobile phones. This feature can be used in a number of different scenarios, for example when the help desk wants to verify that the user calling in is actually who they claim to be.
Reset user’s password
Help Desk personnel can reset a user’s password. This feature is used in cases where a user has forgotten his or her password and cannot reset it themselves, for example because the user has not enrolled, cannot remember the answers to his or her questions, or has been locked out of the service. A password that meets the password requirements for the user can be generated automatically and sent to the user’s mobile phone.
Some of Specops Password Reset’s benefits include:
- Removes the most common reasons for calling the help desk (users who have forgotten their password or locked themselves out), thus reducing help desk call volume.
- Makes password reset and account unlock more secure by combining secret questions and/or a one-use-only verification code sent to the user’s cell phone.
Specops Password Reset consists of several different components:
- Web server – The web server component consists of the web applications that make up the primary end user interface for the Specops Password Reset product.
- Service – The service component is the backend application that serves requests from the web server.
- GPMC Snap-in – The GPMC (Group Policy Management Console) snap-in is added to the Group Policy Object Editor. This is where administrators configure password reset settings for a given Group Policy Object. Because Specops Password Reset is configured through GPOs, integrating the product into a client’s existing environment is much easier than with competing products, since everyone already has Group Policy set up and working.
- Client – The client is a small application with two purposes: informing end users about enrolling for Password Reset, and displaying a link on the logon screen that takes the user to the Reset Password web page. The Specops Password Reset client also sits in the notification area of the taskbar and is displayed only when needed.
- Active Directory Users and Computers extension – SPR adds an extension to the ADUC console. If you right-click a user object a new menu item called Specops Password Reset will appear. Selecting that menu item will take you directly to the Helpdesk web page and detailed information about the user will be shown.
In order to install Specops Password Reset, your systems must meet the following minimum requirements:
- Windows XP or higher
- Microsoft Management Console 3.0
- Microsoft .NET Framework 2.0
- Group Policy Management Console or GPMC
- Active Directory Users and Computers MMC snap-in
- Windows 2003 Service Pack 2 or higher
- Microsoft .NET Framework 3.5
- Windows 2003 Service Pack 2 or higher
- Microsoft .NET Framework 2.0
- Windows 2000 Service Pack 4 or higher
- Internet Explorer 6 SP1
- Be a domain member
Installation of Password Reset is easy and can be done either with a one-click installation or by running the separate MSI files. All setups are available in 32-bit and 64-bit versions, suited for today’s 64-bit platforms.
Overall, I was very impressed with Specops’ Password Reset tool, and I recommend that you take a look at it at http://www.specopssoft.com/products/password%20reset%20self%20service/