Product Spotlight: Desktop Authority Password Self-Service

Derek Schauland introduces the Desktop Authority Password Self-Service app from ScriptLogic that allows users to reset their own passwords.

Keeping track of passwords is increasingly difficult, with PIN numbers, bank passwords, Web site logons, Windows passwords, and more; it's an ever-increasing list to manage. It's also no wonder that the password reset feature gets used so often.

In business, the Windows logon password is the key to many employees' work lives. Occasionally, they are going to forget their password or enter it incorrectly too many times, which may lock them out for a period of time. This is where Desktop Authority Password Self-Service (DAPSS) by ScriptLogic comes in, helping out users and help desk staff in a pinch.

Specifications

DAPSS requires SQL 2000 or 2005 for data storage and reporting and Internet Information Server on the server end.

Supported operating systems:
  • Windows 2000
  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows Server 2003 SP1 or higher

Who's it for?

DAPSS is great for organizations of all sizes where resources are stretched thin or at a premium because of other challenges. The product also licenses for about US$7 per user, less if you are already a Desktop Authority customer, which makes the application very affordable for organizations of any size.

What problem does it solve?

The application puts password control in the hands of the users. Allowing a user to change an expired or forgotten password or unlock a user account by answering some challenge questions eliminates the need for the user to call the help desk. It also makes the password accessible 24 hours per day. This improves the convenience for the users as well.

Standout features

DAPSS is very easy to configure. The user information is imported from Active Directory to speed setup and avoid record duplication. The tool also comes with a help desk component which allows users to get help if they have not yet registered with the service or need help getting the hang of it. Because the help desk does not need to access the user account directly to reset the password or unlock the account, the users needing help will get it much faster.

The user experience within the application is very simple. You can search for a user's account by certain characteristics from the user name to partial first or last name. Challenge questions are configured during the initial setup and used to aid with the account actions going forward.

DAPSS includes a free trial to allow you to test it in your environment with a pilot group or to get it configured and ensure it works as needed before paying for a license.

Figure A: The user experience for registered users of Password Self-Service

Figure B: The Admin console

What's wrong?

Changing the password policies at any organization can be a challenge for IT, but will be a benefit for the users in the long run. It will take some time to change the habit of your users to manage their own passwords rather than calling the help desk.

Because users are allowed to manage their own passwords through a Web interface, some vulnerability is introduced. Social engineering scammers (or just employees who already know a lot about each other) could guess the answers to challenge questions for their fellow users, leaving the door open to unauthorized use of accounts.

The application can let users configure their own questions, and the answers to these questions are specific to the user, but employees should be cautioned to create questions that are "secret" or at least would be very hard to guess. In production, it would make sense to refresh the challenge questions every year or so, just to keep things more secure.
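The guessable-answer risk described above is one that an enrollment policy, a failure limit and a refresh window can reduce. The following Python is an added example written for this article, not code from DAPSS or ScriptLogic: it rejects weak answers, stores only salted hashes, locks the reset flow after a few failed attempts, and treats enrollments older than a year as stale. The deny-list, thresholds and function names are assumptions.

```python
import hashlib, hmac, os, time

# Constructed deny-list of low-entropy answers; a real deployment would use a much larger one.
COMMON_ANSWERS = {"password", "123456", "fluffy", "smith", "chicago", "mom", "blue"}
MAX_FAILURES = 3             # failed reset attempts before the flow locks (assumed threshold)
REFRESH_AFTER = 365 * 86400  # seconds; re-enrol after a year, as the article suggests

def normalize(answer):
    return " ".join(answer.strip().lower().split())  # 'Fluffy ' and 'fluffy' compare equal

def check_answer_policy(username, answer):
    """Return a rejection reason for a weak answer, or None if it is acceptable."""
    a = normalize(answer)
    if len(a) < 4:
        return "too short"
    if a in COMMON_ANSWERS:
        return "too common"
    if username.lower() in a:
        return "contains user name"
    return None

def enroll(username, answers, now=None):
    """Store each accepted answer only as a salted PBKDF2 hash, never in plaintext."""
    record = {"user": username, "answers": [], "failures": 0,
              "enrolled_at": time.time() if now is None else now}
    for question, answer in answers:
        reason = check_answer_policy(username, answer)
        if reason:
            raise ValueError(f"{question!r}: {reason}")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
        record["answers"].append((question, salt, digest))
    return record

def needs_refresh(record, now=None):
    now = time.time() if now is None else now
    return now - record["enrolled_at"] > REFRESH_AFTER

def verify(record, given, now=None):
    """Every answer must match; refuse locked or stale enrolments outright."""
    if record["failures"] >= MAX_FAILURES or needs_refresh(record, now):
        return False
    ok = len(given) == len(record["answers"])  # a partial answer set never passes
    for (_, salt, digest), answer in zip(record["answers"], given):
        cand = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
        if not hmac.compare_digest(cand, digest):  # constant-time comparison
            ok = False
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok
```

A stale enrollment is refused rather than silently accepted, which is the point at which the help desk component would direct the user to re-register.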

Competitive products

Bottom line for business

If your help desk staff is overwhelmed by projects or day-to-day operations, allowing users to maintain their own passwords can be a huge time saver for everyone. Allowing password resets and account unlocking to be handled completely by the user can also remove frustration on the part of the employee, because the employee does not need to contact the help desk and wait until they have time to assist.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

3 comments
Lepide

Lepide Software Pvt. Ltd has this tool for password reset: http://www.lepide.com/active-directory-self-service.html. Lepide AD Self-Service is one such tool that has been developed to cater to these needs along with various in-built capabilities as well, such as:
  • Self-reset and self-unlock
  • Self information update (Personal/Contact)
  • Authorise co-workers for password reset and account unlock (ability of the employee)
  • Automatic account unlock/password reset (ability of the Admin)
  • User identity verification through multiple security questions
  • Reports (on locked-out users, soon-to-expire passwords, expired passwords, enrolled and un-enrolled users)
  • Audit reports: password reset, unlock account and self update
  • Email notification/alerts
Lepide ADSS is a very handy tool to take the load off your HelpDesk Team and at the same time give power to the employees to help themselves. Piyush piyush@lepide.com

mattgoldman

This looks very interesting indeed, but with regards to your 'What's Wrong?' section: "Changing the password policies at any organization can be a challenge for IT, but will be a benefit for the users in the long run. It will take some time to change the habit of your users to manage their own passwords rather than calling the help desk." This is really a symptom rather than a specific issue. It's a challenge faced by IT in any organization beyond a certain size, and that is that messages from IT get drowned out in the signal-to-noise that overwhelms staff on a day-to-day basis. Basically, the challenge is getting people to actually read 'and absorb' email from IT rather than just disregarding them. This obviously applies to all policies, and also all other business support services, not just IT. "Because users are allowed to manage their own passwords through a Web interface, some vulnerability is introduced. Social engineering scammers (or just employees who already know a lot about each other) could guess the answers to challenge questions for their fellow users, leaving the door open to unauthorized use of accounts. The application can set the questions to be configured by the user, and the answers to these questions are specific to the user, but employees should be cautioned to create questions that are 'secret' or at least, would be very hard to guess." This is really just the same problem inherited from password security policies. Force users to use complex passwords, and they forget them. Force them to use obscure questions, and they will forget the answers. What this highlights is the need to introduce two-factor authentication into the enterprise. Rather than replacing traditional passwords with fingerprint scanners or smartcards, use both.
Allow a user to log in only when a correct password and matching smartcard or fingerprint is presented, and use the same system with DAPSS; the user must correctly answer the challenge questions and provide the smartcard or biometric that matches their account, in order for the password to be reset (which must still be used with the matching second factor in order to allow login).

Senrats

Another product to check out is SSRPM by Tools 4 Ever: http://www.tools4ever.com/products/self-service-reset-password-management/ It was easy to set up and manage. After installing this product, I really haven't had any problems. One thing I wish it did was send an email to the user when the password has been reset or unlocked. You can add an administrator or service desk email alert, but it doesn't work per user. One note: I would change the default challenge questions. You can pick from a list or create your own. From their website, Key Features:
  • Self Service Operation: Users reset passwords and recover accounts on their own.
  • Password Reset Anywhere: Recover passwords from any login dialog. SSRPM adds a "Recover Your Password" button to any organization's login dialog or Web portal.
  • 24/7 Availability: Unlike most help desks, users have access 24 hours a day, every day, including weekends and holidays.
  • Password Policy Enforcement: Administrators maintain full control over password policy.
  • Custom Challenge Questions: Set any question you like, from pet names to place of birth.
  • Secure Interface: Users are authenticated through a series of challenge and response questions. Administrators set the number of failed attempts before users are locked out.
  • Multi-platform Support: SSRPM operates with Windows, Unix, Mainframe, Novell, Lotus Notes, AS/400, Citrix and Web applications such as OWA and NFuse.
  • Clean, Customizable Design: Our administrator console puts all pertinent info at your fingertips. Detailed configuration, GUI appearance, reporting functions and Web presence can be customized to meet your organization's individual needs.