Self Service Reset Password Manager


Less involvement of IT staff

Password reset requests form a substantial part of all helpdesk calls.  Such requests often peak on Monday mornings and during holiday seasons.  Higher call volumes not only require extra staff to cope with the frustrating task of resetting passwords; the organisation also runs the risk that other important helpdesk tasks remain unattended or unresolved.

The volume of password requests is also related to the password procedures in an organisation.  The volume will increase significantly if the password complexity rules are enabled.  The same will likely happen if the period allowed for a password reset is reduced.

With SSRPM, end-users can reset their own passwords.  They do not have to wait until the helpdesk can service their requests.  This will drastically reduce both user downtime and the number of calls to the Helpdesk.

Increased security

Few organisations have a strong policy in place for lodging and servicing reset password requests.  Imagine the consequences if an employee calls the Helpdesk for a password reset request, pretending to be the senior financial officer ‘John Smith’.

SSRPM offers end-users an interface which is both secure and easy to use.  At the same time, administrators are offered full control over the validation process.  They determine the validation questions and specify how many questions must be correctly answered to allow a password reset.  This virtually eliminates any possible errors in the reset password process.

How does it work?

Self Service Reset Password Management is based on the principle that an end-user can reset his own password, without involvement of the helpdesk, by simply answering a series of challenge questions (e.g.  “What is the name of your best friend?”).

Self Service Reset Password Management consists of three main software components:

1.  The SSRPM User Client Software

Based on a GPO on an OU/domain, a small piece of software needs to be installed on every workstation in the corresponding OU/domain.  This software communicates with the central SSRPM service to allow end-users to reset their passwords and adds an extra "Forgot my password" button to the standard Windows logon dialog.

When the end-user logs on, the software will check with the central SSRPM Service if the user has already enrolled into SSRPM.  If not, the user will be asked automatically to enroll.  The end-user is allowed to skip the enrollment.  If the end-user hits the button “Forgot my password” and the end-user has enrolled, the software will retrieve the set of questions and answers from the central service and the end-user can start the process of resetting the password.  The final password reset is performed by the central SSRPM Service.

After the reset, the end-user can log in immediately using the logon dialog.

2.  The SSRPM Service

The central SSRPM service stores all the answers in the SSRPM database (as an irreversible MD5 hash value) and processes the reset password requests.  The service is installed during the installation process of Self Service Reset Password Management.  For a successful installation, the service must have access to a Windows Domain Controller.  The service is managed by the SSRPM Admin Console.

3.  The SSRPM Admin Console

The SSRPM Admin Console is operated by the sys admin and the helpdesk.  It guides the sys admin through the installation of the central SSRPM service.  The admin console also assists in the enrollment process and in monitoring service events (for instance: password resets or end-user enrollments) during normal operation through the SSRPM Dashboard and several overviews.  
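
The validation flow described above (stored answer hashes, an administrator-set number of required correct answers, a retry limit), as an added example that is not SSRPM's own code. All names and the PBKDF2 parameters are assumptions, as is the unsalted form of the MD5 record; the salted slow-hash record is shown beside it because unsalted digests of short answers are identical across users.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def normalize(answer: str) -> str:
    # Compare answers case-insensitively and ignore surplus whitespace.
    return " ".join(answer.split()).casefold()


def md5_record(answer: str) -> str:
    # Plain MD5 of the answer (assumed unsalted): same answer, same digest.
    return hashlib.md5(normalize(answer).encode()).hexdigest()


def kdf_record(answer: str, salt=None):
    # Per-answer random salt plus a slow KDF: same answer, different record.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def kdf_matches(answer: str, record) -> bool:
    salt, expected = record
    # Constant-time comparison of the recomputed digest.
    return hmac.compare_digest(kdf_record(answer, salt)[1], expected)


class ResetValidator:
    """One user's enrolled answers; a reset needs `required` correct ones."""

    def __init__(self, answers: dict, required: int, max_retries: int):
        self.records = {q: kdf_record(a) for q, a in answers.items()}
        self.required = required
        self.retries_left = max_retries

    def attempt(self, given: dict) -> bool:
        if self.retries_left <= 0:
            return False  # retry limit reached: nothing is evaluated
        # Check every question so the result does not reveal which one failed.
        correct = sum(kdf_matches(given.get(q, ""), rec)
                      for q, rec in self.records.items())
        if correct >= self.required:
            return True
        self.retries_left -= 1
        return False
```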



Features

General
  • "Forgot my password" button on the login dialog.  
  • Multiplatform support, for instance to reset the password of a user account on other systems such as UNIX, Linux, Novell and a lot more.  
  • Windows Vista support, which adds a "Forgot My Password" link to the Windows Vista logon screen.  
  • Multilingual support for the languages: English, French, German, Italian, Spanish, Polish, Portuguese and Dutch.  
  • COM interface to support full end-user web functionality, so that users can enroll and reset their passwords via a web browser.  
  • End users can reset their password and unlock their account without intervention of the helpdesk.  
  • Enrollment is integrated in the user login.  If a user logs on when he/she is not yet enrolled, he/she will be asked automatically to enroll.  
  • The number of questions, which questions are asked and the number of retries can be determined by the sys admin with the SSRPM Admin Console.  
  • Password is reset and account is unlocked in Active Directory; other platforms and applications will follow shortly.  
Sys admin features
  • Easy to use wizard interface to roll out SSRPM into the organisation.  
  • SSRPM can be configured on domain or OU level.  
  • Configurable number of questions.  
  • Password complexity suggestions shown when an end-user resets his password, such as "Make sure that your password is 7 characters long".  
  • Fully integrated logging of all SSRPM actions in the network by console and end-users.  
  • Sys admin can be notified when an event occurs (for instance when a user enrolls or resets his or her password).  
Security settings
  • Support for password policy enforcement capabilities: Password History, Minimum Password Age and Password Complexity.
  • End-user answers are stored as irreversible MD5 hashes.  
  • Number of retries can be set.  
  • Number of predefined and end-user questions can be set.  
  • Different security levels can be used from weak to strong.  
  • Enable/disable the option to show end-user which answer is wrong.  
  • Enable/disable readable answers typed in by end-user.  
  • Several answer comparison options to improve security.  
SSRPM Admin Console
  • Global overview of which end-users are enrolled and which are not.  
  • Overview of wrong password reset requests.  
  • Dashboard overview of the current status of SSRPM.  



Printed from www.pnltools.com
© 2008 PNLTools Limited. All rights reserved