ManageEngine ADSelfService Plus is a fully featured solution to easily implement self-service password reset, SSO, password synchronization, MFA, and an employee directory while enforcing strong password policies.

Compromising user accounts and passwords is arguably the top goal of attackers. Passwords are often one of the weakest links in the overall cybersecurity posture of most organizations. Adding to the complexity is the sheer number of cloud-based solutions that businesses use today, including SaaS environments. ManageEngine ADSelfService Plus is an identity security solution that helps companies meet the authentication challenges of the hybrid workforce and bolster security.

What is ManageEngine ADSelfService Plus?

ManageEngine's ADSelfService Plus is an identity security solution aimed at organizations running hybrid infrastructure and cloud SaaS applications. It also addresses the well-known "forgotten password" problem among end users of Microsoft Active Directory.

However, the solution goes well beyond self-service password resets and includes a suite of tools that improve cybersecurity posture, password hygiene, and user experience, among other benefits. Note the following features of the solution:

  • Self-service password reset
  • Password synchronization
  • Single sign-on
  • Enforce password security
  • Endpoint multi-factor authentication (MFA)
  • Up-to-date corporate and employee directory

Let's consider these features.

Self-service password reset

One of the most time-consuming and burdensome activities for help desk technicians is password resets for end users. Unfortunately, while modern cloud environments provide self-service password reset capabilities, on-premises Active Directory Domain Services still do not have built-in native self-service password reset functionality.

ADSelfService Plus helps organizations fill this functionality gap by providing a self-service password reset feature for employees. ADSelfService Plus provides this to users right from their Windows/Linux/macOS logon screen.

Password reset and unlock account integration at Windows logon

It also allows admins to choose the types and security levels required for users to verify their identity and reset their passwords.

Defining multi-factor authentication services for SSPR capabilities

ManageEngine also offers mobile apps for the ADSelfService Plus solution, enabling users to control their identity from a mobile device. For example, users can use the mobile app to reset forgotten passwords and unlock a locked Active Directory account.

These and other features benefit both users and administrators. For example, users get a quicker resolution to account lockouts or forgotten passwords. In addition, the burden on the help desk diminishes since users can resolve account-related issues themselves, allowing technicians to triage and troubleshoot other issues in the environment.

Password synchronization

One of the challenges for enterprise IT is the explosion of third-party services, including cloud services and solutions. As a result, users can have difficulty keeping their Active Directory password current and remembering it. When you add in dozens of other services and solutions, maintaining multiple passwords can be overwhelming for users.

For compliance and security reasons, having a centralized identity and access management solution is vital for a single source of truth and allows passwords to be managed from one identity solution. Since most organizations use Active Directory Domain Services on premises, it is logical to use AD DS as this centralized identity source.

ADSelfService Plus has an excellent feature for synchronizing Active Directory credentials with multiple solutions and cloud services. Instead of relying on numerous password synchronization services specific to only one service, ADSelfService Plus provides a way to synchronize your Active Directory password with 18 cloud services.

Password sync applications in ADSelfService Plus

Single sign-on

Rounding out the feature set of ADSelfService Plus, organizations can configure single sign-on (SSO) for users. Single sign-on can be challenging to configure and set up. For example, Microsoft's SSO solution is powerful, allowing you to federate access with Microsoft 365 and Azure, but it requires substantial configuration.

ADSelfService Plus, by contrast, provides the capabilities and built-in tools out of the box to configure SSO for end users, giving them a seamless experience when logging in to other services used by their organization.

One of the solution's great features is the custom cloud application support for SSO. You don't have to work out the complexities of configuring these integrations yourself, as ADSelfService Plus does this for you. Note the following catalog of SSO integrations, which covers over 100 services and solutions:

ADSelfService supports many SSO integrations out of the box

Enforce password security

As mentioned at the outset, user passwords are often the weakest link in the overall cybersecurity posture of most organizations. Many users may reuse passwords, increment passwords, use easily guessed passwords, or use other weak passwords and password techniques.

ADSelfService Plus provides additional controls above and beyond traditional Active Directory password policies, such as the following:

  • Restricting length
  • Restricting certain patterns
  • Restricting repetition
  • Banning compromised passwords (breached password protection)

Other interesting options found in ADSelfService Plus help encourage the use of passphrases, such as "Override all complexity rules if password length is at least" a configured number of characters.

In addition, it provides out-of-the-box reports that give admins relevant password information, including the user's password expiration, account lockout status, enrollment data, and self-service activities.
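To make the policy rules above concrete, here is an added example (not code from ADSelfService Plus or ManageEngine) of a checker that applies a minimum length, banned patterns, a repetition limit, a breached-password list, and the passphrase override that waives character-class rules for long passwords. The breached list, banned patterns, and thresholds are constructed for illustration; in production the breached list would come from a breached-password feed.

```python
import re

# Constructed sample of breached passwords (stand-in for a real breached-password feed).
BREACHED = {"password1", "welcome123", "summer2023", "qwerty123!"}

# Constructed banned patterns: company name, keyboard runs, common dictionary words.
BANNED_PATTERNS = [r"contoso", r"qwerty", r"12345", r"password"]

MIN_LENGTH = 12          # assumed minimum length
PASSPHRASE_LENGTH = 20   # "override all complexity rules if password length is at least" N
MAX_REPEAT = 3           # no character may repeat more than this many times in a row


def complexity_classes(pw: str) -> int:
    """Count the character classes present: lower, upper, digit, symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, pw)) for p in classes)


def check_password(pw: str) -> list:
    """Return the list of rule violations; an empty list means the password is accepted."""
    violations = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    for pat in BANNED_PATTERNS:
        if re.search(pat, lowered):
            violations.append(f"contains banned pattern '{pat}'")
    # (.)\1{3,} matches a character followed by 3 more copies, i.e. 4 in a row.
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT, pw):
        violations.append(f"a character repeats more than {MAX_REPEAT} times in a row")
    # Case-insensitive match so trivial capitalisation of a breached value is still caught.
    if lowered in BREACHED:
        violations.append("appears in the breached-password list")
    # Passphrase override: long passwords skip only the character-class rule;
    # banned patterns, repetition and breached passwords are still rejected.
    if len(pw) < PASSPHRASE_LENGTH and complexity_classes(pw) < 3:
        violations.append("needs at least 3 of 4 character classes or passphrase length")
    return violations
```

Run `check_password("correct horse battery staple")` to see the passphrase override accept a long password with a single character class, while `check_password("Welcome123")` is rejected for both length and its presence in the breached list.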

Password Policy Enforcer rules

Endpoint multi-factor authentication (MFA)

ADSelfService Plus also helps roll out multi-factor authentication for Active Directory user identities. MFA drastically reduces the attack surface for machines, VPNs, and other web services, such as email web access, in addition to protecting self-service password resets and SSO access. With ADSelfService Plus, you can enable MFA on both cloud and on-premises applications and endpoints with an Endpoint MFA add-on package.

ADSelfService Plus allows admins to configure different authentication workflows based on the type of user, the groups they are a member of, or other factors, such as the location of their user account in a specific OU.

MFA for endpoints using ADSelfService

Up-to-date corporate and employee directory

ADSelfService Plus also provides a self-service corporate directory search, also known as employee or people search. This feature allows employees to search the company directory and find colleagues quickly. In addition, it offers several filter options, allowing users to narrow results by common search fields, such as email addresses.

Admins can choose which options are available for users and the specific search criteria they can select for their employee search.

Directory search and self service

Users can find the employee search in their self-service portal.

Using the employee search as an end user

Pricing and editions

ADSelfService Plus comes in two editions: Standard and Professional. These are purchased as annual subscriptions based on incremental bundles of users in your organization. You can also receive a quote from ManageEngine for specific user requirements to align with your organization. To make the transition easier, ManageEngine’s Implementation services can help you with the installation, configuration and onboarding of ADSelfService Plus.

You can find the pricing details and a comparison of features between the Standard and Professional editions on the ADSelfService Plus Pricing Details page.


Wrapping up

I found the ManageEngine ADSelfService Plus solution fully featured and capable of meeting many of the challenges associated with passwords for modern organizations today, supporting a hybrid workforce. It goes beyond a simple SSPR solution to allow companies to bolster security with password enforcement and MFA authentication. It also helps alleviate the heavy lifting for IT when configuring SSO and password synchronization between numerous cloud SaaS services.

1 Comment
  1. Welf Alberts (Rank 3) 2 months ago

    Hi Brandon.

    I would expect every comfortable solution to have a downside, security-wise.
    And that should be considered as well.

    For example: how secure are security questions? NIST no longer recognizes those as an acceptable authenticator by SP 800-63.
    As your screenshot shows, those can be combined with SMS verification and push notifications and so on, but who is able to tell how secure this is against abuse? Try to put a number to it, that will be hard. Ideally, every pw reset system needs to be as secure as the pw itself; providing reset options should make it easier for an attacker to steal an identity, so giving an estimate of how secure this combination of reset verifications is, should be mandatory.

    Furthermore, I would like to know whether this software works with passwords only or whether it can also reset forgotten SmartCard PINs (for Windows authentication).
