When organizations do not have a self-service password reset (SSPR) solution in place that allows end users to reset their passwords securely, the IT service desk has to get involved. At that point, the IT service desk has the responsibility of verifying the user's identity. Especially in larger SMBs or enterprise environments, the user base can be large enough that an IT service desk technician may not personally know everyone in the organization.
With Specops Secure Service Desk, the IT service desk has the tools needed to verify a user's identity using multifactor authentication mechanisms. It offers the following features:
- User verification before resetting or unlocking an account
- Numerous secure user verification methods, including Okta Verify, Symantec VIP, YubiKey and Duo Security
- Full system auditing and reporting
- Customizable user interface
- Multilanguage support
With Specops Secure Service Desk, organizations now have the tools to identify an impostor attempting to social-engineer the service desk.
New features added
Several new features and enhancements have been added since the previous review of the Specops Secure Service Desk. These include the following:
- Length of identity verification session is now configurable and displayed to the Service Desk agent
- Lockout settings for mobile code, email, and personal email identity services
- Service Desk settings for enforcing password change at the next logon after reset, either mandatory or selected by the Service Desk agent
- Support for third-party identity services as quick verification options, including Duo, Ping ID, Symantec VIP, and other enhancements
You can read the complete list and details of the various new features, fixes, and other enhancements here. This review focuses on configuring Duo Security as an identity service in Specops Secure Service Desk, but as mentioned above, the solution supports other third-party authentication methods. For the sake of brevity, I've focused on Duo to show how third-party identity services already in place can be used to secure user verification at the IT service desk.
Installing Specops Secure Service Desk
There are two components to setting up the Specops Secure Service Desk. You will set up the following:
- Specops Secure Service Desk cloud account
- An on-premises “Gatekeeper” component
Additional details on installation and set up can be found in my previous review here.
Configuring Duo Security Identity Service
Before being able to configure Duo, it will have to be enabled by Specops Support. Once enabled, on the Specops Secure Service Desk admin dashboard, click Identity Services. Then click the settings icon (cog wheel) for Duo. The configuration page details the steps needed to configure your integration with Duo Security. The Secure Service Desk configuration is no different from setting up any other integration with Duo and involves configuring the following:
- Integration key
- Secret key
- API hostname
The steps below show where to get the values for these fields.
Where do you get this information? It is found when you log in to your Duo Security admin dashboard. You will need to navigate to Applications > Protect an application. There, you will search for auth API. You will see the Partner Auth API. Click the Protect button.
Duo automatically provisions the three pieces of information that you need to configure the integration with Secure Service Desk. Paste these values into the Secure Service Desk Duo Identity Service configuration.
The Partner Auth API application enables multifactor verification from Secure Service Desk for the end user. On the Secure Service Desk configuration screen, make sure the policy is not set to allow users access without 2FA; that setting would let users pass through Duo without authenticating. Also, the user must be enrolled in Duo. If the user is not enrolled, the identity service will still appear, but the user will not be allowed to authenticate.
Once you have the configuration information from the Duo-protected application screen, enter the integration key, secret key, and API hostname. Also select Yes to auto enroll users to Specops Authentication. This will auto enroll users currently utilizing Duo Security within your organization.
Click the Test connection button at the bottom of the screen. You should see the Connection test successful message. Click Enable to enable the Duo identity service in Secure Service Desk.
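To show what the three values are used for, here is an added example (not Specops or Duo code) that signs a Duo Auth API request the way Duo's public documentation describes, and interprets a preauth reply so that a bypass policy or a missing enrollment is never mistaken for a verified identity. The key values, hostname, username, and the `verification_required` helper are constructed placeholders and assumptions; how Secure Service Desk itself calls Duo is not shown on this page.

```python
import base64
import email.utils
import hashlib
import hmac
import urllib.parse

def sign_duo_request(method, host, path, params, ikey, skey, date=None):
    """Return the Date and Authorization headers for a Duo Auth API call."""
    date = date or email.utils.formatdate()
    # Parameters are sorted by key and URL-encoded before signing.
    query = "&".join(
        f"{urllib.parse.quote(k, '~')}={urllib.parse.quote(v, '~')}"
        for k, v in sorted(params.items())
    )
    # Canonical request: date, METHOD, lowercase host, path, encoded params.
    canon = "\n".join([date, method.upper(), host.lower(), path, query])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    # The integration key is the Basic-auth user, the signature the password.
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}

def verification_required(preauth_response):
    """Map a /auth/v2/preauth reply to what the service desk should do."""
    if preauth_response.get("stat") != "OK":
        return "error"
    outcomes = {
        "auth": "challenge",        # user must complete 2FA (push, passcode, ...)
        "allow": "bypass-policy",   # Duo policy lets the user in without 2FA
        "enroll": "not-enrolled",   # user has no Duo enrollment yet
        "deny": "denied",
    }
    return outcomes.get(preauth_response["response"]["result"], "unknown")

# Constructed placeholder values, not real credentials.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "constructed-secret-key-not-real"
HOST = "api-XXXXXXXX.duosecurity.com"

if __name__ == "__main__":
    headers = sign_duo_request("POST", HOST, "/auth/v2/preauth",
                               {"username": "jdoe"}, IKEY, SKEY)
    print(headers["Authorization"][:20] + "...")
    # Constructed reply for a user covered by an "allow without 2FA" policy.
    reply = {"stat": "OK", "response": {"result": "allow"}}
    print(verification_required(reply))
```

Only the "challenge" outcome leads to an actual second-factor prompt; the other outcomes mean the caller's identity has not been verified through Duo.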
Verifying a user's identity using Duo in Secure Service Desk
Now, when a user calls into the IT service desk, the technician can pull up the user in Secure Service Desk to verify their identity before resetting their password or unlocking their account. The technician has the option to use Duo as an identity mechanism.
Below, the IT technician has chosen to send a push verification to the Duo-enabled end user. Notice how the options to reset password and unlock computer are grayed out since identity has not yet been validated.
The end user receives the push notification and accepts the request in their Duo mobile app. This process confirms the identity and unlocks the IT technician's ability to perform account operations for the end user.
As mentioned earlier, there are also a couple of other new features that help to increase the security of the Secure Service Desk process, including:
- Identity verification session in minutes
- Force users to change password after reset
Final Impressions
I think Specops' Secure Service Desk helps bolster identity validation and overall cybersecurity for organizations today. Undoubtedly, working from home and a hybrid workforce will be the new normal, post-pandemic. IT helpdesks may be carrying out many of their service desk activities, including helping with account-related issues, over the phone. The new identity verification services offered by Secure Service Desk help businesses align their current two-factor authentication solutions with the capabilities of Secure Service Desk. As shown, configuring Duo with Secure Service Desk is reasonably straightforward and allows easy identification validation of end users who call into the service desk.
Learn more about Specops Secure Service Desk here.