One side effect of authentication via username and password is the users forgetting their passwords. To relieve the help desk, we can delegate password resets to the users. Specops uReset allows such a self-service while protecting against identity theft.

The most important requirement for password resets is to authenticate users unambiguously before granting them access to an account with a new password. If the procedure used for this is too weak (for example, nothing but question-and-answer pairs), an unauthorized person who has researched the user's personal background can answer the questions and take over the account.

The Swedish company Specops Software provides a cloud-based authentication service that supports a whole range of identity services and lets you combine them in any way you like. In addition to uReset, Specops Authentication also serves other applications, including one for retrieving a BitLocker recovery key from Active Directory (AD).

Specops uses a hybrid model consisting of a cloud service and on prem software for uReset

Setting up the cloud tenant

Installing uReset starts by following a URL provided by the manufacturer for registering with the authentication service. The cloud account used for this purpose offers only limited options, such as creating additional accounts of this type.

In the context of uReset, the most important task here is to download the installation file for the so-called Gatekeeper. You set up this gateway on premises, and through it, the cloud service gains access to AD. Specops creates a custom setup file for each gateway by embedding a certificate in it. Because that certificate is what identifies your Gatekeeper to the cloud service, treat the installer like a credential: store it in a protected location and do not pass it around by email or shared drives.

Specops creates a separate installation file for each Gatekeeper

In addition, you will receive an activation code on the download page, which you must enter later during the install. In larger organizations, several Gatekeepers can operate in parallel.

You'll need the code generated during the download later when installing the Gatekeeper

Installing Gatekeeper

If you run the setup for Gatekeeper, it will first install the Admin Tools, and from there it will set up the gateway. A wizard will guide you through the installation, and in the first step, it asks where in AD the Gatekeeper should save its settings.

The wizard first needs to know where Specops Authentication should store its settings in AD

You then choose whether users of the entire domain or only those in certain organizational units (OUs) can reset their passwords via uReset. Subsequently you define the service account under which the software should run. Use a dedicated account for this purpose rather than an existing administrative account; the rights it needs are granted through the group memberships described in the next step.

Selection of the OUs or the domain whose users can use the authentication service

AD groups for uReset administrators

In the next step, the tool displays the security groups you need to manage uReset, together with their paths in AD. These groups are predefined, and the wizard creates them if they do not already exist:

  • The future members of the Admin Group are portal administrators. It will automatically add to it the account under which you installed the Gatekeeper.
  • The User Admin Group has authorization to access the user-management functions of the cloud-based authentication service.
  • The members of the Gatekeepers Group have the right to read the user information. The Gatekeeper service account is one of them.

AD security groups for uReset management

A subsequent dialog serves to determine whether administrators can also reset their passwords with uReset. This option is disabled by default, and most customers will probably leave it as it is.

By default, privileged accounts cannot reset their passwords using uReset

Finally, enter the activation code you received when you downloaded the installation file. The Gatekeeper should then start, and it will show the status Connected in the admin tool.

After successful installation, the Gatekeeper should be connected to the cloud service

As a last step, you must enable uReset by clicking the Change link in the yellow notification bar.

Authentication Client

With the cloud-based authentication service and the AD gateway in your own network, the infrastructure for uReset is not yet complete. Another component needed is the Authentication Client on the computers on which users should reset their passwords. Alternatively, Specops offers a password-reset app for iOS and Android.

The client displays the Reset password link on the Windows logon page, which opens a secure browser in the context of the SYSTEM account. There the user has to authenticate as the administrator specifies. Only when the user has successfully completed this process does the Gatekeeper receive the request to reset the password.

Password reset link on the Windows login screen

Because users identify themselves to the cloud service rather than to a domain controller, they can reset their passwords even when they are on the road and have no connection to the company network and thus to AD. In this case, the client also updates the AD credentials cached on the computer, so the user can log on with the new password before the machine next contacts a domain controller.

Installing the client also sets up two icons in the Start menu that open the web pages for changing the password (the user must know the current one) and registering the user with the Specops authentication service.

Enrolling the user

Since all components are now in place, users can essentially start the secure browser at the Windows logon to reset their passwords. At this point, however, they still lack some prerequisites. Most authentication procedures require users to store information in the system in advance.

This applies, for example, to secret answers to given questions but also to generating a token via an authenticator app. For this reason, administrators can either pre-enroll users with identity services that draw on data already present in Active Directory, or they must prompt users to enroll with the Specops service themselves.

The administrator can use the reporting function in the web console to get an overview of which users have not yet registered. The Audit tab also allows tracking of all enrollments and changes to the configuration.

Overview of users who have not yet enrolled to the authentication service

To persuade users to register, Specops provides various options. These range from displaying a notification to automatically opening the enrollment page or starting the browser in full-screen mode without the possibility of closing it. In addition, you can set intervals at which the system prompts users to enroll.

Automatic enrollment reminder at the start of the web browser

You assign these enrollment policies to the users via group policies. For this purpose, you create empty GPOs in group policy management and link them to the desired OUs. Then you select these GPOs in the Specops admin tool and configure their settings there.

Settings with which admins can force users to register with Specops Authentication

Configuring authentication requirements

When users register for the service, they authenticate themselves with their Windows passwords and must then configure the authentication methods the admin specified. This includes, for example, storing answers to security questions or a mobile phone number to receive a token via SMS.

Normally, users do not have to select all the identity services displayed, but only as many as are necessary to receive the required number of stars.

The user has to configure several authentication methods the admin specified

The password-reset authentication works according to the same pattern. Administrators rate each method by assigning it a certain number of stars. They also determine how many stars users must collect to prove their identities.

Admins set the identity sources available during enrollment and authentication, their weight, and the number of stars users have to collect for each action. Users then select, from the methods they have registered, the ones that best suit them in the given situation. It is best practice to require more stars during enrollment than during authentication: users then have more methods registered than any single reset needs, and therefore have alternatives if one method (for example, a phone) is unavailable. Specops calls this concept dynamic multifactor authentication (MFA).
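To make the star model of the two preceding sections (enrollment stars and reset stars) concrete, here is an added Python model written for this article; it is not Specops code, and the method names, star weights, and thresholds are constructed assumptions. It evaluates whether a user's registered methods satisfy the enrollment threshold, whether the methods presented at reset time suffice, lists the fallback combinations a user has, and lints the policy for the two mistakes the text warns about: a weak knowledge-based method reaching the reset threshold on its own, and an enrollment threshold that leaves users without alternatives.

```python
from itertools import combinations

# Constructed policy for illustration; real Specops identity services and
# their admin-assigned star weights will differ.
WEIGHTS = {
    "security_questions": 1,   # knowledge-based: weakest, rated lowest
    "sms_otp": 2,
    "authenticator_app": 3,
    "fido_token": 3,
}
ENROLL_STARS = 6   # stars the user must register during enrollment
AUTH_STARS = 3     # stars required to authenticate a password reset


def star_count(methods, weights=WEIGHTS):
    """Sum the star weights of a set of methods; unknown names are rejected."""
    methods = set(methods)
    unknown = methods - weights.keys()
    if unknown:
        raise ValueError(f"unknown identity service(s): {sorted(unknown)}")
    return sum(weights[m] for m in methods)


def can_enroll(registered, weights=WEIGHTS, needed=ENROLL_STARS):
    """Enrollment succeeds once the registered methods reach the threshold."""
    return star_count(registered, weights) >= needed


def can_reset(registered, presented, weights=WEIGHTS, needed=AUTH_STARS):
    """Only methods the user registered earlier count at reset time."""
    usable = set(presented) & set(registered)
    return star_count(usable, weights) >= needed


def reset_options(registered, weights=WEIGHTS, needed=AUTH_STARS):
    """Minimal combinations of registered methods that satisfy a reset.

    'Minimal' means no proper subset of the combination also suffices; these
    are the alternatives a user can fall back on when one method is unavailable.
    """
    registered = sorted(set(registered))
    found = []
    for size in range(1, len(registered) + 1):
        for combo in combinations(registered, size):
            if star_count(combo, weights) < needed:
                continue
            if any(set(f) < set(combo) for f in found):
                continue  # a smaller combination already covers this one
            found.append(combo)
    return found


def policy_warnings(weights=WEIGHTS, enroll=ENROLL_STARS, auth=AUTH_STARS,
                    weak=("security_questions",)):
    """Sanity checks an admin should run before rolling out a star policy."""
    warnings = []
    if enroll <= auth:
        warnings.append("enrollment threshold is not above the reset threshold: "
                        "users have no fallback method")
    weak_total = sum(weights[m] for m in weak if m in weights)
    if weak_total >= auth:
        warnings.append("weak methods alone satisfy the reset threshold")
    if sum(weights.values()) < enroll:
        warnings.append("enrollment threshold is unreachable with the available methods")
    return warnings


if __name__ == "__main__":
    user = ["security_questions", "sms_otp", "authenticator_app"]
    print("enrolled:", can_enroll(user))
    print("questions only:", can_reset(user, ["security_questions"]))
    print("questions + SMS:", can_reset(user, ["security_questions", "sms_otp"]))
    print("fallback options:", reset_options(user))
    print("policy warnings:", policy_warnings())
```

With the constructed weights, security questions alone never reach the reset threshold, but together with an SMS code they do, while the authenticator app suffices on its own; that is exactly the "alternatives" effect of requiring six stars at enrollment but only three at reset. Lowering `AUTH_STARS` to 1 or raising it to the enrollment value makes `policy_warnings()` flag the policy.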

Admins select the permitted methods for authentication and rate them according to their strength

If admins want to define the same requirements for all accounts, they choose the Cloud option. Alternatively, they can choose the Group Policy option, create empty GPOs again, assign them to the designated OUs, select them in the admin tool, and then configure their settings in the web console.

Assigning the configuration for authentication via GPO

Conclusion

The trivial task of a password reset requires some effort if you want to delegate it to users. In this case, you must ensure nobody can use this opportunity to gain access to other people's accounts.

This also applies to users who contact the help desk to reset their passwords. In larger companies, the IT department does not know users personally, so reliable authentication is required here as well. Specops uReset currently provides reset functions for the help desk that let agents verify users with the same MFA methods the users enrolled. Specops plans to extend these functions and move them into a separate product.

The infrastructure Specops provides for resetting passwords is nothing an admin can set up quickly by clicking setup.exe. If you are serious about improving security in your network, you need to invest some time in such a project.

Given that setup and rollout involve some effort, companies should consider reusing the users' MFA enrollments to secure the other use cases Specops Authentication supports beyond self-service password reset.

You can download a test version of Specops uReset here.

© 4sysops 2006 - 2020