The most important requirement for password resets is to authenticate the users unambiguously before granting them access to accounts with new passwords. If the procedures used for this are too weak—for example, only question-answer pairs—unauthorized persons can obtain access to an account by spying on the user's environment.
The Swedish company Specops Software provides a cloud-based authentication service that supports a whole range of identity services and lets you combine them as you wish. In addition to uReset, Specops Authentication also serves other applications, including one for retrieving a BitLocker key from Active Directory (AD).
Setting up the cloud tenant
Installing uReset starts by following a URL provided by the manufacturer for registering with the authentication service. The cloud account used for this purpose offers only limited options, such as creating additional accounts of this type.
In the context of uReset, the most important task is to download the installation file for the so-called Gatekeeper. You set up this gateway on premises, and through it, the cloud service gains access to AD. Specops creates a custom setup file for each gateway by embedding a certificate in it.
In addition, you will receive an activation code on the download page, which you must enter later during the install. In larger organizations, several Gatekeepers can operate in parallel.
You'll need the code generated during the download later when installing the Gatekeeper
Installing Gatekeeper
When you run the Gatekeeper setup, it first installs the Admin Tools, and from there you set up the gateway. A wizard guides you through the installation; in the first step, it asks where in AD the Gatekeeper should store its settings.
You then choose whether users of the entire domain or only those in certain organizational units (OUs) can reset their passwords via uReset. Next, you define the service account under which the software should run.
AD groups for uReset administrators
In the next step, the tool displays the security groups, and their paths in AD, that are needed to manage uReset. These are predefined, and the tool creates them if they do not already exist:
- The future members of the Admin Group are portal administrators. The account under which you installed the Gatekeeper is added to this group automatically.
- The User Admin Group has authorization to access the user-management functions of the cloud-based authentication service.
- The members of the Gatekeepers Group have the right to read the user information. The Gatekeeper service account is one of them.
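The three groups decide who can administer the portal, who can manage users, and which account may read user data, so they are worth reviewing once the wizard has finished. The following PowerShell is an added example, not Specops code: it lists the effective (nested) membership of each group, checks that the Gatekeeper service account is in the Gatekeepers group, and flags an Admin Group that has grown beyond a handful of accounts. The group and account names are assumptions; substitute the names the wizard displayed in your forest.

```powershell
# Added example (not Specops code): review the uReset security groups after the
# Gatekeeper install. Group and account names below are assumptions; use the
# names and paths the wizard displayed for your forest.
Import-Module ActiveDirectory

$groups = @{
    Admin      = 'uReset Admins'          # assumed name: portal administrators
    UserAdmin  = 'uReset User Admins'     # assumed name: user-management access
    Gatekeeper = 'uReset Gatekeepers'     # assumed name: may read user information
}
$serviceAccount = 'svc-ureset-gk'         # assumed Gatekeeper service account
$maxPortalAdmins = 3                      # constructed threshold for the review

foreach ($role in $groups.Keys) {
    $name  = $groups[$role]
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) {
        Write-Warning "Group for role '$role' ($name) not found; rerun the wizard or fix the name."
        continue
    }

    # Resolve nested membership so indirectly granted rights are visible too
    $members = @(Get-ADGroupMember -Identity $group -Recursive)
    Write-Host ("{0,-11} {1,-25} members: {2}" -f $role, $name, $members.Count)
    $members | ForEach-Object { Write-Host ("    {0} ({1})" -f $_.SamAccountName, $_.objectClass) }

    switch ($role) {
        'Gatekeeper' {
            if ($members.SamAccountName -notcontains $serviceAccount) {
                Write-Warning "$serviceAccount is not a member of $name; the Gatekeeper cannot read user data."
            }
        }
        'Admin' {
            # Portal admins control who may reset which accounts: keep this list short.
            if ($members.Count -gt $maxPortalAdmins) {
                Write-Warning "$name has $($members.Count) members; review whether all need portal-admin rights."
            }
        }
    }
}
```

Run it under an account that can read group membership; it changes nothing and only prints warnings for the conditions described above.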
A subsequent dialog serves to determine whether administrators can also reset their passwords with uReset. This option is disabled by default, and most customers will probably leave it as it is.
In the last wizard step, enter the activation code you received when you downloaded the installation file. The Gatekeeper should then start, and the admin tool shows its status as Connected.
Finally, you must enable uReset by clicking the Change link in the yellow notification bar.
Authentication Client
With the cloud-based authentication service and the AD gateway in your own network, the infrastructure for uReset is not yet complete. Another component needed is the Authentication Client on the computers on which users should reset their passwords. Alternatively, Specops offers a password-reset app for iOS and Android.
The client displays the Reset password link on the Windows logon page, which opens a secure browser in the context of the SYSTEM account. There the user has to authenticate with the methods the administrator has specified. Only when the user has successfully completed this process does the Gatekeeper receive the request to reset the password.
Because users identify themselves to a cloud service, they can do so even when they are on the road and have no access to the company network, and thus no access to AD. In this case, the client is also able to update the AD credentials cached on the computer.
Installing the client also sets up two icons in the Start menu that open the web pages for changing the password (the user must know the current one) and registering the user with the Specops authentication service.
Enrolling the user
Since all components are now in place, users can essentially start the secure browser at the Windows logon to reset their passwords. At this point, however, they still lack some prerequisites. Most authentication procedures require users to store information in the system in advance.
This applies, for example, to secret answers to given questions but also to generating a token via an authenticator app. For this reason, administrators can either pre-enroll users by using identity services that draw on existing Active Directory data, or they must require users to enroll with the Specops service.
The administrator can use the reporting function in the web console to get an overview of which users have not yet registered. The Audit tab also allows tracking of all enrollments and changes to the configuration.
To persuade users to register, Specops provides various options. These range from displaying a notification to automatically opening the enrollment page or starting the browser in full-screen mode without the possibility of closing it. In addition, you can set intervals at which the system prompts users to enroll.
You assign these enrollment policies to the users via group policies. For this purpose, you create empty GPOs in group policy management and link them to the desired OUs. Then you select these GPOs in the Specops admin tool and configure their settings there.
Configuring authentication requirements
When users register for the service, they authenticate themselves with their Windows passwords and must then configure the authentication methods the admin specified. This includes, for example, storing answers to security questions or a mobile phone number to receive a token via SMS.
Normally, users do not have to select all the identity services displayed, but only as many as are necessary to receive the required number of stars.
The password-reset authentication works according to the same pattern. Administrators rate each method by assigning it a certain number of stars. They also determine how many stars users must collect to prove their identities.
Admins set the identity sources available during enrollment and authentication, their weight, and the number of stars users have to collect for each action. Users then select the registered procedures that best suit them in the given situation. It is best practice to require more stars at enrollment than at authentication, because users then have alternative ways to access the system. Specops calls this concept dynamic multifactor authentication (MFA).
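To make the star model concrete, the following PowerShell is an added example, not Specops code or its actual algorithm: it assigns constructed star weights to a few identity services, checks whether a user's enrolled methods meet an enrollment threshold, and then lists every minimal combination of those methods that reaches the lower authentication threshold. The weights and thresholds are invented for illustration, not Specops defaults.

```powershell
# Added example (not Specops code): a small model of star-weighted identity services.
# Weights, thresholds and the sample user are constructed values, not Specops defaults.
$weights = @{
    'Security questions' = 1
    'Email code'         = 1
    'SMS token'          = 2
    'Authenticator app'  = 3
}
$enrollStars = 5   # stars required at enrollment (constructed)
$authStars   = 3   # stars required at reset time (constructed)

function Get-StarTotal([string[]]$Methods) {
    $total = 0
    foreach ($m in $Methods) {
        if (-not $weights.ContainsKey($m)) { throw "Unknown identity service: $m" }
        $total += $weights[$m]
    }
    return $total
}

# Every subset of the enrolled methods that reaches the threshold, reduced to the
# minimal ones: a set is minimal if removing any single method drops it below the
# threshold (weights are positive, so any smaller subset would fail as well).
function Get-QualifyingSets([string[]]$Enrolled, [int]$Threshold) {
    $n = $Enrolled.Count
    if ($n -eq 0) { return }
    $sets = foreach ($mask in 1..((1 -shl $n) - 1)) {
        $subset = @(0..($n - 1) | Where-Object { $mask -band (1 -shl $_) } | ForEach-Object { $Enrolled[$_] })
        $total  = Get-StarTotal $subset
        if ($total -ge $Threshold) { [pscustomobject]@{ Methods = $subset; Stars = $total } }
    }
    foreach ($candidate in @($sets)) {
        $redundant = $candidate.Methods | Where-Object { ($candidate.Stars - $weights[$_]) -ge $Threshold }
        if (-not $redundant) { $candidate }
    }
}

# Constructed user who registered three services during enrollment
$enrolled      = @('Security questions', 'SMS token', 'Authenticator app')
$enrolledTotal = Get-StarTotal $enrolled
if ($enrolledTotal -lt $enrollStars) {
    Write-Host "Enrollment incomplete: $enrolledTotal of $enrollStars stars"
} else {
    Write-Host "Minimal combinations reaching $authStars stars at reset time:"
    Get-QualifyingSets -Enrolled $enrolled -Threshold $authStars |
        ForEach-Object { Write-Host ("  {0} ({1} stars)" -f ($_.Methods -join ' + '), $_.Stars) }
}
```

With these constructed weights the sample user holds 6 stars, so enrollment succeeds, and at reset time two independent options remain: the authenticator app alone, or security questions plus SMS token. A user who enrolled with exactly 3 stars (only the app) would have no fallback, which is the reason for setting the enrollment threshold above the authentication threshold.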
If admins want to define the same requirements for all accounts, they choose the Cloud option. Alternatively, they can choose the Group Policy option, create empty GPOs again, assign them to the designated OUs, select them in the admin tool, and then configure their settings in the web console.
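Both the enrollment policies (empty GPOs linked to OUs and then selected in the Specops admin tool) and the Group Policy option for authentication requirements start with the same Active Directory groundwork. The following PowerShell is an added example, not Specops code: it creates the empty GPOs, links each one to its OU, and is safe to rerun. The domain, OU paths, GPO names and the admin group used for delegation are assumptions; the uReset settings themselves are still configured in the Specops admin tool and web console as described above.

```powershell
# Added example (not Specops code): create the empty GPOs that will carry uReset
# enrollment and authentication policies and link them to the target OUs.
# Domain, OU paths, GPO names and the delegated group are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$policies = @(
    @{ Name = 'uReset - Enrollment - Sales';     OU = 'OU=Sales,DC=corp,DC=example' },
    @{ Name = 'uReset - Enrollment - Finance';   OU = 'OU=Finance,DC=corp,DC=example' },
    @{ Name = 'uReset - Authentication - Users'; OU = 'OU=Users,DC=corp,DC=example' }
)
$delegatedGroup = 'uReset Admins'   # assumed name of the portal-admin group

foreach ($p in $policies) {
    # Skip an OU that does not exist instead of failing part way through the list
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$($p.OU)'")) {
        Write-Warning "OU $($p.OU) not found; skipping $($p.Name)"
        continue
    }

    # The GPO stays empty here; uReset settings are added later in the Specops tools
    $gpo = Get-GPO -Name $p.Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $p.Name -Comment 'Container for Specops uReset policy settings'
    }

    # Link only once, so the script can be rerun without creating duplicate links
    $existingLink = (Get-GPInheritance -Target $p.OU).GpoLinks | Where-Object { $_.DisplayName -eq $p.Name }
    if (-not $existingLink) {
        New-GPLink -Name $p.Name -Target $p.OU -LinkEnabled Yes | Out-Null
    }

    # Least privilege: allow the uReset admin group to edit these GPOs without
    # making its members general Group Policy administrators
    Set-GPPermission -Name $p.Name -TargetName $delegatedGroup -TargetType Group -PermissionLevel GpoEdit | Out-Null
    Write-Host ("{0} linked to {1}" -f $p.Name, $p.OU)
}
```

After the script has run, the GPOs appear in the Specops admin tool, where you select them and assign the enrollment or authentication settings.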
The trivial task of a password reset requires some effort if you want to delegate it to users. In this case, you must ensure nobody can use this opportunity to gain access to other people's accounts.
This also applies to users who contact the help desk to reset their passwords. In larger companies, the IT department does not personally know users. Therefore, reliable authentication is also required here. Specops uReset currently provides reset functions for the help desk, allowing agents to verify users with the same MFA enrollments they registered with. However, Specops plans to extend these functions and move them into a separate product.
The infrastructure Specops provides for resetting passwords is nothing an admin can quickly install by clicking setup.exe. If you are serious about improving security in your network, you need to invest some time in such a project.
Given that setup and rollout involve some effort, companies should consider reusing the users' MFA enrollments to secure other use cases that Specops Authentication supports beyond self-service password reset.
You can download a test version of Specops uReset here.