A common truism in information security is that administrators are always balancing three counterbalancing forces: security, cost, and ease of use.
For example, forcing our users to rotate their passwords more often nominally increases security and costs us nothing extra (the policy is built into Active Directory), but ease of use decreases and end users typically complain. (Current guidance such as NIST SP 800-63B actually advises against mandatory periodic rotation, which is one more reason to make the resets you do require as painless as possible.)
You may be forced by a service level agreement or by regulatory compliance to strengthen your domain's password policy. This inevitably results in more help desk tickets for account lockouts and password resets when users forget their passwords and exceed the account lockout threshold. What to do?
Specops uReset is a neat software-as-a-service (SaaS) application that enables user self-service for password reset in a clever way. Let's learn more.
Set up the uReset environment
When you register for a free evaluation, you are given a download link to what Specops calls the Gatekeeper (GK). This lightweight service performs the reset, unlock and enrollment operations and also provides a desktop application from which you administer uReset. Enrollment data lives in a child object that the Gatekeeper creates under each user account in AD: the user's identity-service unique IDs, the answers to security questions (stored salted and hashed), and the authentication policy that applies to that user.
No separate database is required. Installation on my Windows Server 2012 R2 domain controller was quick and painless. Here is what's required:
- Cloud administrator credentials. Because uReset is a cloud SaaS application, your Specops user account needs to be linked with your on-premises installation. This account is required for sign-up purposes and verifies that the person installing the Gatekeeper is the same person who originally signed up. According to Specops Software, uReset stores only non-sensitive information in the cloud, such as the name of the computer running the GK and the IP address of the computer that registered the GK.
- Gatekeeper service account credentials. Specops suggests using a managed service account (MSA), but you can use an "ordinary" domain user account instead. Managed service accounts are recommended because AD maintains their passwords; the admin never has to set or rotate one. Whichever you choose, keep in mind that this is the account under which resets and unlocks in your scope are actually performed, so treat it as privileged and don't reuse an account that has other duties.
- Active Directory scope. The level at which you want to enable uReset is up to you. As you can see in the next screen capture, you can enable uReset for the entire domain or just one or more AD containers or organizational units (OUs).
- uReset AD groups. The default group names are uReset Admins (full control over uReset), uReset Helpdesk Users (access to the helpdesk portal), and uReset Gatekeepers (a group that is currently not in use but in future will allow multiple Gatekeepers in a single domain).
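The four prerequisites above can be prepared ahead of the Gatekeeper installer with the ActiveDirectory PowerShell module. The script below is an added example, not Specops' own code: the OU path, the Gatekeeper host name `DC01` and the MSA name `uResetGK` are assumptions, and it does not grant the account any rights on the scope (that is part of the Gatekeeper installation described in the text, which this does not replace). Run it as a Domain Admin on a machine with RSAT and WinRM access to the Gatekeeper host.

```powershell
# Added example (not Specops' code): prepare the uReset prerequisites.
# Assumed names: scope OU, Gatekeeper host "DC01", MSA "uResetGK".
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$scopeOU = "OU=Corp Users,$($domain.DistinguishedName)"   # assumed AD scope for uReset
$gkHost  = "DC01"                                         # assumed server that will run the Gatekeeper
$msaName = "uResetGK"                                     # assumed MSA name (sAMAccountName max 15 chars)

# 1. Gatekeeper service account: a standalone managed service account bound to
#    one computer. AD maintains its password, so nobody has to set or rotate it.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$msaName'")) {
    New-ADServiceAccount -Name $msaName -RestrictToSingleComputer -Enabled $true
}
# Bind the MSA to the Gatekeeper host and install it there.
Add-ADComputerServiceAccount -Computer $gkHost -ServiceAccount $msaName
Invoke-Command -ComputerName $gkHost -ScriptBlock {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $using:msaName
    Test-ADServiceAccount -Identity $using:msaName   # True when the host can retrieve the MSA password
}

# 2. The three uReset groups, using the default names from the text.
$groups = @{
    "uReset Admins"         = "Full control over uReset"
    "uReset Helpdesk Users" = "Access to the uReset helpdesk portal"
    "uReset Gatekeepers"    = "Reserved for multiple Gatekeepers in one domain"
}
foreach ($name in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
            -Path "CN=Users,$($domain.DistinguishedName)" -Description $groups[$name]
    }
}

# 3. Sanity-check the scope you are about to select in the installer: how many
#    enabled users will the policy cover, and what lockout settings drive the
#    tickets you are trying to eliminate?
$inScope = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $scopeOU -SearchScope Subtree)
"{0} enabled users in scope {1}" -f $inScope.Count, $scopeOU
Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutDuration, MaxPasswordAge
```

`Test-ADServiceAccount` returning `True` on the Gatekeeper host is the check worth doing before you point the installer at the account; if it returns `False`, the host cannot retrieve the managed password and the Gatekeeper service will not start under it.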
Deploy your first password reset policy
The idea here is simple: imagine an on-campus or remote end user who has forgotten their Active Directory password. How can this user perform a self-service password reset? Specifically, how can the user authenticate to your environment in order to perform that reset? The goal of a solution like uReset is to do this without involving the help desk at all.
This is where Specops is clever: they use claims-based authentication and federation with a number of third-party identity providers so that the user can prove who they are to Active Directory without an AD password.
In Gatekeeper, navigate to Policies and Groups, find the Default Policy, and click Edit. The Default Policy screen is shown in the following screenshot:
Under Available Identity Services, you can view all of the different identity providers that Specops supports. All of the major players are available, including but not limited to the following:
- Microsoft Authenticator
- Google Authenticator
- Microsoft Account
- Apple ID / Fingerprint authentication
As you can see in the previous screenshot, the strength of each enrollment/authentication policy is expressed as a required number of stars. Each identity provider has a default star value, which you can customize.
The idea is flexibility: users can enroll with more identity services than the policy strictly requires, so they have alternatives if a given factor is unavailable when a password reset or account unlock is needed.
The built-in Default Policy may be all you need if the same password reset rules should apply to the whole AD scope you selected during installation. However, you can also click New in Gatekeeper to deploy an additional policy through a separate GPO in your domain. This is useful when different divisions of your company have different security requirements.
The user enrollment process
You have some flexibility in how you "onboard" your users to uReset. One way is simply to share the enrollment URL with them. You can find it on the Gatekeeper application's start page.
The enrollment URL takes the new user to the Specops cloud, where they log in with their Active Directory credentials. As you can see below, the enrollment process requires the user to link as many of the enabled identity providers as it takes to meet the policy's "star count."
The solution also supports pre-enrollment and admin enrollment options that remove the need for the user to enroll at all. Pre-enrollment leverages existing user profile data that suits an identity service, such as the mobile number used for the mobile verification code. Where the user profile lacks the necessary data, admins can enroll users on their behalf with the admin enrollment option, which is exposed through PowerShell cmdlets.
Another way to drive enrollment is to deploy the optional uReset client application. In Gatekeeper, head over to Deploy uReset Client and click Download setup files to obtain the small .msi installation package. The client stops being optional if you want the "Reset Password…" link on the login/lock screen of your Windows workstations.
Of course, you can use Group Policy Software Installation, System Center Configuration Manager, or any other standard method to install the agent on users' computers.
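Pre-enrollment is only as good as the profile data it reads, so it is worth finding out, before you rely on it, which users in scope cannot be pre-enrolled. The script below is an added example and not Specops' code (their admin-enrollment cmdlets are not shown here, since the text does not name them). It assumes the scope OU path and that the mobile verification service reads the AD `mobile` attribute; check the attribute your policy actually uses.

```powershell
# Added example (not Specops' code): report users in the uReset scope whose
# profile lacks a usable mobile number for pre-enrollment. The OU and the use
# of the "mobile" attribute are assumptions.
Import-Module ActiveDirectory

$scopeOU = "OU=Corp Users,DC=corp,DC=example"    # assumed uReset scope

# Require E.164 form (+country code, digits only); a desk extension or a
# locally formatted number will not receive an SMS code.
$e164 = '^\+[1-9]\d{7,14}$'

$report = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $scopeOU -SearchScope Subtree `
               -Properties mobile, mail |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.SamAccountName
            Mobile   = $_.mobile
            MobileOK = [bool]($_.mobile -and $_.mobile -match $e164)
            MailOK   = [bool]$_.mail
        }
    })

# These users cannot be pre-enrolled for the mobile code; they need admin
# enrollment or must self-enroll through the URL / client.
$needsAttention = @($report | Where-Object { -not $_.MobileOK })
$needsAttention | Format-Table User, Mobile, MobileOK, MailOK -AutoSize

# Hand the list to whoever maintains the profile data, or feed it to your
# admin-enrollment script.
$needsAttention | Export-Csv -Path .\ureset-preenroll-gaps.csv -NoTypeInformation

"{0} of {1} in-scope users have a usable mobile number" -f ($report.Count - $needsAttention.Count), $report.Count
```

Treat the output as a data-quality task as much as an enrollment task: a number that belongs to a former employee or a shared desk phone is not a gap the script can see, and it is exactly the kind of entry that lets the wrong person receive a reset code.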
The uReset client adds three new programs (hyperlinks) to the user's computer:
- Enroll for Password Reset
- Change Password
- Reset Password
The client can be configured to prompt the user to enroll by means of a balloon tip every N minutes after logon.
As noted above, the password change and reset processes require an Internet connection (over HTTPS) and interaction with the uReset cloud.
The password change/reset workflow
Let's use the client application to change a user's password. Double-click the Change Password shortcut on the computer. The user's default web browser connects to the Specops cloud, and the user is prompted for their AD credentials.
Of course, the password change process is the easy case, because the user still knows their current password. The crucial test of Specops uReset is how easy it is for a user to reset their password when (1) the domain password policy's maximum password age has been reached, (2) the user has forgotten their password, or (3) the user has been locked out of AD.
From the user's workstation, the process is simple because the uReset client adds a "Reset password" option to the Windows logon screen as shown below:
The client application then walks the user through the self-service password reset process:
- Verify their AD domain username
- Authenticate with as many configured identity services as necessary to fill the "star bar"
- Reset the password or unlock their account.
Because (1) Specops trusts its identity providers and (2) you trust Specops, the user is able to prove their identity to the AD domain without knowing their AD password. Cool, right? The flip side is that whatever combination of identity services satisfies the star bar becomes exactly as strong as the AD password it can reset: if a user's personal Google or Microsoft account is compromised, or their phone is SIM-swapped, and your policy lets that single factor fill the bar, the attacker can reset the AD password. Set star values so that no single consumer account is sufficient on its own, and keep an eye on who resets what (the Gatekeeper's reset and unlock operations show up in the domain controller's Security log like any other reset).
As you'd expect, your users can change or reset their Active Directory domain passwords from their mobile devices as well. Specops has a Password Reset client for iOS, Android, and Windows Phone.
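Because every self-service reset is ultimately executed in AD by the Gatekeeper, you can audit it with ordinary domain controller auditing. The script below is an added example, not Specops' code or a uReset feature: it assumes the Gatekeeper runs on `DC01` under the MSA `CORP\uResetGK$` (so the Subject of the audit event is that account), and that "Audit User Account Management" success auditing is enabled on the DC. The event IDs are standard Windows ones: 4724 (password reset by another principal), 4767 (account unlocked); 4723 (a user changing their own password) is deliberately excluded.

```powershell
# Added example (not Specops' code): separate password resets and unlocks done
# through the uReset Gatekeeper from everything else in the last 7 days.
# Assumptions: Gatekeeper on DC01, running as the MSA uResetGK$, and
# "Audit User Account Management" (success) enabled on the DC.
Import-Module ActiveDirectory

$dc        = "DC01"            # assumed DC hosting the Gatekeeper
$gkAccount = "uResetGK$"       # assumed MSA sAMAccountName (MSAs end with $)
$since     = (Get-Date).AddDays(-7)

# 4724 = an attempt was made to reset an account's password
# 4767 = a user account was unlocked
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4724, 4767
    StartTime = $since
}

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Action  = if ($e.Id -eq 4724) { 'Reset' } else { 'Unlock' }
        Subject = $d.SubjectUserName      # who performed it
        Target  = $d.TargetUserName       # whose account
        ViaGK   = ($d.SubjectUserName -eq $gkAccount)
    }
}

# Self-service volume versus everything else (helpdesk, scripts, or an
# attacker who has obtained reset rights).
$rows | Group-Object ViaGK |
    Select-Object @{n = 'ViaGatekeeper'; e = { $_.Name }}, Count

# A target reset through the Gatekeeper more than twice in a week is worth a
# look: either a user who keeps forgetting, or someone else driving the flow.
$rows | Where-Object ViaGK | Group-Object Target |
    Where-Object Count -gt 2 | Select-Object Name, Count

# Resets NOT done through the Gatekeeper, for comparison with helpdesk tickets.
$rows | Where-Object { -not $_.ViaGK } | Sort-Object Time | Format-Table -AutoSize
```

If your Gatekeeper runs on a member server rather than the DC, the events are still written on whichever DC processed the reset, so query each DC or your SIEM rather than the Gatekeeper host.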
Licensing details and wrap-up
Unfortunately, Specops is not forthcoming on their public website (at least as far as I could tell) with regard to uReset licensing and pricing details. Licensing is subscription-based and is determined by the number of enabled AD users. I think they want you to evaluate the product and then reach out to them to open that particular conversation.
As I've said, my chief concerns with uReset are (1) reliance on an Internet connection; and (2) the fact that some company data has to be stored in the cloud. If you're willing to overcome those hurdles, then I believe you'll find uReset works exactly as advertised and is user-friendly enough to be comfortable for the most stubborn employee you support.