Product: Specops uReset Self Service Password Reset
Product Homepage: click here
Free Evaluation: click here
Specops uReset is a password reset solution designed to ease the pain of Active Directory domain account password changes caused by expired or forgotten passwords or locked out accounts. uReset can improve your organization’s overall security by implementing multifactor authentication for password changes, and reduce help desk costs by enabling users to effectively reset passwords on their own without assistance. uReset leverages many third-party identity providers and includes an intuitive, user-friendly web-based management interface that is cloud-based, allowing users to reset their password any time, from anywhere, on any device.
The Password Dilemma
Passwords are the bane of IT administrators everywhere. Managing passwords is vital to the overall security of an organization, but often password policies that enforce long, complex passwords lead to high maintenance requirements for helpdesk administrators as users tend to have difficulty remembering them. This is especially true when a password is first created or later changed. Traditionally when a user requires a password reset, either because they’ve forgotten it or locked themselves out in an attempt to remember it, a call to the helpdesk must be made to have it reset. During this time a user who is unable to log on to the network is not being productive. In addition, helpdesk administrators are further burdened with additional work. Making matters worse, password resets represent a rich target to clever cybercriminals skilled in the art of social engineering. If controls are not in place to enforce multifactor authentication, an attacker may be able to simply call the helpdesk, ask for a password reset for a domain user, and then use those stolen credentials to steal sensitive data or mount other attacks.
Leveraging Specops uReset automated password solution can address nearly all of these challenges. In addition to offloading the tedious, time consuming, and critical task of resetting passwords from helpdesk administrators, uReset offers ubiquitous ease of access to their cloud-based platform and enforces strong, multifactor authentication to ensure that users are indeed who they claim to be when requesting password resets.
Although uReset is a cloud-based solution, it does require software to be installed on a Windows Server 2012 R2 server on premises. The installation is a breeze, and configuration is not difficult either. After signing up for an evaluation or purchasing the service, registration is required. There you will provide the namespace for which to provide password reset services for. For example, my internal domain namespace is lab.richardhicks.net, so I’ve registered that. Once complete you will download the software. After extracting the downloaded .zip file, copy the files to a domain controller and run the setup utility (Specops uReset Gatekeeper Setup.exe) to install the Gatekeeper software. When the program launches, select Install the Admin Tools from the Specops uReset Setup menu.
Once the tools have been installed successfully, click on Start Admin Tools.
On the Specops uReset Administration screen, click Install Gatekeeper.
The Admin email field is prepopulated with the information obtained from your initial registration. Enter your Admin password and click Next.
Select a service account to be used by the Gatekeeper service. It is recommended that you use a Managed Service Account, which is the default option. However, it is possible to use a regular domain account for this as well.
If your organization provides access to the Internet via a proxy server, you will be prompted for those details. After that you will be prompted to specify where in Active Directory the uReset service will apply. Choose an appropriate location and click Add.
Provide names for uReset Active Directory groups. New groups will be created for uReset administrators, helpdesk users, and for Gatekeeper administrators. Accept the default names or enter new ones if desired. Once complete, click Finish.
Now you will be prompted to configure and enable a uReset Group Policy. This policy defines how users must enroll for the self-service password reset service, and how they will be allowed to authenticate to change their passwords in Active Directory. In the Specops uReset Administration console, on the Policies row, click Edit on the Default Policy. On the left side choose the identity services you wish to leverage for enrollment and password changes. Note that uReset also allows the number required for password changes to be lower than the number required for enrollment. This will allow users to have options.
Here I’ve chosen to use Microsoft Account and LinkedIn. You can assign “star values” to each service for the purposes of establishing the relative value or level of security of each identity provider. For example, the organization may trust a Microsoft Account more than they do a LinkedIn account, so they would be ranked accordingly. It is important to understand that the end users must enroll and authenticate to as many identity providers as is required to fulfill the number of stars required for enrollment and/or authentication, as defined by the administrator. Once you’ve defined your policy, click Ok to continue.
Be sure to enable the policy once you’ve finished selecting and configuring identity providers.
End User Enrollment
Next provide the web enrollment link to end users. The URL for web enrollment is located in the Web URLs section in the uReset Administration console. Users will log on using their existing, current Active Directory password.
The user will then be required to authenticate to the defined identity providers as configured by the administrator. In this example I have defined only two, but conceivably you could define as many as you like. The user will need to authenticate to as many identity providers as is necessary to fill the star bar at the top of the screen.
Clicking on an identity provider will provide the user with a link to authenticate to the service. Here, clicking Continue to Microsoft Account will take you to the log in page for this service.
After successfully authenticating to the identity provider, continue the process until the number of stars has been met.
Once you have authenticated with enough identity providers to meet the star requirement, click I’m done.
Online Password Reset
If an end user needs to reset their password, provide them with the Password Reset URL which is located in the Web URLs section in the uReset Administration console. The user will be immediately prompted for their username.
Clicking Continue will then prompt the user to select an identity provider with which to authenticate to and validate their identity. It will be necessary to authenticate to one or more identity providers with enough star ratings to meet the requirements established by the administrator.
After authenticating to identity providers and satisfying the star requirement, the user is then prompted to enter a new password. Password policy guidelines are clearly outlined on the screen, allowing users to quickly create a password that conforms to current policy. More importantly, if their password does not meet in place policies they will immediately be able to determine why and make any necessary corrections.
Once the user enters a new password that meets the password complexity policy, the change is made in Active Directory.
Specops uReset Client
To further streamline the password reset process, an optional client software component can be installed on Windows machines to facilitate password resets when necessary. You can download the uReset client here. The client install is simple and quick, and can be finished in just a few clicks. Additionally, the software can be distributed using a variety of software installation and management platforms such as Active Directory software installation policies, SCCM, or similar solutions from third-party vendors. Once the software is installed, a Password Reset link will appear on the home screen, allowing users to connect to the online portal to begin the password reset process.
We’ve barely scratched the surface of the Specops uReset Password Reset tool, but you can see from even the basic configuration we’ve done for this review how helpful the tool can be. Unfortunately, space doesn’t permit me from diving in to many of the other features of the product in detail, so I would encourage you to sign up for a free, fully-functional 10 user evaluation today. There you’ll get to experience some of the other important features such as group policy integration, SMS and email notifications, one-time password (OTP) support, mobile app, portal customization, and more.
For such a powerful tool, this product is quick and simple to install and configure. In just a few minutes you’ll have online password reset with multiple third-party identity providers configured in no time. I am amazed at how intuitive the user interface is, and as my experience has been with other Specops solutions, the supporting documentation is excellent. I highly recommend this product, and give the Specops uReset Password Reset solution the WindowSecurity.com Gold Award with a rating of 5 out of 5.