Specops Software is a Swedish company founded in 2001 with headquarters in Stockholm and offices in the U.S., Canada, and the UK. They develop unique password and authentication management products based on Microsoft technology. In May 2020, they launched Specops Secure Service Desk, a solution designed to address end-user verification gaps in the corporate IT service desk.
Numerous organizations do not have a process in place for securely verifying the identity of a user who calls the service desk. As such, how do they know the person they are talking to is who they say they are? A lot of these calls are related to expired passwords or locked accounts, and granting those users access to their alleged accounts without securely verifying their identity can easily leave the organization vulnerable to account takeovers.
In some cases, the service desk might just take the user’s word for it, while in other cases, they might use static data pulled from an HR system to try to verify their identity. For example, they might ask users for their employee ID, line manager, or other personal information, and use those details as security “questions.” However, social engineering often allows cybercriminals to target users, gather personally identifiable data, and then impersonate them.
With Specops Secure Service Desk, an organization can enforce secure user verification through stronger authentication methods before, for example, proceeding with resetting a user’s password, thus reducing the methods prone to social engineering. A variety of identity providers are available during the verification process, including corporate email address, one-time codes, Duo Security, Okta Verify, and many more.
How does it work?
Secure Service Desk natively integrates with Active Directory (AD) and works on the principle of pre-enrollment. Administrators configure one or more identity services and users targeted by Secure Service Desk are pre-enrolled in the service based on information stored in AD. For example, if a user’s mobile number exists in AD, this attribute can be used to pre-enroll the user in identity services that rely on this, such as mobile one-time passwords (OTP). Once users have been pre-enrolled, and they call the service desk, agents can use one of the identity services the user is enrolled with to verify the user’s identity.
As with other Specops products, Secure Service Desk relies on one or more Gatekeeper server components, which need to be installed on-premises, and on web, identity, and backend services that are all hosted in the cloud by Specops:
- The Gatekeeper is installed on a domain-joined server on-premises, so it can read user information from AD and manage all operations against AD, such as reading/writing enrollment data and resetting passwords.
- Authentication web contains the front-end for users and administrators. It enables admins to view system information and manage various aspects of the product, including system-wide configurations and policies.
- Identity services are the entities that can validate a user’s identity in Secure Service Desk. The tokens issued by these identity services are then used by the backend to validate a user’s identity.
- Authentication backend communicates with the Gatekeeper to read user information from AD and to validate a user’s identity based on the tokens from individual identity services. The web and identity services also communicate with the backend.
Although at first it might seem that an inbound connection needs to be open through the firewall to the Gatekeeper, this is not the case! All Specops connections are outbound only, which is great from a security perspective.
Setup and initial configuration
We start by installing the Gatekeeper, which is extremely easy, so I will skip some steps for the purposes of this review.
The first option is to decide where we want to store Specops settings in AD. By default, the domain’s System container is used:
Three security groups are created automatically:
- Admin Group: Users in this group have admin access to the Gateway and Secure Service Desk, and can configure any aspect of the product.
- User Admin Group: This is the group we add our service desk staff to, as it gives its members permission to use Secure Service Desk and reset users’ passwords.
- Gatekeepers Group: This group contains the service accounts used by Secure Service Desk to read users’ information from AD and reset passwords.
Once installed, we are taken to the Gatekeeper admin console, where we can validate the status of the Gatekeeper and check or update other settings we configured during the installation:
The Specops Authentication web portal is used to view system information and manage all aspects of Secure Service Desk. When administrators log in for the first time, they are required to enroll in the system.
The first page lists all the Gatekeepers configured in the environment, including their status. As the text suggests, we can install and configure additional ones for redundancy, always a must for any production environment. If a Gatekeeper fails, service will not be disrupted as long as there is another one up and running.
Within this interface, administrators can enable or disable the different identity services supported by Specops Authentication, and there are many of them. Remember that these are shared by several Specops products, such as Secure Service Desk, Specops uReset, and Specops Authentication for Microsoft 365. This means that if you have already configured one of these products, there might not be much left to configure.
The ones with a cog next to their name support additional configuration. For example, under Secret Questions, we can specify how many questions users need to answer, delete existing questions, add new ones, or even add questions in different languages, among other options.
The web interface also provides access to several useful reports and logs. For example, we can track when users enroll, when the service desk resets a password, and so on:
The Secure Service Desk Reporting feature allows organizations to track their enrollment process and provides several reports on service desk calls, covering events such as whether user verification was performed, which identity service was used during verification, and account unlocks and password resets. This is a very useful report, and it can be exported to CSV, Excel, JSON, and other formats.
Under Products is where we configure Service Desk itself:
First, we configure a policy that states which identity services users can use.
Next, we specify if admins need to successfully validate a user’s identity before being able to reset their password, and if we want to prevent service desk agents from generating a password for the user or if this should be automatically generated:
Specops Secure Service Desk end-users have to be pre-enrolled with the identity services admins configured before service desk staff can validate their identity. In most cases, this means that certain attributes in Active Directory, such as mobile number or manager, need to be populated before a user can be verified with the identity service in question. This is not a hard requirement, however, as users can also be verified with other identity services, such as commercial MFA solutions like Duo Security or Okta Verify that may already be in use.
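Because pre-enrollment depends on AD attributes being populated, a practitioner would want to audit readiness before rolling the product out. The following is an added example, not Specops code; it assumes the RSAT ActiveDirectory module, an account able to read user attributes, and that the standard `mobile`, `manager` and `mail` attributes back the mobile OTP, manager and email-link identity services described above (that mapping is assumed from the review). It also flags users whose manager account is disabled, since such a manager cannot confirm anyone's identity.

```powershell
# Added example (not Specops code): pre-enrollment readiness audit for Secure Service Desk.
# Assumes RSAT ActiveDirectory module and read access to user attributes.
# Attribute-to-identity-service mapping (mobile -> OTP, manager -> Manager, mail -> Email link)
# is assumed from the review, not taken from product documentation.
Import-Module ActiveDirectory

function Get-PreEnrollmentReadiness {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Cache manager lookups: many users share the same manager DN
    $managerEnabled = @{}

    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                -Properties mobile, manager, mail

    foreach ($u in $users) {
        # Manager verification only helps if the manager account itself is active
        $managerOk = $false
        if ($u.manager) {
            if (-not $managerEnabled.ContainsKey($u.manager)) {
                $managerEnabled[$u.manager] = [bool](Get-ADUser -Identity $u.manager).Enabled
            }
            $managerOk = $managerEnabled[$u.manager]
        }

        $options = @()
        if ($u.mobile)  { $options += 'Mobile OTP' }
        if ($managerOk) { $options += 'Manager' }
        if ($u.mail)    { $options += 'Email link' }

        [pscustomobject]@{
            SamAccountName   = $u.SamAccountName
            MobileOtp        = [bool]$u.mobile
            ManagerVerify    = $managerOk
            EmailLink        = [bool]$u.mail
            AvailableOptions = ($options -join ', ')
            # No attribute-based option: this user must rely on an external MFA provider
            NeedsMfaProvider = ($options.Count -eq 0)
        }
    }
}

# List users who cannot be pre-enrolled in any attribute-based identity service
Get-PreEnrollmentReadiness |
    Where-Object NeedsMfaProvider |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, MobileOtp, ManagerVerify, EmailLink -AutoSize
```

Pipe the function into `Export-Csv` instead of `Format-Table` to hand the full readiness list to the service desk lead before enrollment begins.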
Resetting users’ passwords
From a service desk staff point of view, Secure Service Desk is extremely easy to use. From the dashboard, they start by searching for the user whose password they want to reset:
Once a user is selected, a page with his or her details comes up:
Notice the red icon in the top right corner and that the Reset Password option has a red strike-through, as we have not yet verified the user’s identity. This is because of the Force identity verification option we configured earlier.
Next, the admin selects an identity method to validate the user’s identity. For example, if Mobile is selected, an SMS containing a one-time code is sent to the user’s mobile number defined in AD:
The user then gives the code to the service desk agent, who types it in the text box provided:
Once he or she clicks Verify — and if the code is correct — the user’s identity is verified (notice the green icon on the top right corner now), and the Reset Password option becomes available:
Secure Service Desk was designed to be secure from both internal and external threats. As such, visibility of personally identifiable information or verification data is kept to a minimum. This is why service desk agents do not see the verification codes generated in the above example, but rather the code has to be entered manually, relying on the user to read back the correct code.
Options such as Microsoft Authenticator or Secret Questions rely on sending an email to the user’s corporate email address with a link. For example, if we select Secret Questions, Specops Secure Service Desk generates a unique URL that is sent to the user through a customizable email message:
The user then receives the email from Specops with the link:
When the user clicks the link, they are taken to a website to answer the question selected during registration:
Once the user successfully answers the question, the identity gets automatically (and almost instantly!) validated in Secure Service Desk:
There is even the option to have the user’s manager validate their identity (assuming the corresponding AD field is populated).
As you can see, it is extremely easy to securely verify who is on the other side of the phone line using Specops Secure Service Desk. Once an identity has been verified, the admin can proceed to reset the user’s password. There are also options to inform the user by email or SMS of the new password, and force the user to change the password after the next logon:
Admins have access to a variety of additional user information, such as the identity services the user enrolled in, with the option to remove specific ones if necessary:
Under User Details, admins can see certain details about the user account, like email address, manager, or phone number:
As well as information about the user’s password and enrollment:
Lastly, for auditing and troubleshooting purposes, there is a log of all the actions performed by the user or service desk such as enrollment, password resets, and identity verifications:
Specops Secure Service Desk delivers on its promise. It helps organizations enforce secure user verification through stronger authentication methods. Furthermore, it does not need to be used solely for password resets. Organizations can use it to securely validate a user’s identity before proceeding with other tasks, such as providing keys to unlock encrypted computers, updating user data, helping the user with a new or an existing case, or before providing any confidential information, for example. For all these reasons, Specops Secure Service Desk receives a score of 4.7 out of 5, which is a gold star review.