Solved

Offline password reminder utility

Posted on 2014-01-17
Last Modified: 2014-01-23
Not sure if there is a solution for this.
I am responsible for a Windows domain network with roughly 225 client machines.  Many of these are mobile and are located offsite; they connect to head office using Sonicwall GVC software (VPN).

We currently don't enforce password changes; in fact, they are issued their password when I set up their account and can't change it.  We need to change this for PCI compliance reasons, and of course, to follow best practices.

My problem is this:
Password reset tools that synchronize with Active Directory that I've found require that the machine be connected to the domain (obviously).

However, given the following scenario:
A user is forced to change their password on a Friday (while connected to the domain and synced with AD), and then is off work for the next two weeks.  They come back and can't recall what they set the password to.  They work offsite and are nowhere near one of our fixed locations with VPN connectivity.  They can only connect to VPN once they've already logged into their computer, which is dependent on knowing their password.  Although they can call us to have their password reset, it won't help them get into their own profile, as the cached password is still different.  We need to assume that they have no access to any other computer.

We need a toolset that can manage their password with phone access (security questions, etc.) and that syncs this password to AD, while enforcing password changes and password strengths according to our preferences.  Most importantly, it needs to be able to recall their current password.

The only way out of this that I can see is that we leave a generic back-door non-administrative local account with VPN software configured that they can log into (with no access to their own account).  They could log into this with our instruction, then the new temporary 'reset' password would be synced to their account.

Any software or easier solution to this?

Thanks,
Matt
Question by:mattd_br
6 Comments
LVL 16

Expert Comment

by:l33tf0b
ID: 39789248
I've seen this before, and the solution you described is the only one that I know would work.  For example, the Cisco VPN client has the option to start the VPN client before Windows login.  You would log in through VPN, and then change the password.  This will then sync with his cached credentials.

It'd be interesting to see if other experts have seen this solution before.  Another way is to maintain passwords using LastPass: when passwords have expired, the admin will reset it to the same password for the same user.  LastPass is quite secure if used by admins only.  I know it doesn't sound like the best, but it should meet what you want for now.
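As an added example (not posted by anyone in this thread): a PowerShell script an admin can run on the laptop once any session (for instance the generic local VPN account the question proposes) has the tunnel up, to verify that a domain controller is reachable and then refresh the user's cached domain password after a helpdesk reset. The domain and user names are placeholders, and it assumes the VPN actually routes to a DC.

```powershell
# Added example, not from the thread.  Refresh a user's cached domain credential
# over VPN after a helpdesk password reset.  Placeholders: CORP and jdoe.
param(
    [string]$Domain = 'CORP',   # placeholder NetBIOS domain name
    [string]$User   = 'jdoe'    # placeholder domain user whose password was reset
)

# 1. Can we reach a domain controller through the tunnel?  nltest exits non-zero if not.
$dcInfo = & nltest /dsgetdc:$Domain 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No domain controller for $Domain is reachable over the VPN; the cached password cannot be refreshed yet."
    Write-Output $dcInfo
    return
}
Write-Output "Domain controller reachable:`n$dcInfo"

# 2. Does this machine cache domain logons at all?  CachedLogonsCount is a REG_SZ under
#    Winlogon; unset means the Windows default of 10, and 0 disables offline logon entirely.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) {
    Write-Output 'CachedLogonsCount not set (default 10 cached logons).'
} elseif ([int]$cached -eq 0) {
    Write-Warning 'CachedLogonsCount is 0: this machine never allows offline domain logon.'
} else {
    Write-Output "CachedLogonsCount = $cached"
}

# 3. Perform an interactive logon as the user with the NEW password.  A successful
#    interactive logon while a DC is reachable is what updates the locally cached
#    verifier, so the user can then log on offline with the new password.
#    runas prompts for the password on the console; nothing is written to disk.
& runas /user:"$Domain\$User" 'cmd.exe /c exit'
if ($LASTEXITCODE -eq 0) {
    Write-Output "Interactive logon succeeded; the cached credential for $Domain\$User now matches the new password."
} else {
    # A 'RUNAS ERROR' line on the console accompanies a failed logon (bad password, locked account, DC unreachable).
    Write-Warning "runas failed with exit code $LASTEXITCODE; the cached credential was not updated."
}
```

Run it from an elevated or standard session on the laptop itself; the user types the new password at the runas prompt, so the helpdesk never needs to see it.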
LVL 91

Expert Comment

by:nobus
ID: 39790364
You can require them to save their passwords in a utility like KeePass: http://keepass.info/
LVL 35

Accepted Solution

by: Mahesh (earned 300 total points)
ID: 39791263
Even if you manage to work with phone security access, starting the VPN client earlier during startup, etc., the problem is as below.
Since the user doesn't know (forgot) the old cached password, he cannot log in to his workstation.
And logging in to the corporate network with VPN and resetting his password would not help, as unless he connects his machine to the corporate network physically, the cached password will not change, and hence he cannot log in to his workstation offline.

The workaround I can see:
Allow him local login on his workstation as local administrator so that he can at least access his data stored in his own profile, and then log in with VPN to continue working.
Once he reaches the office on another day, he can sync his cached password with the new password.
If you are using the Outlook client, he will not be able to use it, but in that case you can grant him webmail access.

Another option is to allow / configure fingerprint authentication if the laptop supports it.

Mahesh
LVL 1

Author Comment

by:mattd_br
ID: 39793926
Of the options listed here so far, I believe the best one is fingerprint authentication.  I wasn't thinking about that, but I believe all our laptops have readers.  We can just enforce that they must be used (or at least configured).

Keeping a password list on the computer doesn't do much good if they can't access it.  If it was cloud-based and AD integrated it could be a possibility, but opens up security issues.

We don't allow our users local administrative privileges.  They are locked down.  In this fashion, we deal with far fewer issues related to viruses, etc.  Any changes made can only affect their own profile.

We'll still need a web-based tool that they can use to change their AD password, but there are a lot of options for this.  (VPN password uses LDAP to AD, so same password).  These are Lenovo laptops and we'll need a solution for hard drive encryption that also integrates with the fingerprint reader in this case (we currently use TrueCrypt, but there's no integration at all there).
LVL 35

Expert Comment

by:Mahesh
ID: 39793954
You can enable local standard user login on laptops.
This will not contain admin rights, but at the same time they can't access data stored in their actual profiles on the desktop.

If the user stored data on network shares in the office, then the above option will work.
Maybe the helpdesk will reset their domain login password, and once logged in as a local user on their workstation, they can get into the corporate network with VPN using the new password, and from there they can access their data.

Otherwise, fingerprint authentication is the better option.

Mahesh
LVL 1

Author Closing Comment

by:mattd_br
ID: 39802699
We have agreed that fingerprint (biometric) authentication is the best route to take in our scenario, as it addresses the issue with forgetting the password, and there doesn't seem to be any password reminder tool for this sort of requirement that would be manageable.

We will need to find a hard drive encryption toolset that integrates with the fingerprint sensor as well.
Thanks for the direction.