Offline password reminder utility

Posted on 2014-01-17
Last Modified: 2014-01-23
Not sure if there is a solution for this.
I am responsible for a Windows domain network with roughly 225 client machines.  Many of these are mobile and are located offsite; they connect to head office using Sonicwall GVC software (VPN).

We currently don't enforce password changes; in fact, they are issued their password when I set up their account and can't change it.  We need to change this for PCI compliance reasons, and of course, to follow best practices.

My problem is this:
Password reset tools that synchronize with Active Directory that I've found require that the machine be connected to the domain (obviously).

However, given the following scenario:
A user is forced to change their password on a Friday (while connected to the domain, synced with AD), and then is off work for the next two weeks.  They come back and can't recall what they set the password to.  They work offsite and are nowhere near one of our fixed locations with VPN connectivity.  They can only connect to VPN once they've already logged into their computer, which is dependent on knowing their password.  Although they can call us to have their password reset, it won't help them get into their own profile as the cached password is still different.  We need to assume that they have no access to any other computer.

We need a toolset that can manage their password with phone access (security questions, etc.) and that syncs this password to AD, while enforcing password changes and password strengths according to our preferences.  Most importantly, it needs to be able to recall their current password.

The only way out of this that I can see is that we leave a generic back-door non-administrative local account with VPN software configured that they can log into (with no access to their own account).  They could log into this with our instruction, then the new temporary 'reset' password would be synced to their account.

Any software or easier solution to this?

Thanks,
Matt
Question by:mattd_br
6 Comments
 
LVL 16

Expert Comment

by:Raymond Peng
ID: 39789248
I've seen this before and the solution you described is the only one that I know would work.  For example, the Cisco VPN client has the option to start the VPN client before Windows login.  You would log in through VPN, and now change the password.  This will then sync with his cached credentials.

It'd be interesting to see if other experts have seen this solution before.  Another way is to maintain passwords using LastPass: when passwords have expired, the admin will reset it to the same password for the same user.  LastPass is quite secure if used by admins only.  I know it doesn't sound like the best, but it should meet what you want for now.
0
 
LVL 93

Expert Comment

by:nobus
ID: 39790364
You can require them to save the passwords in a utility like KeePass: http://keepass.info/
0
 
LVL 38

Accepted Solution

by:
Mahesh earned 1200 total points
ID: 39791263
Even if you manage to work with phone security access, starting the VPN client earlier during startup, etc., the problem is as below.
Since the user doesn't know (forgot) the old cached password, he cannot log in to his workstation.
And logging in to the corporate network with VPN and resetting his password would not help, as unless he connects his machine to the corp network physically, the cached password will not change and hence he cannot log in to his workstation offline.

The workaround I can see:
Allow him local login on his workstation as local administrator so that he can access at least his data stored in his own profile, and then he can log in with VPN to continue to work.
Once he reaches the office any other day, he can sync his cached password with the new password.
If you are using the Outlook client, he will not be able to use it, but in that case you can grant him webmail access.

Another option is to allow / configure fingerprint authentication if the laptop supports it.

Mahesh
0
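The accepted answer above hinges on two facts: the laptop only lets a user in offline because Windows cached the last domain logon, and that cache is not refreshed until the machine next talks to a domain controller, so a password change forced just before a long absence leaves the user locked out. The following PowerShell is an added example written for this page, not something posted in the thread or shipped with any product. The first function reads the real Winlogon `CachedLogonsCount` value on a laptop to confirm cached logons are actually enabled; the second lists enabled domain users whose password expires within a chosen window, so the helpdesk can have mobile users change it while still connected rather than at an awkward time. It assumes the RSAT ActiveDirectory module is installed where the second function runs, and the `OU=Laptops` search base in the comment is a hypothetical value.

```powershell
# Added example (not from the thread). Two checks for the cached-credential
# problem discussed above. Assumes the ActiveDirectory module (RSAT) is
# available on the machine running Get-ExpiringDomainPasswords.

# 1. On a laptop: confirm cached domain logons are enabled, because the
#    offline workaround only works if Windows cached the last logon.
#    Windows stores the policy in the Winlogon key; the default is 10.
function Get-CachedLogonsCount {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name 'CachedLogonsCount' `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { return 10 }   # absent value means the Windows default
    return [int]$value                    # 0 means no offline logon is possible
}

# 2. On a domain-joined admin workstation: list enabled users whose password
#    expires within $Days days, sorted by expiry, so they can be contacted
#    before the expiry forces a change right before time off.
function Get-ExpiringDomainPasswords {
    param(
        [int]$Days = 14,
        # Hypothetical OU; leave empty to search the whole domain.
        # Example: 'OU=Laptops,DC=example,DC=com'
        [string]$SearchBase = ''
    )
    Import-Module ActiveDirectory

    $params = @{
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'msDS-UserPasswordExpiryTimeComputed', 'PasswordLastSet'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    $now    = Get-Date
    $cutoff = $now.AddDays($Days)

    Get-ADUser @params |
        # The constructed attribute is a FILETIME; 0 or Int64.MaxValue means
        # "never expires", so skip those before converting.
        Where-Object {
            $_.'msDS-UserPasswordExpiryTimeComputed' -gt 0 -and
            $_.'msDS-UserPasswordExpiryTimeComputed' -lt [Int64]::MaxValue
        } |
        ForEach-Object {
            $expiry = [DateTime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')
            [PSCustomObject]@{
                SamAccountName  = $_.SamAccountName
                PasswordLastSet = $_.PasswordLastSet
                Expires         = $expiry
                DaysLeft        = [math]::Round(($expiry - $now).TotalDays, 1)
            }
        } |
        Where-Object { $_.Expires -le $cutoff } |
        Sort-Object Expires
}

# Usage:
# Get-CachedLogonsCount
# Get-ExpiringDomainPasswords -Days 14 | Format-Table -AutoSize
```

A `CachedLogonsCount` of 0 means the machine cannot be logged into offline at all, which is the other way a mobile user ends up locked out; the expiry report is what turns the Friday-before-vacation scenario into a scheduled phone call instead of a helpdesk emergency.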
 
LVL 1

Author Comment

by:mattd_br
ID: 39793926
Of the options listed here so far, I believe the best one is fingerprint authentication.  I wasn't thinking about that, but I believe all our laptops have readers.  We can just enforce that they must be used (or at least configured).

Keeping a password list on the computer doesn't do much good if they can't access it.  If it was cloud-based and AD integrated it could be a possibility, but opens up security issues.

We don't allow our users local administrative privileges.  They are locked down.  In this fashion, we deal with far fewer issues related to viruses, etc.  Any changes made can only affect their own profile.

We'll still need a web-based tool that they can use to change their AD password, but there are a lot of options for this.  (VPN password uses LDAP to AD, so same password).  These are Lenovo laptops and we'll need a solution for hard drive encryption that also integrates with the fingerprint reader in this case (we currently use TrueCrypt, but there's no integration at all there).
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39793954
You can enable local standard user login on laptops.
This will not contain admin rights, but at the same time they can't access data stored in their actual profiles on the desktop.

If the user stored data on network shares in the office, then the above option will work.
Maybe the helpdesk will reset their domain login password, and once logged in as a local user on their workstation, they can get in with VPN to the corporate network with the new password and from there they can access data.

Otherwise fingerprint authentication is the better option.

Mahesh
0
 
LVL 1

Author Closing Comment

by:mattd_br
ID: 39802699
We have agreed that fingerprint (biometric) authentication is the best route to take in our scenario, as it addresses the issue with forgetting the password, and there don't seem to be any password reminder tools for this sort of requirement that would be manageable.

We will need to find a hard drive encryption toolset that integrates with the fingerprint sensor as well.
Thanks for the direction.
0
