Solved

Offline password reminder utility

Posted on 2014-01-17
Last Modified: 2014-01-23
Not sure if there is a solution for this.
I am responsible for a Windows domain network with roughly 225 client machines.  Many of these are mobile and are located offsite; they connect to head office using Sonicwall GVC software (VPN).

We currently don't enforce password changes; in fact, they are issued their password when I set up their account and can't change it.  We need to change this for PCI compliance reasons, and of course, to follow best practices.

My problem is this:
Password reset tools that synchronize with Active Directory that I've found require that the machine be connected to the domain (obviously).

However, given the following scenario:
A user is forced to change their password on a Friday (while connected to the domain, synced with AD), and then is off work for the next two weeks.  They come back and can't recall what they set the password to.  They work offsite and are nowhere near one of our fixed locations with VPN connectivity.  They can only connect to VPN once they've already logged into their computer, which is dependent on knowing their password.  Although they can call us to have their password reset, it won't help them get into their own profile as the cached password is still different.  We need to assume that they have no access to any other computer.

We need a toolset that can manage their password with phone access (security questions, etc.) and that syncs this password to AD, while enforcing password changes and password strengths according to our preferences.  Most importantly, it needs to be able to recall their current password.

The only way out of this that I can see is that we leave a generic back-door non-administrative local account with VPN software configured that they can log into (with no access to their own account).  They could log into this with our instruction, then the new temporary 'reset' password would be synced to their account.

Any software or easier solution to this?

Thanks,
Matt
Question by:mattd_br
6 Comments
LVL 16

Expert Comment

by:l33tf0b
ID: 39789248
I've seen this before and the solution you described is the only one that I know would work.  For example, the Cisco VPN client has the option to have the VPN client start before Windows login.  You would log in through VPN, and now change the password.  This will then sync with his cached credentials.

It'd be interesting to see if other experts have seen this solution before.  Another way is to maintain passwords using LastPass: when passwords have expired, the admin will reset it to the same password for the same user.  LastPass is quite secure if used by admins only.  I know it doesn't sound like the best, but it should meet what you want for now.
LVL 92

Expert Comment

by:nobus
ID: 39790364
You can require them to save the passwords in a utility like KeePass: http://keepass.info/
LVL 36

Accepted Solution

by: Mahesh (earned 300 total points)
ID: 39791263
Even if you manage to work with phone security access, starting the VPN client earlier during startup, etc., the problem is as below.
Since the user doesn't know (forgot) the old cached password, he cannot log in to his workstation.
And logging on to the corporate network with VPN and resetting his password would not help, as unless he connects his machine to the corp network physically, the cached password will not change, and hence he cannot log in to his workstation offline.

The workaround I can see:
Allow him local login on his workstation as local administrator so that he can access at least his data stored in his own profile, and then he can log in with VPN to continue to work.
Once he reaches the office any other day, he can sync his cached password with the new password.
If you are using the Outlook client, he will not be able to use it, but in that case you can grant him webmail access.

Another option is to allow / configure fingertip authentication if the laptop supports it.

Mahesh
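The accepted answer above turns on two facts about the laptop: whether Windows will still accept a cached domain logon while no domain controller is reachable, and whether a local fallback account (the "generic non-administrative local account" from the question) exists without carrying admin rights. The following PowerShell audit is an added example written for this thread, not a script posted by any participant. It assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets), a domain-joined machine and an elevated session; the function name Get-OfflineLogonReadiness is invented for the example.

```powershell
# Added example (not from the thread): report the settings that decide whether an
# offsite laptop can still log a user on after a domain password change.
# Assumes Windows PowerShell 5.1+, a domain-joined machine, run elevated.

function Get-OfflineLogonReadiness {
    [CmdletBinding()]
    param()

    # Winlogon keeps the last N domain logons so a user can sign in with no DC reachable.
    # A missing value means the Windows default of 10; 0 disables offline logon entirely.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }

    # Is a DC reachable right now (directly or over an already-established VPN)?
    # Only then can a password change reach AD and refresh this machine's cache.
    $dcReachable = $false
    try { $dcReachable = [bool](Test-ComputerSecureChannel -ErrorAction Stop) } catch { }

    # Local accounts that could serve as the fallback account; flag any that is
    # also a member of the local Administrators group.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Name.Split('\')[-1] })
    $localUsers = Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Enabled = $_.Enabled
            IsAdmin = ($admins -contains $_.Name)
        }
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        CachedLogonsCount    = [int]$cached
        OfflineLogonPossible = ([int]$cached -gt 0)
        DomainReachable      = $dcReachable
        LocalAccounts        = $localUsers
    }
}

$report = Get-OfflineLogonReadiness
$report | Select-Object ComputerName, CachedLogonsCount, OfflineLogonPossible, DomainReachable |
    Format-List
$report.LocalAccounts | Format-Table -AutoSize
```

Run it on a representative laptop before rolling out password expiry: OfflineLogonPossible must be true for the cached-logon scenario in the question to apply at all, and any enabled local account reported with IsAdmin = True contradicts the "no local administrative privileges" policy the asker describes, so the fallback account the thread discusses should show IsAdmin = False.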

LVL 1

Author Comment

by:mattd_br
ID: 39793926
Of the options listed here so far, I believe the best one is fingerprint authentication.  I wasn't thinking about that, but I believe all our laptops have readers.  We can just enforce that they must be used (or at least configured).

Keeping a password list on the computer doesn't do much good if they can't access it.  If it was cloud-based and AD integrated it could be a possibility, but it opens up security issues.

We don't allow our users local administrative privileges.  They are locked down.  In this fashion, we deal with far fewer issues related to viruses, etc.  Any changes made can only affect their own profile.

We'll still need a web-based tool that they can use to change their AD password, but there are a lot of options for this.  (The VPN password uses LDAP to AD, so it's the same password.)  These are Lenovo laptops and we'll need a solution for hard drive encryption that also integrates with the fingerprint reader in this case (we currently use TrueCrypt, but there's no integration at all there).
LVL 36

Expert Comment

by:Mahesh
ID: 39793954
You can enable local standard user login on laptops.
This will not contain admin rights, but at the same time they can't access data stored in their actual profiles on the desktop.

If the user stored data on network shares in the office, then the above option will work.
Maybe the helpdesk will reset their domain login password, and once logged in as a local user on their workstation, they can get in with VPN to the corporate network with the new password and from there they can access data.

Otherwise fingertip authentication is the better option.

Mahesh
LVL 1

Author Closing Comment

by:mattd_br
ID: 39802699
We have agreed that fingerprint (biometric) authentication is the best route to take in our scenario, as it addresses the issue with forgetting the password, and there don't seem to be any password reminder tools for this sort of requirement that would be manageable.

We will need to find a hard drive encryption toolset that integrates with the fingerprint sensor as well.
Thanks for the direction.