Help your helpdesk: Empower employees to self-reset their AD account password
The COVID-19 pandemic has triggered a momentous shift for many organizations: remote work has become the new normal. Businesses that were skeptical before are now being forced to make it work, and many are discovering that the work can be done as well as before, but with significant cost savings.
In fact, according to a recent Gartner survey, 74 percent of polled CFOs are planning to shift some previously on-site employees to permanently remote positions post-COVID-19.
The shift will require new models for managing remote employees and for mitigating the psychological downsides of the work-from-home arrangement. Companies must also implement some technological and procedural changes to ensure that the company’s cybersecurity posture isn’t compromised and that its IT security teams and IT helpdesk staff don’t get overloaded.
Helping the helpdesk
Anything you can do to minimize the number of support calls your helpdesk must field every day should be welcome.
For example: what if you could eliminate support calls related to forgotten passwords and locked-out Active Directory accounts altogether? Not only would you lower the call load, but you would also mitigate the danger of attackers taking advantage of overworked staff and insecure password reset/user verification processes.
For that particular problem, the team at Specops Software created a helpdesk- and user-friendly solution: Specops uReset, a tool that automates the password reset procedure and makes it safe through multi-factor authentication (MFA).
About Specops uReset
Specops uReset is a cloud solution with a Windows-based tool (Gatekeeper) that plugs into the Active Directory authentication process.
Enterprise IT administrators have to:
- Set it up
- Configure it (configure the password reset providers, the password reset methods, and decide on the trust value each identity service/method will be assigned)
- Enroll users/employees in the self-service password reset service (with any identity provider that has identifier information in Active Directory) or direct users to self-enroll.
Once the employees are enrolled, they can self-reset the password whenever they need to, via a web browser, the Windows logon screen on their workstations, or the uReset mobile application.
“Specops uReset was built to support a remote and mobile workforce,” Darren James, Product Specialist at Specops Software, told Help Net Security.
“It’s a web-based solution that is accessible from anywhere, and addresses common usability and security issues related to working remotely such as lockouts resulting from expired passwords and password resets while outside the VPN connection. This can result in lengthy calls to the service desk and security issues as user verification at the service desk is often insecure.”
New and improved features
The solution supports various forms of authentication, including mobile and email verification codes and commercial MFA methods that may already be in use, such as Duo Security and Okta Verify.
This year, they’ve made advancements to Specops uReset’s multi-factor authentication platform, with features that focus on security and usability.
“We added Geo-Blocking to allow IT departments to blacklist high-risk IP addresses and geographical locations from accessing the system,” said James.
“We also added Okta Verify to our growing list of out of the box authentication services, in addition to Trusted Network Location that enables administrators to designate IP ranges as trusted networks.”
With Trusted Network Location enabled, users have to authenticate with additional identity services when outside a trusted network location. This authentication method can also be used to enforce captcha from network locations you do not trust, or to restrict product use to trusted IPs only, as highlighted in the screenshot below.
Specops uReset is also able to remotely update locally cached credentials, which can be a costly and insecure process without a self-service solution in place. This prevents account lockouts when a Domain Controller can’t be reached, a capability that is missing in other solutions, for example, Azure AD self-service password reset.
Password management can be a big problem for an organization, but solutions exist. You should think about implementing one to meet the needs of a newly remote workforce and to continue meeting the needs of a permanently remote workforce.
For the sake of your company’s overall security, choose a solution that can offload some of your IT helpdesk’s work and is simple to set up and use.