Re: Passowrd - User Self Service Resets?

["Lucas, Bryan" <b.lucas () TCU EDU>]

I highly recommend looking at www.anixis.com, the PPE and APR products.
Excellent value, simple installation, quick support.  The PPE product
does password complexity/enforcement and APR does web reset. Handles
2003 no problem, we've put it thru the 2000-->2003 upgrade already.

You can implement complexity requirements by AD security groups and all
it takes is a simple .DLL on each DC.  Of course I was nervous about
putting software on my DC, but it is clean, small and has been rock
solid.

There is an *optional* client piece that can be rolled out via GPO if
you wish to provide detailed error messages (e.g. "Your password must
include a number") rather than Windows' default vague response.

The web interface is customizable and simple to setup and we run it on a
separate box to isolate it in a DMZ.

Our setup is here: http://mypw.tcu.edu If you'd like a test account,
email me offline.

The toughest part is getting your users to agree to complexity, which is
its own discussion :)

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Koontz
Sent: Monday, March 14, 2005 1:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Passowrd - User Self Service Resets?

We have been asked to explore and evaluate programs which provide users
with
a "Self Service" password reset mechanism via a Web Page.  This is
because
of an increasing number of our students who either forget their
passowrds,
or set their browser to "remember" their password and don't have a clue
what
it is when change time comes, causing more and more work for our
helpdesk.

Has anyone written such a Web Program for allowing users to reset their
own
passwords against a Windows 2003 AD Domain that they could share?
Retail
products seem to be extremely over-priced.  If you have found a
reasonably
priced, well designed retail product please share any details.

Also, it has been suggested that the only information we need to collect
from a user via a web form to reset their account is the Network
UserName,
College ID Number and the last 4 digits of their social security
numbers.
This concerns me because all the information necessary to reset a
password
is in a users wallet / purse, which of course could be lost.  Also, this
information is readily available to any of our faculty and staff via our
Administrative software.  Do anyone of you reset passwords with only
this
data?

Would anyone be willing to share what they belive should be the
MININIMUM
Data collection requirements?  And how do you force users to go though a
registration process to populate the Password Reset system?  I would
like to
go to management with some 'from the field' reports of what others are
doing.

Thanks in Advance!

---
Dave Koontz
Associate Director, CIS
Mary Baldwin College
Staunton, VA

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.