Educause Security Discussion mailing list archives

Re: Self Service Password Reset


From: "Gallese, Brady T." <gallese () SUSQU EDU>
Date: Thu, 5 Jul 2012 23:10:24 +0000

We use People Password.  Users are basically on or off in the People Password system based on Active Directory OUs.  
If other products work in a similar way, I suppose you could just put these particular users in their own OU to exclude 
them from your password reset system, right?

Best,
Brady Gallese
Susquehanna University


On Jul 5, 2012, at 6:47 PM, Shawn Kohrman wrote:

Excellent point Adam.  The particular case we were considering with this question was our high level people (provost, 
president, etc).  Namely, what would happen if someone were able to answer the challenge questions and take over their 
account.  How much damage could be caused in such an instance?  Granted, the likelihood of that happening is very low, 
but still...

I wanted to ask the question to determine if we were being overzealous on this particular point.  Thanks!

Shawn

-----
Shawn A. Kohrman, Security Architect

Azusa Pacific University
Information & Media Technology
901 E. Alosta Ave., PO Box 7000
Azusa, CA 91702-7000

P:  626.815.2054 | F:  626.815.2061 | http://www.apu.edu/
-----



On Thu, Jul 5, 2012 at 3:37 PM, Schumacher, Adam J. <adamschumacher () creighton edu> wrote:
Maybe I am missing something obvious, but why would you want to exclude users from being able to reset their own 
password?  Our self-service requires "multi-factor" authentication (answer security questions & access to external 
email account or cell phone), and unless the user has not provided the required information (or doesn't remember what 
it was), she should be able to reset the password.  We encourage this as much as possible, as it reduces the load on 
the HD.  Even if the customer calls the help desk and needs some kind of manual intervention (forgot answers, never set 
it up, etc), they will walk her through setting up and using the self-service tools so that next time maybe she will 
not need to call.

::Adam

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shawn Kohrman
Sent: Tuesday, July 03, 2012 15:32
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Self Service Password Reset

For those of you who have self service password reset tools, do you maintain
a list of users who are excluded from using the tool?  If so, how did you go
about establishing your criteria?

Shawn

-----
Shawn A. Kohrman, Security Architect


Azusa Pacific University
Information & Media Technology
901 E. Alosta Ave., PO Box 7000
Azusa, CA 91702-7000

P:  626.815.2054 | F:  626.815.2061 | http://www.apu.edu/
-----


