Educause Security Discussion mailing list archives
Re: Email account management for alumni
From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 25 Jan 2006 19:39:58 -0500
Given the limited network access rights most students / alumni and other non-administrative users have in our network, we opted to write our own web-based password reset form for these users. It works similar to some high-dollar commercial software. We see this as fairly minimal risk, since in our environment these user accounts do not have rights to any administrative software or critical services. The other obvious challenge is how to give these distant users 'shared secrets', without their prior input and/or us having to notify each user of this data in a secure fashion. To make it work, we extended our Active Directory schema to populate two additional "hidden" fields that contain the user's College ID number and last 4 digits of their SSN. Currently, our password reset form only asks for the student's username, college ID number and the last 4 of their SSN. While there may be some opportunity for abuse, worst case scenario is a hacker compromises an email account. We have attempted to negate that by logging full reset attempt details (including IP, etc.) of each attempt, giving the failed user attempt a STERN WARNING, notifying our admins on all failures, notifying the attempted user of both reset failures and successes, blocking (tarpitting) any failed attempt's username and the originating IP address for an hour after each attempt, only allowing one change per day, etc. Some may say this is not enough security, but it has worked well for us for the last year or so, with no history of abuse in our logs. We have had well over 50% of our users take advantage of this self-service reset to date, what a relief to our helpdesk folks! We also built in the ability to add and/or require a security picture or question(s) should that become necessary in the future. Our goal is to phase in this extra security question(s)/picture as a part of future user reset attempts, where the user will be forced to set up this additional information as a part of their reset.
Standing by to take a beating from the group.... <g> Just try to be EASY on me.... ;-)

PS: Please do not ask for our source code as it is currently unavailable. It was hard-coded specifically for our domain and Active Directory setup. However, anyone with basic scripting skills and knowledge of ADSI/ADO should be able to create their own with a little work and Google research.

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Wednesday, January 25, 2006 5:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Email account management for alumni

How do universities that provide email accounts for alumni handle forgotten passwords and/or secret question/answers?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
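The controls Dave describes (verify two shared secrets, log every attempt with its source IP, tarpit a failed username and IP for an hour, allow one change per day) can be expressed as a small decision routine. The following is an added example written for this archive page, not the MBC code, which the post says is unavailable and was built on ADSI/ADO. It assumes an in-memory dictionary standing in for the hidden Active Directory attributes, stores salted digests of the College ID and last-4 SSN instead of the raw values (an assumption; the post says only that the fields are hidden), and compares them in constant time against a dummy record for unknown usernames so that response timing does not reveal which accounts exist. Sample users, secrets and IP addresses are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

BLOCK_DURATION = timedelta(hours=1)   # tarpit window for a failed username and source IP
RESET_INTERVAL = timedelta(days=1)    # at most one successful change per day
T0 = datetime(2006, 1, 25, 19, 0)     # constructed reference time for the demo


def secret_digest(salt: bytes, value: str) -> bytes:
    """Salted PBKDF2 digest of one shared secret (College ID or last-4 SSN)."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 50_000)


def make_record(salt: bytes, college_id: str, ssn4: str) -> dict:
    """Directory record that holds only digests, never the raw secrets."""
    return {"salt": salt,
            "id": secret_digest(salt, college_id),
            "ssn4": secret_digest(salt, ssn4)}


# Constructed sample directory standing in for the hidden AD attributes.
DIRECTORY = {"jdoe": make_record(b"salt-jdoe-0001", "100234567", "1234")}
# Dummy record checked for unknown usernames so timing stays uniform.
_DUMMY = make_record(b"salt-dummy-0000", "000000000", "0000")


@dataclass
class ResetService:
    directory: dict
    blocked_users: dict = field(default_factory=dict)   # username -> unblock time
    blocked_ips: dict = field(default_factory=dict)     # ip -> unblock time
    last_success: dict = field(default_factory=dict)    # username -> last change time
    audit_log: list = field(default_factory=list)       # every attempt, any outcome

    def _record(self, outcome: str, username: str, ip: str, now: datetime) -> str:
        """Append the attempt to the audit log and return its outcome."""
        self.audit_log.append({"time": now.isoformat(), "user": username,
                               "ip": ip, "outcome": outcome})
        return outcome

    def attempt_reset(self, username: str, college_id: str, ssn4: str,
                      ip: str, now: datetime) -> str:
        # Tarpit: a blocked username or a blocked source IP is refused before
        # the secrets are even examined.
        if (self.blocked_users.get(username, datetime.min) > now
                or self.blocked_ips.get(ip, datetime.min) > now):
            return self._record("blocked", username, ip, now)
        # Rate limit: one successful change per day per account.
        last = self.last_success.get(username)
        if last is not None and now - last < RESET_INTERVAL:
            return self._record("too_soon", username, ip, now)
        # Verify both secrets in constant time; unknown users go through the
        # same work against the dummy record and are then rejected.
        rec = self.directory.get(username, _DUMMY)
        id_ok = hmac.compare_digest(secret_digest(rec["salt"], college_id), rec["id"])
        ssn_ok = hmac.compare_digest(secret_digest(rec["salt"], ssn4), rec["ssn4"])
        if not (id_ok and ssn_ok) or username not in self.directory:
            # Block both the username and the source IP for an hour; this is
            # where the post's admin and user failure notifications would go.
            self.blocked_users[username] = now + BLOCK_DURATION
            self.blocked_ips[ip] = now + BLOCK_DURATION
            return self._record("failed", username, ip, now)
        self.last_success[username] = now
        return self._record("success", username, ip, now)  # user notified here


def demo() -> list:
    """Run a constructed sequence of attempts and return their outcomes."""
    svc = ResetService(DIRECTORY)
    at = lambda minutes: T0 + timedelta(minutes=minutes)
    return [
        svc.attempt_reset("jdoe", "100234567", "9999", "203.0.113.5", at(0)),      # wrong SSN4
        svc.attempt_reset("jdoe", "100234567", "1234", "203.0.113.5", at(5)),      # user + IP blocked
        svc.attempt_reset("other", "1", "1", "203.0.113.5", at(5)),                # IP still blocked
        svc.attempt_reset("jdoe", "100234567", "1234", "198.51.100.9", at(5)),     # user still blocked
        svc.attempt_reset("jdoe", "100234567", "1234", "198.51.100.9", at(120)),   # block expired
        svc.attempt_reset("jdoe", "100234567", "1234", "198.51.100.9", at(180)),   # second change same day
        svc.attempt_reset("nobody", "000000000", "0000", "198.51.100.9", at(180)), # unknown user
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The audit entries carry the timestamp, username, source IP and outcome, which is the data the post says is logged and used to alert admins; a real deployment would write them to a log that the helpdesk and security staff already monitor rather than keep them in memory.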
Current thread:
- Email account management for alumni Gary Flynn (Jan 25)
- <Possible follow-ups>
- Re: Email account management for alumni Dave Koontz (Jan 25)
- Re: Email account management for alumni Gary Flynn (Jan 25)
- Re: Email account management for alumni Geoff Nathan (Jan 26)
- Re: Email account management for alumni Dave Koontz (Jan 26)
- Re: Email account management for alumni Kevin Shalla (Jan 27)