Educause Security Discussion mailing list archives

Re: Email account management for alumni


From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 25 Jan 2006 19:39:58 -0500

Given the limited network access rights most students / alumni and other non
administrative users have in our network, we opted to write our own Web
Based Password Reset form for these users.  It works similarly to some
high-dollar commercial software. We see this as fairly minimal risk, since
in our environment these user accounts do not have rights to any
administrative software or critical services. The other obvious challenge is
how to give these distant users 'shared secrets', without their prior input
and/or us having to notify each user of this data in a secure fashion.

To make it work, we extended our Active Directory schema to populate two
additional "hidden" fields that contain the user's college ID number and last
4 digits of their SSN.

Currently, our password reset form only asks for the student's username,
college ID number and the last 4 of their SSN. While there may be some
opportunity for abuse, the worst case scenario is a hacker compromises an email
account.  We have attempted to negate that by logging full reset attempt
details (including IP, etc.) of each attempt, giving the failed user attempt
a STERN WARNING, notifying our admins on all failures, notifying the
attempted user of both reset failures and successes, blocking (tarpitting)
any failed attempt's username and the originating IP address for an hour
after each attempt, only allowing one change per day, etc.

Some may say this is not enough security, but it has worked well for us for
the last year or so, with no history of abuse in our logs.  We have had well
over 50% of our users take advantage of this self-service reset to date,
what a relief to our helpdesk folks! We also built in the ability to add
and/or require a security picture or question(s) should that become
necessary in the future.  Our goal is to phase in this extra security
question(s)/picture as a part of future user reset attempts, where the user
will be forced to set up this additional information as a part of their reset.

Standing by to take a beating from the group.... <g>  Just try to be EASY
on me.... ;-)

PS:  Please do not ask for our source code as it is currently unavailable.
It was hard coded specifically for our domain and Active Directory setup.
However, anyone with basic scripting skills, knowledge of ADSI/ADO should be
able to create their own with a little work and google research.



-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Wednesday, January 25, 2006 5:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Email account management for alumni

How do universities that provide email accounts for alumni handle forgotten
passwords and/or secret question/answers?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
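The reset flow Dave describes above (three answers checked against directory attributes, every attempt logged with its source IP, the failed username and IP tarpitted for an hour, one change per day), as an added example that is not Dave's code or anything from the list. It assumes the two "hidden" attributes are stored as a salted hash rather than cleartext, stands in for Active Directory with an in-memory dict of constructed demo accounts, and takes an injectable clock so the tarpit expiry can be exercised without waiting; the actual ADSI/ADO password write that would follow a "reset" result is out of scope.

```python
"""Self-service password-reset gate: the user supplies username, college ID and
last 4 of SSN; every attempt is logged with the source IP; a failure tarpits
that username and that IP for an hour; a user may reset at most once per day.
The directory is an in-memory dict standing in for the two AD attributes
(constructed demo data, not real records)."""

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

TARPIT_SECONDS = 60 * 60              # block username and IP for an hour after a failure
RESET_WINDOW_SECONDS = 24 * 60 * 60   # at most one successful reset per day
PBKDF2_ROUNDS = 50_000


def derive_verifier(salt: bytes, username: str, college_id: str, ssn_last4: str) -> bytes:
    """Salted PBKDF2 over the three answers (assumption: stored hashed, not cleartext)."""
    material = "|".join((username.lower(), college_id, ssn_last4)).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)


@dataclass
class DirectoryRecord:
    salt: bytes
    verifier: bytes
    last_reset: float = 0.0   # epoch seconds of the last successful self-service reset


def enroll(username: str, college_id: str, ssn_last4: str) -> DirectoryRecord:
    salt = os.urandom(16)
    return DirectoryRecord(salt, derive_verifier(salt, username, college_id, ssn_last4))


# Record used for unknown usernames so a bad username costs the same time as a bad answer.
_DUMMY = enroll("nobody", "000000", "0000")


class ResetGate:
    def __init__(self, directory: dict, clock=time.time):
        self.directory = directory      # username -> DirectoryRecord
        self.clock = clock              # injectable so tarpit expiry can be tested
        self.blocked_users: dict = {}   # username -> epoch when the block lifts
        self.blocked_ips: dict = {}     # ip -> epoch when the block lifts
        self.audit: list = []           # full attempt log, one line per attempt

    def _log(self, outcome: str, user: str, ip: str) -> None:
        # Admin alerts and the "someone tried to reset your password" user notice hang off here.
        self.audit.append(f"{int(self.clock())} {outcome} user={user} ip={ip}")

    def _is_blocked(self, table: dict, key: str) -> bool:
        return table.get(key, 0.0) > self.clock()

    def attempt(self, username: str, college_id: str, ssn_last4: str, ip: str) -> str:
        now = self.clock()
        user = username.lower()
        if self._is_blocked(self.blocked_users, user) or self._is_blocked(self.blocked_ips, ip):
            self._log("TARPIT", user, ip)
            return "tarpitted"
        rec = self.directory.get(user, _DUMMY)
        presented = derive_verifier(rec.salt, user, college_id, ssn_last4)
        # Constant-time compare; an unknown user takes the same failure path as a wrong answer.
        if rec is _DUMMY or not hmac.compare_digest(rec.verifier, presented):
            self.blocked_users[user] = now + TARPIT_SECONDS
            self.blocked_ips[ip] = now + TARPIT_SECONDS
            self._log("FAIL", user, ip)
            return "failed"
        if now - rec.last_reset < RESET_WINDOW_SECONDS:
            self._log("LIMIT", user, ip)
            return "already_reset_today"
        rec.last_reset = now
        self._log("SUCCESS", user, ip)
        return "reset"   # caller would now write the new password via ADSI/ADO


class FakeClock:
    """Deterministic clock for the demo."""
    def __init__(self, start: float):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo_gate(clock) -> ResetGate:
    """Constructed directory with two demo accounts (not real IDs or SSN digits)."""
    directory = {
        "jdoe": enroll("jdoe", "123456", "6789"),
        "asmith": enroll("asmith", "654321", "4321"),
    }
    return ResetGate(directory, clock)


if __name__ == "__main__":
    clock = FakeClock(1_000_000)
    gate = demo_gate(clock)
    print(gate.attempt("jdoe", "123456", "6789", "10.0.0.5"))    # reset
    print(gate.attempt("jdoe", "000000", "0000", "10.0.0.5"))    # failed: user and IP tarpitted
    print(gate.attempt("asmith", "654321", "4321", "10.0.0.5"))  # tarpitted (same IP)
    for line in gate.audit:
        print(line)
```

Two points worth keeping if you build your own: the tarpit is keyed on both the username and the source IP so an attacker cannot spread guesses across many accounts from one address or hammer one account from many addresses without tripping a block, and unknown usernames go through the same hashing and the same failure path as wrong answers so the form does not reveal which usernames exist.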
