Educause Security Discussion mailing list archives

Re: AD self service password reset ?


From: "Francis, Greg" <francis () ITS GONZAGA EDU>
Date: Wed, 16 Mar 2011 14:04:40 -0700


I just want to let people know that I believe the person that posted this
message is affiliated with the product that he's recommending:

Someone by the name of Kurt Lewis posted using the hawaiiguy () GMAIL COM
address to this list on 1/14/11 (http://seclists.org/educause/2011/q1/21).
The registration of sysoptools.com through GoDaddy was made by a Kurt Lewis
(http://who.godaddy.com/whois.aspx?domain=sysoptools.com&prog_id=GoDaddy)
and Kurt Lewis is the CEO of SysOpTools
(http://www.sysoptools.com/about.aspx) and happened to be born and raised in
Hawaii.

I found the information below very intriguing until I saw that it appears to
be the owner of the company posting the information! How can I possibly
trust a security company when they would resort to such low-handed tactics
to get our business?

Perhaps I am wrong but there are just too many coincidences for me to
believe that I am.

Greg



On 3/16/11 12:09 PM, "Mike C" <hawaiiguy () GMAIL COM> wrote:

Hello-  I would like to propose Password Reset PRO from www.sysoptools.com
-  Network overview diagrams, docs etc are located at
http://www.sysoptools.com/password-reset-pro.aspx
 
Top 10 Reasons:
 
1. does not require any DB install, does not store sensitive user data outside
of AD. uses native AD fields for enrollment data, very cool approach as you
would have to lose your AD to lose user enrollments.
 
2. very easy to set up (literally 5 mins), can run in a two tier architecture
for increased perimeter security, no changes to domain required and extremely
small change control footprint.
 
3. it is very secure and will pass PCI/DSS, Sox, HIPAA, SaS70 etc, and is
actually designed for 100% external use. Event history auditing is stellar and
log data is accessible via several methods. Software like SMOP, JiJI, and
other low-dollar products will not pass most if not all current regulatory
compliance requirements, are not designed securely for external perimeter use,
and do not have DDOS or brute force countermeasures built in. Some of these
products even have a "central admin page" built directly into the public
facing web portal- scary!
There are only 3 truly secure external self service solutions I've found
(Password Reset PRO, Hitachi-ID and MS FIM). I know with certainty that this
particular Reset PRO product is used by a dept of the Whitehouse and also by
two depts of the Treasury.
 
4. low cost of about $3/user w/ unlimited user key issued at 7500 or more
password expiring users in domain. They only require licensing for your
enabled, password expiring user accounts (UAC=512) - Very efficient since you
do not have to pay for disabled or static password user accounts.
 
5. standard ASPNET2 web portal (web tier) and separate back end service
(application tier), nothing new or proprietary to learn as the web portal
uses IIS6/7 and all components are supported on 2008R2. The web portal can be
installed on a non-domain DMZ box separate from the internal application
master service, and the web portal contains no user data or domain
credentials.  It is also easy to set up load balancing for the web portal for
failover / redundancy just like any typical ASP website.

6. works in very large domains without issue- I know one of the admins for
KCTCS who deployed this in their 300k-user domain and have been really happy
with it, as they looked through several products and this one was the best by
far.
 
7. tech support is incredible, all sr. support staff are experienced AD
admins, typical 8x5x7 access via phone / email.
 
8. USA-based company and nothing is outsourced (Los Angeles)
 
9. all aspects of the web portal, branding, look / feel are customizable right
down to the CSS and aspx pages (they do support this)
 
10. Licensing is a one time buy, so you do not have to constantly keep paying
the same price each year to keep using it.
 
If you decide to try it, contact their support about new version 3 which is
available by request. Version 3 adds three different deployment modes for the
web portal, so basically you have three different ways to have your users
access self service. All modes use native AD information as a basis for
enrollment or secure access without enrollment.
 
One key feature of note, which I have not found in any other product:  Users
can enroll with a temp password (must change on next logon) or even an expired
password (as long as they type it in correctly). This is huge, because you no
longer have to give out permanent passwords to new users. Or, if users wait
until *after* their password expires to finally go and enroll (which is
typical), they can still do so without IT assistance. Give them a temp
password, have them enroll, the web portal informs them of the expired
password and walks them through creating a new permanent password. Neat.
Also, since the software uses native AD fields for the enrollment data
storage, it is easy to build logon scripts that check for enrollment at user
logon time and ask the user to enroll. Also neat.
 
As far as SSO, this product only works with AD authentication. If your
peripheral systems are using AD auth for user logon then you should be good to
go. If you have separate authenticated systems outside of AD (not synchronized
or connected), then this will not work for you, and you should probably look
at Hitachi-ID as they have a lot of SSO integration modules for various
directory authentication platforms.
 
Hope this helps- I am writing all of this because it is extremely important to
take a hard look at security and reliability when considering a web based self
service product. Last thing you want to do is provide end user convenience
at the expense of security, or find out later that losing a single database
means you lose all of your user enrollments.  If you take a close hard look at
many of these commercially available products (especially the budget priced
offerings), you are going to find some very scary deficiencies in architecture
and coding. A vendor should be able to tell you with certainty if 100% public
use of the web facing portal is supported, what security measures are built
in, if it will pass a simple PCI/DSS pen test, and how the software will
react / prevent specific threat situations (bot scripts, ddos, etc).
Of course, your own DD and testing should validate this as well-
 
MC
 
On Mon, Mar 7, 2011 at 7:43 AM, Witmer, Robert <r.witmer () snhu edu> wrote:
Anyone using a (shrink wrapped) AD self service password reset utility for
student, staff, & faculty accounts that would be willing to share
experiences, thoughts, etc?  Does it work with single sign on?  If so, home
grown or shrink wrapped?  Please contact me off-list if desired.
Regards,
Bob
 
r.witmer () snhu edu




Greg Francis
Director, Central Computing and Network Support Services
502 E. Boone Ave.
Spokane, WA 99258-0092
509.313.6896 direct
http://www.gonzaga.edu/its
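A practical check that the licensing claim in item 4 of the quoted post invites, added here as an example (not code from the original thread or from the vendor): the post describes the licensable population as "enabled, password expiring user accounts (UAC=512)", but userAccountControl is a bit field, so an exact match on 512 undercounts any enabled account that carries an extra flag. The script below counts the population with bit tests instead; the five sample accounts are constructed, and the trailing Get-ADUser line assumes the ActiveDirectory module and a domain to query.

```powershell
# Added example, not from the original post or the vendor. Sizes the
# "enabled, password-expiring user accounts" population using bit tests on
# userAccountControl rather than an exact match on 512.

$ACCOUNTDISABLE     = 0x0002    # account is disabled
$PASSWD_NOTREQD     = 0x0020    # no password required (still expiring)
$NORMAL_ACCOUNT     = 0x0200    # ordinary user account (512)
$DONT_EXPIRE_PASSWD = 0x10000   # password never expires (65536)

function Test-LicensableUac {
    param([Parameter(Mandatory)][int]$Uac)
    # Enabled, ordinary user account whose password is subject to expiry
    return (($Uac -band $NORMAL_ACCOUNT) -ne 0) -and
           (($Uac -band $ACCOUNTDISABLE) -eq 0) -and
           (($Uac -band $DONT_EXPIRE_PASSWD) -eq 0)
}

# Constructed sample standing in for Get-ADUser output (assumed values)
$sample = @(
    @{ Name = 'alice'; Uac = 512   }   # enabled, expiring          -> counted
    @{ Name = 'bob';   Uac = 514   }   # 512 + disabled             -> not counted
    @{ Name = 'carol'; Uac = 66048 }   # 512 + never expires        -> not counted
    @{ Name = 'dave';  Uac = 544   }   # 512 + PASSWD_NOTREQD       -> counted, missed by "UAC=512"
    @{ Name = 'erin';  Uac = 66050 }   # 512 + disabled + never exp -> not counted
)

$exact   = @($sample | Where-Object { $_.Uac -eq 512 }).Count
$bitwise = @($sample | Where-Object { Test-LicensableUac -Uac $_.Uac }).Count
"Exact UAC=512 match: $exact   Bit-test count: $bitwise"   # 1 vs 2 for this sample

# Same bit tests against a live domain, using the LDAP_MATCHING_RULE_BIT_AND
# matching rule (OID 1.2.840.113556.1.4.803). Requires the ActiveDirectory module.
# (Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))').Count
```

Run the LDAP query once before accepting a per-user quote; the difference between the exact-match figure and the bit-test figure is the set of accounts a "UAC=512" count silently leaves out.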

