Supplier: Specops Software
Price: Based on volume
Value for Money 4/5
Ease of Use 4.5/5
Tight integration with Windows AD and support for a wide choice of identity services allows Secure Service Desk to verify that password reset requests are from bona fide users.
Active Directory (AD) password reset requests are one of the most common issues service desks have to deal with but can be a major vulnerability as they are open to bad actors attempting to impersonate real users using tactics like social engineering. Good password hygiene is easy enough to implement in AD but service desks must also be able to securely verify that users making the requests are who they say they are, not relying on an insecure method like an employee ID number, but enforcing a secure verification process with no exceptions, not even the executive team.
Specops specializes in password management and authentication solutions and its Secure Service Desk offering provides the tools for helpdesk agents to securely verify users’ identities before performing password resets, changes or account unlocks. Snapping in seamlessly with AD, it can enforce user authentication and doesn’t require users to enroll as it leverages personal information present in their account attributes such as email addresses, mobile numbers or an existing identity service the user is already enrolled with.
Along with sending one-time passwords (OTPs) via mobile SMS and email, it supports many other identity services including Okta Verify, Symantec VIP and Duo Security. More importantly, it employs multi-factor authentication (MFA) and a smart weighting feature to verify the identity of administrators and service desk agents when they access the Secure Service Desk portal.
Image 1. – The only onsite component required is the Specops Gatekeeper which links up transparently with AD and the cloud authentication services
Easy deployment, tight security
Installation is a swift process as Secure Service Desk only requires a Gatekeeper component installed on a Windows server in your domain which securely links up with AD. All other services are hosted in the cloud and you start by creating an account which will be appended with a unique UPN suffix.
Once you’ve created your first authentication account, the portal provides a secure link to install the Gatekeeper. This creates three new Specops AD security groups and then asks you to choose which AD users are to be added to the Specops Administration and User Administration groups.
With the power to change passwords and unlock user accounts, access to the Secure Service Desk web portal needs to be strictly controlled and this can be locked down tight by assigning multiple identity services to the enrolment and authentication processes. Weighting is a standout feature as you assign from one to twelve stars to both processes to ensure multi-factor authentication is enforced.
Each identity service is then assigned a number of stars so you can apply higher weightings to strong authentication methods such as the Specops Authenticator or Fingerprint mobile apps and give lower weightings to weaker methods such as email and SMS.
The end result is if administrators and service desk agents choose weaker methods, they’ll have to use more of them to authenticate than if they chose a stronger identity service. Furthermore, you can apply geo-location blocking and trusted network locations to limit where they can authenticate from.
Image 2. – You can apply custom weightings to the various identity services for strong user authentication
Who goes there?
When a user calls in requesting a password reset, the agent accesses the portal’s Service Desk tab and uses its search facility to find their AD account. From the user details page, you can send them an OTP to the mobile number or email address defined in the AD user account attributes for verification.
One very important factor here is the service desk agent is not shown any codes so they can’t prompt or assist the user who must repeat the code back to them. If the agent believes further verification is required, they can then choose further authentication methods to confirm the user’s identity.
Other valuable administrative settings are facilities to set a session time limit in minutes and force identity verification to stop it being bypassed. New password generation can be fully automated so service desk staff won’t know what they are and you can force users to change them after a reset at next logon, a setting that admins can configure so a service desk agent cannot remove.
Password resets are a swift process as when auto-generation is enabled, all the agent has to do is request a new one to be sent via email or text message. If disabled, they manually enter a password that must adhere to the AD domain password policy which is also sent to the user via the chosen method.
If an AD account lockout policy is configured and the user has managed to trigger this, the agent can unlock it from the service desk portal. This extra tab only appears if the account in question is locked and enablement is nothing more than a single click.
Image 3. – Once users have been verified, passwords can be quickly reset and accounts unlocked from the cloud portal
As you’d expect, the web portal provides plenty of valuable reporting services which can be easily filtered to show various activities for specific date periods. The historical view reveals everything you need to know about enrolment and authentication, the identity services used, text messages sent per day and service desk events.
The auditing tab provides a rundown on all system events such as password resets and identity verification along with the date, time and AD user that instigated them and this can all be exported as CSV files. All reports that provide output in graphical format can be exported to PNG, JPG, PDF, XLSX and JSON formats.
The portal can also be fully customized to suit your business requirements. You can add personalized icons and images, change the colour of backgrounds, menus or buttons, modify any text element and choose from fourteen different languages.
Image 4. – The Secure Service Desk portal provides a wealth of reporting and auditing tools
In these turbulent times, organisations must implement strong AD password management and a critical part of the process is user authentication. Helpdesk staff in large businesses certainly won’t personally know every user so they must be able to verify a caller’s identity before performing password resets or account unlocks.
Specops Secure Service Desk is an ideal solution as it’s simple to deploy, integrates neatly with AD and is easily managed from a well-designed cloud portal. Support for a wide range of identity services makes it highly versatile and the smart weighting system allows businesses to enforce strong authentication processes for portal access.
And if you want to ease the support burden even further, the Specops uReset product integrates with the on-site Gatekeeper and Secure Service Desk cloud portal to provide self-service password reset facilities protected by the same authentication functions.