December 13, 2011 12:43 PM

Comparative Review: Self-Service Password Reset Managers

These products can help end users help themselves
Windows IT Pro
InstantDoc ID #141113

For large and growing companies, the task of assisting end users can become a tremendous burden on the IT department. By some estimates, the cost of password resets can be as much as $70 per incident (including loss of productivity) and make up around 30 percent of Help desk calls. Even higher costs can be expected in industries that are subject to additional regulation, such as in the financial and healthcare arenas.

Product Similarities

All the products that I compared installed on a single Windows Server 2008 system in about 30 minutes or less. My installations each included an administrative console for configuring the software, an end-user website that users could use to reset forgotten passwords, and a Help desk website that Help desk workers could use to assist end users with password resets. Each product also checked passwords as they were entered and enforced a set of password requirements. The password requirements of all five products were similar; the only major exceptions were the dictionary options in Specops Password Policy and Quest Password Manager, which allow you to configure these products to prevent the use of specific words in passwords.

The products' security features also had several similarities. Each product used a password-protected enrollment process, during which the end user completes a series of questions: You can require some questions or configure the products to present end users with a list of questions to choose from. All the reviewed products had rules to force end users to answer these questions in a useful and secure way. These rules included such options as

  • requiring unique answers to all questions
  • requiring answers to questions to be case sensitive
  • setting the number of allowed custom questions
  • setting the total number of questions
  • requiring end users to set up password reset questions and to complete the enrollment process when it presents itself at logon
  • setting a lockout threshold for incorrect answers to password reset questions (similar to lockout thresholds for password input during logon)
  • setting a minimum custom-question length
  • requiring all answers to be more than five characters
  • restricting answers from including words that are in the question
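The enrollment rules listed above, worked through as an added example (not code from any of the reviewed products): answers are validated against the length, uniqueness and no-question-words rules, only salted digests are stored, and reset-time checks lock out after a threshold of wrong answers. The threshold value and the sample question/answer pairs are constructed assumptions.

```python
import hashlib
import re
import secrets

MIN_ANSWER_LEN = 6       # the "more than five characters" rule
LOCKOUT_THRESHOLD = 3    # assumed wrong-answer count before lockout
SAMPLE_PAIRS = [("What was your first car?", "Morris Minor"),   # constructed sample
                ("Street you grew up on?", "Elm Grove")]

def _words(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def validate_enrollment(pairs):
    """Return the rule violations for a list of (question, answer) pairs."""
    errors, seen = [], set()
    for question, answer in pairs:
        if len(answer) < MIN_ANSWER_LEN:
            errors.append(f"answer too short for: {question!r}")
        if _words(answer) & _words(question):
            errors.append(f"answer repeats a word of the question: {question!r}")
        if answer in seen:                    # answers are compared case-sensitively
            errors.append(f"answer reused for: {question!r}")
        seen.add(answer)
    return errors

def hash_answer(answer, salt):
    # Salted PBKDF2 digest, so the stored enrollment never holds plain answers.
    return hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, 100_000)

def enroll(pairs):
    # Validate, then return {question: (salt, digest)}; only digests are kept.
    errors = validate_enrollment(pairs)
    if errors:
        raise ValueError("; ".join(errors))
    salts = {q: secrets.token_bytes(16) for q, _ in pairs}
    return {q: (salts[q], hash_answer(a, salts[q])) for q, a in pairs}

class ResetChallenge:
    # Checks answers at reset time and locks out after LOCKOUT_THRESHOLD misses.
    def __init__(self, stored):
        self.stored, self.failures, self.locked = stored, 0, False
    def check(self, question, given):
        if self.locked:                       # a locked-out user gets no more tries
            return False
        salt, digest = self.stored[question]
        ok = secrets.compare_digest(hash_answer(given, salt), digest)
        if not ok:
            self.failures += 1
            self.locked = self.failures >= LOCKOUT_THRESHOLD
        return ok
```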

Only ManageEngine's ADSelfService Plus did not use Microsoft IIS. Each product also included a client application that added a logon assistance button to the Windows logon screen. By clicking this button, end users are brought to a self-service password-management portal, without needing to log on to the computer. Without the client application, end users can still access the password reset website for enrollment into the system or to reset passwords. However, users who need resets will probably need to use a coworker's computer or a kiosk computer that allows web access without logging on first.

Another nice feature of the products is that they are licensed per user rather than per server. This feature allows you to set up a second server for fault tolerance.

Product Differences

The big difference among the reviewed products tended to be integration with Active Directory (AD). Two of the evaluated products -- Specops Password Policy and Quest Password Manager -- integrated with AD in such a way that I could assign different password policies to different organizational units (OUs) within a domain, even if the domain's operational mode didn't natively enable this option. In both products, an application needed to be installed on each domain controller (DC) to allow the product to intercept the password-change requests and ensure that they complied with the specified requirements before being passed on to AD. These products enforced my password policies both when using the product interface and when using the standard change-password routine that's built into all Windows versions, from any computer in the domain, with or without a client installation.

The following sections describe each product in more detail. See Table 1 for a comparison of all the products' core features. (I give each product one point per provided feature; for Group Policy integration, I give the product two points.)

Comments
  • Lorenzo0o0
    1 month ago
    Apr 03, 2012

    Just evaluated several of the tools on here, including NetWrix Password Manager, Quest Password Manager, and ADSelfServicePlus. All had their strong suits, but for our purpose, the freeware version of NetWrix Password Manager works just fine. We didn't realize that the NetWrix tool is free for up to 50 users, and offers the same functionality that the enterprise version does. We love how easy it is to use, and the newest version includes password reset capabilities for Google apps. Don't assume that the freeware version won't suit your needs, and if you have over 50 users, it's still a good product.

  • Markus Lassfolk
    4 months ago
    Jan 17, 2012

    Hi, I would just like to comment on Mike00X's arguments.
    I'm working for Specops Software so this is relative to the Specops products.

    1. It does NOT have to run as Domain Admin, but preferably an account with Delegated Rights in the AD. Just permission to reset passwords on the managed user accounts.

    2. Incorrect, works fine to run on a stand alone server.

    3. That's possible to control, we use different pages for Helpdesk Interface vs Enrollment and Reset. By default, the admin/helpdesk pages are NOT installed on the webserver. Plus, most customers will publish just those pages that are required through the firewall.

    4. Incorrect. We store all information in Active Directory. So no need to install any SQL or other database.

    5. Incorrect again. According to Microsoft best practices, it's supported to extend the Windows Logon screen with alternate credential providers etc. And it will not be affected by Security Patches, will not weaken security and will not affect your support agreement.

    6. Once again wrong. It's the same as writing your own password filter according to Microsoft best practices. Need to be installed on your Domain Controllers and you will need to reduce the built in Password Policy or you will get conflicts between your own filter and the built in.

    7. Works fine with both scalability and failover. Use Network Load Balancing to have multiple servers or Clustering. NLB is preferred since it gives both scalability and redundancy at the same time.

    Also, using Active Directory as a Database will give you fault tolerance and not a single point of failure, and the users will not need to re-enroll etc. as you state.
    So from your own list, I would say the Specops Password solution also qualifies as an Enterprise solution and the other solutions you mention, for example Microsoft FIM, would not give you any additional security or Enterprise services.

    Also, we missed one point. It's possible to pre-enroll/pre-stage user accounts with information.

  • Mike00X
    5 months ago
    Dec 22, 2011

    I'd also like to address your comment on fault tolerance. Just because you can set up a second server does not make it "fault tolerant". If you lose the first server, with all of your setup data and enrollments, guess what: all users will need to re-enroll AGAIN, and you'll need to re-input your settings. We learned this the hard way, which exemplifies one reason why it is imperative that differentiation is made on these "LAN" products vs. proper, enterprise-class products.

  • Mike00X
    5 months ago
    Dec 22, 2011

    Well written and a decent read. However, you should have titled this "Comparative Review for LAN/SMB Only". There is a VAST difference between "enterprise class" self service products and "LAN/SMB class" products. Your review is on products designed for INTERNAL-ONLY use in small, loosely controlled environments. These products will FAIL for external public deployment in secured environments. Let me break these failures down:

    1. They require running the web application process with elevated domain credentials, e.g. domain admin. Yikes!

    2. They require running the web-facing portion of product on a domain member server. No!

    3. They have some sort of "central admin page" built directly in to the web pages, the same web pages that are available to the rest of the world. Yikes!

    4. They require installation of a separate, non-redundant database that stores sensitive user data outside of AD. None of these products are "AD Integrated" at all, the reason a separate database exists for these products is because the vendor does not know how to design for Active Directory. Use of a database is not a requirement, it is a hack. It is also a single point of failure.

    5. Software that modifies PC logon screens is NOT a good idea; it will behave differently on different OS versions and will be wiped with major SP updates. It can weaken security of the Windows logon, and may affect your support agreement with Microsoft.

    6. Installing agents on DCs, overriding the domain's password policy? Oh My!! This is a huge no-no for any secured or highly change controlled environment.

    7. They cannot be set up for scalability or failover.

    For environments under PCI, SOX, HIPAA, these products will fail in one way or another, especially an external pen-test.

    You need to review "enterprise class" products which provide secure self service capabilities through proper design:

    Password Reset PRO - www.sysoptools.com (our top pick)
    Microsoft FIM
    Hitachi-ID - www.hitachi-id.com
