Logging in to my Password Reset Server (PRS) yesterday I noticed there was an update available, from v2.3 to v3.0. First thought, this must be good, major version change etc. etc…
So, what do I find?
Well, when I had first been talking to the kind guys and gals at Thycotic I had brought up a few ideas that may be advantageous to customers both new and existing.
“So what is PRS?” I hear you ask
Quite simply, it’s an easy to deploy, agentless, self-service AD password reset server, enabling your end users to unlock their own accounts, reset or change passwords using just a secure browser connection to your PRS server. This means there’s no more phone calls to the help desks, less interruption to your user’s working day, and far less “another bloomin’ account lockout” mutterings from your helpdesk team!
How does PRS work?
Well, PRS is an ASP.NET application delivered through IIS. Your end users can access the server from any browser, so it’s ideal for teams working on MAC or Linux endpoints. PRS will even send password change reminders with a link to the server, so users aren’t left to remember they need to change their password at the moment they can no longer connect to Exchange!
But if I can’t log in, how can I access the PRS webpage?
For windows users there’s a small MSI that can be deployed. This is a GINA hook that enables a PRS button to be displayed on the login screen. This works from Windows XP upwards, for both 32 and 64 bit OS’s
Clicking the Forgot Password? Button launches a reduced-function browser that will only point at your PRS server, so an already enrolled user can reset their password or unlock their account…
“So are you going to tell me what’s new IN PRS 3.0 then?!”
Ok, ok – I’m so easily distracted…
As I mentioned at the beginning, I had raised a few feature requests that I thought would add real value to IT teams and their flocks of users, and I’m really pleased to say that only a few months later not only did some of these get listed on the development roadmap, they’ve been included in this release!
Oh yes, the features new to v3.0….
- SIEM/Syslog integration: logging attempted, successful and failed reset attempts and the source IP address in CEF format.
I’ve actually pointed PRS at QRadar, IBM’s much lauded SIEM. What QRadar does compared to a simple log-manager is intelligently correlate data from multiple log sources to provide packaged “offences” that can be triaged and dealt with accordingly. QRadar can be thought of as a constantly vigil security guard. Correlation of events that could occur hours or days apart from seemingly unrelated sources can uncover intrusion attempts that would otherwise go completely unnoticed until the damage had been done.For more information on QRadar click here.
- Generic SMS gateway integration: for a long while PRS has been able to make the use of 3rd party voice and SMS verification services provided by ProxStop and Telesign. A random PIN is delivered by SMS or voice to the end users pre-defined phone number. Many enterprises already have internal devices for such, and now PRS can utilise these. This keeps costs down, and everything under your control. We have been using ProxStop with our PRS installation and it has worked very well, but we should slash our call costs by about a 75% when we move over to our SMS gateway.
- Additional options for Security Policy Questions: within each security policy you can now control how many questions are asked during a reset session, and the questions asked can be randomised.
- Automatic Enrolment through Active Directory attributes: the traditional method of end-user enrolment to PRS has been to visit your PRS portal and answer a number of pre-defined questions, and if required, a phone number for SMS/voice verification. You have also been able to pre-populate enrolment data from an external source, like a csv or spreadsheet. Well now you can quickly enrol users by using Active Directory information in challenge questions – such as phone numbers – very handy!
- AD Attribute Management: This feature allows updating Active Directory attributes, such as Last Name, and Mobile Phone number. This can then be delegated to the end user. Handy for when a user changes their mobile number…
- HTML emails: all notification emails are now sent in HTML
I’m not afraid to say it: I love Password Reset Server – it’s easy to install, maintain and use, and it’ll prove a real blessing to your organisations already overstretched help-desk. It’s also extremely cost effective – give us a call on 01582 434320 to find out just how cost effective it can be for you.
For more information on Thycotic’s Password Reset Server and their flagship product Secret Server, click through towww.satisnet.co.uk/thycotic