[unisog] Active Directory Web-Based Password Reset

John Stauffacher stauffacher at chapman.edu
Tue Nov 18 18:52:36 GMT 2003

I personally wrote a good portion of Chapman's web-based password reset and
functionally it is a very easy, straightforward process, but once you dig
deeper you get into issues with identity. How do you prove Joe Smith is
really Joe Smith when you cannot see Joe Smith, or have anything to verify
his identity? Do you use the question/answer paradigm, what if the user
forgets their questions or their answers? Do you use the carnal knowledge
paradigm? Where do you get the knowledge and who else has access to that
knowledge? When I first started the project I thought it was going to be
cake, until I looked under the hood and realized it was going to take some
time, planning and the sign off from some very high people. Currently
Chapman uses a sort of lockstep process. If the user *knows* their password
and would like to reset it then they go to a page that authenticates them,
and then asks for the new password twice -- checking for common weak
passwords etc. Then the update gets pushed to AD via LDAP and also to our
main LDAP cluster. Currently if the user does *NOT* know their password,
they have to call the helpdesk, the helpdesk tech fills out a web form
asking various points of carnal knowledge (Name While In Attendance, Dates
of Attendance, Last 4 of the social). The Perl scripts in the backend verify
the information and return a yay or nay. If nay, the script returns some
wordage instructing the helpdesk personnel to have the user contact our
registrar's office. If yay then the password is reset to the user's full
social, the ChangePasswordOnNextLogin flag is tripped in AD, an email is
generated and sent, and a 2hr timer is started. The email contains a link
back to our password change site with an encrypted token. The user clicks
the link, logs in to the password change site -- the token is verified, the
user can *THEN* change their password to what they want (as long as it is
not weak), and the 2hr timer is broken. If the user chooses to log in to a
lab machine, the Windows boxes prompt the user to change passwords, the 2hr
timer is broken and the update gets pushed to LDAP via a modified version of
SSOD. The system is also set up in such a way that all of this can be done
by the user, without the human element, but that has not been pushed to
production (just changing a flag in a config file). Right now we have been
testing for the last 3 months and it looks to be pretty solid.

John Stauffacher
Network Administrator
Chapman University
stauffacher at chapman.edu
"I ran out of sick days, so I called in dead" 
"The man who does not read good books has no advantage over the man who
cannot read them." -Mark Twain  (1835-1910)

"It is from numberless diverse acts of courage and belief that human history
is shaped. Each time a man stands up for an ideal, or acts to improve the
lot of others, or strikes out against injustice, he sends forth a tiny
ripple of hope, and crossing each other from a million different centers of
energy and daring those ripples build a current which can sweep down the
mightiest walls of oppression and injustice." - Robert F Kennedy

Pursuant to 47 USC, unsolicited e-mail sent to any of my addresses is
subject to an archival fee of not less than $500 U.S. per copy. E-mail
received after any receipt of this notice implies acceptance of these terms.
A copy of the specific law regarding this activity may be found at

-----Original Message-----
From: Jason Brooks [mailto:jbrooks at longwood.edu] 
Sent: Tuesday, November 18, 2003 7:09 AM
To: unisog at sans.org
Cc: security-basics at securityfocus.com
Subject: [unisog] Active Directory Web-Based Password Reset

We are looking at implementing a web-based password reset system for our 
entire campus.  This would allow us numerous enhancements and security 
benefits without requiring a 24 hour help desk staff.  I know that there 
are disadvantages to such a system.  Our initial plan is to develop one 
in-house.  So doing, we don't want to reinvent the wheel, or follow others 
into known pitfalls.  So, what I am requesting is any advice, war stories, 
suggestions, pitfalls, etc you can muster.


Jason Brooks
Information Security Technician
116 - B Coyner
Longwood University
201 High Street
Farmville, VA 23901
(434) 395-2796
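
Added example, not part of the original post and not Chapman's code: one way to issue and verify the emailed reset-link token described in the reply above. The post says the token is encrypted; this example uses an HMAC-signed, single-use token instead, and assumes the token is only honoured inside the 2hr window. The names issue_token, redeem_token, SERVER_KEY and the in-memory _pending store are hypothetical.

```python
import base64, hashlib, hmac, secrets, time

TOKEN_TTL = 2 * 60 * 60               # the 2hr timer from the post, in seconds
SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the reset site
_pending = {}                         # assumption: username -> (nonce, expiry); a DB table in practice

def _mac(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def issue_token(username, now=None):
    """Create the token that goes into the emailed link."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)      # unguessable, unique per reset
    expiry = now + TOKEN_TTL
    _pending[username] = (nonce, expiry)   # issuing a new token invalidates the old one
    payload = f"{username}|{nonce}|{expiry}".encode()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_mac(payload)).decode()

def redeem_token(token, now=None):
    """Return the username if the token is authentic, unused and in time, else None."""
    now = int(time.time() if now is None else now)
    try:
        p64, m64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
        username, nonce, expiry = payload.decode().split("|")
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None                        # malformed input never reaches the MAC check
    # Constant-time comparison: reject anything not signed by this server.
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    # Must match the one outstanding reset for this user (blocks replay).
    if _pending.get(username) != (nonce, expiry):
        return None
    del _pending[username]                 # single use, even if it turns out to be late
    return username if now < expiry else None
```

The caller still has to authenticate the user with the temporary password before accepting the token, as the post describes; the token only proves that the link came from the email the site sent.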
