Active Directory Password Reset Tool

More productivity for Users and Service Desk

Read on for easy 4 steps to reach 90%+ adoption rate for on-premise or cloud solution [close to 2 million users] and the configuration and security features of the leading solution - FastPass Self Service Password Reset.

Self service password reset is one of the most efficient solutions any support organization can initiate. About 20-30% of all calls to a service desk are related to passwords. Improved end-user service level and reduced workload are attractive for any service desk manager and IT-operations manager. The prerequisite for success is dependent on users' acceptance rate of using self service password reset tool.

FastPass offers functionality and a best practice guide that secures our customers ' more than 90% adoption rate.

4 STEPS TO SUCCESS

1. ENROLLMENT

Force whenever applicable
Automatic emails for the rest

2. ACCESS EVERYWHERE

From Domain PC: Pre Windows credential provider
From external domain PC’s: With PC password cache reset
WEB-portal for guest PCs
Responsive design for all smart devices

3. SERVICE DESK ASSISTANCE

When users call anyway the service desk agent must have assistance for authenticating users
Users should have a PIN to re-enroll in self-service and not a password

4. CONVENIENT AND SECURE AUTHENTICATION

Question / answer method made for user experience

Private and semi-private answers for security questions
Standard questions
Individual personal questions
Bulk update of corporate data is possible, but not recommended

PIN-code push

For mobile phones
For e-mails (private)

Smart cards

Commercial methods like DUO, RSA

TOTP generally available

Microsoft authenticator
Google Authenticator

Country or industry-specific

Combine above to make multifactor authentication MFA

Active Directory Self Service Portal

6 pillars of an ideal configuration

Windows infrastructure

Active Directory
Multi-AD
Multi-forest AD
Azure AD
Hybrid Azure AD

The infrastructure

Architecture for hardening
Architecture for high availability
Architecture for high performance

Different processes and workflows for users

Communication to users are different across countries
Communication is different across internal functions
Different processes for internal and external users
Different authentications for different user groups

Languages must reflect the users’ language

not everybody understands English
FastPass has close to 40 languages

Self service even for other types of passwords like SAP, IBM, Oracle and many other

Easy and efficient administration and configuration from a central administrator portal

FastPass for Enterprise

offers all of the above for as well the customer who needs an on-premise solution and for customers wanting to go Cloud. The solution is even available for managed service providers as a multi-tenant solution for customers and cloud users!

The FastPass best practice SSPR passwords guide is a clear checklist on how to implement FastPass and reach +90% adoption and success rate.

This is however not enough to guarantee success. All installations are unique and the solution must adapt to the real requirements for user convenience and company IT-security requirements.

A reasonable term for this is CONFIGURABILITY!

Configurability considerations for active directory password reset tool software. Below is just a short overview of some of the decisions to be considered.

6 STEPS TO SUCCESS: Password Self Service

FastPass V4 - Secure Enterprise Passwords

FastPass V4 brings comprehensive password protection to secure organizations. Making passwords complex, avoiding the use of dictionary passwords and popular phrases as part of the password, changing the password regularly, and protecting the password processes will make your organization unattractive to hackers.

Learn more about our new feature

The nature of passwords is to make IT-systems SECURE!

The security of a software application does not only depend on the software; but also on the complete security of the IT-infrastructure. When it comes to IT-infrastructure FastPassCorp cannot dictate to customers how to configure. We will however promise that we in documentation and consulting recommendations will inform how you can configure your IT-system to protect your FastPass data and processes in your infrastructure.

Protecting the integrity of data

Using SSL to connect to AD makes the communication secure. Requires Security Certificate where encryption is RSA with key 2048 or 4096 bits.

Internal system encryption is based on AES256 which is the strongest with .net

Sensitive data are stored in the database using encryption is based on AES256 which is the strongest with .net

User data can be hashed in addition to encryption to completely protect user data

All sensitive data such as the users’ answers and questions are all AES 256 Bit encrypted.

The FastPass TrackEngine makes sure no one can intercept and repost data.

Internal communication from Front-end to Back-end to Gateway is only possible using trusted SSL certificates and only from selected IP addresses

Password can be stored encrypted (AES 256Bit Encrypted) in the FastPass Database. This enables a set of features to tighten security regarding password history. For example the minimum number of differences to any previously used password.

Protecting the Windows PC Client

Windows Client has three security levels to prevent any intruders:

URL restrictions. The client will only communicate with the FastPass server

Keyboard restrictions

Process restrictions (Level 1 imposed by Windows, Level 2 imposed by the Windows Client C and .Net level code)

Preventing access to user’s FastPass account

Notification to the user of authentication attempts using Question/Answers

A user cannot answer the same challenge question twice or have the same answers

FastPass always checks if a user is still enabled and active in AD before the user can use FastPass (FastPass does not enable users)

After 3 failed attempts users are locked in FastPass (not in AD), Service Desk assistance is needed to unlock the account again.

CAPTCHA protection against robotic attempts is included.

The Best Practices for security and protection of FastPass access will include the following actions:

The fundamental component is the installation of FastPass WEB-services in DMZ.

Hardening of the DMZ-server according to the FastPass Hardening documentation

Demand 2-factor authentication for users coming from WAN

User notification of password reset

Notify users via SMS and e-mail that their FastPass account has been used – eg. when authentication fails.

Use only SSL/TLS versions that are PCI-Compliant

For extra secure environments, the following aspects can be evaluated

Only allow access to through the Windows Client on remote PCs (Blocks the browser interface)

Demand remote devices to present a trusted device/user certificate

Allow Enrollment only from the LAN

Limit the IP address scope allowed on the WAN-side

Made best for users

In today’s environment, users expect fast self-service for any issues they might have with IT. As the most frequent issue is active directory password reset calls, then IT self service must include an Active Directory password self-service functionality. This will resolve users’ issues faster than calling a service desk. It can even turn critically if the problem appears outside the working hours of the service desk.

FastPass Self Service Password Reset Active Directory portal lets you start for an advanced and automatic platform for Windows Active Directory passwords. You can later add functionality as your requirements increase. You might also consider FastPass Cloud.

FastPass basic functions are based on a self-service WEB-portal where users are able to unlock their Active Directory account or reset their forgotten active directory password. Different ways of authentication are available: challenge questions, SMS-Pin codes, Google and Microsoft authenticators or other. Even 2-factor authentication can be dynamic! Access to the portal is from any device with a standard browser – smartphones included. Users get assistance to make the new password according to password policy. The user can select the end-user language from more than 40 different languages. For more details on functionality see FastPass password Manager facts.

Optional features and facilities

Many organizations can improve the self service Active Directory password reset business case and user satisfaction by adding more advanced functionality to FastPass.

With FastPass PC-client users get access to the portal from a locked Domain PC with a credential provider. This is the most usual situation for end-users experiencing problems with passwords. No need to go to another device to access the WEB-portal!

Enrollment is key to user adoption rates. With FastPass PC-client users are forced to enroll!

Non-domain users can be invited to enroll by FastPass automatic e-mail enrollment service.

HelpDesk client is available for the service desk support for those users who call for support anyway. It speeds up the service and increases security.

For users with corporate PC’s who access the system from the external network (from home or travel), the Remote PC-client enables FastPass to reset the PC-cache password. This can’t be done by the service desk with traditional tools and is an extraordinary value.

Organizations with multiple Active Directories can handle this complexity in the extended version

How does a Self-service password reset solution SSPR work?

When the authentication is accepted the user must make his new password. For user convenience, the password policy must be visible to help the user make a compliant password. As the user compiles the different policy elements can turn green to show the user that the password is OK.

FastPass is of course also available from external PC’s via WEB-access and for smartphones and tablets.

Microsoft password reset

Microsoft password reset (in other words, when user forgot windows passwords) is traditionally done by the service desk using their privileged passwords for active directory.

Better productivity and service is achieved with AD password reset tool. Customers with FastPass are successful with password self service because of the following qualities in the service:

Users need to enroll to be able to authenticate in FastPass when the windows password is forgotten or locked! It can be done with forced enrolment or with the FastPass automatic e-mail enrolment service.
Access is needed from all type of devices from internal and external networks. The devices can be corporate PCs, smartphones, tablets, and general browser access
Authentication must be both easy and secure at the same time. You can configure if you want single or multi-factor authentication MFU. FastPass supports:
Standard question and answers
Users’ own questions and answers
SMS to users’ mobile phone number
Microsoft Authenticator and Google Authenticator
Smart cards
Other options
Assistance from the service desk if the user is unable to do self service

FastPass supports Active Directory and Azure Active Directory users.

FastPass password synchronization is based on an AD interceptor catching all changes to passwords in AD. This creates a transaction to FastPass password synchronization module. FastPass then has a user-map where the user’s user-ids are linked together for the synchronization transaction. FastPass password synchronization reacts very fast, so in general users’ passwords are changed in the target systems even before the user logs in to the alternate systems.

What our customers are saying about us

The biggest businesses in different industries trust FastPassCorp

Protect your Passwords today with FastPass

Get in touch with us today by filling up the form and our team will get back to you as soon as possible.