I am assuming all the IE and IIS you mention is within SSL encryption.
I do not quite understand why the kiosks in the labs instead of just
an https connection from any acceptable (infrastructure local) IP to
the tightly guarded IIS site (https, access from IP list, etc).
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Marlon Brown" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks. I think the option would b) would be the way to go. This is what I
> have in mind:
>
> 1) New students would receive the windows AD account and temporary password
> (as is now) that would force them to change it at first logon.
>
> 2) Student accounts would initially be placed in
> \StudentOU\NoPersonalRegistry.
> Under such OU, access to resources would be very limited, restricted by
> Group Policies; no way to access applications, printers. They would be
> directed to an IE page that displays an URL "Register Your Account/Answer
> Secure Questions here".
>
> 3) A script running every 5 minutes from MyServer would check whether there
> is information entered accordingly in SQL db for such student account. If
> there is information entered accordingly, then the ADSI script would move
> the respective student account from \StudentOU\NoPersonalRegistry to
> \StudentOU\YesPersonalRegistry.
>
> \StudentOU\YesPersonalRegistry should be the OU that contains adequate
> settings such as ability to access printers, IE, applications, etc.
>
> 4) I would make a couple of kiosks using low-end machines available in the
> respective student lab. Students who forget password would go to those kiosks
> and request password reset right there. IIS would run with credentials
> sufficient to reset accounts under that OU only. An e-mail notification
> would be sent to the lab manager upon each request for password recovery.
> That way, if someone is trying to reset somebody else's password, the lab
> manager would be able to monitor that.
>
> If someone thinks that the above doesn't work please let me know.
> Suggestions are greatly welcome.
>
>
>
>
> "Roger Abell" <(E-Mail Removed)> wrote in message
> news:O94VpV%(E-Mail Removed)...
> > For privacy compliance we require photo positive identification
> > on requests for password reset. Whatever you bake will probably
> > need to be as legally valid.
> >
> > Your option a) does not seem easily securable - too distributed
> >
> > Your option b) has the bootstrapping issue you mention, how to
> > cover the already existing accounts
> >
> > Your ending comment about new students is likely your only
> > choice, and reap the benefits over time - but does not exclude
> > providing for existing students to use a windows login protected
> > page to tie such QandA to their existing.
> >
> > However you do this you will need to be very clear in the
> > "I acknowlege . . . " section that this is an "opt in" feature
> > and they are taking responsibility for its use after activation.
> >
> > Your other option is some metalevel sync driven from some
> > other realm if the students have accounts in such and it is
> > considered to be more secure - like an account allowing them
> > access to their student records, etc. This is non-trivial in
> > terms of politics and coordination of will with owners of the
> > other system, but technically is not too difficult.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Marlon Brown" <(E-Mail Removed)> wrote in message
> > news:O95fa%(E-Mail Removed)...
> >> My organization has 12,000 Windows 2000 student accounts.
> >>
> >> Helpdesk and local 'IT assistants' are overwhelmed by student password
> >> requests. I ended up granting password reset permissions to dozens of
> >> people, and that by itself became a security issue right there.
> >>
> >> That said, this is what I have in mind:
> >>
> >> a) Students have some information on a SQL database (or even more
> >> information on the respective student Unix db) that I could use. For
> >> example, I could make an ASP page available in a couple of machines on every
> >> student lab. From there users would need to type information such as
> >> "Mother's middle name", "year of graduation in elementary school", "name of
> >> elementary school you graduated from". Upon a match, the .asp page would
> >> reset the student passwords in AD and return a random password right there
> >> on the screen.
> >>
> >> Concern: Using this method students would have information widely available
> >> in the student database. Employees in my organization would know that
> >> information.
> >>
> >> OR
> >>
> >> b) Build a webform where existing students can type "Secret" questions. Save
> >> that information (encrypted?) in the SQL database. Only students would know
> >> the combination of secret questions (such as "what's your favorite pet's
> >> name?", "what's your grandmother's name", etc).
> >> Concern: I would need to find a way to force users to go to the webform and
> >> input such information. I think that I could use Group Policies to make the
> >> default IE page as this "InputPasswordRecoverySecretQuestions.aspx" and in
> >> addition pop up a login script-MessageBox every day upon logon that pledges
> >> them to input such secret questions. Not sure if most students would
> >> cooperate and visit the webform to input the new information.
> >>
> >> For new students, I could make them go to a "Setup MyAccount" website and
> >> provide a PIN number which could activate the AD account. The problem is
> >> that all my workstations require Windows logon in labs. Therefore if they
> >> didn't have the Windows account first, they couldn't even logon to the
> >> workstations in order to access such "Setup MyAccount" webform.
> >>
> >> Please advise and feel free to give suggestions on best way to handle this.
> >>
> >>
> >>
> >
> >
>
>
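The "step 3" scheduled ADSI script from Marlon's plan, written here as an added PowerShell example (not code from the thread). It assumes hypothetical names: the domain DC=school,DC=local, a SQL database StudentDB on MyServer with a table dbo.SecretAnswers keyed by SamAccountName, a log path C:\Logs\registry-move.log, and the two OUs named in the post. The search is scoped to the restricted OU only and the SQL query is parameterized, so the script can neither touch accounts elsewhere nor be steered by a student-typed account name.

```powershell
# Added example, not from the original thread. Hypothetical names: DC=school,DC=local,
# MyServer\StudentDB, dbo.SecretAnswers(SamAccountName), C:\Logs\registry-move.log.
$srcOu = [ADSI]"LDAP://OU=NoPersonalRegistry,OU=StudentOU,DC=school,DC=local"
$dstOu = [ADSI]"LDAP://OU=YesPersonalRegistry,OU=StudentOU,DC=school,DC=local"
$log   = 'C:\Logs\registry-move.log'   # hypothetical audit trail for the lab manager

# Parameterized query: the account name is bound as data, never spliced into SQL text.
$conn = New-Object System.Data.SqlClient.SqlConnection `
    'Server=MyServer;Database=StudentDB;Integrated Security=SSPI'
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT COUNT(*) FROM dbo.SecretAnswers WHERE SamAccountName = @sam'
$param = $cmd.Parameters.Add('@sam', [System.Data.SqlDbType]::NVarChar, 256)

# Search only the restricted OU, one level deep: accounts anywhere else are out of reach.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($srcOu)
$searcher.Filter = '(&(objectCategory=person)(objectClass=user))'
$searcher.SearchScope = 'OneLevel'
$searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null

$results = $searcher.FindAll()
foreach ($result in $results) {
    $sam = [string]$result.Properties['samaccountname'][0]
    $param.Value = $sam
    $registered = [int]$cmd.ExecuteScalar()
    if ($registered -gt 0) {
        # Student has answered the secret questions: lift the restrictions by moving the OU.
        $user = $result.GetDirectoryEntry()
        $user.MoveTo($dstOu)
        Add-Content -Path $log -Value "$(Get-Date -Format o) moved $sam to YesPersonalRegistry"
    }
}
$results.Dispose()
$conn.Close()
```

Run it under a service account whose only AD right is to move objects between these two OUs, so a compromise of MyServer yields nothing beyond that.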