PC Review



Overwhelmed by student password resets. Discussions on best way to let students use '.asp page password recovery'

 
 
Marlon Brown
11th Mar 2005
My organization has 12,000 Windows 2000 student accounts.

Helpdesk and local "IT assistants" are overwhelmed by student password
requests. I ended up granting password reset permissions to dozens of
people, and that by itself became a security issue right there.

That said, this is what I have in mind:

a) Students have some information on a SQL database (or even more
information on the respective student Unix db) that I could use. For
example, I could make an ASP page available in a couple of machines on every
student lab. From there users would need to type information such as
"Mother's middle name", "year of graduation in elementary school", "name of
elementary school you graduated from". Upon a match, the .asp page would
reset the student passwords in AD and return a random password right there
on the screen.

Concern: Using this method students would have information widely available
in the student database. Employees in my organization would know that
information.

OR

b) Build a webform where existing students can type "Secret" questions. Save
that information (encrypted?) in the SQL database. Only students would know
the combination of secret questions (such as "what's your favorite pet's
name?", "what's your grandmother's name", etc).
Concern: I would need to find a way to force users to go to the webform and
input such information. I think that I could use Group Policies to make the
default IE page as this "InputPasswordRecoverySecretQuestions.aspx" and in
addition pop up a login script-MessageBox every day upon logon that pledges
them to input such secret questions. Not sure if most students would
cooperate and visit the webform to input the new information.

For new students, I could make them go to a "Setup MyAccount" website and
provide a PIN number which could activate the AD account. The problem is
that all my workstations require Windows logon in labs. Therefore if they
didn't have the Windows account first, they couldn't even logon to the
workstations in order to access such "Setup MyAccount" webform.

Please advise and feel free to give suggestions on the best way to handle this.



 
Roger Abell
13th Mar 2005
For privacy compliance we require photo positive identification
on requests for password reset. Whatever you bake will probably
need to be as legally valid.

Your option a) does not seem easily securable - too distributed

Your option b) has the bootstrapping issue you mention, how to
cover the already existing accounts

Your ending comment about new students is likely your only
choice, and reap the benefits over time - but does not exclude
providing for existing students to use a windows login protected
page to tie such QandA to their existing.

However you do this you will need to be very clear in the
"I acknowledge . . . " section that this is an "opt in" feature
and they are taking responsibility for its use after activation.

Your other option is some metalevel sync driven from some
other realm if the students have accounts in such and it is
considered to be more secure - like an account allowing them
access to their student records, etc. This is non-trivial in
terms of politics and coordination of will with owners of the
other system, but technically is not too difficult.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Marlon Brown" <(E-Mail Removed)> wrote in message
news:O95fa%(E-Mail Removed)...
> My organization has 12,000 Windows 2000 student accounts.
>
> Helpdesk and local "IT assistants" are overwhelmed by student password
> requests. I ended up granting password reset permissions to dozens of
> people, and that by itself became a security issue right there.
>
> That said, this is what I have in mind:
>
> a) Students have some information on a SQL database (or even more
> information on the respective student Unix db) that I could use. For
> example, I could make an ASP page available in a couple of machines on every
> student lab. From there users would need to type information such as
> "Mother's middle name", "year of graduation in elementary school", "name of
> elementary school you graduated from". Upon a match, the .asp page would
> reset the student passwords in AD and return a random password right there
> on the screen.
>
> Concern: Using this method students would have information widely available
> in the student database. Employees in my organization would know that
> information.
>
> OR
>
> b) Build a webform where existing students can type "Secret" questions. Save
> that information (encrypted?) in the SQL database. Only students would know
> the combination of secret questions (such as "what's your favorite pet's
> name?", "what's your grandmother's name", etc).
> Concern: I would need to find a way to force users to go to the webform and
> input such information. I think that I could use Group Policies to make the
> default IE page as this "InputPasswordRecoverySecretQuestions.aspx" and in
> addition pop up a login script-MessageBox every day upon logon that pledges
> them to input such secret questions. Not sure if most students would
> cooperate and visit the webform to input the new information.
>
> For new students, I could make them go to a "Setup MyAccount" website and
> provide a PIN number which could activate the AD account. The problem is
> that all my workstations require Windows logon in labs. Therefore if they
> didn't have the Windows account first, they couldn't even logon to the
> workstations in order to access such "Setup MyAccount" webform.
>
> Please advise and feel free to give suggestions on the best way to handle this.

Marlon Brown
14th Mar 2005
Thanks. I think option b) would be the way to go. This is what I
have in mind:

1) New students would receive the windows AD account and temporary password
(as is now) that would force them to change it at first logon.

2) Student accounts would initially be placed in
\StudentOU\NoPersonalRegistry.
Under such OU, access to resources would be very limited, restricted by
Group Policies; no way to access applications, printers. They would be
directed to an IE page that displays a URL "Register Your Account/Answer
Secure Questions here".

3) A script running every 5 minutes from MyServer would check whether there
is information entered accordingly in SQL db for such student account. If
there is information entered accordingly, then the ADSI script would move
the respective student account from \StudentOU\NoPersonalRegistry to
\StudentOU\YesPersonalRegistry.

\StudentOU\YesPersonalRegistry should be the OU that contains adequate
settings such as ability to access printers, IE, applications, etc.

4) I would make a couple of kiosks using low-end machines available in the
respective student lab. Students who forget their password would go to those
kiosks and request a password reset right there. IIS would run with credentials
sufficient to reset accounts under that OU only. An e-mail notification
would be sent to the lab manager upon each request for password recovery.
That way, if someone is trying to reset somebody else's password, the lab
manager would be able to monitor that.

If someone thinks that the above doesn't work please let me know.
Suggestions are greatly welcome.
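The two posts above leave one question open ("Save that information (encrypted?) in the SQL database") and describe two checks the plan depends on: the 5-minute job's test for whether a student has registered secret answers (step 3), and the kiosk's test for whether submitted answers match (step 4). The following is an added example, written for this page and not code from the thread, showing one defensible way to do both in Python. Answers are short and guessable, so they are treated like passwords: normalised, salted and hashed with PBKDF2 rather than encrypted, compared in constant time, and a per-account failure counter produces the "locked" state that would drive the lab-manager e-mail. The in-memory dict stands in for the SQL table, and all names, question texts and policy values are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass, field

# Policy knobs (assumed values, not from the thread).
REQUIRED_QUESTIONS = 3      # every registered question must be answered to reset
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5     # after this the kiosk refuses and the lab manager is told


def normalise(answer: str) -> str:
    """Fold case, Unicode compatibility forms and whitespace so that
    "Fluffy " and "fluffy" verify as the same answer."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the normalised answer.  A dump of the
    table yields salts and digests, not the answers themselves."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


@dataclass
class StoredAnswer:
    question: str
    salt: bytes
    digest: bytes


@dataclass
class Registration:
    answers: list = field(default_factory=list)
    failed_attempts: int = 0


# Stand-in for the SQL table the thread describes (constructed, in-memory).
STORE = {}


def register(username: str, qa_pairs) -> None:
    """Called from the registration page; replaces any earlier answers."""
    if len(qa_pairs) < REQUIRED_QUESTIONS:
        raise ValueError(f"need at least {REQUIRED_QUESTIONS} questions")
    reg = Registration()
    for question, answer in qa_pairs:
        salt = os.urandom(16)  # fresh random salt per answer
        reg.answers.append(StoredAnswer(question, salt, hash_answer(answer, salt)))
    STORE[username] = reg


def registration_complete(username: str) -> bool:
    """The check the periodic ADSI job would run before moving an account
    out of the restricted OU."""
    reg = STORE.get(username)
    return reg is not None and len(reg.answers) >= REQUIRED_QUESTIONS


def questions_for(username: str) -> list:
    """What the kiosk page shows; the questions are not secret, the answers are."""
    reg = STORE.get(username)
    return [a.question for a in reg.answers] if reg else []


def verify_answers(username: str, submitted: dict) -> tuple:
    """Return (ok, reason) with reason in {"ok", "not-registered", "locked",
    "mismatch"}.  The caller resets the AD password only on "ok" and sends the
    lab-manager notification on every call."""
    reg = STORE.get(username)
    if reg is None:
        return False, "not-registered"
    if reg.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False, "locked"
    ok = True
    for stored in reg.answers:
        given = submitted.get(stored.question, "")
        # Check every answer without short-circuiting so the response does not
        # reveal which question failed; compare_digest keeps the comparison
        # itself constant-time.
        if not hmac.compare_digest(hash_answer(given, stored.salt), stored.digest):
            ok = False
    if ok:
        reg.failed_attempts = 0
        return True, "ok"
    reg.failed_attempts += 1
    if reg.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False, "locked"
    return False, "mismatch"


if __name__ == "__main__":
    # Constructed sample student and a sloppily typed but correct set of answers.
    register("student01", [("favourite pet", "Fluffy"),
                           ("grandmother's name", "Ana Maria"),
                           ("elementary school", "Lincoln")])
    print(registration_complete("student01"))
    print(verify_answers("student01", {"favourite pet": " fluffy",
                                      "grandmother's name": "ANA  MARIA",
                                      "elementary school": "lincoln"}))
```

Two design points worth noting. Requiring all registered answers, and checking all of them before answering, keeps a wrong guess from leaking which question was missed. The failure counter lives with the account, not the kiosk session, so moving to another kiosk does not reset it; the notification the plan already sends to the lab manager is what turns a "locked" account back into a human-verified reset.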




"Roger Abell" <(E-Mail Removed)> wrote in message
news:O94VpV%(E-Mail Removed)...
> For privacy compliance we require photo positive identification
> on requests for password reset. Whatever you bake will probably
> need to be as legally valid.
>
> Your option a) does not seem easily securable - too distributed
>
> Your option b) has the bootstrapping issue you mention, how to
> cover the already existing accounts
>
> Your ending comment about new students is likely your only
> choice, and reap the benefits over time - but does not exclude
> providing for existing students to use a windows login protected
> page to tie such QandA to their existing.
>
> However you do this you will need to be very clear in the
> "I acknowledge . . . " section that this is an "opt in" feature
> and they are taking responsibility for its use after activation.
>
> Your other option is some metalevel sync driven from some
> other realm if the students have accounts in such and it is
> considered to be more secure - like an account allowing them
> access to their student records, etc. This is non-trivial in
> terms of politics and coordination of will with owners of the
> other system, but technically is not too difficult.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA

Roger Abell
14th Mar 2005
I am assuming all the IE and IIS you mention is within SSL encryption.
I do not quite understand why the kiosks in the labs instead of just
an https connection from any acceptable (infrastructure local) IP to
the tightly guarded IIS site (https, access from IP list, etc).

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Marlon Brown" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks. I think option b) would be the way to go. This is what I
> have in mind:
>
> 1) New students would receive the windows AD account and temporary password
> (as is now) that would force them to change it at first logon.
>
> 2) Student accounts would initially be placed in
> \StudentOU\NoPersonalRegistry.
> Under such OU, access to resources would be very limited, restricted by
> Group Policies; no way to access applications, printers. They would be
> directed to an IE page that displays a URL "Register Your Account/Answer
> Secure Questions here".
>
> 3) A script running every 5 minutes from MyServer would check whether there
> is information entered accordingly in SQL db for such student account. If
> there is information entered accordingly, then the ADSI script would move
> the respective student account from \StudentOU\NoPersonalRegistry to
> \StudentOU\YesPersonalRegistry.
>
> \StudentOU\YesPersonalRegistry should be the OU that contains adequate
> settings such as ability to access printers, IE, applications, etc.
>
> 4) I would make a couple of kiosks using low-end machines available in the
> respective student lab. Students who forget their password would go to those
> kiosks and request a password reset right there. IIS would run with credentials
> sufficient to reset accounts under that OU only. An e-mail notification
> would be sent to the lab manager upon each request for password recovery.
> That way, if someone is trying to reset somebody else's password, the lab
> manager would be able to monitor that.
>
> If someone thinks that the above doesn't work please let me know.
> Suggestions are greatly welcome.
 