Overwhelmed by student password resets. Discussions on best way to let students use '.asp page passwo

Discussion in 'Microsoft Windows 2000 Security' started by Marlon Brown, Mar 11, 2005.

  1. Marlon Brown

    Marlon Brown Guest

    My organization has 12,000 Windows 2000 student accounts.

    Helpdesk and local 'IT assistants' are overwhelmed by student password
    requests. I ended up granting password reset permissions to dozens of
    people, and that by itself became a security issue right there.

    That said, this is what I have in mind:

    a) Students have some information on a SQL database (or even more
    information on the respective student Unix db) that I could use. For
    example, I could make an ASP page available in a couple of machines on every
    student lab. From there users would need to type information such as
    "Mother's middle name", "year of graduation in elementary school", "name of
    elementary school you graduated from". Upon a match, the .asp page would
    reset the student passwords in AD and return a random password right there
    on the screen.

    Concern: Using this method, students would have information widely available
    in the student database. Employees in my organization would know that
    information.

    OR

    b) Build a webform where existing students can type "Secret" questions. Save
    that information (encrypted?) in the SQL database. Only students would know
    the combination of secret questions (such as "what's your favorite pet's
    name?", "what's your grandmother's name", etc.).
    Concern: I would need to find a way to force users to go to the webform and
    input such information. I think that I could use Group Policies to make the
    default IE page as this "InputPasswordRecoverySecretQuestions.aspx" and in
    addition pop up a login script-MessageBox every day upon logon that pledges
    them to input such secret questions. Not sure if most students would
    cooperate and visit the webform to input the new information.

    For new students, I could make them go to a "Setup MyAccount" website and
    provide a PIN number which could activate the AD account. The problem is
    that all my workstations require Windows logon in labs. Therefore if they
    didn't have the Windows account first, they couldn't even log on to the
    workstations in order to access such "Setup MyAccount" webform.

    Please advise and feel free to give suggestions on best way to handle this.
     
    Marlon Brown, Mar 11, 2005
    #1

  2. Roger Abell

    Roger Abell Guest

    For privacy compliance we require photo positive identification
    on requests for password reset. Whatever you bake will probably
    need to be as legally valid.

    Your option a) does not seem easily securable - too distributed

    Your option b) has the bootstrapping issue you mention: how to
    cover the already existing accounts.

    Your ending comment about new students is likely your only
    choice, and reap the benefits over time - but does not exclude
    providing for existing students to use a windows login protected
    page to tie such QandA to their existing.

    However you do this you will need to be very clear in the
    "I acknowledge . . . " section that this is an "opt in" feature
    and they are taking responsibility for its use after activation.

    Your other option is some metalevel sync driven from some
    other realm if the students have accounts in such and it is
    considered to be more secure - like an account allowing them
    access to their student records, etc. This is non-trivial in
    terms of politics and coordination of will with owners of the
    other system, but technically is not too difficult.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
     
    Roger Abell, Mar 13, 2005
    #2

  3. Marlon Brown

    Marlon Brown Guest

    Thanks. I think option b) would be the way to go. This is what I
    have in mind:

    1) New students would receive the windows AD account and temporary password
    (as is now) that would force them to change it at first logon.

    2) Student accounts would initially be placed in
    \StudentOU\NoPersonalRegistry.
    Under such OU, access to resources would be very limited, restricted by
    Group Policies; no way to access applications, printers. They would be
    directed to an IE page that displays a URL "Register Your Account/Answer
    Secure Questions here".

    3) A script running every 5 minutes from MyServer would check whether there
    is information entered accordingly in SQL db for such student account. If
    there is information entered accordingly, then the ADSI script would move
    the respective student account from \StudentOU\NoPersonalRegistry to
    \StudentOU\YesPersonalRegistry.

    \StudentOU\YesPersonalRegistry should be the OU that contains adequate
    settings such as ability to access printers, IE, applications, etc.

    4) I would make a couple of kiosks using low-end machines available in the
    respective student lab. Students who forget their password would go to those
    kiosks and request a password reset right there. IIS would run with
    credentials sufficient to reset accounts under that OU only. An e-mail
    notification would be sent to the lab manager upon each request for password
    recovery. That way, if someone is trying to reset somebody else's password,
    the lab manager would be able to monitor that.

    If someone thinks that the above doesn't work please let me know.
    Suggestions are greatly welcome.

     
    Marlon Brown, Mar 14, 2005
    #3
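    Option b) in the first post stores the "secret" answers in SQL and leaves open whether they should be encrypted, and step 4 above wants every kiosk request reported to the lab manager. The following is an added example, not code from the thread: it shows the store and the kiosk-side check as a defender would build them, with answers normalized and kept as salted PBKDF2 hashes (so DBAs and helpdesk staff cannot read them, unlike an encrypted column), all answers required to match, a failure counter that locks self-service after a few bad attempts, and an audit list from which the lab-manager notification can be sent. The question text, the student id, the iteration count and the lockout threshold are assumptions; the actual AD reset is left out.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000   # assumed PBKDF2 work factor; tune to the kiosk hardware
MAX_FAILURES = 5       # assumed lockout threshold for self-service resets


def normalize(answer: str) -> str:
    """Case, spacing and accent differences should not fail a student."""
    folded = unicodedata.normalize("NFKD", answer)
    folded = folded.encode("ascii", "ignore").decode()
    return " ".join(folded.casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, stretched hash of the normalized answer (never stored in clear)."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)


def enroll(questions_and_answers: dict) -> dict:
    """Build the row the registration page would write to the SQL table."""
    record = {"answers": {}, "failures": 0}
    for question, answer in questions_and_answers.items():
        salt = os.urandom(16)                      # per-answer salt
        record["answers"][question] = (salt, hash_answer(answer, salt))
    return record


def verify_reset_request(record: dict, attempt: dict, audit: list, user: str) -> bool:
    """Kiosk-side check: every enrolled answer must match; every attempt is audited."""
    if record["failures"] >= MAX_FAILURES:
        audit.append(f"{user}: reset refused, self-service locked after repeated failures")
        return False
    ok = set(attempt) == set(record["answers"])    # no missing or extra questions
    for question, (salt, stored) in record["answers"].items():
        given = attempt.get(question, "")
        # Evaluate every answer and compare in constant time, so timing and
        # early exits do not reveal which question was answered wrongly.
        if not hmac.compare_digest(hash_answer(given, salt), stored):
            ok = False
    if ok:
        record["failures"] = 0
        audit.append(f"{user}: self-service reset granted")
    else:
        record["failures"] += 1
        audit.append(f"{user}: self-service reset denied (failure {record['failures']})")
    return ok
```

Each audit entry corresponds to one e-mail to the lab manager; the failure counter should be reset by a helpdesk-verified reset, not by the kiosk.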
  4. Roger Abell

    Roger Abell Guest

    I am assuming all the IE and IIS you mention is within SSL encryption.
    I do not quite understand why the kiosks in the labs instead of just
    an https connection from any acceptable (infrastructure local) IP to
    the tightly guarded IIS site (https, access from IP list, etc).

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
     
    Roger Abell, Mar 14, 2005
    #4