Overhelmed by student password resets. Discussions on best way to let students use '.asp page passwo

  • Thread starter Thread starter Marlon Brown
  • Start date Start date
M

Marlon Brown

My organization has 12,000 Windows 2000 student accounts.

Helpdesk and local 'IT assistants" are overwhelmed by student password
requests. I ended up granting password reset permissions to dozens of
people, and that by itself became a security issue right there.

That said, this is what I have in mind:

a) Students have some information on a SQL database (or even more
information on the respective student Unix db) that I could use. For
example, I could make an ASP page available in a couple of machines on every
student lab. From there users would need to type information such as
"Mother's middle name", "year of graduation in elementary school", "name of
elementary school you graduated from". Upon a match, the .asp page would
reset the student passwords in AD and return a random password right there
on the screen.

Concern:Using this method students would have information widely available
in the stuent database. Employees in my organization would know that
information.

OR

b) Build a webform where existing students can type "Secret" questions. Save
that information (encrypted?) in the SQL database. Only students would know
the combination of secret questions (such as "what's your favorite pet's
name ?" , "what's your grandmother name", etc).
Concern: I would need to find a way to force users to go to the webform and
input such information. I think that I could use Group Policies to make the
default IE page as this "InputPasswordRecoverySecretQuestions.aspx" and in
addition pop up a login script-MessageBox every day upon logon that pledges
them to input such secret questions. Not sure if most students would
cooperate and visit the webform to input the new information.

For new students, I could make them go to a "Setup MyAccount" website and
provide a PIN number which could activate the AD account. The problem is
that all my workstations require Windows logon in labs. Therefore if they
didn't have the Windows account first, they couldn't even logon to the
workstations in order to access such "Setup MyAccount" webform.

Please advise and feel free to give suggestions on best way to handle this.
 
For privacy compliance we require photo postitive identification
on requests for password reset. Whatever you bake will probably
need to be as legally valid.

Your option a) does not seem easily securable - too distributed

Your option b) has the bootstrapping issue you mention, how to
cover the already existing accounts

Your ending comment about new students is likely your only
choice, and reap the benefits over time - but does not exclude
providing for existing students to use a windows login protected
page to tie such QandA to their existing.

However you do this you will need to be very clear in the
"I acknowlege . . . " section that this is an "opt in" feature
and they are taking responsibility for its use after activation.

Your other option is some metalevel syn'c driven from some
other realm if the students have accounts in such and it is
considered to be more secure - like an account allowing them
access to their student records, etc.. This is non-trivial in
terms of politics and coordination of will with owners of the
other system, but technically is not too difficult.
 
Thanks. I think the option would b) would be the way to go. This is what I
have in mind:

1) New students would receive the windows AD account and temporary password
(as is now) that would force them to change it at first logon.

2) Student accounts would initially be placed in
\StudentOU\NoPersonalRegistry.
Under such OU, access to resources would be very limited, restricted by
Group Policies; no way to access applications, printers. They would be
directed to an IE page that displays an URL "Register Your Account/Answer
Secure Questions here".

3) A script running every 5 minutes from MyServer would check whether there
is information entered accordingly in SQL db for such student account. If
there is information entered accordingly, then the ADSI script would move
the respective student account from \StudentOU\NoPersonalRegistry to
\StudentOU\YesPersonalRegistry.

\StudentOU\YesPersonalRegistry should be the OU that contains adequate
settings such as ability to access printers, IE, applications ,etc.

4) I would make a couple of kiosks using low-end machines available in the
respective student lab.Students who forget password would go those kiosks
and request password reset right there. IIS would run with credentials
sufficient to reset accounts under that OU only. An e-mail notification
would be sent to the lab manager upon each request for password recovery.
That way, if someone is trying to reset somebody else password, the lab
manager would be able to monitor that.

If someone thinks that the above doesn't work please let me know.
Suggestions are greatly welcome.
 
I am assuming all the IE and IIS you mention is within SSL encryption.
I do not quite understand why the kiosks in the labs instead of just
an https connection from any acceptible (infrastructure local) IP to
the tightly guarded IIS site (https, access from IP list, etc).
 
Back
Top