Comparative Review: Self-Service Password Reset Managers

For large and growing companies, the task of assisting end users can become a tremendous burden on the IT department. By some estimates, the cost of password resets can be as much as $70 per incident (including loss of productivity) and make up around 30 percent of Help desk calls. Even higher costs can be expected in industries that are subject to additional regulation, such as in the financial and healthcare arenas.

Product Similarities

All the products that I compared installed on a single Windows Server 2008 system in about 30 minutes or less. My installations each included an administrative console for configuring the software, an end-user website that users could use to reset forgotten passwords, and a Help desk website that Help desk workers could use to assist end users with password resets. Each product also checked passwords as they were entered and enforced a set of password requirements. The password requirements of all five products were similar; the only major exceptions were the dictionary options in Specops Password Policy and Quest Password Manager, which allows you to configure these products to prevent the use of specific words in passwords.

The products' security features also had several similarities. Each product used a password-protected enrollment process, during which the end user completes a series of questions: You can require some questions or configure the products to present end users with a list of questions to choose from. All the reviewed products had rules to force end users to answer these questions in a useful and secure way. These rules included such options as

Only ManageEngine's ADSelfService Plus did not use Microsoft IIS. Each product also included a client application that added a logon assistance button to the Windows logon screen. By clicking this button, end users are brought to a self-service password-management portal, without needing to log on to the computer. Without the client application, end users can still access the password reset website for enrollment into the system or to reset passwords. However, users who need resets will probably need to use a coworker's computer or a kiosk computer that allows web access without logging on first.

Another nice feature of the products is that they are licensed per user rather than per server. This feature allows you to set up a second server for fault tolerance.

Product Differences

The big difference among the reviewed products tended to be integration with Active Directory (AD). Two of the evaluated products -- Specops Password Policy and Quest Password Manager -- integrated with AD in such a way that I could assign different password policies to different organizational units (OUs) within a domain, even if the domain's operational mode didn't natively enable this option. In both products, an application needed to be installed on each domain controller (DC) to allow the product to intercept the password-change requests and ensure that they complied with the specified requirements before being passed on to AD. These products enforced my password policies both when using the product interface and when using the standard change-password routine that's built into all Windows versions, from any computer in the domain, with or without a client installation.

The following sections describe each product in more detail. See Table 1 for a comparison of all the products' core features. (I give each product one point per provided feature; for Group Policy integration, I give the product two points.)

Specops Password Policy and Specops Password Reset

Specops Software's Specops Password Policy (which Figure 1 shows) and Specops Password Reset, two products that I tested together, install on Windows Server 2008, using the straightforward, checklist-like installation wizards that I've seen in other Specops products.

Figure 1: Specops Password Policy

As you move through each point of the installation, the wizards either take care of the requirement for you or tell you what needs to be done before proceeding. Within about 15 minutes each, installation was completed. These products are the only ones that install a self-signed certificate during installation to help secure all your web traffic. (The vendor recommends replacing the self-signed certificate with one from a public source after you move past the trial phase of your implementation. Otherwise, internal and external users will receive warning messages as they use the web-based self-service portal.)

You will need to install the included Specops Password Policy Sentinel on all DCs to which your users can connect, to ensure that Specops Password Policy is enforced during password changes throughout your organization.

When you set up the password-reset and password policies in AD, you need to set your domain password-policy requirements fairly low and apply more rigorous password requirements to individual OUs. The password policies that you create with the Specops products need to be more restrictive to be compatible with the Default Domain Policy that is applied across the domain.

ManageEngine's ADSelfService Plus

ManageEngine's ADSelfService Plus (which Figure 2 shows) has a full set of features for the price, plus an employee directory that users can use to search for other users' contact information or to update their own.

Figure 2: ManageEngine ADSelfService Plus

The product installs with just a few clicks and uses its own web server and MySQL database, which it installs as part of the installation process. You will need to install a certificate to secure the web server; ADSelfService Plus comes with a tool to assist you with this process.

Like Specops SPPPR, ADSelfService Plus comes with the capability to send a verification code to a user's cell phone, in addition to requiring the user to correctly answer the verification questions. And like Quest Password Manager, ADSelfService Plus includes CAPTCHA in its suite of security options. However, it doesn't integrate with AD, unlike the Quest and Specops products.

ADSelfService Plus takes some time to become familiar with, partly because many of its features are three or four levels deep and partly because the language that the interface uses is easy to misinterpret. For example, you might think that the Force user to Enroll option sets the client application to intercept the logon process and force the user to enroll. But this option actually means that the user must go through the enrollment process before they are allowed to use the employee directory system that is built into ADSelfService Plus. So this product is a little confusing for the administrator when first using it.

Quest Password Manager

The installation process for Quest Password Manager (which Figure 3 shows) consists of a wizard that walks you through the processes of creating a new password reset and password policy, which you then assign to a container in your AD domain as well as your AD security groups.

Figure 3: Quest Password Manager

After the wizard walks you through the password policy, password reset policy, security options, and container assignment, you'll have a good understanding of the product. In this way, the setup wizard functions as a guided tour for the administrator. Be aware that to ensure that Quest Password Manager integrates fully with your domain, you will need to install the Quest Password Manager .msi file on all DCs.

Of all the products I compared, this one had the most integration options. Quest Password Manager is designed to work with Microsoft Identity Integration Server or Quest ActiveRoles Quick Connect. With the latter, user information can be synchronized across AD, AD Lightweight Directory Services (ADAM), delimited text files, Microsoft SQL Server, LDAP directory services, OLE DB, Sun ONE Directory Server, an Oracle database, Novell Directory Services (NDS), IBM Resource Access Control Facility (RACF), IBM Lotus Domino Server, and the Google Apps service.

Quest Password Manager includes a Graphical Identification and Authentication (GINA) Group Policy template, which allows you to add the configuration settings for this application to your domain Group Policy. You can customize not only the template's look and position on the screen, but also the behavior of the client application. For example, you can force the use of HTTP Secure (HTTPS), statically assign the recovery center URL, or configure proxy settings.

Quest Password Manager requires a full SQL Server installation (not just SQL Server Express Edition), with SQL Server Reporting Services (SRSS) installed as well. If you don't have a SQL Server installation available, you'll need to add the price of SQL Server to your cost analysis. On the up side, you'll have SRSS to review all the information that is available in Quest Password Manager.

Another Quest Password Manager feature is the ability to assign a temporary passcode to users who haven't gone through the enrollment process. These passcodes can be configured to expire within a set amount of time. Just be careful with this feature; anyone with access to the Help desk portal can assign a passcode, then enroll and reset any account that the Quest Password Manager service account has permission to change. If you decide to use this feature, be sure to delegate the service account correctly. Otherwise, your Help desk staff might have much more access than you intended. The passcode feature is turned off by default.

NetWrix Password Manager

NetWrix Password Manager (which Figure 4 shows) installs on Windows XP Service Pack 3 (SP3) or later. After the installation, I only needed to adjust the authentication in IIS to enable Windows authentication.

Figure 4: NetWrix Password Manager

After the installation, NetWrix Password Manager is very simple and intuitive. You can choose from a list of verification questions, make up your own, or allow end users to make up their own questions. Custom questions and answers can be required to be a minimum length, and all answers can be required to be unique. During the installation, the product creates an AD group called NetWrix Account Help Desk. Adding users to this group gives them the ability to use the Help desk web portal to assist other users with resetting passwords or unlocking accounts.

Unique to NetWrix Password Manager is a disconnected-mode password reset. The disconnected-mode reset enables the GINA extension on the Windows logon screen to reset a user's cached password, even when the user isn't connected to the domain. This could be a key feature for companies with large numbers of mobile users but does require the GINA extension to be installed locally.

NetWrix Password Manager also comes with a user-data import process that can be used to prepopulate the information that is needed during user enrollment, making the enrollment process easier for end users.

NetWrix also offers a freeware version for as many as 50 enrolled users.

Web Active Directory's PeoplePassword

Web Active Directory's PeoplePassword (which Figure 5 shows) is another product that works with IIS and SQL Server. However, in this case you can use SQL Server 2005 or later, including SQL Server Express Edition if you don't already have and don't want to pay for SQL Server.

Figure 5: Web Active Directory PeoplePassword

Web Active Directory has done a nice job with the enrollment process in PeoplePassword. This product comes with the ability to import all necessary user information so that you can enroll users into the system without any involvement on their part.

In addition to the core functionality that all the products provide, PeoplePassword has the unique ability to collect an alternate email address during the enrollment process. This address can then be used to send a password-reset code during the password-reset process. The ability to collect an alternate email address and send the password-reset code can be turned on or off, simply by checking a box in the password-reset profile settings. However, you can't require the verification questions to be answered before sending the password-reset email -- an improvement that some companies might want before using this feature.