These products can help end users help themselves
For large and growing companies, the task of assisting end users can become a tremendous burden on the IT department. By some estimates, the cost of password resets can be as much as $70 per incident (including loss of productivity) and make up around 30 percent of Help desk calls. Even higher costs can be expected in industries that are subject to additional regulation, such as in the financial and healthcare arenas.
All the products that I compared installed on a single Windows Server 2008 system in about 30 minutes or less. My installations each included an administrative console for configuring the software, an end-user website that users could use to reset forgotten passwords, and a Help desk website that Help desk workers could use to assist end users with password resets. Each product also checked passwords as they were entered and enforced a set of password requirements. The password requirements of all five products were similar; the only major exceptions were the dictionary options in Specops Password Policy and Quest Password Manager, which allow you to configure these products to prevent the use of specific words in passwords.
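To make the "password requirements plus dictionary option" idea concrete, here is an added example (my own illustration, not code from any of the reviewed products) of a policy check that rejects short or low-variety passwords and also blocks a configurable word list. The policy values, the banned words, and the character-substitution table are all constructed for the example; a real deployment would load its own word list.

```python
import re

# Constructed policy settings for illustration, not any reviewed product's defaults.
POLICY = {
    "min_length": 10,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "require_symbol": True,
}

# Constructed word list; a deployment would load a real dictionary plus company-specific terms.
BANNED_WORDS = {"password", "company", "welcome", "summer"}

# Common character substitutions are undone before the dictionary check so "P@ssw0rd" is still caught.
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i", "$": "s", "5": "s", "3": "e"})


def policy_violations(password: str, policy=POLICY, banned=BANNED_WORDS) -> list[str]:
    """Return the reasons a proposed password fails the policy (an empty list means it passes)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["require_upper"] and not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if policy["require_lower"] and not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if policy["require_digit"] and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if policy["require_symbol"] and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")

    normalized = password.lower().translate(_LEET)
    for word in sorted(banned):
        # Substring match: the word is rejected even when digits or symbols surround it.
        if word in normalized:
            problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!!", "summer2024", "Tr4ns-Aisle#Q9"):
        print(candidate, "->", policy_violations(candidate) or "OK")
```

The substitution step is what separates a useful dictionary option from a cosmetic one: without it, "P@ssw0rd" passes every complexity rule while still being one of the first guesses an attacker tries.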
The products' security features also had several similarities. Each product used a password-protected enrollment process, during which the end user completes a series of questions: You can require some questions or configure the products to present end users with a list of questions to choose from. All the reviewed products had rules to force end users to answer these questions in a useful and secure way. These rules included such options as
- requiring unique answers to all questions
- requiring answers to questions to be case sensitive
- setting the number of allowed custom questions
- setting the total number of questions
- requiring end users to set up password reset questions and to complete the enrollment process when it presents itself at logon
- setting a lockout threshold for incorrect answers to password reset questions (similar to lockout thresholds for password input during logon)
- setting a minimum custom-question length
- requiring all answers to be more than five characters
- restricting answers from including words that are in the question
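The enrollment rules in the list above are easy to describe but worth seeing enforced. The following is an added example of my own, not code from any reviewed product: it validates a set of question-and-answer pairs against rules of the kind listed (required count, custom-question limit and length, minimum answer length, unique answers, no reuse of question words) and implements a lockout counter for wrong reset answers. The rule values are constructed for the example; enrolled answers are stored as salted PBKDF2 digests rather than in plain text, which the review does not describe for any product and is my own choice here.

```python
import hashlib
import hmac
import os
import re

# Constructed rule settings for illustration; they mirror the kinds of options the review
# lists but are not any product's defaults.
RULES = {
    "required_questions": 3,        # total number of questions a user must enroll
    "max_custom_questions": 1,      # how many user-written questions are allowed
    "min_custom_question_len": 15,  # minimum length of a user-written question
    "min_answer_len": 6,            # "more than five characters"
    "case_sensitive": True,
    "lockout_threshold": 3,         # wrong answers before the reset flow locks
}


def _words(text: str) -> set[str]:
    """Lower-cased words of three or more characters, so 'is' and 'of' do not trigger matches."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if len(w) >= 3}


def validate_enrollment(pairs, custom_indexes=(), rules=RULES) -> list[str]:
    """Check (question, answer) pairs against the enrollment rules.

    custom_indexes: 0-based positions of questions the user wrote themselves.
    Returns violation messages; an empty list means the enrollment is acceptable.
    """
    problems = []
    if len(pairs) < rules["required_questions"]:
        problems.append(f"only {len(pairs)} of {rules['required_questions']} required questions answered")
    if len(custom_indexes) > rules["max_custom_questions"]:
        problems.append(f"{len(custom_indexes)} custom questions exceeds limit of {rules['max_custom_questions']}")
    seen = set()
    for i, (question, answer) in enumerate(pairs):
        label = f"question {i + 1}"
        if i in custom_indexes and len(question) < rules["min_custom_question_len"]:
            problems.append(f"{label}: custom question shorter than {rules['min_custom_question_len']} characters")
        if len(answer) < rules["min_answer_len"]:
            problems.append(f"{label}: answer shorter than {rules['min_answer_len']} characters")
        key = answer if rules["case_sensitive"] else answer.lower()
        if key in seen:
            problems.append(f"{label}: answer duplicates an earlier answer")
        seen.add(key)
        overlap = _words(answer) & _words(question)
        if overlap:
            problems.append(f"{label}: answer reuses words from the question ({', '.join(sorted(overlap))})")
    return problems


class ResetVerifier:
    """Answer checking for the reset flow, with a per-user lockout threshold."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.failures = {}  # user -> consecutive wrong answers
        self.stored = {}    # user -> (salt, digest) of the enrolled answer

    def _digest(self, salt: bytes, answer: str) -> bytes:
        if not self.rules["case_sensitive"]:
            answer = answer.lower()
        return hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, 100_000)

    def enroll(self, user: str, answer: str) -> None:
        salt = os.urandom(16)
        self.stored[user] = (salt, self._digest(salt, answer))

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.rules["lockout_threshold"]

    def check(self, user: str, answer: str) -> bool:
        """True only if the answer matches and the user is not locked out; wrong answers count toward lockout."""
        if self.is_locked(user) or user not in self.stored:
            return False
        salt, digest = self.stored[user]
        ok = hmac.compare_digest(digest, self._digest(salt, answer))
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return ok


if __name__ == "__main__":
    # Constructed sample enrollment: one answer repeats words from its question, two are too short.
    sample = [
        ("What is your mother's maiden name?", "Maiden Name"),
        ("What was the model of your first car?", "Ford"),
        ("What was the model of your first car?", "Ford"),
        ("Pet?", "Whiskers the cat"),
    ]
    for msg in validate_enrollment(sample, custom_indexes=(3,)):
        print(msg)
```

The lockout counter is the piece most often forgotten when a reset portal is built in-house: without it, the security questions become a second, far weaker password that can be guessed without limit.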
Only ManageEngine's ADSelfService Plus did not use Microsoft IIS. Each product also included a client application that added a logon assistance button to the Windows logon screen. By clicking this button, end users are brought to a self-service password-management portal, without needing to log on to the computer. Without the client application, end users can still access the password reset website for enrollment into the system or to reset passwords. However, users who need resets will probably need to use a coworker's computer or a kiosk computer that allows web access without logging on first.
Another nice feature of the products is that they are licensed per user rather than per server. This feature allows you to set up a second server for fault tolerance.
The big difference among the reviewed products tended to be integration with Active Directory (AD). Two of the evaluated products -- Specops Password Policy and Quest Password Manager -- integrated with AD in such a way that I could assign different password policies to different organizational units (OUs) within a domain, even if the domain's operational mode didn't natively enable this option. In both products, an application needed to be installed on each domain controller (DC) to allow the product to intercept the password-change requests and ensure that they complied with the specified requirements before being passed on to AD. These products enforced my password policies both when using the product interface and when using the standard change-password routine that's built into all Windows versions, from any computer in the domain, with or without a client installation.
The following sections describe each product in more detail. See Table 1 for a comparison of all the products' core features. (I give each product one point per provided feature; for Group Policy integration, I give the product two points.)