
Challenge Response

Hello, we are noticing something on Sophos SafeGuard Easy 6.0 that we do not think is right. When doing a challenge/response, the user is only logged in past Sophos. They are then stopped at Windows to log in. Since the user cannot remember their password, they are not able to log into Windows. Also, since they are not being asked to change their password, they are not able to go any further. It seems like we are missing a setting either in Windows or in Sophos; we are just not sure what it might be. Any help would be appreciated.

  • Hi ia-hawk-fan07,

    You have two possibilities in this case:

    - You could reset the user's password in Active Directory to enable the user to log on again after he has forgotten his password, or

    - You could enable the SafeGuard Local Self Help feature, which would give the user the possibility to answer a set of questions (that have to be configured beforehand) and would then show him his password in case he has forgotten it. If you go with Local Self Help, there is also no need to perform a Challenge/Response operation.

    For more details on SafeGuard's Local Self Help, see the Administrator Guide (ssg_60_h_eng_admin_help.pdf), chapter 22, "Recovery with Local Self Help".

    Regards,

    Chris
  • Hi Chris,

    We are currently working on getting Local Self Help turned on for our field force. However, there will still be times when Local Self Help is not set up and the user will need a password change, either because they forgot it or because they are having some other issue. Our field force is disconnected, so we cannot use AD to reset a password. I think this is where challenge/response really falls short. There should be an option to log in through both Sophos and Windows to get to a point where a user could change the password, or even an option to force the password change to sync back to Windows. Even more so when we are talking about disconnected users, like the ones that would be using SafeGuard Easy.

    What is even more upsetting is that in the Policy Editor ---> Recovery ---> Help file it states that you should hand out admin login account info to get around this. For a security company that seems highly suspicious. When would that ever be a good suggestion?

    Sorry, I am not trying to be mean, but this is creating a large security gap for us that I need to get figured out or have a very good workaround for.
  • Hi ia-hawk-fan07,

    Well, in case an offline Windows user has forgotten his password, there is also no other possibility to get him logged on to the operating system than providing him with another Windows account; maybe that is the reason for the "hint" in the recovery online help. But could you please tell me exactly where I can find the section about handing out an admin login account? I can't find it in the help file (SafeGuard Easy 6.0 Policy Editor).

    With SafeGuard Easy you have the possibility to instruct your users to enable Local Self Help and get around the forgotten-password issue (as mentioned above, they are able to see their forgotten password after answering the questions). They just need to answer the questions.

    With SafeGuard Enterprise you would have additional recovery procedures, like the possibility to perform a Challenge/Response operation with the option to route the user not only through the POA but also through the Windows GINA/Credential Provider right to their desktop, for the case that Local Self Help was not enabled by the user.
    Sorry, I have been out of the office last week after getting married. Where I found that info, it is not listed as a hint.

    Open Policy Editor, go to Help, then "Recovery with Challenge/Response", then "Recover a password with Challenge/Response". The quote is in the middle of the page. So we would have more options with Enterprise; that is fine. I just think, however, that more thought needs to be put into what happens with SafeGuard Easy users in this situation.
  • Hi ia-hawk-fan07,

    First of all, congratulations on your wedding!

    If you are referring to this part:

    "We recommend the following methods to reset the password at Windows level.

    - By using a service or administrator account available on the endpoint computer with the required Windows rights.

    - By using a Windows password reset disk on the endpoint computer.

    As a help desk officer, you can inform the user which procedure should be used and either provide the additional Windows credentials or the required disk."

    this does not necessarily mean that the help desk must give out local administrative accounts to the users, but rather that it should use these accounts to reset the password. I know that there are situations where no local administrator is available in person and the accounts are given out, but this is where Local Self Help comes into play (if configured by the user) or SafeGuard Enterprise helps out.

    I will open a feature request and see if we can change the implementation in such a way that a user is forced to answer the questions if Local Self Help was activated. There should be a setting for this.

    Cheers,

    Chris
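The first method the quoted help text recommends, a reset "by using a service or administrator account available on the endpoint computer", as an added PowerShell example that is not part of the thread and not SafeGuard's own tooling. It resets a local Windows account's password from an elevated session, forces a change at the next logon so the temporary password does not live on, and writes an event-log entry for the audit trail. The script name, the parameter names and the event source `PasswordReset` are assumptions; the WinNT ADSI provider is used instead of `Set-LocalUser` because it exists on the Windows versions SafeGuard Easy 6.0 ran on.

```powershell
<#
  Added example: administrative reset of a LOCAL Windows account's password
  from a service/administrator account on the endpoint, then force a password
  change at next logon. Parameter names and event source are assumptions.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName,

    [Parameter(Mandatory = $true)]
    [System.Security.SecureString]$NewPassword
)

$ErrorActionPreference = 'Stop'

# A password reset needs administrator rights on the endpoint; fail early if
# the session using the local admin/service account is not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated session using the local administrator or service account.'
}

# WinNT ADSI provider: available back to PowerShell 2.0 and exposes PasswordExpired.
# Find() throws when no local account of that name exists (e.g. a domain account).
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
try {
    $user = $computer.psbase.Children.Find($UserName, 'user')
} catch {
    throw "No local account '$UserName' on $env:COMPUTERNAME. Domain accounts cannot be reset offline this way."
}

# Decrypt the SecureString only for the duration of the call, then zero it.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $user.SetPassword($plain)     # administrative reset, not a user-initiated change
    $user.PasswordExpired = 1     # user must choose a new password at next logon
    $user.SetInfo()
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}

# Leave an audit trail in the Application log so the reset is traceable later.
$source = 'PasswordReset'   # assumed event source name
if (-not [Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Information `
    -Message "Local password for '$UserName' reset by $($identity.Name); change forced at next logon."

Write-Output "Password for '$UserName' reset; the user must set a new one at next logon."
```

Typical use on the endpoint is `.\Reset-LocalUserPassword.ps1 -UserName jsmith -NewPassword (Read-Host -AsSecureString 'Temporary password')`, with the temporary password communicated to the user out of band. Two caveats a practitioner should keep in mind. First, this only works for local accounts: a domain account on a disconnected laptop can neither be reset from the endpoint nor by the help desk without reaching AD, which is exactly the gap the original poster describes. Second, an administrative reset (unlike the user changing their own password) leaves the account's DPAPI master keys undecryptable, so EFS-encrypted files and saved credentials of that account become inaccessible; that is why the quoted help text lists a Windows password reset disk, which preserves that access, as the second option.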
  • Thank you!

    That sounds good. At one point we had someone from Sophos tell us that in the Enterprise version of the software there is an option to reset their password. It would be nice if that was included in the Easy version as well. We have a pretty unique situation where our users are not connected to us at all, and it can be hard to find solutions to their problems, but that seemed to be why Easy was a good fit. However, situations like this make Easy not such a good fit as well.