Oracle® Fusion Middleware Enterprise Single Sign-On Suite Secure Deployment Guide
11g Release 2 (11.1.2.2)

Part Number E37694-01

2 Securing Password Reset

Password Reset consists of several client-side and server-side components that communicate with one another via SSL-encrypted HTTP and access a data repository over an SSL-encrypted channel.

2.1 Securing Password Reset on the Client Side

On the client side, Password Reset hooks into the Windows logon mechanism using either a GINA library stub (Windows XP) or a credential provider and a system service running under the LocalSystem account. Either mechanism lets Password Reset extend the standard Windows logon dialog with a banner or a hyperlink that launches a locked-down Internet Explorer window, which connects over HTTPS (HTTP with SSL) to the server-side Password Reset Web applications described below. Assuming that the server-side components are configured for SSL connectivity, the client-side configuration is secure by default and does not require additional hardening.

Note:

After configuring the server-side components to use SSL, make sure that the Web application URLs on end-user machines are updated to use the HTTPS protocol.

2.2 Securing Password Reset on the Server Side

On the server side, Password Reset runs IIS-hosted Web applications as well as a Windows system service that together provide the password reset, challenge question quiz, and administration functionality, as well as user interfaces for each. They also provide the challenge question functionality to Universal Authentication Manager.

The Web applications are EnrollmentClient, ResetClient, ManagementClient, and WebServices. The ResetClient and WebServices Web applications require that a limited-privilege domain user account (SSPRWeb) be created and assigned as the sole account able to access the pages within them and to modify user data within the repository.

The EnrollmentClient and ManagementClient applications, as well as the Administration.aspx page of the WebServices application are configured for access by the domain user account currently logged on to the Password Reset-enabled end-user workstation. Configuration steps are described in the Enterprise Single Sign-On Suite Installation Guide.

Oracle strongly recommends that you configure the Password Reset Web applications within IIS to use SSL. To enable SSL support for Password Reset, you must create and install an X.509 SSL certificate for the IIS Web sites serving the Password Reset Web applications. (The certificate is issued by a Certificate Authority (CA), which can be a commercial entity or a software application on the target local machine.) You must then update your end-user workstations with secure (HTTPS) URLs to the Password Reset Web applications. Instructions are provided in the Enterprise Single Sign-On Suite Administrator's Guide.

Note:

To maintain maximum security, Oracle highly recommends that you do not disable SSL.

Password Reset also utilizes a Windows system service, SSPRChangePasswordSvc.exe, which runs in the background and is responsible for the actual changing of each user's password once the user has passed the Password Reset challenge quiz. This service requires a limited-privilege domain account (SSPRReset) that possesses only the permissions required to change user account passwords as well as write the lockoutTime and pwdLastSet values in Active Directory. The configuration steps and exact permissions that must be assigned to this account are described in the Enterprise Single Sign-On Suite Installation Guide.
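The following PowerShell check is an added example, not part of this guide or the product: it lists the rights the SSPRReset account holds on the OU that contains the Password Reset users and flags any access beyond the three described above (Reset Password, write lockoutTime, write pwdLastSet). It assumes Active Directory is the repository, that the ActiveDirectory module (RSAT) is installed, and that the OU and account names are placeholders for your own.

```powershell
# Added example (not from the Oracle guide): audit the delegation granted
# to the SSPRReset account and report anything broader than the guide needs.
Import-Module ActiveDirectory

function Test-SsprResetDelegation {
    param(
        [string]$UserOu,        # placeholder, e.g. 'OU=Users,DC=example,DC=com'
        [string]$ResetAccount   # placeholder, e.g. 'EXAMPLE\SSPRReset'
    )
    $rootDse = Get-ADRootDSE

    # Resolve the GUIDs of the permitted rights from the directory itself
    # rather than hard-coding them.
    $allowed = @{}
    foreach ($attr in 'lockoutTime', 'pwdLastSet') {
        $schemaObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
        $allowed[([guid]$schemaObj.schemaIDGUID).ToString()] = "Write $attr"
    }
    $resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
    $allowed[([guid]$resetRight.rightsGuid).ToString()] = 'Reset Password'

    # Only these right types are acceptable, and only when scoped to an allowed GUID.
    $permitted = [int]([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty, ExtendedRight')

    $acl = Get-Acl -Path "AD:\$UserOu"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $ResetAccount) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid     = $ace.ObjectType.ToString()   # empty GUID means "all properties"
        $excess   = ([int]$ace.ActiveDirectoryRights) -band (-bnot $permitted)
        $expected = $allowed.ContainsKey($guid) -and ($excess -eq 0)
        [pscustomobject]@{
            Rights    = $ace.ActiveDirectoryRights.ToString()
            Target    = if ($allowed.ContainsKey($guid)) { $allowed[$guid] } else { $guid }
            Inherited = $ace.IsInherited
            Status    = if ($expected) { 'expected' } else { 'REVIEW: broader than the guide requires' }
        }
    }
}

Test-SsprResetDelegation -UserOu 'OU=Users,DC=example,DC=com' -ResetAccount 'EXAMPLE\SSPRReset' |
    Format-Table -AutoSize
```

Rows marked REVIEW include any ACE scoped to all properties (empty ObjectType GUID) or carrying rights such as GenericAll, which exceed what the password-change service needs.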

Password Reset stores user data in a supported repository: Active Directory, AD LDS (ADAM), LDAP directories such as Oracle Internet Directory and Oracle Virtual Directory, as well as Oracle and Microsoft SQL databases. During installation, the installer creates an organizational unit (directory-based repositories) or databases and tables (database-based repositories) and grants the SSPRWeb domain account full access to the newly created container or database and all its contents. No other account is given any access to the Password Reset container or database unless the administrator explicitly grants it.