
Securing Password Reset

Password Reset has many built-in security features, but you should take additional steps to secure it. The most important of these is to install an SSL certificate for the Web Interface. You can also set up a standard user account with delegated permissions for the Password Reset Server.

Installing and Using an SSL Certificate

The Web Interface and Password Reset Server always communicate over a secure channel. You don't have to configure the encryption for this connection, but you do need to set up SSL (Secure Sockets Layer) encryption for the connection between the web browser (or Password Reset Client) and the web server. See the Password Reset Client topic for configuration steps.

warning

Don't use Password Reset on a production network without SSL encryption.

You can use a self-signed certificate with Password Reset, but most organizations purchase certificates from a certificate authority. You can install the Web Interface on a server that already has an SSL certificate if you would rather not purchase another one.

Your certificate authority will have instructions to guide you through the certificate request and installation process. The following pages cover how to set up SSL certificates with IIS.

note

Ensure that users only access Password Reset over an encrypted connection after the SSL certificate is installed. The Start address and Restricted path in the Password Reset Client configuration should start with https://. Web browsers can be redirected to the secure URL. See Configuring the PRC for steps to configure the start address and restricted path.

Delegating Permissions to the Netwrix Password Reset Server Service

When the Setup wizard creates a service account for the Password Reset Server, it adds the account to the Domain Admins group. This allows Password Reset to start working without additional configuration, but it also gives the service excessive permissions. You can improve security by removing the service account from the Domain Admins group and granting only the required permissions.

You can grant Active Directory permissions from the command line with dsacls.exe, or with the graphical user interface. The examples below use the command line, but you can use either method. The commands you need to execute are:

dsacls "[object]" /I:S /G "[account]:CA;Reset Password;user"

dsacls "[object]" /I:S /G "[account]:RPWP;lockoutTime;user"

dsacls "[object]" /I:S /G "[account]:RPWP;pwdLastSet;user"

Where [object] is the distinguished name of the domain or OU containing the user accounts, and [account] is the name of the service account in user@domain or domain\user format.

The dsacls commands for Reset Password and lockoutTime allow Netwrix Password Reset (NPR) to reset passwords and unlock accounts. You need both commands even if the Unlock item doesn't appear in the menu, because Password Reset automatically unlocks an account when it resets the password. The third command allows Password Reset to set User must change password at next logon in Active Directory if the Require users to change their password after a reset option is enabled in the Configuration Console's Security tab.

For example, the following command grants the axs\apr account permission to reset passwords for users in the axs.net domain:

dsacls "dc=axs,dc=net" /I:S /G "axs\apr:CA;Reset Password;user"

If Password Reset is configured to use an SQL Server Compact database, then give the service account read and write permissions to the database files. See Moving to SQL Server for steps to move the database and configure permissions.

Remove the service account from the Domain Admins group and restart the Password Reset service after executing these commands. Check the Windows Application event log if the service doesn't start.

Using Delegated Permissions with Protected Groups

When you delegate permissions for the Password Reset service account, Windows initially applies the delegated permissions to all users in the domain or OU. After some time, Windows restores the original permissions for some important user accounts. The restored permissions don't allow Password Reset to reset passwords or unlock accounts for these users.

The accounts protected by this feature vary by Windows version, and include members of the Domain Admins, Enterprise Admins, and Schema Admins groups. The list of protected groups is configurable, so it may differ from the defaults in the Windows documentation.

If you are using a Password Reset service account with delegated permissions and don't want these privileged accounts to reset their password or unlock their account with Password Reset, then there is no need to make any configuration changes. Windows automatically restores the original permissions for these accounts. Windows does this every hour by default.

If you want to allow these users to reset their password and unlock their account with Password Reset, then you need to change the permissions for the AdminSDHolder container. The commands you need to execute are:

dsacls "[AdminSDHolder]" /G "[account]:CA;Reset Password"

dsacls "[AdminSDHolder]" /G "[account]:RPWP;lockoutTime"

dsacls "[AdminSDHolder]" /G "[account]:RPWP;pwdLastSet"

Where [AdminSDHolder] is the distinguished name of the AdminSDHolder container, and [account] is the name of the service account in user@domain or domain\user format. Note that these commands carry no /I:S inheritance flag and no ;user suffix: the DACL on AdminSDHolder is copied as a whole onto protected accounts, so the rights are granted on the container itself.
The DN of the AdminSDHolder container for the netwrix.com domain is CN=AdminSDHolder,CN=System,DC=netwrix,DC=com.
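The following script is an added example and not a script from Netwrix or this page. It wraps the dsacls commands from the Delegating Permissions section and from this AdminSDHolder section in one function, applies them to the user container and to AdminSDHolder, verifies the resulting ACEs through the ActiveDirectory module's AD: drive, and then performs the clean-up steps the page describes (removal from Domain Admins, service restart, Application log check). The service account axs\apr and the domain dc=axs,dc=net are the page's own example values; the Password Reset service name is a placeholder because the page does not give it. It assumes RSAT (the ActiveDirectory module) and dsacls.exe are present on a domain-joined host and that the caller may modify these DACLs.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Netwrix's code). Delegates the rights this page lists to the
# Password Reset service account, on a domain/OU and on AdminSDHolder, and verifies them.
Set-StrictMode -Version Latest

# --- Assumed values: the page only supplies axs\apr and dc=axs,dc=net as examples ---
$ServiceAccount = 'axs\apr'                     # domain\user form used by dsacls
$ServiceSam     = 'apr'                         # sAMAccountName of the same account
$UserContainer  = 'dc=axs,dc=net'               # domain root from the page; an OU DN also works
$NprServiceName = '<PasswordResetServiceName>'  # placeholder: the page does not name the service

# The three rights from the page, in dsacls syntax: one control access right and two
# attribute read/write permissions (unlock needs lockoutTime; "must change at next logon" needs pwdLastSet).
$RequiredRights = 'CA;Reset Password', 'RPWP;lockoutTime', 'RPWP;pwdLastSet'

function Grant-NprRights {
    param(
        [Parameter(Mandatory)] [string] $ObjectDN,
        [Parameter(Mandatory)] [string] $Account,
        # $true  = domain/OU form from the page: /I:S ... ;user (inherit to user objects)
        # $false = AdminSDHolder form from the page: no inheritance flag, no ;user suffix
        [bool] $InheritToUsers = $true
    )
    foreach ($right in $RequiredRights) {
        if ($InheritToUsers) { & dsacls.exe $ObjectDN /I:S /G "${Account}:${right};user" }
        else                 { & dsacls.exe $ObjectDN /G "${Account}:${right}" }
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$right' on $ObjectDN" }
    }
}

function Get-NprRightGuids {
    # Resolve the three rights to the GUIDs that appear as ObjectType in the DACL:
    # the control access right lives under CN=Extended-Rights, attributes in the schema.
    $rootDse = Get-ADRootDSE
    $reset = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
    $attrs = foreach ($name in 'lockoutTime', 'pwdLastSet') {
        $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
        [pscustomobject]@{ Name = $name; Guid = [guid]$obj.schemaIDGUID }
    }
    @([pscustomobject]@{ Name = 'Reset Password'; Guid = [guid]$reset.rightsGuid }) + $attrs
}

function Test-NprRights {
    # Returns the names of the required rights that are NOT granted to $Account on $ObjectDN.
    param([Parameter(Mandatory)] [string] $ObjectDN, [Parameter(Mandatory)] [string] $Account)
    $acl  = Get-Acl -Path "AD:\$ObjectDN"
    $mine = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
    }
    foreach ($r in Get-NprRightGuids) {
        if (-not ($mine | Where-Object { $_.ObjectType -eq $r.Guid })) { $r.Name }
    }
}

# 1. Domain/OU: the three commands from "Delegating Permissions to the ... Service".
Grant-NprRights -ObjectDN $UserContainer -Account $ServiceAccount -InheritToUsers $true

# 2. AdminSDHolder: only needed if protected (adminCount=1) accounts should be able to use
#    Password Reset; otherwise SDProp will keep them excluded, as the page explains.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
Grant-NprRights -ObjectDN $adminSdHolder -Account $ServiceAccount -InheritToUsers $false

# 3. Verify. First list the accounts currently flagged as protected, then check both DACLs.
"Protected accounts (adminCount=1):"
Get-ADUser -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty SamAccountName
foreach ($dn in $UserContainer, $adminSdHolder) {
    $missing = @(Test-NprRights -ObjectDN $dn -Account $ServiceAccount)
    if ($missing.Count) { Write-Warning "Missing on ${dn}: $($missing -join ', ')" }
    else                { "All three rights present on $dn" }
}

# 4. Clean-up from the page: drop Domain Admins membership, restart the service, and look at
#    Application log errors if it does not come back up.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $ServiceSam -Confirm:$false
Restart-Service -Name $NprServiceName
if ((Get-Service -Name $NprServiceName).Status -ne 'Running') {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2 } -MaxEvents 10 |
        Format-Table TimeCreated, ProviderName, Message -AutoSize
}
```

Run step 3 again roughly an hour after step 2 (or after triggering SDProp manually, as the note below describes): a protected account whose DACL still lacks the three ACEs is the symptom of the permission restoration this section describes, and the adminCount=1 listing tells you which accounts are subject to it.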

note

Windows doesn't apply changes to the AdminSDHolder container to accounts immediately. You may need to wait up to an hour for Windows to update the DACL for these accounts. You can also start the process manually. Search for runProtectAdminGroupsTask or FixUpInheritance in Microsoft's documentation for more information.