How do we prevent Reset authorities from extracting an ID file once they have reset the password? We don’t want people resetting passwords and then extracting the ID file and impersonating that person (i.e., the CEO).
Thanks
Subject: Quick thoughts
You have many options in deciding how you want to control the password reset operation in your organization. Using the tools built into the admin client, your help desk administrators can either reset the password to a value they verbally give to the user, or have a randomly generated value sent to the user’s manager (help desk personnel need to determine the right person). In the first case, the help desk person knows the password; in the second case, they do not. Having said that, you have the option to enforce a password change upon reset via ID vault security policy settings, which I’d recommend if using the help desk to perform the password change (i.e., it is a one-time-use password).
In addition to the admin client tools, we have provided ResetUserPassword functions via LotusScript/Java/C API. You can use this to create a self-service and/or help desk application to control this process according to your organization’s policies and needs.
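As an added illustration of the help-desk application route mentioned above (this is example code, not code from the original post or from the product), the following LotusScript agent resets a vault user's password to a freshly generated one-time value and never touches the ID file itself. It assumes the NotesRegistration.ResetUserPassword signature (vault server, user name, new password, optional download count) as described in the Domino Designer help; the server name, user name and the `HelpDeskLog` view are hypothetical placeholders.

```lotusscript
' Help-desk password reset agent (added example, not the product's own code).
' Assumption: NotesRegistration.ResetUserPassword(server$, user$, password$ [, downloadCount%])
' resets the vault password and, with downloadCount% = 0, does not hand the
' help-desk user an ID file; the operator only ever sees the one-time password.
Sub Initialize
    Dim session As New NotesSession
    Dim reg As New NotesRegistration
    Dim vaultServer As String
    Dim targetUser As String
    Dim oneTimePwd As String

    vaultServer = "CN=VaultServer/O=ExampleOrg"   ' hypothetical vault server
    targetUser  = "CN=Jane Doe/O=ExampleOrg"      ' hypothetical user being reset

    ' Rnd() is not a cryptographic generator; it is used here only to keep the
    ' example self-contained. A production tool should draw the value from a
    ' stronger source before handing it to the help desk.
    oneTimePwd = NewOneTimePassword(16)

    ' Reset in the vault only. No ID download is requested (count 0), so the
    ' operator has the password but not the ID file. The vault policy setting
    ' "force password change on reset" makes this value single use.
    Call reg.ResetUserPassword(vaultServer, targetUser, oneTimePwd, 0)

    ' Record who performed the reset and for whom, without logging the password.
    Dim db As NotesDatabase
    Dim logDoc As NotesDocument
    Set db = session.CurrentDatabase
    Set logDoc = db.CreateDocument
    logDoc.Form = "HelpDeskLog"                   ' hypothetical log form
    logDoc.Operator = session.UserName
    logDoc.TargetUser = targetUser
    logDoc.ResetTime = Now
    Call logDoc.Save(True, False)

    ' The one-time value is handed to the verified caller out of band.
    MessageBox "One-time password for " & targetUser & ": " & oneTimePwd
End Sub

' Build a printable password of the requested length from a fixed alphabet.
Function NewOneTimePassword(length As Integer) As String
    Dim alphabet As String
    Dim result As String
    Dim i As Integer
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
    Randomize
    result = ""
    For i = 1 To length
        result = result & Mid$(alphabet, Int(Rnd() * Len(alphabet)) + 1, 1)
    Next
    NewOneTimePassword = result
End Function
```

The point of the design is that the reset tool exposes only the reset operation: the help-desk identity that runs it needs reset authority in the vault, but nothing in this path calls an ID download, and the audit document lets an investigator see every reset without ever storing the password.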
Subject: Thank you, but…
Because of our security model, we cannot mail passwords to managers. So we have a method in place to verify to whom we are talking. Our help desk personnel should never need to extract an ID from the vault, but they will need to reset passwords (which must be changed upon successful login). Is there any way to prevent the help desk personnel from extracting IDs from the vault?
Thank you again.