Security and Usability Considerations for enterprise use
Hi,
I'm a new evaluator of AD Self Service Plus, as I'm judging whether it is suitable for our company to deploy enterprise-wide. I'm using the latest download (v4006, I believe).
I have a few concerns/issues rolled into one - hope it's okay to ask here...
Firstly, I see that AD password policy can be enforced via this tool, which is good news, as it means my complexity rules, minimum character limitations, etc. are cascaded via this tool. If I type in a password that does not meet AD policy, however, instead of being warned and having to retype a new password, I get an error warning and then have to go through the whole process of logging back in and answering security questions to get back to the create-new-password step. I can see this happening a lot to users, and it would waste a lot of user time when they need to do resets. Surely it would be possible to warn them and ask them to retype their password again?
The second thing is that it seems entirely possible to reset your password to exactly the same as the old one. Am I right about this? If so, it would be a real stumbling block to use, as users could easily circumvent password policy. Is this a genuine issue, or have I somehow tested wrong? If I am right, can this be fixed easily?
Lastly, has the J2EE application been vulnerability tested? From the product architecture perspective, is it safe to open up to external access for our non-site-based users? (NB: we would put it behind Blue Coat proxy protection and allow only port 443 access.)
Regards - John
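The two behaviours the post asks about (rejecting a non-compliant password without dropping the authenticated session, and refusing a "new" password that matches a previous one) come down to the same thing: a self-service tool should validate a candidate password against the full policy before it attempts the directory write, and return every failed rule so the user can simply retry. The following is an added example of such a pre-check, written here as illustration; it is not ADSelfService Plus code and does not use the product's API. It models a simplified version of the AD domain policy settings (minimum length, three-of-four character classes, account-name check, enforce-password-history) with assumed values; real AD complexity rules also check display-name tokens and count Unicode as a fifth class. Passwords in the history are kept only as salted PBKDF2 digests, so the reuse check never needs the old plaintext.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Subset of AD domain password policy settings (values assumed for this example)."""
    min_length: int = 8        # "Minimum password length"
    min_categories: int = 3    # "Password must meet complexity requirements" (3 of 4 classes here)
    history_size: int = 5      # "Enforce password history"


PBKDF2_ROUNDS = 50_000  # demonstration value; raise for production storage


def _char_categories(password: str) -> int:
    """Count how many character classes (upper, lower, digit, symbol) the password uses."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest used for the password-history entries."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_password(candidate: str, username: str, history: list, policy: PasswordPolicy) -> list:
    """Return every policy rule the candidate fails (empty list means acceptable).

    Reporting all failures at once lets the UI re-prompt in the same session
    instead of forcing the user back through login and security questions.
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"must be at least {policy.min_length} characters")
    if _char_categories(candidate) < policy.min_categories:
        problems.append(f"must use at least {policy.min_categories} of: upper, lower, digit, symbol")
    if username and username.lower() in candidate.lower():
        problems.append("must not contain the account name")
    # Reuse check: compare against the last N stored digests, each with its own salt.
    # The current password is the last history entry, so "same as old" is caught here too.
    for salt, digest in history[-policy.history_size:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append(f"must not match any of the last {policy.history_size} passwords")
            break
    return problems


def record_password(history: list, password: str) -> None:
    """Append a fresh salted digest of an accepted password to the history."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))


def attempt_change(candidate: str, username: str, history: list, policy: PasswordPolicy):
    """Validate first, write second: returns (accepted, problems).

    On failure the caller keeps the user's authenticated session and re-prompts;
    only an accepted password is recorded (in a real tool, written to AD).
    """
    problems = check_password(candidate, username, history, policy)
    if problems:
        return False, problems
    record_password(history, candidate)
    return True, []


if __name__ == "__main__":
    # Constructed walkthrough: a user whose current password is "Winter2024!" tries several resets.
    policy = PasswordPolicy()
    history = []
    record_password(history, "Winter2024!")
    for attempt in ("Winter2024!", "short", "Jsmith2025#", "Spring2025#"):
        ok, problems = attempt_change(attempt, "jsmith", history, policy)
        print(f"{attempt!r}: {'accepted' if ok else 'rejected: ' + '; '.join(problems)}")
```

The first attempt in the walkthrough is rejected purely by the history check, which is the "same as the old one" case from the post; the user is told why and can retry immediately because the validation never touched the directory.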