Specops Secure Service Desk
Specops Secure Service Desk provides all the tools necessary for your service desk agents to help users calling in with authentication problems. Agents can help users reset their passwords or unlock their computers (if encrypted with BitLocker™ or Symantec Endpoint Encryption™) in a secure and easy-to-use environment. The Secure Service Desk also holds user information and statistics.
Central Concepts
Authentication
Authentication is the process of verifying the identity of a user. Typically, this requires the user to make a claim about their identity by entering their username and password.
Enrollment
Users are required to enroll with Specops Authentication. The enrollment process will vary for each type of identity service. To enroll with a personal identity service such as Google, users will need to follow the link from the Specops web application to the Google web page, and log in with the email address and password associated with their Google account.
Pre-enrollment
Specops Secure Service Desk works on a principle of pre-enrollment. This means for the most part that user enrollment occurs by defining attributes in Active Directory. However, if you use Secure Service Desk with other Specops products, such as Specops uReset, the identity services defined in those policies can be used for Secure Service Desk as well.
Multi-factor authentication
Multi-factor authentication requires more than one method of authentication from independent categories of credentials: something you know (e.g. a password), something you have (e.g. a mobile device), and something you are (e.g. a fingerprint). Specops uReset goes beyond two-factor authentication by supporting a broad range of identity services that can be used to increase security and flexibility. The solution not only supports common authenticators, such as questions and answers and mobile verification codes, but also various digital identity services ranging from personal identity services (e.g. LinkedIn) to company identity services (e.g. salesforce.com), in addition to higher-trust methods such as Smart Cards. The Specops multi-factor authentication model is dynamic. Users can choose which identity services they want to combine for enrollment and authentication, as long as they meet the requirements of the policy. Users enrolled with more identity services than their authentication requires have authentication choice. This guarantees that end users can always satisfy the authentication policy, even if one identity service is unavailable (e.g. they do not have their mobile phone nearby).
Administrators can select, based on role and security policy, which identity services/authenticators they want to extend to end-users to verify their identity when resetting or unlocking their accounts. Such flexibility can ensure that varying security and flexibility needs are met. For example:
- For users who have a low-level security clearance but a high flexibility need, such as students, IT admins can allow authentication with a few personal identity services, such as their Google ID.
- For users who have a higher-level security clearance, such as financial aid administrators or senior-level executives, IT admins can assign policies that enforce a higher number, or a stronger combination, of identity services. This approach provides administrators with the flexibility they need to enforce policies that translate to greater security and efficiency.
Policy
A policy contains the rules required for enrollment and multi-factor authentication. A policy controls what identity services can be used, and how many must be used to verify the identity of end-users. The system administrator is responsible for configuring the rules in the policies.
Note that policies for Secure Service Desk only apply to service desk agents, not to users. End users need to be pre-enrolled with all associated identity services in order to be able to verify their identity.
Identity services
Identity services are authentication methods that allow users to verify their identity in the Specops Cloud.
For more information, see Specops Authentication Identity Services.
Architecture and Design
Specops Secure Service Desk is natively integrated with Active Directory. Configuration of the system is done using Group Policy, without introducing added complexity to your environment. This means that no external database is required to store password-related information. User data is stored directly in Group Policy user objects, minimizing security risk while ensuring inherent real-time password provisioning.
Specops Secure Service Desk consists of the following components and does not require any additional resources in your environment. The authentication backend, web, and identity services are hosted in the cloud. You will only need to install the Gatekeeper component.

Authentication Cloud: The global cloud component of uReset. The authentication cloud contains the web (front-end for end users) and the backend services.
Secure Service Desk: Contains the front-end for end-users, and administrators. The Secure Service Desk can be used to view system information and manage various aspects of the product including system-wide configurations, and multi-factor authentication policies for various resources, including uReset.
Authentication Backend: To read user information from Active Directory, the backend communicates with the Gatekeeper. The web and identity services also communicate with the backend. The authentication backend validates a user’s identity based on the tokens from individual identity services.
Gatekeeper: The Gatekeeper needs to be installed on a server in your domain. The Gatekeeper reads user information from Active Directory, and manages all operations against Active Directory, such as reading/writing enrollment data.
Identity services: An identity service is an entity that can validate a user’s identity in Secure Service Desk. The tokens from individual identity services are used by the backend to validate a user’s identity.
Some of the identity services used during authentication, such as Google, are external. When an external identity service is used, the user is sent to the identity service and asked to give Specops consent to access their personal information, such as their username. The information from the consent allows the creation of the token that is used for authentication. Note that since Secure Service Desk works on the principle of pre-enrollment, not all identity services are available for user verification.
Token: A token, or security token, is a carrier of information about a user and about the issuer of the token. The information about a user is a set of statements (claims). The claims about a user can, for example, be the name of the user, the ID of the customer the user belongs to, and the roles the user has in their organization.
Features and Capabilities
Reporting
The Secure Service Desk Reporting feature allows you to track your enrollment process and provides several reports on service desk calls, events, and computer unlocks and password resets.
Notifications
When resetting a user’s password, notifications (containing the new password) can be sent via email or text message. When verifying a user’s identity, both email and text message can be used as well.
Weighted Identity Services
Note that in Secure Service Desk, weighted identity services apply only to the multi-factor authentication of service desk agents. In cases where Secure Service Desk is used in conjunction with Specops uReset, the identity services in uReset policies can also be weighted.
Administrators can assign a specific weight to each identity service, for example deciding that one identity service is worth twice as much as another during authentication. In both the end-user and administrator user interfaces, the weights are represented by stars.
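As an added example (not Specops' code or its documented algorithm), the following Python models the policy concepts described above: a policy with a minimum number of identity services and a minimum star total, the minimal combinations of an enrolled user's services that satisfy it (more than one means authentication choice), and a check that the policy stays satisfiable when one service is unavailable. The service names, weights and the additive star model are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable, List, Tuple

# Constructed sample weights: stars per identity service, as an administrator
# might assign them. Names and the additive model are illustrative assumptions.
SERVICE_WEIGHTS: Dict[str, int] = {
    "google": 1,        # personal identity service
    "mobile_code": 1,   # verification code sent to a mobile device
    "smart_card": 2,    # higher-trust method, worth twice a basic service
}

@dataclass(frozen=True)
class Policy:
    min_services: int   # how many identity services must be used
    min_stars: int      # combined weight the used services must reach

def total_weight(used: Iterable[str], weights: Dict[str, int] = SERVICE_WEIGHTS) -> int:
    """Sum the stars of the identity services a user verified with."""
    return sum(weights[s] for s in used)

def satisfies(policy: Policy, used: Iterable[str], weights: Dict[str, int] = SERVICE_WEIGHTS) -> bool:
    """Verification passes only if both the count rule and the weight rule hold."""
    used = list(used)
    return len(used) >= policy.min_services and total_weight(used, weights) >= policy.min_stars

def minimal_options(policy: Policy, enrolled: List[str],
                    weights: Dict[str, int] = SERVICE_WEIGHTS) -> List[Tuple[str, ...]]:
    """Minimal subsets of the user's enrolled services that satisfy the policy.
    More than one entry means the user has authentication choice."""
    options: List[Tuple[str, ...]] = []
    for size in range(1, len(enrolled) + 1):       # smallest subsets first
        for combo in combinations(sorted(enrolled), size):
            # keep a combination only if no smaller accepted option is contained in it
            if satisfies(policy, combo, weights) and not any(set(o) < set(combo) for o in options):
                options.append(combo)
    return options

def resilient_to_loss(policy: Policy, enrolled: List[str], unavailable: str,
                      weights: Dict[str, int] = SERVICE_WEIGHTS) -> bool:
    """Can the user still pass if one service (e.g. the phone) is unavailable?"""
    remaining = [s for s in enrolled if s != unavailable]
    return bool(minimal_options(policy, remaining, weights))
```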
Multi-factor Authentication for Administrators and Helpdesk Users
Users who are part of the Administrators and Helpdesk groups can use multi-factor authentication to verify their identity when accessing the Administrator / User Management pages in the Secure Service Desk.
Mobile Applications
- Specops:ID
- Specops Authenticator (being phased out; Specops:ID is recommended instead)
- Specops Fingerprint (being phased out; Specops:ID is recommended instead)
For more information, see Specops Authentication Identity Services.