Product Documentation

Secure configuration

Feb 26, 2018

This article contains the procedures required to ensure that Self-Service Password Reset components are securely deployed and configured.

  • Create a Domain user account to reset user password and unlock user account permission
  • Configure the firewall settings

Create a Self-Service Account

If you are using the Password Reset or Account Unlock features of Self-Service Password Reset, specify a Self-Service account during Service Configuration that is used by the self-service module to execute Password Reset and Account Unlock. Ensure the account has sufficient privilege, but we do not recommend using an account in the Domain Admins group for production deployments. The recommended account privileges are:

  • Member of the domain
  • Password reset and account unlock permission for the relevant domain users

In Active Directory Users and Computers, create the group or user account to have the rights to reset the user password and unlock user accounts.

  1. In Active Directory Users and Computers, right-click the domain, and then click Delegate Control from the menu.
  2. The Delegation of Control wizard displays. On the Welcome dialog box, click Next.
  3. On the Users and Groups dialog box, click Add. Select the group in the list that you want to give the right to unlock accounts, and then click OK. On the Users and Groups dialog box, click Next.
  4. On the Tasks to Delegate dialog box, click Create a custom task to delegate, and then click Next.
  5. On the Active Directory Object Type dialog box, click Only the following objects in the folder > User objects, and then click Next.
  6. On the Permissions dialog box, select the General and Property-specific check boxes. In the Permissions list, select the Read lockoutTime , Write lockoutTime, Reset Password, Change Password, Read userAccountControl, Write userAccountControl, Read pwdLastSet, and Write pwdLastSet check boxes, and then click Next.
  7. On the Completing the Delegation of Control wizard dialog box, click Finish.
     

Configure the firewall settings

Because the Self-Service Password Reset server and the central storage server components manage user passwords, we strongly recommend that you deploy these components on a trusted network and that they are reachable only by specific trusted components. This section describes the steps needed to ensure you correctly configure the Windows firewall for these servers. We also recommend that you configure existing network infrastructure to ensure that these servers are isolated from untrusted network traffic.

After you complete those configurations in the deployment, the Self-Service Password Reset central store servers can be accessed only from Self-Service Password Reset servers using Server Message Block (SMB), and the Self-Service Password Reset servers are accessed only from the StoreFront servers with HTTPS connections.

Remote file share deployment for Windows 2012 R2

localized image

Environment

  • Deploy the Self-Service Password Reset components on dedicated servers. Do not deploy them on the same servers as the existing StoreFront or Delivery Controller components; otherwise, the firewall configuration shown below might block the Storefront or controller traffic.
  • There is no non-transparent HTTP/HTTPS proxy between StoreFront and Self-Service Password Reset server.

If any non-transparent proxy exists between StoreFront and the Self-Service Password Reset server, configure the Self-Service Password Reset server to be accessed only from the proxy server in the firewall rules.

  • The configurations in these procedures are based on the windows default firewall rules.

Configure the firewall for Self-Service Password Reset central store

After completing the configuration, the SMB service provided by the Self-Service Password Reset central store can be accessed only from the Self-Service Password Reset servers on the inbound, and the Self-Service Password Reset central store server can access service located on the corporate network only on the outbound.

1. Open the Server Manager, and from the Tools menu on the top navigation bar, select Windows Firewall with Advanced Security.

2. On Windows Firewall with Advanced Security, select Windows Firewall Properties in the middle pane. There are three firewall profiles - Domain, Private, and Public. Select the Domain Profile tab. Ensure the Firewall state is set to On, the Inbound connections are set to Block, and the Outbound connections are set to Allow.

localized image

3. Select the Private Profile and Public Profile tabs and ensure the Firewall state is set to On, and both the Inbound connections and Outbound connections are set to Block. Apply and save the changes.

4. From the Inbound Rules, choose File and Printer Sharing (SMB-In) and ensure this rule is Enabled and the Action is set to Allow the connection.

localized image

5. On File and Printer Sharing (SMB-In) Properties, change to the Scope tab, choose These IP addresses, and add all Self-Service Password Reset server IP addresses into the list. For example, Self-Service Password Reset server A (192.168.1.10) and Self-Service Password Reset server B (192.168.1.11).

6. On File and Printer Sharing (SMB-In) Properties, change to the Advanced tab, select the profiles Domain, Private, and Public, and save the changes of this rule.

7. Repeat this procedure on the Inbound rules for File Server Remote Management (SMB-In) and File and Printer Sharing (NB-Session-In).

Configure the firewall for the Self-Service Password Reset server

After completing the configuration, the web service provided by the Self-Service Password Reset servers can be accessed only by the StoreFront servers using HTTPS, and the Self-Service Password Reset servers can access service located on the corporate network.

1. Open the Server Manager, and from the Tools menu on the top navigation bar, select Windows Firewall with Advanced Security.

2. On Windows Firewall with Advanced Security, select Windows Firewall Properties in the middle pane. There are three firewall profiles - Domain, Private, and Public. Select the Domain Profile tab. Ensure the Firewall state is set to On, the Inbound connections are set to Block, and the Outbound connections are set to Allow.  

localized image

3. Select the Private Profile and Public Profile tabs and ensure the Firewall state is set to On, and both the Inbound connections and Outbound connections are set to Block. Apply and save the changes.

4. From the Inbound Rules, choose World Wide Web Services (HTTP Traffic-In), and ensure this rule is Enabled and the Action is set to Block the connection.

5. On World Wide Web Services (HTTP Traffic-In) Properties, change to the Advanced tab, select the profiles Domain, Private, and Public, and save the changes of this rule.

6. From the Inbound Rules, choose World Wide Web Services (HTTPS Traffic-In), and ensure this rule is Enabled and the Action is set to Allow the connection.

localized image

7. On World Wide Web Services (HTTPS Traffic-In) Properties, change to the Scope tab, choose These IP addresses, and add all StoreFront server IP addresses into the list. For example, StoreFront A (192.168.1.50) and StoreFront B (192.158.1.51).

8. On World Wide Web Services (HTTPS Traffic-In) Properties, change to the Advanced tab, select the profiles Domain, Private, and Public, and save the changes of this rule.

Local file share deployment for Windows 2008 R2

After completing the configuration, any SMB access from a remote client is blocked. The SMB file share can be accessed only from local, and the Self-Service Password Reset service is accessed only from the Storefront servers us an HTTPS connection.

1. Open the Server Manager, and from the Tools menu on the top navigation bar, select Windows Firewall with Advanced Security.

2. On Windows Firewall with Advanced Security, select Windows Firewall Properties in the middle pane. There are three firewall profiles - Domain, Private, and Public. Select the Domain Profile tab. Ensure the Firewall state is set to On, the Inbound connections are set to Block, and the Outbound connections are set to Allow.

localized image

3. Select the Private Profile and Public Profile tabs and ensure the Firewall state is set to On, and both the Inbound connections and Outbound connections are set to Block. Apply and save the changes.

4. From the Inbound Rules, choose New Rules to create a new inbound rule. In the New Inbound Rules Wizard, select Rule Type, and choose Port as the type of the new rule, and then click Next.

localized image

5. In the New Inbound Rules Wizard, select Protocol and Ports, and choose TCP, choose Specific local ports, type 445 in the text box, and then click Next

6. In the New Inbound Rules Wizard, select Action, choose Block the connection, and then click Next.

7. In the New Inbound Rules Wizard, select Profile, choose Domain, Private, and Public, and then click Next.

8. In the New Inbound Rules Wizard, select Name, enter a name and description, and then click Next.

9. From the Inbound Rules, choose World Wide Web Services (HTTP Traffic-In), and ensure this rule is Enabled and the Action is set to Block the connection.

localized image

10. On World Wide Web Services (HTTP Traffic-In) Properties, change to the Advanced tab, select the profiles DomainPrivate, and Public, and save the changes of this rule.

11. From the Inbound Rules, choose World Wide Web Services (HTTPS Traffic-In), and ensure this rule is Enabled and the Action is set to Allow the connection.

12. On World Wide Web Services (HTTPS Traffic-In) Properties, change to the Scope tab. From the Remote IP addresse section, choose These IP addresses, and add all StoreFront server IP addresses into the list. For example, StoreFront A (192.168.1.13) and StoreFront B (192.158.1.14).

13. On World Wide Web Services (HTTP Traffic-In) Properties, change to the Advanced tab, select the profiles DomainPrivate, and Public, and save the changes of this rule.