Description
- Type: CUSTOMER
- Severity: NOTICE
- Protection against: ERROR
- CIS: M365 1.1.4 - (L1) Ensure self-service password reset is enabled
- FIX Available: YES
This Customer Check uses Microsoft Secure Score to verify whether self-service password reset (SSPR) is enabled. With SSPR, employees who have forgotten their account password can set a new one themselves, without involving the helpdesk.
Why this check?
When a password reset must be performed via a helpdesk, several risks arise. First, a helpdesk employee needs elevated rights to set someone else's password. Those rights also make the helpdesk employee a more attractive target for attackers. Second, the helpdesk employee will need to set and share a temporary password with the employee, which may lead to predictable passwords or insecure sharing. Finally, an attacker may attempt to impersonate an employee and deceive a helpdesk employee into resetting a password.
Self-service password reset takes the helpdesk out of this loop, so these risks are largely eliminated. What remains is the reset path itself: an attacker who can satisfy the SSPR verification can take over the account, so the reset methods should be strong (for example, require more than one method and avoid easily guessed ones such as security questions).
CIS Benchmarks
This measure aligns with the following item from the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark:
- CIS M365 1.1.4 - (L1) Ensure self-service password reset is enabled
What are the possible outcomes of the check?
This check has two possible outcomes. In Attic, this is reflected as follows:
- Okay: The SelfServicePasswordReset setting is activated
- Notice: The SelfServicePasswordReset setting is not active
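The following PowerShell snippet is an added example, not Attic's own code and not taken from the CIS benchmark. It performs the same Secure Score lookup with the Microsoft Graph PowerShell SDK and maps the result to the two outcomes above. The Microsoft.Graph.Security module, the SecurityEvents.Read.All permission, the control name SelfServicePasswordReset and the rule that a full control score corresponds to Okay are assumptions made for the example.

```powershell
# Added example, not part of Attic or the CIS benchmark: reproduce the check by
# reading the Secure Score control for self-service password reset via Microsoft Graph.
# Assumptions (not stated on the page): the Microsoft.Graph.Security module is
# installed, the signed-in account holds SecurityEvents.Read.All, and the Secure
# Score control is named "SelfServicePasswordReset".

function Get-SsprCheckOutcome {
    param(
        [string]$ControlName = "SelfServicePasswordReset"
    )

    Connect-MgGraph -Scopes "SecurityEvents.Read.All" -NoWelcome

    # Secure Score is recomputed about once a day; evaluate the newest snapshot only,
    # sorting client-side rather than relying on the service's default ordering.
    $latest = Get-MgSecuritySecureScore -All |
        Sort-Object -Property CreatedDateTime -Descending |
        Select-Object -First 1
    if (-not $latest) { throw "No Secure Score data returned for this tenant" }

    $control = $latest.ControlScores | Where-Object { $_.ControlName -eq $ControlName }
    if (-not $control) { throw "Control '$ControlName' not present in the Secure Score snapshot" }

    # The achievable points for a control live on its profile, not on the score entry.
    $profile  = Get-MgSecuritySecureScoreControlProfile -SecureScoreControlProfileId $ControlName
    $maxScore = $profile.MaxScore

    # Mapping used by the check: a full score means the setting is active.
    $outcome = if ($control.Score -ge $maxScore) { "Okay" } else { "Notice" }

    [pscustomobject]@{
        Control  = $ControlName
        Score    = $control.Score
        MaxScore = $maxScore
        Snapshot = $latest.CreatedDateTime
        Outcome  = $outcome
    }
}

Get-SsprCheckOutcome
```

Because the lookup reads a daily Secure Score snapshot rather than the live tenant setting, the Snapshot timestamp in the output tells you how stale the verdict can be; a setting enabled after that timestamp still shows as Notice until the next recalculation.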
How should this be followed up?
If the outcome is Notice, we advise enabling self-service password reset (the SelfServicePasswordReset setting). Secure Score is recalculated about once a day, so the check may keep reporting Notice for up to a day after the setting has been enabled.
A Fix is available for this check, which we offer through Attic.