552 Views 4 Replies Latest reply: Jun 3, 2013 4:52 PM by frankm
frankm Apprentice 62 posts since
Jan 10, 2013

May 27, 2013 7:20 AM

Partner/VAR roles password restrictions

Is there a reason that McAfee limits password management to Partner/VAR admins and only a Customer Admin can manage passwords? When a reseller has to help a customer reset a password, they cannot because they either have Partner/VAR roles. This makes no sense, to a certain point. This is beginning to cause issues with our clients.

  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    1. May 27, 2013 8:52 AM (in response to frankm)
    Re: Partner/VAR roles password restrictions

    Greetings Frank,

     

    The Customer Admin role is the only user account level with the access to change other users' passwords. This was done to maintain account security and to limit access to this function to within a single customer shell. Global Administrators also do not have passwords.

     

    Partner Administrators are encouraged to assist users in utilizing the password reset function on the Control Console, leveraging a previous Spam Report for having a user reset their password if policy allows, and only in emergency situations creating a Customer Admin account to just reset a password.

     

    We know for some of our partners this may not be seen as optimal, but it does help limit account access to within an organization.


    Brad McGarr
    McAfee SaaS Email & Web Protection
    Technical Support Technician I (Legacy & Partner Support)
    Microsoft Certified Professional
    Microsoft Technology Associate - Windows OS | CompTIA A+ Certified Technician | CIW Web Foundations Associate
    Visit my blog: Brad's Corner - Insights from SaaS Email & Web Security Support https://community.mcafee.com/blogs/brad-denver

  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    3. May 28, 2013 10:44 AM (in response to frankm)
    Re: Partner/VAR roles password restrictions

    Frank,

     

    I understand your feelings. The partner administrator roles are designed to mirror, in large part, the same permissions as the Global Administrators with some exceptions and isolated to a specific partner shell. Global administrators do not even have the ability to manually set passwords or see passwords, which is why when Partner Admins contact support for password issues, we always have to walk them through the password reset function. Many partners incorrectly assume we would have the ability to just set a password, or provide a password over the phone. However, this would be counter to our mission as a security company. Even then, the end user would still have to be walked through setting a secure password and setting their challenge question for the account to be secure. When any administrator, partner or customer contacts McAfee support they must use the password reset process.

     

    Yes, being able to just reset a password is easier, but we tend to think about this in the same way someone would think about needing to cross a freeway. The pedestrian bridge is there but is a longer distance and takes more time, however the chances of getting injured are significantly slim. Darting across the lanes of traffic is faster and a more direct approach, but the liability is huge. Having the ability to change passwords on the fly creates significant liability. Without the ability to change passwords, the grounds for accusations of unauthorized account access (or actual cases of unauthorized access, which is not unheard of) are greatly limited. Considering the number of clients we work with that must abide by strict HIPAA, SEC, FERPA, and other privacy regulations, limiting access to accounts as much to the intended end user as possible is important. Then there are other security concerns to be cognisant of, such as the fact that identity is difficult to establish over the phone. Using the password reset function, this risk is reduced by sending the password reset either to the end user directly or to a domain administrator. Whoever clicks on the password reset URL must then answer a challenge question to provide some level of proof that they are the owner of the account.

     

    There are multiple ways of handling user passwords that allow 'as easy as possible' access or password reset without compromising account security, or opening up individuals to privacy concerns and compromising account security. Organizations can choose LDAP Authentication to put the password management in the hands of their Active Directory or LDAP Server. Users can utilize their most recent spam report, if the administrator has kept the default settings to allow end users to login directly via the spam report without a password. Users can reset their passwords directly from the control console.

     

    If all else fails, a customer administrator may choose to manually reset the password but they must then take on the responsibility of authenticating the user, then of walking the user through resetting their password once logged in and having them set a challenge question so they may use the password reset function in the future. The individual logging in as a customer administrator is then accepting these responsibilities, the liability of ensuring account security, privacy, adherence to any applicable laws and regulations.

     

    I understand that this is not the most direct route and is not easy, but our primary mission is security and at times the safest path is not the direct line. With the many ways of resetting a user's password, an administrator at any level should never have to manually do so, and even then should do so with the utmost reluctance.


    Brad McGarr
    McAfee SaaS Email & Web Protection
    Technical Support Technician I (Legacy & Partner Support)
    Microsoft Certified Professional
    Microsoft Technology Associate - Windows OS | CompTIA A+ Certified Technician | CIW Web Foundations Associate
    Visit my blog: Brad's Corner - Insights from SaaS Email & Web Security Support https://community.mcafee.com/blogs/brad-denver
