Account lockouts and password resets are two things that IT support personnel frequently deal with. In my experience, these two tasks make up a large chunk of help desk tickets.
Self-service account management tools do exist, but many of these tools are expensive, and the cost can put them out of reach for small businesses and non-profits.
That is where Nervepoint Access Manager (abbreviated NAM) comes in. NAM is a Linux-based virtual appliance that provides web-based self-service password reset and account unlock utilities.
Download and Setup
NAM can be downloaded from the Nervepoint website. The download file is a TAR that contains the VMware vmx and vmdk files, so you will need a program like 7-zip to extract it. Once downloaded, you will need to upload these files to a datastore in your VMware environment and add the virtual machine to your inventory.
Once the VM is powered on, it will grab a DHCP address. My test network is small, so I was able to easily find it and log into the administrative web interface to configure my network adapter. This may be an issue in larger environments or in data centers without DHCP, but there is a community forum post that describes how to configure the network adapter from the console.
Configuring access to Active Directory is fairly easy too. Opening your web browser and browsing to the Nervepoint appliance will bring up a first-time setup screen. It will use DNS to detect any Active Directory domains in your environment and connect to them. You will also need to set up a service account that has permissions to change passwords on any OUs that contain users.
To connect successfully to an Active Directory domain, that domain will need to have LDAP over SSL configured. For larger environments, this won’t be a problem as they will likely have an Active Directory-integrated PKI environment set up. Environments that don’t have PKI will require at least one Enterprise CA and a Windows Server Enterprise license or a 3rd-party certificate.
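A pre-flight check for the LDAP over SSL requirement described above, added here as an example (it is not from the original post or from Nervepoint): it validates the certificate a domain controller presents on port 636 before the appliance is pointed at it. The host name `dc01.corp.example`, the CA file name, the 30-day warning window and the function names are assumptions, and the sample certificate is constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "notAfter": "Jun 15 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "dc01.corp.example"),),
}

def evaluate_cert(cert, hostname, now=None, warn_days=30):
    """Check name coverage and remaining lifetime of a peer certificate dict."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    host = hostname.lower()
    # Accept an exact SAN match or a single-label wildcard (*.corp.example).
    name_ok = any(
        s == host or (s.startswith("*.") and host.partition(".")[2] == s[2:])
        for s in sans)
    days_left = (expires - now).days
    problems = []
    if not name_ok:
        problems.append(f"no DNS SAN matches {hostname}")
    if days_left < 0:
        problems.append("certificate expired")
    elif days_left < warn_days:
        problems.append(f"certificate expires in {days_left} days")
    return {"sans": sans, "days_left": days_left, "problems": problems}

def check_ldaps(hostname, port=636, cafile=None, timeout=5):
    """Handshake with a DC's LDAPS port, validating chain and host name.

    Raises ssl.SSLCertVerificationError if the chain or name is not trusted,
    and OSError if port 636 is closed or filtered.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies by default
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            report = evaluate_cert(tls.getpeercert(), hostname)
            report["tls_version"] = tls.version()
            return report

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live check call
    # check_ldaps("dc01.corp.example", cafile="issuing-ca.pem") (hypothetical names).
    print(evaluate_cert(SAMPLE_CERT, "dc01.corp.example"))
```

A verification error from `check_ldaps` usually means the checking host does not trust the issuing CA, which is the same condition that would stop a client from binding over LDAPS.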
Once configured, it is fairly easy for end-users to use. They will need to log in to configure their answers to the questions that will be used to verify their identity. Password changes and account unlocks are simple affairs – a user only needs to answer three of the five questions correctly to perform a password reset.
Despite being a beta, there are several things I like about the Nervepoint appliance. It is a fairly small VM that uses less than a gigabyte of RAM. It is suitable for production use in smaller environments, and it is very easy to use.
Even though I like this appliance a lot and would consider deploying it in my production network, there are a couple of areas for improvement.
For starters, there is very little documentation. There are no install or administrator guides, and the forums don’t have a lot of information yet. There is a FAQ section of the website, but it doesn’t have a lot of information in it either. There is no read-me or license information included with the appliance either.
The VM doesn’t have the VMware tools installed. I believe that this is something that should have been done by the developers before shipping the appliance. It’s not a huge deal, but it would help with managing the VM.
I don’t have the ability to customize the security questions that my employees are asked or set the number of questions they must answer correctly. The ability for administrators to customize these settings may be important in some environments.
And finally, the distribution method for this appliance leaves something to be desired. The VM is downloaded from the Nervepoint website, and it took multiple attempts to correctly import the virtual machine into my test environment. A better option might be to package the appliance as an OVF template and list it on the VMware marketplace.
Despite the cons, the Nervepoint Access Manager is a fairly decent little Self-Service Account Management appliance, and I would strongly consider deploying it in my production network in the future.
Edit: It was brought to my attention by the developers of this product that the license and the default questions can be changed during the initial setup. I did not have these two items in my notes, and I apologize for the error.