SPM - SMS Password Manager (self-service)
SPM is a web application installed in the customer’s IT environment (self-hosted, white-label, on-premise). It is a self-service password reset (SSPR) solution that enables users to reset Active Directory passwords and unlock Active Directory accounts. With SPM, users can reset their own Active Directory password or unlock their account from their mobile phone by sending an SMS to a special phone number.
- Reset of Active Directory passwords
- Unlocking Active Directory accounts
The second SPM function is to generate one-time passwords for applications that use the Radius protocol for user authentication. One-time passwords are generated in a similar way to Active Directory password resets, i.e. using the users' mobile phones.
The SPM application and Radius servers can be used to authenticate users in the Microsoft TMG + OTP Radius scenario, i.e. Microsoft Forefront Threat Management Gateway + One Time Password Radius.
The SPM application is designed for medium and large enterprises using Active Directory. The functions of the SPM application can be accessed from a mobile phone and a web browser (IE8, IE9, IE10 and IE11, as well as Chrome and Firefox). The first and most visible effect of deploying SPM is a radical reduction of the burden on IT departments through the introduction of self-service mechanisms, which allow the handling of network folders to be delegated to the interested parties themselves, i.e. the users who use them on a daily basis. The most important and long-term effect of deploying SPM is organized access to information resources and a standardized policy of granting permissions, while maintaining full control and keeping records of the changes introduced.
Application description
Using the SPM application, the user can use his own mobile phone to reset his Active Directory password, unlock his Active Directory account or generate a one-time password for himself to access resources/applications with a higher security regime (e.g. Microsoft TMG + OTP RADIUS server).
User passwords are managed in a fully automatic mode without the participation of administrators - users can generate a new password for themselves by sending a properly formulated SMS message to a special phone number from their mobile phone.
Alternatively, users can use the helpdesk team's telephone support: once SPM is deployed in the customer's company, its IT department (helpdesk) receives an additional tool in the form of the SPM Administration Application, i.e. a dedicated application with a WWW interface.
Application structure
SPM application structure diagram:
The SPM application is made up of five components:
- SPM WEB - A WWW interface designed for password operators, giving the ability to generate a password for any user. All operations, ordered by password operators in the WWW interface, are performed as follows:
  - Inserting a new task into the database (e.g. adding a new network share, updating the list of folders, etc.)
  - Assigning the task to an appropriate set of operations in the file system and inserting it into the execution queue on the file server.
  - A dedicated service on the file server performs the set of operations on the file server.
- SPM Database – a database located on a Microsoft SQL Server, storing information necessary for the operation of SPM WEB
- SPM Service – an executive module responsible for the execution of one-time and cyclic tasks ordered in the SPM WEB interface
- SPM ADsync - a module to synchronise user data with Active Directory
- SMS Server - a module responsible for sending and receiving SMS messages
All of the above SPM components can be installed on one server, but it is recommended that at least the database - the SPM Database - be installed on a separate server. The SMS server must have access to the Internet and be able to join the GSM operator's SMS-center. Other modules can be installed on any server within the customer's local network.
SPM operates in a self-service model: all activities related to network share management are prepared by users on their own and sent to the administrator for approval as part of the so-called "workflow". The operations are then accepted (or corrected or rejected) by the administrator, which ensures full control and makes it possible to keep an inventory of the changes made.
Basic functions
SPM provides two methods of operation:
- The first method, available to ordinary Active Directory users, consists in resetting the user's own Active Directory password or generating a one-time password (Radius) by sending an SMS message from the phone registered in Active Directory to the appropriate telephone number supported by SPM.
- The second method, reserved exclusively for operators (the helpdesk) and administrators, consists in generating an appropriate password via the SPM Administration Application, i.e. a dedicated web application that enables resetting Active Directory passwords, unblocking Active Directory user accounts and generating Radius one-time passwords.
The SPM administration application distinguishes and supports three types of users in the web interface:
- An Active Directory password operator – a user entitled only to unblock the account and reset the Active Directory password of any Active Directory user via the Administration Application
- A one-time password operator – a user entitled only to generate a one-time password (Radius) for any Active Directory user via the Administration Application
- An administrator – a user authorised to perform all operations available in the SPM Administration Application, including unlocking the account, resetting the Active Directory password, generating a one-time password and managing the "black list" of telephone numbers. The administrator also has access to the history of all operations of the SPM application, including operations initiated from users' mobile phones and operations performed in the SPM Administration Application.
The following table describes functions available for specific types of users:
Function | User | Active Directory password operator | One-time password operator | Administrator |
---|---|---|---|---|
Unlocking your own Active Directory account using your mobile phone | | | | |
Resetting your own Active Directory password using your mobile phone | | | | |
Generating a one-time password for yourself (Radius) using your mobile phone | | | | |
Unlocking any Active Directory account using the Administration Application (WWW) | | | | |
Resetting the Active Directory password of any user using the Administration Application (WWW) | | | | |
Generating a one-time password (Radius) for any user using the Administration Application (WWW) | | | | |
Managing a “black list” of excluded mobile phone numbers within the Administration Application (WWW) | | | | |
Preview of the history of events concerning all operations performed within the Administrative Application (WWW) | | | | |
Application security
The SPM application has been made with special care for security and reliability in terms of password processing. The following data security requirements were taken into account during its development:
- particular emphasis is placed on protecting sensitive data and minimising the risk of unauthorised access to passwords
- temporary Active Directory passwords and one-time passwords are handled in plaintext only in the user's browser; the same password cannot be downloaded or generated again
- temporary Active Directory and one-time passwords are not stored anywhere in the application after being sent to the user
- unused Active Directory passwords and one-time passwords are erased from the user's phone after their expiry date (e.g. after 5 minutes)
- one-time passwords are not stored in plaintext in the Active Directory, in the database or in application logs
- the event logging subsystem records all instances of application use and the sending of passwords; the plaintext password is never recorded in the application log or in any other part of the application
- Radius server integration with the customer’s infrastructure takes into account the possibility of multiple Active Directory controllers and delays in data replication between them
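An added sketch (not DCS's code and not taken from the SPM product) of how the requirements listed above can be met for SMS-requested one-time passwords: only a salted hash is kept, the code expires after the page's example lifetime of 5 minutes, it cannot be fetched again, and the audit log records events without the password. The class and method names, the 8-digit length, PBKDF2 storage and the rule that one verification attempt consumes the code are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60   # the page's example lifetime ("e.g. after 5 minutes")
OTP_DIGITS = 8             # assumption: the page does not state a length


class OtpIssuer:
    """Hypothetical SMS-triggered one-time-password issuer (constructed example)."""

    def __init__(self, directory, blacklist, clock=time.time):
        self.directory = directory       # user -> phone number registered in the directory
        self.blacklist = set(blacklist)  # numbers excluded by the administrator
        self.clock = clock               # injectable so expiry can be tested
        self.pending = {}                # user -> (salt, digest, expires_at); no plaintext
        self.audit_log = []              # events only, never the password itself

    def _digest(self, salt, otp):
        # Slow salted hash: a copied store should not reveal short numeric codes cheaply.
        return hashlib.pbkdf2_hmac("sha256", otp.encode(), salt, 100_000)

    def _log(self, event, user, sender=None):
        self.audit_log.append({"time": self.clock(), "event": event,
                               "user": user, "sender": sender})

    def request_by_sms(self, user, sender):
        """Handle an inbound SMS; return the OTP to send back, or None if refused."""
        if sender in self.blacklist:
            self._log("refused_blacklisted", user, sender)
            return None
        registered = self.directory.get(user)
        # An unknown user and a wrong number are refused the same way.
        if registered is None or not hmac.compare_digest(registered.encode(),
                                                         sender.encode()):
            self._log("refused_sender_mismatch", user, sender)
            return None
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        # A new request replaces any earlier pending code for the user.
        self.pending[user] = (salt, self._digest(salt, otp),
                              self.clock() + OTP_TTL_SECONDS)
        self._log("otp_issued", user, sender)
        return otp  # handed to the SMS gateway once; it cannot be fetched again

    def verify(self, user, candidate):
        """Check a code presented at login (e.g. by the Radius side)."""
        entry = self.pending.pop(user, None)  # pop: one attempt consumes the code
        if entry is None:
            self._log("verify_no_pending", user)
            return False
        salt, digest, expires_at = entry
        if self.clock() > expires_at:
            self._log("verify_expired", user)
            return False
        ok = hmac.compare_digest(digest, self._digest(salt, candidate))
        self._log("verify_ok" if ok else "verify_failed", user)
        return ok


if __name__ == "__main__":
    # Constructed sample data: one user, one blacklisted number.
    issuer = OtpIssuer({"jkowalski": "+48500100200"}, ["+48500999999"])
    code = issuer.request_by_sms("jkowalski", "+48500100200")
    print("verified:", issuer.verify("jkowalski", code))
    print("replayed:", issuer.verify("jkowalski", code))
    print([e["event"] for e in issuer.audit_log])
```
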
Major benefits
- Increased efficiency of the IT department and a reduction of at least 95% in the involvement of the helpdesk in handling requests for managing passwords, user accounts and access to applications and subnetworks.
- Natural support for internal corporate procedures related to password, user account and application and subnet access management.
- A self-service mechanism allowing users to perform basic password, user account and application and subnet access management activities on their own, without or with minimum administrator involvement.
- The possibility to delegate simple administrative functions (i.e. recovering lost passwords and unlocking user accounts) to business managers, as each user can act as a password operator (provided he has been assigned such rights).
- A simple application interface that does not require users' technical knowledge of password, user account, application and subnetwork access management.
- A possibility to adjust and expand the functionality and integration with other systems upon request.
Application screenshots
Below are some examples of SPM screenshots. It is possible to test the application "live" using a demo platform, without having to install the software in the customer's IT infrastructure. If you are interested, please contact us directly at the following e-mail address: info@dcs.pl
Application distribution
Using the SPM application requires the purchase of a license covering all active Active Directory accounts. The number of active Active Directory accounts must not exceed the number of users specified in the purchased license.
The SPM application is offered in two independent functional versions: SPM for Active Directory (SPM-AD) and SPM for Radius Systems (SPM-RS). Each of the SPM versions is distributed as two software packages: the Installation Package and the Additional Package. Each package contains: (1) the Licence and (2) Technical Support. The description and pricing of the packages, the licensing rules, the support rules and optional add-on services are described below.
(1) The Software Licence - a non-exclusive and non-transferable licence of unlimited duration to use the Software, including the right to use the Software (including loading into the computer memory) without the right to modify, copy or make available to third parties, whether for a fee or not. Detailed terms of the Software Licence are available under the "Licence" tab (above).
(2) Technical support - technical support including assistance by correspondence and telephone for the use of the software. Package prices include support for 1 year. The conditions for extending support are set out in the "Prices for extension of support" section. Detailed conditions of Technical Support are available under "Support" (above).
NOTE: The SPM application can use SMS messages to send password information to mobile phones. This price list does not include the costs associated with sending SMS messages.
Prices
When you purchase the SPM application, you must purchase one Installation Package and the required number of Additional Packages separately for each functional version (SPM-AD and SPM-RS). Each functional version of SPM is purchased independently of the other. The price of each package includes one Software Licence for a specified number of users and Technical Support for 1 year. The terms and conditions for the provision and extension of support are set forth in the "Prices for extension of support" section.
Software packages | Net price | Package description |
---|---|---|
SPM-AD - Installation package for 100 users with technical support for 1 year | 800 EUR | Software licence for up to 100 users, Technical Support for 1 year. If you have more users, you must purchase the appropriate number of Additional Packages. |
SPM-AD - Additional package for 100 users with technical support for 1 year | 400 EUR | Software licence for additional 100 users, Technical Support for 1 year. The Additional Package can only be purchased as an extension of the Installation Package. |
SPM-RS - Installation package for 100 users with technical support for 1 year | 800 EUR | Software licence for up to 100 users, Technical Support for 1 year. If you have more users, you must purchase the appropriate number of Additional Packages. |
SPM-RS - Additional package for 100 users with technical support for 1 year | 400 EUR | Software licence for additional 100 users, Technical Support for 1 year. The Additional Package can only be purchased as an extension of the Installation Package. |
VAT must be added to the prices in the table.
Prices for extension of support
The price of SPM packages includes Technical Support provided by the producer's service team for 1 year from the date of purchase. Technical Support may be extended in accordance with the table below at any time, but no later than 30 days after expiry. Renewal of support after 30 days from the expiry date shall be subject to an equalisation fee for the delay period and an additional fee of 25% of the support extension price. If support needs to be resumed after 12 months from the expiry date, additional acceptance of the producer is required.
Extension of support | Net price | Support description |
---|---|---|
SPM-AD – Extension of Support for the Installation Package for 100 users for 1 year | 200 EUR | Technical Support in Polish for the Installation Package for 100 users for 1 year. |
SPM-AD - Extension of Support for the Additional Package for 100 users for 1 year | 100 EUR | Technical Support in Polish for the Additional Package for 100 users for 1 year. If you have more than 100 users, Support should be extended for all Additional Packages. |
SPM-RS - Extension of Support for the Installation Package for 100 users for 1 year | 200 EUR | Technical Support in Polish for the Installation Package for 100 users for 1 year. |
SPM-RS - Extension of Support for the Additional Package for 100 users for 1 year | 100 EUR | Technical Support in Polish for the Additional Package for 100 users for 1 year. If you have more than 100 users, Support should be extended for all Additional Packages. |
VAT must be added to the prices in the table.
NOTE: Technical support is provided by the producer's service team remotely with the active participation of the customer's administrator. Prices of support do not include costs related to travel and accommodation of specialists and transport of products and equipment. Where the presence of the producer's specialists at the site of installation is necessary, the terms and the price of such a service require a separate agreement.
Prices of additional options
Additional services can be ordered independently of SPM packages; their purchase does not have to be tied to the purchase of SPM packages. However, it is required that the additional services are provided during the period of your Technical Support entitlement. Detailed conditions, scope of services and fees for additional services are determined individually, taking into account the rates contained in the table below.
Additional options | Net price | Service description |
---|---|---|
SPM – Implementation service | 45 EUR / hour | Implementation of the software on the customer's server on the basis of the individual agreements. Total cost of the service is calculated on the basis of the duration of work. The rate given applies to one hour of work. |
SPM – Implementation of additional functionalities | 45 EUR / hour | The fee and terms of service are determined on the basis of the individual agreements. Total cost of the service is calculated on the basis of the duration of work. The rate given applies to one hour of work. |
VAT must be added to the prices in the table.
NOTE: Services under the additional options can be provided both remotely and at the customer's premises, depending on arrangements. Prices of additional options do not include costs related to travel and accommodation of specialists and transport of products and equipment. All such costs require additional arrangements.
Software Licence (A licence agreement)
- The "SMS Password Manager" software program (abbreviated as SPM) together with the media belonging to it, printed materials (if any) as well as electronic and printed documentation - hereinafter referred to as "Software" - is owned by dcs.pl Sp. z o.o. (hereinafter referred to as DCS) and is protected by the Copyright Act and international conventions, legislative acts of the European Union and other legal provisions that protect intellectual property. This software is not subject to sale, but only to licensing.
- The User (being both a natural and legal person) accepts that by downloading, copying, installing or in any other way using the Software he concludes this licence agreement (hereinafter the Agreement) with dcs.pl Sp. z o.o. for the use of the Software and agrees to be bound by its provisions. If the User does not accept the Agreement, he is not entitled to download, store, install and use the Software and at the same time is obliged to remove all original copies and copies of the Software in his possession.
- The User has the right to use a demo version of the Software free of charge no longer than 30 days from the date of the first installation. A demo version of the Software may have functional limitations in relation to the full version of the Software.
- If the Software has not been removed after 30 days from the date of its first installation, the User is obliged to purchase licences for all active Active Directory accounts. Exceeding the licence conditions releases DCS from the obligation to provide technical support for the Software.
- The User has the right to save one copy of the Software on one data storage unit (e.g. a CD, a hard disk) for archiving or data security purposes.
- DCS does not permit reverse engineering, decompilation or disassembly of the Software.
- The Software is licensed as a single entity and you may not substitute, separate or alter any of its individual components for use on more than one server and/or to violate any provisions of this Agreement.
- DCS does not permit the lending, renting or leasing of the Software or the transfer of licences, original copies or otherwise made copies of the Software to third parties.
- The User shall retain all copyright notes received with the Software.
- Electronic and printed materials supplied with the Software may not be copied.
- DCS reserves all rights to publish, reproduce, process and make changes to the Software.
- DCS shall not be liable for errors that occur during the operation of the Software and the data provided with it. DCS shall also not be liable for the lack of compatibility of the Software with other IT systems and for the lack of functionality covering expectations or goals defined by the User.
- DCS shall not be liable for any damages arising from the use of the Software or the lack of the possibility to use the Software (including, without limitation, damages arising from lost profits, system interruptions, lost data and information and other financial losses), even if you have advised DCS of the possibility of such damages. The liability of DCS arising for any reason whatsoever shall be limited to the amount that you have paid for the acquisition of licence rights to the Software.
- The User shall be liable for damages incurred by DCS as a result of the infringement of its Software copyrights.
- DCS reserves the right to claim pecuniary damages or to take legal action in case of violation of its Software copyrights or the use of the Software in breach of the Agreement.
- The provisions of the Civil Code shall apply to matters not covered by the Agreement.
- Third party companies and product names mentioned in the Software may be registered trademarks of their respective owners.
- Any potential disputes arising from the Agreement shall be resolved by a common court having jurisdiction over the registered office of DCS.
Technical Support (A support agreement)
I. DEFINITIONS
- DCS: dcs.pl sp. z o.o., having a registered office in Warsaw, address: 02-785 Warszawa, ul. Puławska 303, entered into the register of entrepreneurs by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register under the number 0000144808, Tax Identification Number: 951-206-33-62.
- Software: The ”SMS Password Manager” software program (further referred to as SPM), for which DCS provides Technical Support. The terms of licensing and use of the Software are set forth in the Software Licence.
- Technical support: The maintenance and user support services offered by DCS, consisting in answering questions asked by Users concerning the operation of the Software, as well as assistance in solving problems with the use of the Software, encountered by Users during the use of the Software.
- User: A person authorized to represent an entrepreneur who has the right to use the Software under a Software License he has purchased.
- Service request: A single event or situation recorded by DCS, related to the User's reported question or problem concerning the operation of the Software, documenting the history of Technical Support for the reported question or problem.
- Terms of support: The terms and conditions laid down herein that specify the principles under which DCS provides Technical Support.
Unless otherwise stated in the Terms of Support, all capitalised terms shall be understood in accordance with the above definitions.
II. RULES AND PROCEDURES FOR THE PROVISION OF SERVICES
- The Terms of Support set out the terms and conditions and the manner in which DCS provides Technical Support for the Software, in accordance with the agreements entered into by DCS in this respect.
- The Technical Support Agreement is concluded for a limited period of time and Technical Support is provided only in relation to the latest version of the Software.
- DCS agrees to provide Technical Support only during the term of the Software Licence and the Technical Support Agreement, provided that you pay the required Software Licence and Technical Support fees.
- DCS is exempt from providing Technical Support if you are found to be in breach of the terms of the Software Licence.
- The Technical Support contract is a contract for diligent action within the limits set out in the Terms of Support, and is not a contract to achieve any result. In particular, DCS does not guarantee that Technical Support will meet Users' requirements or expectations.
- In connection with the limited warranty for the Software as commercial software, DCS does not warrant that as a result of providing Technical Support the operation of the Software will be uninterrupted, error-free or malfunction-free, or that Technical Support will correct all errors and malfunctions in the operation of the Software.
- DCS provides two forms of Technical Support:
  - the E-mail Support formula consists in the User communicating with DCS via e-mail to the e-mail address indicated by DCS.
  - the Live Support formula consists in communicating with DCS by means of a telephone, an Internet messenger or another communication channel provided by DCS.
- Technical Support under the Live Support formula is available daily from 9am to 5pm, except for public holidays.
- DCS does not provide its own means of communication for contacts with users. The contact between DCS and the Users, both by telephone and by means of electronic communication, takes place using services commonly provided by external network operators. Therefore, DCS does not ensure that access to the means of communication offered will be uninterrupted and is not responsible for interruptions in telephone or electronic communication caused by reasons independent of DCS or reasons that cannot be avoided without incurring significant additional costs. This applies in particular to interruptions and disturbances in the proper functioning of external telecommunications links and equipment and to commonly accepted force majeure circumstances.
III. THE MANNER OF PROVIDING TECHNICAL SUPPORT
- DCS decides on its own on the choice of tools and methods of performing Technical Support depending on its assessment of the reported problem. The User is not entitled to request the performance of Technical Support in the manner or form of the Technical Support of his choice.
- Each question or problem reported by the User, referring to a different issue than the one previously reported, results in the registration of a separate Service Request.
- DCS will make its best efforts, but does not guarantee that contact with you as part of the so-called first response to the Service Request will take place no later than on the next business day after the day on which the Service Request was registered. However, this does not mean that the reported question or problem will be definitively resolved within this period.
- The Service Request is closed after the User receives an answer to the submitted question, the problem is solved or the inability to solve the problem is established and the User is informed about it. A closed Service Request may be reopened in the event that DCS needs to take further action regarding the Service Request in question.
- DCS shall not apply restrictions on the number of Service Requests opened by the User.