Contact us at 408.675.5020 or

Three wise gifts for MSPs and their help desk for the holidays

Three wise gifts for MSPs and their help desk for the holidays

Help desks and the holiday season
How to help MSPs and their help desk
LAPS Password Management
Delegated Rights
About the author

2017 is coming to an end, and as we head into the holiday season, most of us will have a chance to take some well-deserved time off to enjoy quality time with family and friends. Whether we are living in the North where nights get colder and longer or enjoying hotter and shorter nights in the Southern hemisphere, the holiday season often means working extended hours to conclude 2017 projects. This ultimately creates more last-minute demands on our IT  and help desk staff.

As the holidays approach, we don’t usually give any second thought to calling support off-hours when we need outside access to company resources or help with a new update. Having had to make these types of calls a few times, I often speculated what level of service I would get on the other end of the phone. You can always assume the help desk is snowed under with work at this time of year. Happily, I’ve always received the help I needed, and I am thankful for the people who make it happen, especially if it allows me to save time and start my holidays earlier.

From my experience, very few organizations have time to implement solutions to improve the help desk team’s day-to-day operations. Many help desk staff must carry a phone with them over the holidays to manage extended hours, and they often have to go to their offices to carry out the work. Picture a help desk professional alone in their cubicle, surrounded by all the “festive” holiday decorations put up by the marketing department. Pretty sad, don’t you think?

For Managed Service Providers’ (MSPs) staff the reality is often grimmer. With multiple clients support across multiple technologies and security restrictions, MSPs must handle procedural complexity to support new compliance regulations and service level obligations. In addition, as MSPs are the extension of their clients’ IT help desks, they can potentially get calls from dozens of companies over the holidays, some of which might include mission critical retail or other services that are required to be fully operational during this period. What help can they get?

The tradition of gift giving stems from the story of the Wise Men or Magi who provided three gifts: gold, frankincense, and myrrh. In this holiday season, MSPs, especially their dedicated help staff members, could use a few gifts to thank them for providing support for our networks, directory services and applications.

How can MSPs affordably provide their help desk team with the ability to improve client response times, reduce their risks and complexity for privileged accounts, and safely manage elevated access to systems over the holidays and into 2018?

This year, MSPs can be like the three Wise men and provide three gifts to their help desk staff:

  • Self-Service (Gold)
  • LAPS Password Management (Frankincense)
  • Delegated Rights (Myrrh)

How to help MSPs and their help desk


With over 40% of calls to help desks involving password resets, self-service is a gift as valuable as gold for your MSP practice. Many firms struggle with the added costs required to meet extended hours of support obligations. Few support managers would hesitate to reduce the number of calls to their help desk while maintaining or even improving the level of service they provide their clientele.

With Identity Maestro, your customers can serve-themselves efficiently and directly through a simple and easily accessible portal on your support page or through a link in an automated responder from your ITSM solution, while remaining confident your team is monitoring their activity. Identity Maestro makes password resets simple. This software comes with a secure web form that allows users to look up their accounts by entering their username or first and last names. Once they are found in the system, users are challenged to answer a series of questions unique to their account. Following successful answers, they can reset their own desktop login password. This is truly a golden gift! You are not only saving time and money in your operations, but you have also created a valuable tool for your clients, increasing the worth of your MSP offering.

Additionally, if you combine this service with Microsoft’s Authenticator on handheld devices, you can better ensure people are using their real identity. However, best practices advise to lock this service outside the IP range of your country(ies) of operation and log all activities.

LAPS Password Management

Local Administrator Password Solution (LAPS) is commonly used to gain Admin access to a desktop for help desk staff to perform essential updates or upgrades. A best practice for most MSPs is to revoke Admin access to the desktops they control, so the environment can’t become corrupted by installing non-supported software. Computing environment control is highly critical for most MSPs as it can affect service level agreements. Still, clients often need to install or re-install a software application and require help desk authority and control. LAPS helps solve this issue as it enables temporary Admin access to a desktop. By using LAPS, an MSP can gain admin access to any workstation with a unique, one-time password used to perform the upgrade. Once logged out, the MSP is confident the admin access is no longer available. LAPS is free from Microsoft too. Isn’t that awesome!?

On the one hand, LAPS is an efficient system that doesn’t require the installation of another privileged account management (PAM) or remote management system, which may be expensive and un-secure. LAPS also leverages Active Directory (AD) and its corresponding group policy and access control list. However, it creates challenges by requiring access to AD when retrieving passwords and controlling who gets access to them, adding complexity and risk to the computing environment. Imagine for example a help desk user being able to log into AD from the user’s machine to retrieve a password to patch the system against keylogging spyware. Can you see a problem here? Access to AD needs to be carefully restricted and the handling of this information in plain text from the users desktop should be avoided at all costs.

Identity Maestro solves these issues by providing a simple method for retrieving the LAPS password and avoiding any user error in password handling. It also supplies a secured, browser-based process to obtain the required information from any desktop. Identity Maestro offers a standard Manage LAPS custom task with SSL protected secure access and recording of all activities in an audit log database. More details are available here in this Knowledgebase article. The gift of a LAPS Manage Password system for your help desk is like Frankincense – it reduces stress, boosts health, and smells sweet!

Delegated Rights

Let’s be honest: no one wants to work over the holidays. That’s why the least senior staff often ends up working the holiday shift, as he or she hasn’t logged enough time or experience to bypass this obligation. Although this person is undoubtedly fully qualified and trustworthy, positioning them temporarily with full responsibility, and handing them admin passwords and elevated access isn’t best practice. This problem comes up every year and yet doesn’t get addressed enough in my opinion.

Insider threat is one of the most significant and growing security risks in our industry. Most security breaches do not originate because of someone’s malicious intent. Most breaches occur because of inexperience and negligence that were accidental and unintentional. The latest Verizon’s Data Breach Investigations report ranks the types of incidents uncovered from the past year by frequency: Privilege Misuse and Miscellaneous Errors are always in the top four. Alexander Pope wrote To err is human, and as the holiday season is often understaffed and overworked, our help desk employee, who is only human, is more vulnerable to phishing and social engineering tactics during this time.

Rights management shouldn’t change over the holidays, nor should account provisioning and management approval processes, even when the persons usually in charge are off work for some time. It seems better to design an approval process that can work without disrupting people’s holidays, while allowing business to continue as usual and remain accountable, doesn’t it?

Identity Maestro simplifies how to keep senior help desk  and application owner staff  in the approval process by offering a “click to approve” portal, easily accessible through a smartphone browser. If the manager or application owner is entirely unreachable during the holidays, authority can be delegated to another manager temporarily. These permissions are centrally managed, logged, and automatically expire after the holiday period. The help desk staff can continue to involve the line of business application owners in the granting of access to their systems while reducing human error and thwarting social engineering or phishing attacks. We’ve heard many stories of fake emails from the CEO asking for money wires and access to financial data. How likely would the new help desk person recognize a request for a new user or temporary elevated privileges as fraudulent? By carefully managing delegated rights and implementing the four-eyes principle before access is granted, we can avoid harmful financial consequences.

Via delegated rights, Identity Maestro provides a simple way to create or manage accounts without the need for individuals to receive Admin or elevated privilege access. Myrrh was the third gift from the Wise Men. It is said to protect from parasites and bacteria and have calming effects as an essential oil. By implementing an effective delegated rights system for their help desk team and by continuing to include management in the process, an MSP can defend their clients’ assets and their own integrity.

This holiday season, MSPs can be wise themselves, and offer the gifts of the Magi to their IT and help desk staff. Implementing best security practices, providing a secure tool to manage elevated LAPS, improving client service, reducing help desk costs through Self-service, and finally including their clients in the approval authority over their systems are all reasons for MSPs to be able to maintain the holiday spirit this season.

Contact us to schedule a session to review how Identity Maestro can help you give back to your or your clients’ help desk.

Davin Cooke
Hello, I'm Davin Cooke the Director of Business Development and Sales for Identity Maestro. I am a 25-year veteran of IT focused on helping hardware manufacturers, software manufacturers and MSPs streamline business processes, forge business partnerships, and build for the future. My passion is security and information governance and I have helped many companies meet regulatory compliance and security standards through technology transformation. I live and work in Austin, TX with my busy family. I'm an avid runner and burgeoning sailor and hope to meet you on your favorite trail or lake.