Allowing users to change their password via the web
From: Bryan Allerdice (bryan_allerdice@yahoo.com) Date: 02/06/02
From: "Bryan Allerdice" <bryan_allerdice@yahoo.com> To: <focus-ms@securityfocus.com> Date: Wed, 6 Feb 2002 12:57:36 -0400
I have recently set up an Intranet site for my company. It's a W2K server
running IIS 5.0, accessed via a VPN connection from any one of our worldwide
offices. I assigned all the users a randomly generated password, with the
intention of providing them a means by which to change their password to
something more meaningful.
The server is not a domain controller, or running Active Directory, so
people can't change their passwords the easy way - I need them to connect to
a webpage and change their password that way (yuck, I know, but it is a
temporary solution while the new network is being built).
I have a page that runs a slightly modified version of this script...
<%
' First request: show the form. Form post (GETUSER present): check the account.
If Request("GETUSER") = "" Then
    With Response
        .Write "<FORM ACTION=USER.ASP METHOD=POST>"
        .Write "<INPUT TYPE=TEXT NAME=oDomain>ENTER DOMAIN<BR>"
        .Write "<INPUT TYPE=TEXT NAME=oUser>ENTER USER NAME TO CHECK<BR>"
        .Write "<INPUT TYPE=PASSWORD NAME=oPassword>ENTER USER PASSWORD<BR>"
        .Write "<INPUT TYPE=SUBMIT NAME=GETUSER VALUE=CHECK>"
        .Write "</FORM>"
    End With
Else
    oDomain = Request("oDomain")
    oUser = Request("oUser")
    oPassword = Request("oPassword")
    On Error Resume Next
    ' Bind to the account through the ADSI WinNT provider.
    Set objUser = GetObject("WinNT://" & oDomain & "/" & oUser)
    If Err.Number <> 0 Then
        Response.Write "Login Error---"
        Response.End
    End If
    If Len(objUser.FullName) < 1 Then
        Response.Write "User Not Found!!!!"
        Response.End
    Else
        On Error Resume Next
        ' The same value is passed as old and new password, so this call
        ' acts as a credential check rather than an actual change.
        objUser.ChangePassword oPassword, oPassword
        If Err.Number <> 0 Then
            Response.Write " BAD PASSWORD!"
            Response.End
        Else
            Response.Write "USER AUTHENTICATED!<BR>"
        End If
    End If
End If
%>
...now, this runs on a website, with anonymous access turned off, so that
the page runs under the context of the user accessing the page.
If I am connected to the site as a member of the USERS group, and try and
change my own password, I get this error in the Security Event Log...
Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 2/6/2002
Time: 11:37:44 AM
User: INTRANET\userinquestion
Computer: INTRANET
Description:
Change Password Attempt:
Target Account Name: userinquestion
Target Domain: INTRANET
Target Account ID: INTRANET\userinquestion
Caller User Name: userinquestion
Caller Domain: INTRANET
Caller Logon ID: (0x0,0x45CC3D2)
Privileges: -
...if I change that user to a member of ADMINISTRATORS, I get the same
thing.
I thought my problem was a permissions one, but changing the user to an
admin didn't fix anything, so maybe I am on the wrong track.
Now my question(s). Code I wrote in which I use the SetPassword function
works fine if run under the context of an administrator, but ChangePassword
doesn't. Does anyone else have experience with this kind of problem? I can't
think of a safe and secure way of using a script based around the
SetPassword function running as admin, but supplied with user details (that
I can validate) from a normal user.
How can I allow people to change their password via a webpage???
BRYAN
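Added example, not part of the original message: a Python parser for exported Event ID 627 text in the layout quoted above, separating failed changes where the caller is the target account from failures where the caller is a different account, and counting failures per caller. The second sample record, its account names and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: record 1 repeats fields of the failure audit quoted in
# the message; record 2 is invented (hypothetical account names).
SAMPLE = """\
Event Type: Failure Audit
Event ID: 627
Time: 11:37:44 AM
Description:
Change Password Attempt:
Target Account Name: userinquestion
Target Domain: INTRANET
Caller User Name: userinquestion
Caller Domain: INTRANET
Event Type: Failure Audit
Event ID: 627
Time: 11:39:02 AM
Target Account Name: someadmin
Target Domain: INTRANET
Caller User Name: otheruser
Caller Domain: INTRANET
"""

def parse_events(text):
    """Split exported event text into dicts; 'Event Type:' starts a record."""
    events = []
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if key == "Event Type":
            events.append({})
        if sep and value and events:  # skip label-only lines such as "Description:"
            events[-1][key] = value
    return events

def triage(event):
    """Label a failed 627 as self-service or cross-account, else None."""
    if (event.get("Event ID"), event.get("Event Type")) != ("627", "Failure Audit"):
        return None
    caller = (event.get("Caller Domain", ""), event.get("Caller User Name", ""))
    target = (event.get("Target Domain", ""), event.get("Target Account Name", ""))
    same = [s.lower() for s in caller] == [s.lower() for s in target]
    return "self-change-failed" if same else "cross-account-attempt"

def failures_by_caller(events):
    """Count failed password-change attempts per caller account."""
    return Counter(e.get("Caller Domain", "?") + "\\" + e.get("Caller User Name", "?")
                   for e in events if triage(e))
```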