Best Way to Change Password via the Web?

From: Fred Yarbrough (fcyarbrough_at_yahoo.com)
Date: 12/24/03

    Date: Wed, 24 Dec 2003 14:51:58 -0600
    
    

    We are a Microsoft shop here and we currently have two domains. Our user
    base is spread across our old NT 4.0 domain and some accounts are being
    migrated to our new Windows 2003 AD domain. I am needing to allow our
    remote users who use OWA and other web services here that require a NT login
    the ability to change their passwords when they expire.

    My plan is to set up an HTTPS site and allow users to change their NT
    password across the secured site. I plan on using the IISAdmPwd .htr files
    to actually perform the password changes. I will restrict access to this
    site with a set of front page(s) that force users to perform an initial
    login using their NT username and Employee ID that I have recorded in an
    Access database. Users cannot bypass the initial login because I set a
    session variable that is tracked on all pages within this site. If users
    try to go directly to the .htr files they are redirected back out to a
    warning that they are not logged in and their access is monitored and logged
    for future prosecution. Once they successfully log in using the check
    against my Access database they are forwarded on to the IISAdmPwd login
    pages. I have it working in my test lab but have yet to implement it for
    production. I am wondering if there are any security issues with this
    approach? I am also open to suggestions for better ways to do this using my
    setup or another way. I chose to use .htr files because I have used them in
    the past internally. I am also aware of the danger of being exploited by
    buffer overflows and other known exploits of the .htr files.

    Thanks,
    Fred Yarbrough
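
An added example, not part of the original post: one way to check from the IIS W3C logs that the front-page gate described above is being enforced, by listing .htr requests that were not preceded by a successful gate login from the same client IP. The login page path, the 302-on-success behaviour, the 20-minute window and the log lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

GATE_LOGIN = "/pwgate/login.asp"        # hypothetical name for the front login page
HTR_PREFIX = "/iisadmpwd/"              # IISAdmPwd virtual directory
SESSION_WINDOW = timedelta(minutes=20)  # assumed session lifetime after login

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-12-24 14:00:01 192.0.2.10 POST /pwgate/login.asp 302
2003-12-24 14:00:05 192.0.2.10 GET /iisadmpwd/aexp.htr 200
2003-12-24 14:02:10 198.51.100.7 GET /iisadmpwd/achg.htr 200
2003-12-24 14:03:00 203.0.113.5 POST /pwgate/login.asp 200
2003-12-24 14:03:04 203.0.113.5 GET /IISADMPWD/aexp.htr 302
2003-12-24 14:45:00 192.0.2.10 POST /iisadmpwd/achg.htr 200
"""

def ungated_htr_requests(log_text):
    """Return .htr requests with no successful gate login from the same
    client IP inside SESSION_WINDOW. Correlating by IP is an approximation:
    the W3C log does not record the ASP session itself."""
    fields, last_login, findings = [], {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        uri = rec["cs-uri-stem"].lower()  # IIS paths are case-insensitive
        ip = rec["c-ip"]
        if uri == GATE_LOGIN and rec["cs-method"] == "POST" and rec["sc-status"] == "302":
            last_login[ip] = when         # assumed: the gate answers 302 on success
        elif uri.startswith(HTR_PREFIX) and uri.endswith(".htr"):
            seen = last_login.get(ip)
            if seen is None or when - seen > SESSION_WINDOW:
                findings.append((rec["date"], rec["time"], ip,
                                 rec["cs-uri-stem"], rec["sc-status"]))
    return findings

if __name__ == "__main__":
    for finding in ungated_htr_requests(SAMPLE_LOG):
        print(*finding)
```

A finding with status 200 means the .htr page was served without a matching gate login; a finding with a redirect status is an attempt the gate turned away.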

