Re: Remote password change/account unlock

From: Matt DuBois [MS] (mdubois@online.microsoft.com)
Date: 03/31/03


From: "Matt DuBois [MS]" <mdubois@online.microsoft.com>
Date: Mon, 31 Mar 2003 11:09:02 -0800


Allowing users to change or reset their passwords or unlock their accounts
from a web page is not a good idea for several reasons:

1) There are no guarantees the person using the web page actually owns the
user account. There are a variety of social engineering tactics that can be
used to get any additional information the page asks for to validate the
user. Doing this would make a lot of malicious hackers happy, especially if
the web page somehow became accessible to the internet.
2) Nothing stops someone from accessing the service directly, bypassing any
checks enforced by the web page.
3) Allowing unlocks is bad as well. What stops a malicious hacker from
unlocking an account they are trying to crack when it gets locked out?
4) Allowing a password reset will block all access to EFS encrypted files by
the user. Sure, a domain recovery agent can get them back, but that causes
additional admin overhead. You don't want your admins having to spend the
entire day recovering files and not having time for important things like
server maintenance and security continuing education. :)
5) There are security implications to having a service running as
Administrator, accepting network connections and executing commands. If you
want to do that, you should make absolutely sure that there are no buffer
overruns or other exploits, and definitely don't use anything the remote
client gives the service directly in an API call.

There are, no doubt, others. While convenient for users and administrators,
it is a classic case of trading security for convenience. You have to
evaluate the risks with your goals and decide if it is worthwhile in your
case, but keep in mind that the attacker could be an employee just as easily
as someone external. Don't assume that it would be safe just because it
isn't accessible from the internet.

There is no real "secure" way to allow users to reset their own passwords or
unlock their accounts, since you are doing something that is insecure by
definition. Other risks come with the implementation details, but any way
you implement this will be a possible target for abuse.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Ivan Karpov" <nbdnwhr@mail.no.spam.ru> wrote in message
news:ukmKw$59CHA.2820@TK2MSFTNGP11.phx.gbl...
> I need to design a system that would allow users to change/reset their
> passwords in an NT domain and unlock the accounts if they're locked as a result
> of failed login attempts. Here's what I want to do:
>
> User -> ASP and COM component -> DC with NT Service running
>
> COM component here would simply make DCOM call to NT service running on DC
> which will run under Administrator's account so it can make calls like:
>
> Set objUser = GetObject("WinNT://MYDC/jsmith,user")
> objUser.SetPassword "foo"
>
> What are security implications of this solution? Is there a better way?
>
> IVAN KARPOV
>
>
