Re: Best Way to Change Password via the Web?

From: Rich Raffenetti (raffenetti_at_attbi.com)
Date: 12/26/03


Date: Thu, 25 Dec 2003 23:42:27 -0600

Please post the numbers and source when you get a chance. Thanks.

Also, is there a document describing this functionality?

"Chris Adams (IIS)" <chrisad-msft@microsoft.com> wrote in message
news:%23m7LG00yDHA.1736@TK2MSFTNGP09.phx.gbl...
> Hey ~
>
> We recently released hotfixes for this functionality. If you have trouble
> locating them, please post back. It is important that you download this
> hotfix and install it.
>
> Sorry, it is Christmas, don't have access to find the KB's for the hotfix...
>
> HTH,
> ~Chris
> IIS Supportability Lead
>
>
> "Rich Raffenetti" <raffenetti@attbi.com> wrote in message
> news:e$oWxIqyDHA.2064@TK2MSFTNGP10.phx.gbl...
> > Recently MS replaced the original .htr files with new versions.
> >
> > We use the standard MS system (.htr files) to do password changes. The .htr
> > files are just asp so we did some modifications on them as needed for our
> > environment.
> >
> > I also wrote an asp page to allow admins of OU's with reset password
> > permissions to do that from the web as well. The password admins have to
> > log in to that page with their credentials.
> >
> > I would steer away from a private authentication mechanism (your Access
> > database) to enable password changing. The MS mechanism works well and
> > catches conditions. It allows a user to change an expired password as long
> > as the old password is known.
> >
> > "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
> > news:uIsFH$lyDHA.1364@TK2MSFTNGP10.phx.gbl...
> > > We are a Microsoft shop here and we currently have two domains. Our user
> > > base is spread across our old NT 4.0 domain and some accounts are being
> > > migrated to our new Windows 2003 AD domain. I am needing to allow our
> > > remote users who use OWA and other web services here that require an NT login
> > > the ability to change their passwords when they expire.
> > >
> > > My plan is to set up an HTTPS site and allow users to change their NT
> > > password across the secured site. I plan on using the IISAdmPwd .htr files
> > > to actually perform the password changes. I will restrict access to this
> > > site with a set of front page(s) that force users to perform an initial
> > > login using their NT username and Employee ID that I have recorded in an
> > > Access database. Users cannot bypass the initial login because I set a
> > > session variable that is tracked on all pages within this site. If users
> > > try to go directly to the .htr files they are redirected back out to a
> > > warning that they are not logged in and their access is monitored and logged
> > > for future prosecution. Once they successfully log in using the check
> > > against my Access database they are forwarded on to the IISAdmPwd login
> > > pages. I have it working in my test lab but have yet to implement it for
> > > production. I am wondering if there are any security issues with this
> > > approach? I am also open to suggestions for better ways to do this using my
> > > setup or another way. I chose to use .htr files because I have used them in
> > > the past internally. I am also aware of the danger of being exploited by
> > > buffer overflows and other known exploits of the .htr files.
> > >
> > >
> > > Thanks,
> > > Fred Yarbrough


