Re: Best Way to Change Password via the Web?
From: Rich Raffenetti (raffenetti_at_attbi.com)
Date: 12/27/03
- Next message: Robert: "EFS Private Keys"
- Previous message: nancy: "**KEY CODE***"
- In reply to: Fred Yarbrough: "Re: Best Way to Change Password via the Web?"
- Next in thread: Fred Yarbrough: "Re: Best Way to Change Password via the Web?"
- Reply: Fred Yarbrough: "Re: Best Way to Change Password via the Web?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 26 Dec 2003 22:03:55 -0600
Fred,
I could suggest using a domain name filter but you would probably
counter with the fact that your users need to change passwords from home or
on travel. We have the same need. We force strong passwords with 8 or more
characters and are relying on users knowing their strong, old password to
make the change and the strong password to prevent hacker mischief. We
rename the standard accounts and do all of the other evasive changes. We
also are relying on Microsoft having plugged the vulnerabilities in the .htr
files. Chris Adams (another posting in this thread) said he would post the
hotfixes for the recent change-password system that uses the .htr files.
I have a page that shows a session's server variables and their values.
HTTP_CFG_ENC_CAPS is not a server variable on my IIS 6 server. I see the
code that you listed below. It is on both the IIS 5 and IIS 6 servers. My
own change password site is on an IIS 5 server.
"Fred Yarbrough" <fyarbrou@yahoo.com> wrote in message
news:Ol79BU%23yDHA.1684@TK2MSFTNGP12.phx.gbl...
> Rich,
> Thanks for the feedback. You stated that I should steer away from the
> private authentication mechanism. I agree to an extent. My intent is not
> to develop something that is already there in the .htr functionality. My
> reasoning for implementing this Access database front end authentication
was
> to keep just anyone from hitting the Password Changing site. It basically
> acts as a filter to prevent just any ole Internet user from playing with
our
> Password changing site. Since all of our employees know their username
and
> employee ID, it simply adds an additional hoop that the bad guys would
have
> to jump through to exploit the system.
>
>
> Also, I have noticed that pages that currently work on my Windows 2000
> server IIS 5.0 do not work with my Windows 2003 server IIS 6.0. When I
> submit the aexp.htr file I get the following message:
>
>
____________________________________________________________________________
> ________________
> Internet Service Manager
> for Internet Information Server 6.0
>
> Your password has expired.
>
> A secure channel ( SSL or PCT ) is necessary in order to change a
password.
>
> SSL/PCT is not installed/enabled on your system, please install it to
enable
> this functionality.
>
> Access default document or select another document.
>
>
____________________________________________________________________________
> _______________
>
>
> I am running and requiring SSL on all of the sites pages. I don't
> understand why this message comes up. From looking at the aexp.htr source
> code it appears that the variable HTTP_CFG_ENC_CAPS is not set to one.
> Where is the variable in the registry and/or is this the problem that I am
> running into?
>
>
>
>
____________________________________________________________________________
> _______________
> <snip>
> 'W3CRYPTCAPABLE corresponds to HTTP_CFG_ENC_CAPS.
> 'Tells us that the server if SecureBindings are set
> if Request.ServerVariables("HTTP_CFG_ENC_CAPS") <> 1 then%>
> <%=L_PasswordExpired_Text%>.<p>
> <%=L_SSL1_Text%>.<p>
> <%=L_SSL2_Text%>.<p>
> <a
>
href="http://<%=Server.HTMLEncode(Request.ServerVariables("Server_Name"))%>/
> "><%=L_DefDoc_Text%></a> <%=L_OrOther_Text%>.
> <%Response.End%>
> <%end if%>
> <snip>
>
____________________________________________________________________________
> _______________
>
>
> Thanks,
> Fred Yarbrough
>
>
>
>
>
>
> "Rich Raffenetti" <raffenetti@attbi.com> wrote in message
> news:eJPFOM3yDHA.1356@TK2MSFTNGP10.phx.gbl...
> > Please post the numbers and source when you get a chance. Thanks.
> >
> > Also, is there a document describing this functionality?
> >
> > "Chris Adams (IIS)" <chrisad-msft@microsoft.com> wrote in message
> > news:%23m7LG00yDHA.1736@TK2MSFTNGP09.phx.gbl...
> > > Hey ~
> > >
> > > We recently released hotfixes for this functionality. If you have
> trouble
> > > locating them, please post back. It is important that you download
this
> > > hotfix and install it.
> > >
> > > Sorry, it is Christmas, don't have access to find the KB's for the
> > hotfix...
> > >
> > > HTH,
> > > ~Chris
> > > IIS Supportability Lead
> > >
> > >
> > > "Rich Raffenetti" <raffenetti@attbi.com> wrote in message
> > > news:e$oWxIqyDHA.2064@TK2MSFTNGP10.phx.gbl...
> > > > Recently MS replaced the original .htr files with new versions.
> > > >
> > > > We use the standard MS system (.htr files) to do password changes.
> The
> > > .htr
> > > > files are just asp so we did some modifications on them as needed
for
> > our
> > > > environment.
> > > >
> > > > I also wrote an asp page to allow admins of OU's with reset password
> > > > permissions to do that from the web as well. The password admins
have
> > to
> > > > login to that page with their credentials.
> > > >
> > > > I would steer away from a private authentication mechanism (your
> access
> > > > database) to enable password changing. The MS mechanism works well
> and
> > > > catches conditions. It allows a user to change an expired password
as
> > > long
> > > > as the old password is known.
> > > >
> > > > "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
> > > > news:uIsFH$lyDHA.1364@TK2MSFTNGP10.phx.gbl...
> > > > > We are a Microsoft shop here and we currently have two domains.
Our
> > > user
> > > > > base is spread across our old NT 4.0 domain and some account are
> being
> > > > > migrated to our new Windows 2003 AD domain. I am needing to allow
> our
> > > > > remote users who use OWA and other web services here that require
a
> NT
> > > > login
> > > > > the ability to change their passwords when they expire.
> > > > >
> > > > > My plan is to setup an HTTPS site and allow users to change their
NT
> > > > > password across the secured site. I plan on using the IISAdmPwd
> .htr
> > > > files
> > > > > to actually perform the password changes. I will restrict access
to
> > > this
> > > > > site with a set of front page(s) that force users to perform an
> > initial
> > > > > login using their NT username and Employee ID that I have recorded
> in
> > an
> > > > > Access database. Users cannot bypass the initial login because I
> set
> > a
> > > > > session variable that is tracked on all pages within this site.
If
> > > users
> > > > > try to go directly to the .htr files they are redirected back out
to
> a
> > > > > warning that they are not logged in and their access is monitored
> and
> > > > logged
> > > > > for future prosecution. Once they successfully login using the
> check
> > > > > against my Access database they are forwarded on to the IISAdmPwd
> > login
> > > > > pages. I have it working in my test lab but have yet to implement
> it
> > > for
> > > > > production. I am wondering if there are any security issues with
> this
> > > > > approach? I am also open to suggestions for better ways to do
this
> > > using
> > > > my
> > > > > setup or another way. I chose to use .htr files because I have
used
> > > them
> > > > in
> > > > > the past internally. I am also aware of the danger of being
> exploited
> > > by
> > > > > buffer overflows and other known exploits of the .htr files.
> > > > >
> > > > >
> > > > > Thanks,
> > > > > Fred Yarbrough
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
- Next message: Robert: "EFS Private Keys"
- Previous message: nancy: "**KEY CODE***"
- In reply to: Fred Yarbrough: "Re: Best Way to Change Password via the Web?"
- Next in thread: Fred Yarbrough: "Re: Best Way to Change Password via the Web?"
- Reply: Fred Yarbrough: "Re: Best Way to Change Password via the Web?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
