Re: Best Way to Change Password via the Web?

From: Fred Yarbrough (fyarbrou_at_yahoo.com)
Date: 12/28/03

Date: Sat, 27 Dec 2003 21:21:57 -0600

Rich,
    This code was from my IIS 5.0 box. I had copied the "modified" working IIS 5.0 files to my IIS 6.0 server and run it. As you stated, this HTTP_CFG_ENC_CAPS session variable is apparently not available on IIS 6.0. After rechecking the default .htr files on my IIS 6.0 server I see that the aexp.htr file is slightly different.

Thanks,
Fred

"Rich Raffenetti" <raffenetti@attbi.com> wrote in message
news:eeCV15CzDHA.2540@tk2msftngp13.phx.gbl...
> Fred,
> I could suggest using a domain name filter but you would probably counter with the fact that your users need to change passwords from home or on travel. We have the same need. We force strong passwords with 8 or more characters and are relying on users knowing their strong, old password to make the change and the strong password to prevent hacker mischief. We rename the standard accounts and do all of the other evasive changes. We also are relying on Microsoft having plugged the vulnerabilities in the .htr files. Chris Adams (another posting in this thread) said he would post the hotfixes for the recent change-password system that uses the .htr files.
>
> I have a page that shows a session's server variables and their values. HTTP_CFG_ENC_CAPS is not a server variable on my IIS 6 server. I see the code that you listed below. It is on both the IIS 5 and IIS 6 servers. My own change password site is on an IIS 5 server.
>
> "Fred Yarbrough" <fyarbrou@yahoo.com> wrote in message
> news:Ol79BU%23yDHA.1684@TK2MSFTNGP12.phx.gbl...
> > Rich,
> > Thanks for the feedback. You stated that I should steer away from the private authentication mechanism. I agree to an extent. My intent is not to develop something that is already there in the .htr functionality. My reasoning for implementing this Access database front end authentication was to keep just anyone from hitting the Password Changing site. It basically acts as a filter to prevent just any ole Internet user from playing with our Password changing site. Since all of our employees know their username and employee ID, it simply adds an additional hoop that the bad guys would have to jump through to exploit the system.
> >
> > Also, I have noticed that pages that currently work on my Windows 2000 server IIS 5.0 do not work with my Windows 2003 server IIS 6.0. When I submit the aexp.htr file I get the following message:
> >
> > ____________________________________________________________________________
> > Internet Service Manager
> > for Internet Information Server 6.0
> >
> > Your password has expired.
> >
> > A secure channel ( SSL or PCT ) is necessary in order to change a password.
> >
> > SSL/PCT is not installed/enabled on your system, please install it to enable this functionality.
> >
> > Access default document or select another document.
> > ____________________________________________________________________________
> >
> > I am running and requiring SSL on all of the site's pages. I don't understand why this message comes up. From looking at the aexp.htr source code it appears that the variable HTTP_CFG_ENC_CAPS is not set to one. Where is the variable in the registry, and/or is this the problem that I am running into?
> >
> > ____________________________________________________________________________
> > <snip>
> > 'W3CRYPTCAPABLE corresponds to HTTP_CFG_ENC_CAPS.
> > 'Tells us that the server if SecureBindings are set
> > if Request.ServerVariables("HTTP_CFG_ENC_CAPS") <> 1 then%>
> > <%=L_PasswordExpired_Text%>.<p>
> > <%=L_SSL1_Text%>.<p>
> > <%=L_SSL2_Text%>.<p>
> > <a href="http://<%=Server.HTMLEncode(Request.ServerVariables("Server_Name"))%>/"><%=L_DefDoc_Text%></a> <%=L_OrOther_Text%>.
> > <%Response.End%>
> > <%end if%>
> > <snip>
> > ____________________________________________________________________________
> >
> > Thanks,
> > Fred Yarbrough
> >
> > "Rich Raffenetti" <raffenetti@attbi.com> wrote in message
> > news:eJPFOM3yDHA.1356@TK2MSFTNGP10.phx.gbl...
> > > Please post the numbers and source when you get a chance. Thanks.
> > >
> > > Also, is there a document describing this functionality?
> > >
> > > "Chris Adams (IIS)" <chrisad-msft@microsoft.com> wrote in message
> > > news:%23m7LG00yDHA.1736@TK2MSFTNGP09.phx.gbl...
> > > > Hey ~
> > > >
> > > > We recently released hotfixes for this functionality. If you have trouble locating them, please post back. It is important that you download this hotfix and install it.
> > > >
> > > > Sorry, it is Christmas, don't have access to find the KB's for the hotfix...
> > > >
> > > > HTH,
> > > > ~Chris
> > > > IIS Supportability Lead
> > > >
> > > > "Rich Raffenetti" <raffenetti@attbi.com> wrote in message
> > > > news:e$oWxIqyDHA.2064@TK2MSFTNGP10.phx.gbl...
> > > > > Recently MS replaced the original .htr files with new versions.
> > > > >
> > > > > We use the standard MS system (.htr files) to do password changes. The .htr files are just asp so we did some modifications on them as needed for our environment.
> > > > >
> > > > > I also wrote an asp page to allow admins of OU's with reset password permissions to do that from the web as well. The password admins have to login to that page with their credentials.
> > > > >
> > > > > I would steer away from a private authentication mechanism (your access database) to enable password changing. The MS mechanism works well and catches conditions. It allows a user to change an expired password as long as the old password is known.
> > > > >
> > > > > "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
> > > > > news:uIsFH$lyDHA.1364@TK2MSFTNGP10.phx.gbl...
> > > > > > We are a Microsoft shop here and we currently have two domains. Our user base is spread across our old NT 4.0 domain and some accounts are being migrated to our new Windows 2003 AD domain. I am needing to allow our remote users who use OWA and other web services here that require an NT login the ability to change their passwords when they expire.
> > > > > >
> > > > > > My plan is to set up an HTTPS site and allow users to change their NT password across the secured site. I plan on using the IISAdmPwd .htr files to actually perform the password changes. I will restrict access to this site with a set of front page(s) that force users to perform an initial login using their NT username and Employee ID that I have recorded in an Access database. Users cannot bypass the initial login because I set a session variable that is tracked on all pages within this site. If users try to go directly to the .htr files they are redirected back out to a warning that they are not logged in and their access is monitored and logged for future prosecution. Once they successfully log in using the check against my Access database they are forwarded on to the IISAdmPwd login pages. I have it working in my test lab but have yet to implement it for production. I am wondering if there are any security issues with this approach. I am also open to suggestions for better ways to do this using my setup or another way. I chose to use .htr files because I have used them in the past internally. I am also aware of the danger of being exploited by buffer overflows and other known exploits of the .htr files.
> > > > > >
> > > > > > Thanks,
> > > > > > Fred Yarbrough
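A gate include for the ASP front pages Fred describes above, added here as an example; it is not code from the thread or from Microsoft's IISAdmPwd files. It assumes the login page sets Session("PwdSiteLogin") after checking the NT username and employee ID against the Access database, that the standard HTTPS server variable is present where HTTP_CFG_ENC_CAPS is not (as reported for IIS 6.0 in the thread), and that notloggedin.asp is a placeholder name.

```asp
<%
' Gate include (added example): every ASP page of the password site, including
' the wrapper that forwards to the IISAdmPwd login pages, includes this first.
' Assumptions: Session("PwdSiteLogin") is set by the Access-database login page;
' notloggedin.asp is a placeholder for the "access is monitored" warning page.

' IIS 5.0 sets HTTP_CFG_ENC_CAPS to 1 when SecureBindings exist; on IIS 6.0 the
' thread reports it is absent, so the standard HTTPS variable is accepted too.
Function OnSecureChannel()
    Dim capsVar, httpsVar
    capsVar  = Request.ServerVariables("HTTP_CFG_ENC_CAPS")
    httpsVar = LCase(Request.ServerVariables("HTTPS"))
    OnSecureChannel = (capsVar = "1") Or (httpsVar = "on")
End Function

' True only after the front-end login page has validated the user.
Function FrontEndLoginDone()
    FrontEndLoginDone = (Session("PwdSiteLogin") = True)
End Function

' Record the refusal and the client address in this request's IIS log entry,
' so direct hits on the password pages can be reviewed later.
Sub LogRefusal(reason)
    Response.AppendToLog "pwdsite-refused reason=" & reason & _
        " ip=" & Request.ServerVariables("REMOTE_ADDR")
End Sub

' Refuse plain HTTP outright rather than redirecting, so credentials and the
' session cookie are never accepted over an unencrypted channel.
If Not OnSecureChannel() Then
    LogRefusal "no-ssl"
    Response.Status = "403 Forbidden"
    Response.Write "A secure (HTTPS) connection is required."
    Response.End
End If

' Anyone without the front-end session flag is sent back to the warning page.
If Not FrontEndLoginDone() Then
    LogRefusal "not-logged-in"
    Response.Redirect "/notloggedin.asp"
End If
%>
```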

