Re: Best Way to Change Password via the Web?
From: Rich Raffenetti (raffenetti_at_attbi.com)
Date: 12/25/03
- Previous message: Fred Yarbrough: "Best Way to Change Password via the Web?"
- In reply to: Fred Yarbrough: "Best Way to Change Password via the Web?"
- Next in thread: Chris Adams (IIS): "Re: Best Way to Change Password via the Web?"
- Reply: Chris Adams (IIS): "Re: Best Way to Change Password via the Web?"
Date: Wed, 24 Dec 2003 22:47:28 -0600
Recently MS replaced the original .htr files with new versions.
We use the standard MS system (.htr files) to do password changes. The .htr
files are just ASP so we did some modifications on them as needed for our
environment.
I also wrote an ASP page to allow admins of OUs with reset password
permissions to do that from the web as well. The password admins have to
log in to that page with their credentials.
I would steer away from a private authentication mechanism (your access
database) to enable password changing. The MS mechanism works well and
catches conditions. It allows a user to change an expired password as long
as the old password is known.
"Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
news:uIsFH$lyDHA.1364@TK2MSFTNGP10.phx.gbl...
> We are a Microsoft shop here and we currently have two domains. Our user
> base is spread across our old NT 4.0 domain and some accounts are being
> migrated to our new Windows 2003 AD domain. I am needing to allow our
> remote users who use OWA and other web services here that require a NT
> login the ability to change their passwords when they expire.
>
> My plan is to set up an HTTPS site and allow users to change their NT
> password across the secured site. I plan on using the IISAdmPwd .htr
> files to actually perform the password changes. I will restrict access to
> this site with a set of front page(s) that force users to perform an
> initial login using their NT username and Employee ID that I have recorded
> in an Access database. Users cannot bypass the initial login because I set
> a session variable that is tracked on all pages within this site. If users
> try to go directly to the .htr files they are redirected back out to a
> warning that they are not logged in and their access is monitored and
> logged for future prosecution. Once they successfully log in using the
> check against my Access database they are forwarded on to the IISAdmPwd
> login pages. I have it working in my test lab but have yet to implement it
> for production. I am wondering if there are any security issues with this
> approach? I am also open to suggestions for better ways to do this using
> my setup or another way. I chose to use .htr files because I have used
> them in the past internally. I am also aware of the danger of being
> exploited by buffer overflows and other known exploits of the .htr files.
>
>
> Thanks,
> Fred Yarbrough
>
>