Re: Best Way to Change Password via the Web?

From: Rich Raffenetti (raffenetti_at_attbi.com)
Date: 12/26/03

    Date: Thu, 25 Dec 2003 23:42:27 -0600
    
    

    Please post the numbers and source when you get a chance. Thanks.

    Also, is there a document describing this functionality?

    "Chris Adams (IIS)" <chrisad-msft@microsoft.com> wrote in message
    news:%23m7LG00yDHA.1736@TK2MSFTNGP09.phx.gbl...
    > Hey ~
    >
    > We recently released hotfixes for this functionality. If you have trouble
    > locating them, please post back. It is important that you download this
    > hotfix and install it.
    >
    > Sorry, it is Christmas, don't have access to find the KB's for the hotfix...
    >
    > HTH,
    > ~Chris
    > IIS Supportability Lead
    >
    >
    > "Rich Raffenetti" <raffenetti@attbi.com> wrote in message
    > news:e$oWxIqyDHA.2064@TK2MSFTNGP10.phx.gbl...
    > > Recently MS replaced the original .htr files with new versions.
    > >
    > > We use the standard MS system (.htr files) to do password changes. The .htr
    > > files are just ASP so we did some modifications on them as needed for our
    > > environment.
    > >
    > > I also wrote an ASP page to allow admins of OUs with reset password
    > > permissions to do that from the web as well. The password admins have to
    > > log in to that page with their credentials.
    > >
    > > I would steer away from a private authentication mechanism (your Access
    > > database) to enable password changing. The MS mechanism works well and
    > > catches conditions. It allows a user to change an expired password as long
    > > as the old password is known.
    > >
    > > "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
    > > news:uIsFH$lyDHA.1364@TK2MSFTNGP10.phx.gbl...
    > > > We are a Microsoft shop here and we currently have two domains. Our user
    > > > base is spread across our old NT 4.0 domain and some accounts are being
    > > > migrated to our new Windows 2003 AD domain. I am needing to allow our
    > > > remote users who use OWA and other web services here that require an NT login
    > > > the ability to change their passwords when they expire.
    > > >
    > > > My plan is to set up an HTTPS site and allow users to change their NT
    > > > password across the secured site. I plan on using the IISAdmPwd .htr files
    > > > to actually perform the password changes. I will restrict access to this
    > > > site with a set of front page(s) that force users to perform an initial
    > > > login using their NT username and Employee ID that I have recorded in an
    > > > Access database. Users cannot bypass the initial login because I set a
    > > > session variable that is tracked on all pages within this site. If users
    > > > try to go directly to the .htr files they are redirected back out to a
    > > > warning that they are not logged in and their access is monitored and logged
    > > > for future prosecution. Once they successfully log in using the check
    > > > against my Access database they are forwarded on to the IISAdmPwd login
    > > > pages. I have it working in my test lab but have yet to implement it for
    > > > production. I am wondering if there are any security issues with this
    > > > approach? I am also open to suggestions for better ways to do this using my
    > > > setup or another way. I chose to use .htr files because I have used them in
    > > > the past internally. I am also aware of the danger of being exploited by
    > > > buffer overflows and other known exploits of the .htr files.
    > > >
    > > >
    > > > Thanks,
    > > > Fred Yarbrough
    > > >
    > > >
    > >
    > >
    >
    >

