IIS Server Security - Best Way to Change Password via the Web?


Fred Yarbrough

2004-01-24, 1:58 am

We are a Microsoft shop here and we currently have two domains. Our user
base is spread across our old NT 4.0 domain and some accounts are being
migrated to our new Windows 2003 AD domain. I need to allow our
remote users who use OWA and other web services here that require an NT login
the ability to change their passwords when they expire.

My plan is to set up an HTTPS site and allow users to change their NT
password across the secured site. I plan on using the IISAdmPwd .htr files
to actually perform the password changes. I will restrict access to this
site with a set of front page(s) that force users to perform an initial
login using their NT username and Employee ID that I have recorded in an
Access database. Users cannot bypass the initial login because I set a
session variable that is tracked on all pages within this site. If users
try to go directly to the .htr files they are redirected back out to a
warning that they are not logged in and their access is monitored and logged
for future prosecution. Once they successfully log in using the check
against my Access database they are forwarded on to the IISAdmPwd login
pages. I have it working in my test lab but have yet to implement it for
production. I am wondering if there are any security issues with this
approach. I am also open to suggestions for better ways to do this using my
setup or another way. I chose to use .htr files because I have used them in
the past internally. I am also aware of the danger of being exploited by
buffer overflows and other known exploits of the .htr files.


Thanks,
Fred Yarbrough
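The front-door login described in this post, written out as an added example (it is not code from the thread, from Microsoft, or from the IISAdmPwd files): a classic ASP page that receives the posted username and employee ID, looks the pair up in the Access database with a parameterised ADO command, sets the session flag that the other pages of the site test, logs the outcome, and gives the same answer whichever field was wrong. The database path, the table and column names, the session variable name and the redirect targets are assumptions.

```asp
<%
' gate_login.asp -- added example, not code from the thread. Receives the POST
' from the front page, checks username + employee ID against the Access
' database and sets the session flag that every other page of the site tests.
' Database path, table/column names, session variable and redirect targets
' are assumptions.
Option Explicit
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1

' Replace the characters an IIS log entry cannot carry before logging input.
Function LogSafe(s)
    LogSafe = Replace(Replace(s, ",", "_"), vbCr, "_")
End Function

' Look the pair up with a parameterised ADO command: the typed values are bound
' as parameters and never concatenated into the SQL text, so quote characters
' in them cannot change the query.
Function GateCredentialsValid(sUser, sEmpId)
    Dim cn, cmd, rs
    GateCredentialsValid = False
    ' Length limits first: SAM account names are at most 20 characters.
    If Len(sUser) = 0 Or Len(sUser) > 20 Or Len(sEmpId) = 0 Or Len(sEmpId) > 16 Then Exit Function

    Set cn = Server.CreateObject("ADODB.Connection")
    ' Keep the .mdb outside the web root so it can never be served as a file.
    cn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\pwdgate\employees.mdb"

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT COUNT(*) FROM Employees WHERE Username = ? AND EmployeeID = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 20, sUser)
    cmd.Parameters.Append cmd.CreateParameter("e", adVarChar, adParamInput, 16, sEmpId)

    Set rs = cmd.Execute
    GateCredentialsValid = (rs(0) > 0)
    rs.Close
    cn.Close
End Function

Dim sUser, sEmpId
sUser  = Trim(Request.Form("username"))
sEmpId = Trim(Request.Form("employeeid"))

If GateCredentialsValid(sUser, sEmpId) Then
    ' The flag the other pages test; it only ever gets set here, server side.
    Session("Authenticated") = True
    Session("GateUser") = sUser
    Response.AppendToLog "gate-ok user=" & LogSafe(sUser)
    Response.Redirect "/iisadmpwd/aexp.htr"    ' assumed location of the change-password page
Else
    ' One generic outcome whether the name or the ID was wrong; the log keeps
    ' enough to notice someone cycling through usernames.
    Response.AppendToLog "gate-failed user=" & LogSafe(sUser) & " from=" & Request.ServerVariables("REMOTE_ADDR")
    Response.Redirect "/notloggedin.asp"
End If
%>
```

The employee ID is something every employee knows rather than a secret in any strong sense, so this gate is a filter, as the post says, not authentication; the real check of the old NT password still happens on the change-password page behind it. Keeping the form values out of the SQL text matters because this page is the one part of the site reachable without having logged in. Response.AppendToLog adds the string to this request's IIS log entry; with the W3C extended format the URI Query field has to be enabled for it to appear.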


Rich Raffenetti

2004-01-24, 1:58 am

Recently MS replaced the original .htr files with new versions.

We use the standard MS system (.htr files) to do password changes. The .htr
files are just ASP so we did some modifications on them as needed for our
environment.

I also wrote an ASP page to allow admins of OUs with reset password
permissions to do that from the web as well. The password admins have to
log in to that page with their credentials.

I would steer away from a private authentication mechanism (your Access
database) to enable password changing. The MS mechanism works well and
catches conditions. It allows a user to change an expired password as long
as the old password is known.

"Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
news:uIsFH$lyDHA.1364@TK2MSFTNGP10.phx.gbl...
> We are a Microsoft shop here and we currently have two domains. Our user
> base is spread across our old NT 4.0 domain and some account are being
> migrated to our new Windows 2003 AD domain. I am needing to allow our
> remote users who use OWA and other web services here that require a NT login
> the ability to change their passwords when they expire.
>
> My plan is to setup an HTTPS site and allow users to change their NT
> password across the secured site. I plan on using the IISAdmPwd .htr files
> to actually perform the password changes. I will restrict access to this
> site with a set of front page(s) that force users to perform an initial
> login using their NT username and Employee ID that I have recorded in an
> Access database. Users cannot bypass the initial login because I set a
> session variable that is tracked on all pages within this site. If users
> try to go directly to the .htr files they are redirected back out to a
> warning that they are not logged in and their access is monitored and logged
> for future prosecution. Once they successfully login using the check
> against my Access database they are forwarded on to the IISAdmPwd login
> pages. I have it working in my test lab but have yet to implement it for
> production. I am wondering if there are any security issues with this
> approach? I am also open to suggestions for better ways to do this using my
> setup or another way. I chose to use .htr files because I have used them in
> the past internally. I am also aware of the danger of being exploited by
> buffer overflows and other known exploits of the .htr files.
>
> Thanks,
> Fred Yarbrough




Chris Adams (IIS)

2004-01-24, 1:58 am

Hey ~

We recently released hotfixes for this functionality. If you have trouble
locating them, please post back. It is important that you download this
hotfix and install it.

Sorry, it is Christmas, don't have access to find the KBs for the hotfix...

HTH,
~Chris
IIS Supportability Lead


"Rich Raffenetti" <raffenetti@attbi.com> wrote in message
news:e$oWxIqyDHA.2064@TK2MSFTNGP10.phx.gbl...
> Recently MS replaced the original .htr files with new versions.
>
> We use the standard MS system (.htr files) to do password changes. The .htr
> files are just asp so we did some modifications on them as needed for our
> environment.
>
> I also wrote an asp page to allow admins of OU's with reset password
> permissions to do that from the web as well. The password admins have to
> login to that page with their credentials.
>
> I would steer away from a private authentication mechanism (your access
> database) to enable password changing. The MS mechanism works well and
> catches conditions. It allows a user to change an expired password as long
> as the old password is known.
>
> "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
> news:uIsFH$lyDHA.1364@TK2MSFTNGP10.phx.gbl...




Rich Raffenetti

2004-01-24, 1:58 am

Please post the numbers and source when you get a chance. Thanks.

Also, is there a document describing this functionality?

"Chris Adams (IIS)" <chrisad-msft@microsoft.com> wrote in message
news:%23m7LG00yDHA.1736@TK2MSFTNGP09.phx.gbl...
> Hey ~
>
> We recently released hotfixes for this functionality. If you have trouble
> locating them, please post back. It is important that you download this
> hotfix and install it.
>
> Sorry, it is Christmas, don't have access to find the KB's for the hotfix...
>
> HTH,
> ~Chris
> IIS Supportability Lead
>
> "Rich Raffenetti" <raffenetti@attbi.com> wrote in message
> news:e$oWxIqyDHA.2064@TK2MSFTNGP10.phx.gbl...




Fred Yarbrough

2004-01-24, 1:58 am

Rich,
Thanks for the feedback. You stated that I should steer away from the
private authentication mechanism. I agree to an extent. My intent is not
to develop something that is already there in the .htr functionality. My
reasoning for implementing this Access database front end authentication was
to keep just anyone from hitting the Password Changing site. It basically
acts as a filter to prevent just any ole Internet user from playing with our
Password changing site. Since all of our employees know their username and
employee ID, it simply adds an additional hoop that the bad guys would have
to jump through to exploit the system.


Also, I have noticed that pages that currently work on my Windows 2000
server IIS 5.0 do not work with my Windows 2003 server IIS 6.0. When I
submit the aexp.htr file I get the following message:

________________________________________________________________________
Internet Service Manager
for Internet Information Server 6.0

Your password has expired.

A secure channel ( SSL or PCT ) is necessary in order to change a password.

SSL/PCT is not installed/enabled on your system, please install it to enable
this functionality.

Access default document or select another document.

________________________________________________________________________


I am running and requiring SSL on all of the site's pages. I don't
understand why this message comes up. From looking at the aexp.htr source
code it appears that the variable HTTP_CFG_ENC_CAPS is not set to one.
Where is the variable in the registry and/or is this the problem that I am
running into?



________________________________________________________________________
<snip>
<%
'W3CRYPTCAPABLE corresponds to HTTP_CFG_ENC_CAPS.
'Tells us whether the server has SecureBindings set
if Request.ServerVariables("HTTP_CFG_ENC_CAPS") <> 1 then%>
<%=L_PasswordExpired_Text%>.<p>
<%=L_SSL1_Text%>.<p>
<%=L_SSL2_Text%>.<p>
<a href="http://<%=Server.HTMLEncode(Request.ServerVariables("Server_Name"))%>/"><%=L_DefDoc_Text%></a> <%=L_OrOther_Text%>.
<%Response.End%>
<%end if%>
<snip>
________________________________________________________________________


Thanks,
Fred Yarbrough






"Rich Raffenetti" <raffenetti@attbi.com> wrote in message
news:eJPFOM3yDHA.1356@TK2MSFTNGP10.phx.gbl...
> Please post the numbers and source when you get a chance. Thanks.
>
> Also, is there a document describing this functionality?
>
> "Chris Adams (IIS)" <chrisad-msft@microsoft.com> wrote in message
> news:%23m7LG00yDHA.1736@TK2MSFTNGP09.phx.gbl...
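An added example, not code from the thread or from Microsoft's aexp.htr, of how the secure-channel test in the fragment above can be written so that it behaves the same on IIS 5 and IIS 6. Instead of HTTP_CFG_ENC_CAPS, which in the message above never reads as one on the IIS 6 server, it tests the HTTPS and SERVER_PORT_SECURE server variables, which IIS sets for every request from the connection the request actually arrived on; that is the property a password page needs. The file also performs the session check that the front-door login relies on. The session variable name, the include file name and the redirect target are assumptions.

```asp
<%
' require_ssl.inc.asp -- added example, not code from the thread or from
' Microsoft's aexp.htr. Put it at the top of every page of the change-password
' site:  <!-- #include file="require_ssl.inc.asp" -->

' True when the request itself arrived over SSL. IIS 5 and IIS 6 both set
' HTTPS ("on"/"off") and SERVER_PORT_SECURE ("1"/"0") on every request, so
' this does not depend on HTTP_CFG_ENC_CAPS or on any registry value.
Function RequestIsSecure()
    Dim sHttps, sPortSecure
    sHttps      = LCase(Request.ServerVariables("HTTPS"))
    sPortSecure = Request.ServerVariables("SERVER_PORT_SECURE")
    RequestIsSecure = (sHttps = "on") Or (sPortSecure = "1")
End Function

' The https:// address of the page that was requested, for the link below.
' Unlike the original fragment, this never points the user back at http://.
Function SecureUrlOfThisPage()
    SecureUrlOfThisPage = "https://" & _
        Server.HTMLEncode(Request.ServerVariables("SERVER_NAME")) & _
        Server.HTMLEncode(Request.ServerVariables("URL"))
End Function

If Not RequestIsSecure() Then
    ' Refuse to go any further over plain HTTP: nothing typed into the form
    ' (old password, new password) may travel in the clear.
    Response.Status = "403 Forbidden"
    Response.Expires = -1
%>
<p>A secure channel (SSL) is necessary in order to change a password.</p>
<p>Please use the secure address of this page:
<a href="<%=SecureUrlOfThisPage()%>"><%=SecureUrlOfThisPage()%></a></p>
<%
    Response.End
End If

' Pages that carry credentials must not be cached by the browser or a proxy.
Response.Expires = -1
Response.AddHeader "Cache-Control", "no-cache, no-store"
Response.AddHeader "Pragma", "no-cache"

' Front-door check: the login page sets Session("Authenticated") = True after
' a successful lookup (variable name and redirect target assumed). Session
' state is keyed by the ASPSESSIONID cookie, so the test holds for any page
' that includes this file, whatever URL was typed into the browser.
If Session("Authenticated") <> True Then
    Response.AppendToLog "not-logged-in " & Request.ServerVariables("REMOTE_ADDR")
    Response.Redirect "/notloggedin.asp"
End If
%>
```

The include has to be the first thing in each page: Response.Status and the cache headers can only be set before any output has been flushed, and Response.Redirect fails once output has gone out. A page that merely has SSL "required" in its directory settings will also refuse plain-HTTP requests, but a check in the page itself is what makes a copied or re-deployed page fail safe when that setting is missing, which is the failure mode this part of the thread is about.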




Rich Raffenetti

2004-01-24, 1:58 am

Fred,
I could suggest using a domain name filter but you would probably
counter with the fact that your users need to change passwords from home or
on travel. We have the same need. We force strong passwords with 8 or more
characters and are relying on users knowing their strong, old password to
make the change and the strong password to prevent hacker mischief. We
rename the standard accounts and do all of the other evasive changes. We
also are relying on Microsoft having plugged the vulnerabilities in the .htr
files. Chris Adams (another posting in this thread) said he would post the
hotfixes for the recent change-password system that uses the .htr files.

I have a page that shows a session's server variables and their values.
HTTP_CFG_ENC_CAPS is not a server variable on my IIS 6 server. I see the
code that you listed below. It is on both the IIS 5 and IIS 6 servers. My
own change password site is on an IIS 5 server.


"Fred Yarbrough" <fyarbrou@yahoo.com> wrote in message
news:Ol79BU%23yDHA.1684@TK2MSFTNGP12.phx.gbl...
> Rich,
> Thanks for the feedback. You stated that I should steer away from the
> private authentication mechanism. I agree to an extent. My intent is not
> to develop something that is already there in the .htr functionality. My
> reasoning for implementing this Access database front end authentication was
> to keep just anyone from hitting the Password Changing site. It basically
> acts as a filter to prevent just any ole Internet user from playing with our
> Password changing site. Since all of our employees know their username and
> employee ID, it simply adds an additional hoop that the bad guys would have
> to jump through to exploit the system.
>
>
> Also, I have noticed that pages that currently work on my Windows 2000
> server IIS 5.0 do not work with my Windows 2003 server IIS 6.0. When I
> submit the aexp.htr file I get the following message:
>
> ________________________________________________________________________
> Internet Service Manager
> for Internet Information Server 6.0
>
> Your password has expired.
>
> A secure channel ( SSL or PCT ) is necessary in order to change a password.
>
> SSL/PCT is not installed/enabled on your system, please install it to enable
> this functionality.
>
> Access default document or select another document.
>
> ________________________________________________________________________
>
>
> I am running and requiring SSL on all of the sites pages. I don't
> understand why this message comes up. From looking at the aexp.htr source
> code it appears that the variable HTTP_CFG_ENC_CAPS is not set to one.
> Where is the variable in the registry and/or is this the problem that I am
> running into?
>
> ________________________________________________________________________
> <snip>
> 'W3CRYPTCAPABLE corresponds to HTTP_CFG_ENC_CAPS.
> 'Tells us that the server if SecureBindings are set
> if Request.ServerVariables("HTTP_CFG_ENC_CAPS") <> 1 then%>
> <%=L_PasswordExpired_Text%>.<p>
> <%=L_SSL1_Text%>.<p>
> <%=L_SSL2_Text%>.<p>
> <a href="http://<%=Server.HTMLEncode(Request.ServerVariables("Server_Name"))%>/"><%=L_DefDoc_Text%></a> <%=L_OrOther_Text%>.
> <%Response.End%>
> <%end if%>
> <snip>
> ________________________________________________________________________
>
> Thanks,
> Fred Yarbrough
>
> "Rich Raffenetti" <raffenetti@attbi.com> wrote in message
> news:eJPFOM3yDHA.1356@TK2MSFTNGP10.phx.gbl...




Paul Lynch

2004-01-24, 1:58 am

On Thu, 25 Dec 2003 17:10:14 -0800, "Chris Adams \(IIS\)"
<chrisad-msft@microsoft.com> wrote:
> Hey ~
>
> We recently released hotfixes for this functionality. If you have trouble
> locating them, please post back. It is important that you download this
> hotfix and install it.
>
> Sorry, it is Christmas, don't have access to find the KB's for the hotfix...
>
> HTH,
> ~Chris
> IIS Supportability Lead



Chris,

Is this the KB article you were referring to ?

IIS: Change Password Functionality Replaced with Active Server Pages
http://support.microsoft.com/?id=331834


Regards,

Paul Lynch
MCSE


Fred Yarbrough

2004-01-24, 1:58 am

Rich,
This code was from my IIS 5.0 box. I had copied the "modified" working
IIS 5.0 files to my IIS 6.0 server and run it. As you stated, this
HTTP_CFG_ENC_CAPS session variable is apparently not available on IIS 6.0.
After rechecking the default .htr files on my IIS 6.0 server I see that the
aexp.htr file is slightly different.


Thanks,
Fred

"Rich Raffenetti" <raffenetti@attbi.com> wrote in message
news:eeCV15CzDHA.2540@tk2msftngp13.phx.gbl...
> Fred,
> I could suggest using a domain name filter but you would probably
> counter with the fact that your users need to change passwords from home or
> on travel. We have the same need. We force strong passwords with 8 or more
> characters and are relying on users knowing their strong, old password to
> make the change and the strong password to prevent hacker mischief. We
> rename the standard accounts and do all of the other evasive changes. We
> also are relying on Microsoft having plugged the vulnerabilities in the .htr
> files. Chris Adams (another posting in this thread) said he would post the
> hotfixes for the recent change-password system that uses the .htr files.
>
> I have a page that shows a session's server variables and their values.
> HTTP_CFG_ENC_CAPS is not a server variable on my IIS 6 server. I see the
> code that you listed below. It is on both the IIS 5 and IIS 6 servers. My
> own change password site is on an IIS 5 server.
>
> "Fred Yarbrough" <fyarbrou@yahoo.com> wrote in message
> news:Ol79BU%23yDHA.1684@TK2MSFTNGP12.phx.gbl...





Copyright 2003 - 2008 webservertalk.com