Best Way to Change Password via the Web?

[Fred Yarbrough]

We are a Microsoft shop here and we currently have two domains. Our user
base is spread across our old NT 4.0 domain and some account are being
migrated to our new Windows 2003 AD domain. I am needing to allow our
remote users who use OWA and other web services here that require a NT login
the ability to change their passwords when they expire.

My plan is to setup an HTTPS site and allow users to change their NT
password across the secured site. I plan on using the IISAdmPwd .htr files
to actually perform the password changes. I will restrict access to this
site with a set of front page(s) that force users to perform an initial
login using their NT username and Employee ID that I have recorded in an
Access database. Users cannot bypass the initial login because I set a
session variable that is tracked on all pages within this site. If users
try to go directly to the .htr files they are redirected back out to a
warning that they are not logged in and their access is monitored and logged
for future prosecution. Once they successfully login using the check
against my Access database they are forwarded on to the IISAdmPwd login
pages. I have it working in my test lab but have yet to implement it for
production. I am wondering if there are any security issues with this
approach? I am also open to suggestions for better ways to do this using my
setup or another way. I chose to use .htr files because I have used them in
the past internally. I am also aware of the danger of being exploited by
buffer overflows and other known exploits of the .htr files.


Thanks,
Fred Yarbrough

 

[Rich Raffenetti]

Recently MS replaced the original .htr files with new versions.

We use the standard MS system (.htr files) to do password changes. The .htr
files are just asp so we did some modifications on them as needed for our
environment.

I also wrote an asp page to allow admins of OU's with reset password
permissions to do that from the web as well. The password admins have to
login to that page with their credentials.

I would steer away from a private authentication mechanism (your access
database) to enable password changing. The MS mechanism works well and
catches conditions. It allows a user to change an expired password as long
as the old password is known.

 

[Chris Adams \(IIS\)]

Hey ~

We recently released hotfixes for this functionality. If you have trouble
locating them, please post back. It is important that you download this
hotfix and install it.

Sorry, it is Christmas, don't have access to find the KB's for the hotfix...

HTH,
~Chris
IIS Supportability Lead

 

[Rich Raffenetti]

Please post the numbers and source when you get a chance. Thanks.

Also, is there a document describing this functionality?

 

[Fred Yarbrough]

Rich,
Thanks for the feedback. You stated that I should steer away from the
private authentication mechanism. I agree to an extent. My intent is not
to develop something that is already there in the .htr functionality. My
reasoning for implementing this Access database front end authentication was
to keep just anyone from hitting the Password Changing site. It basically
acts as a filter to prevent just any ole Internet user from playing with our
Password changing site. Since all of our employees know their username and
employee ID, it simply adds an additional hoop that the bad guys would have
to jump through to exploit the system.


Also, I have noticed that pages that currently work on my Windows 2000
server IIS 5.0 do not work with my Windows 2003 server IIS 6.0. When I
submit the aexp.htr file I get the following message:

____________________________________________________________________________
________________
Internet Service Manager
for Internet Information Server 6.0

Your password has expired.

A secure channel ( SSL or PCT ) is necessary in order to change a password.

SSL/PCT is not installed/enabled on your system, please install it to enable
this functionality.

Access default document or select another document.

____________________________________________________________________________
_______________


I am running and requiring SSL on all of the sites pages. I don't
understand why this message comes up. From looking at the aexp.htr source
code it appears that the variable HTTP_CFG_ENC_CAPS is not set to one.
Where is the variable in the registry and/or is this the problem that I am
running into?



____________________________________________________________________________
_______________
<snip>
'W3CRYPTCAPABLE corresponds to HTTP_CFG_ENC_CAPS.
'Tells us that the server if SecureBindings are set
if Request.ServerVariables("HTTP_CFG_ENC_CAPS") <> 1 then%>
<%=L_PasswordExpired_Text%>.<p>
<%=L_SSL1_Text%>.<p>
<%=L_SSL2_Text%>.<p>
<a
href="http://<%=Server.HTMLEncode(Request.ServerVariables("Server_Name"))%>/
"><%=L_DefDoc_Text%></a> <%=L_OrOther_Text%>.
<%Response.End%>
<%end if%>
<snip>
____________________________________________________________________________
_______________


Thanks,
Fred Yarbrough

 

[Rich Raffenetti]

Fred,
I could suggest using a domain name filter but you would probably
counter with the fact that your users need to change passwords from home or
on travel. We have the same need. We force strong passwords with 8 or more
characters and are relying on users knowing their strong, old password to
make the change and the strong password to prevent hacker mischief. We
rename the standard accounts and do all of the other evasive changes. We
also are relying on Microsoft having plugged the vulnerabilities in the .htr
files. Chris Adams (another posting in this thread) said he would post the
hotfixes for the recent change-password system that uses the .htr files.

I have a page that shows a session's server variables and their values.
HTTP_CFG_ENC_CAPS is not a server variable on my IIS 6 server. I see the
code that you listed below. It is on both the IIS 5 and IIS 6 servers. My
own change password site is on an IIS 5 server.

 

[Paul Lynch]

Hey ~

We recently released hotfixes for this functionality. If you have trouble
locating them, please post back. It is important that you download this
hotfix and install it.

Sorry, it is Christmas, don't have access to find the KB's for the hotfix...

HTH,
~Chris
IIS Supportability Lead

Chris,

Is this the KB article you were referring to ?

IIS: Change Password Functionality Replaced with Active Server Pages
http://support.microsoft.com/?id=331834


Regards,

Paul Lynch
MCSE

 

[Fred Yarbrough]

Rich,
This code was from my IIS 5.0 box. I had copied the "modified" working
IIS 5.0 files to my IIS 6.0 server and run it. As you stated, this
HTTP_CFG_ENC_CAPS session variable is apparently not available on IIS 6.0.
After rechecking the default .htr files on my IIS 6.0 server I see that the
aexp.htr file is slightly different.


Thanks,
Fred