  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 297

howto: setup ability for users to change their passwords via IIS without using HTR scripts?

Hello Experts,

I am working with an IIS 5.0 web server that has the capability of allowing our users to change their passwords. This current capability relies on .htr scripts, which I have since learned are not very secure.

My question is, can someone point me to an alternative that will work on the win2k/iis5 platform?

Thanks in advance for any help.
Asked by: MrBeebs
1 Solution
 
Ted Bouskill (Senior Software Developer) commented:
There is no secure way to do this.  It's very high risk.  Web servers were built to run in a sandbox and prevent web users from direct access to the system or network.  You have to lower security for this functionality to work.
 
Dauhee commented:
where are the passwords stored? database, active directory, file?

If you show the htr code it will be possible to do a secure password change but will need to use SSL
 
Ted Bouskill (Senior Software Developer) commented:
I don't know where the passwords are stored.  I assumed you were changing the passwords for Windows accounts which you CANNOT access.

SSL will only secure traffic between the server and the client.  It will NOT protect the server.

By default a web application has NO access to the network or host operating system.  In order to allow users to change Windows passwords you have to lower security and therefore expose the server to the risk of being penetrated.
 
Dauhee commented:
Hi tedbilly, I was asking MrBeebs where the passwords are stored, obviously you don't know that.

I never said SSL would secure the server - that is outside the scope of this post. It is essential however for transmitting passwords.

We need to find out where the passwords are stored before comment can be given.

P.S.
" In order to allow users to change Windows passwords you have to lower security" - is totally incorrect. Have a look at a recent post of mine:
http://www.experts-exchange.com/Microsoft/Development/.NET/Q_23502025.html
You can try to pick holes in it if you want :), like if the server was compromised and a malicious exe was peeking at memory, but then you could just use SecureString, and the server is compromised anyway so what's the point . . .
 
MrBeebs (Author) commented:
Hi everyone,

Just a follow-up post. The HTR script is a pre-canned one from MS. Yes, I know it has some "holes", but it was working before. The script consists of two parts. The one I posted the rendering of is called pwdchg.htr, which does not contain much except the AD domain name. It uses the WinNT provider to communicate with the DC. Once the user enters their info, the script pushes the results to another file called achg.htr. This does its magic, again using the WinNT provider. There is a text file that is referenced, which contains the error message codes used by the second script.

It's a strange problem, and the trigger is that I changed the domain name variable, as I wanted the site to authenticate users to a new AD domain. And yes, the server hosting these files is a domain member of the AD domain.

I am not sure what security settings the WINNT Provider needs, but that may be a factor.
 
Dauhee commented:
Cool - so you are changing AD user passwords. So is IIS configured to be anonymous? Users will have to supply their username + password. Or, if not anonymous, the user's logged-on account can be obtained from their PC; this will tighten things down a little further security-wise, but it isn't essential.

MrBeebs - we won't be able to develop a fully working solution but can aid with the foundation. What is your preference for scripting - VBScript or JavaScript? Just my own preference for this stuff is VBScript.

Typically to change a password it would be:

Set objUser = GetObject("LDAP://cn=KenMyer,ou=Finance,dc=fabrikam,dc=com")
objUser.SetPassword("i5A2sj*!")

obtained from:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1015.mspx
 
MrBeebs (Author) commented:
Hi Dauhee,

Yes. IIS is configured to be anonymous and is using a local account on the member server. Thank you for your help. I would prefer vbscript.

I should add more background. The IIS site was working fine up to the point when I changed the AD domain name in the script. This is because it was the final task in migrating users and computers into a new AD domain. So the break may be caused by the new domain controller, which is likely operating under a higher level of security than the old one.

After changing the domain name in the scripts, I was and am getting:
"specified user or domain does not exist"

So switching to LDAP from WINNT may be the trick.
 
Dauhee commented:
I would see the following options then:

1) Turn off anonymous access (for the relevant web page at least) so the ASP script will have the privileges of the logged-in user to change the password
2) Leave anonymous on but change from iusr_XXX to a domain account that has as little access as possible but can change users passwords
3) Temporarily elevate privileges in your script like something I suggested in http://www.experts-exchange.com/Microsoft/Development/.NET/Q_23502025.html

If you choose 3, hopefully .NET will be an option for you?
 
MrBeebs (Author) commented:
Hi Dauhee,

Thanks. I will try option 2 first. If it is of any use, attached are the 2 scripts that I am using. They are both in a word doc, with the first script supplying data to the second. Perhaps this might help.
Scripts.doc
 
Dauhee commented:
Thanks MrBeebs.

If that doesn't work, I would be interested if you debugged out (response.write) the relevant values that are used in your code below:

' Bind to the WinNT provider, then open the user object with the user's own
' credentials (old password; 1 = ADS_SECURE_AUTHENTICATION) and change it.
Set root = GetObject("WinNT:")
Set pUser = root.OpenDSObject("WinNT://" & domain & "/" & username & ",user", username, Request.Form("old"), 1)
pUser.ChangePassword Request.Form("old"), Request.Form("new")

and then run the script as a .vbs file on the server desktop (with decoded values)

Best of luck!
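As an added example (not code from this thread, nor from Microsoft's HTR sample), here is the WinNT-provider call Dauhee quotes above, and the LDAP SetPassword snippet from the earlier comment, rewritten in PowerShell so it can be tested from the server desktop as Dauhee suggests. It binds as the end user with the old password and calls ChangePassword, so the web application's own identity (IUSR_xxx or a replacement domain account, option 2 above) needs no rights over other accounts; SetPassword is a reset that requires the Reset Password permission on the target, which is exactly the extra privilege Ted Bouskill warns against granting to a web process. The domain name CORP, the user jdoe and the function name Change-OwnAdPassword are placeholders chosen for the example.

```powershell
# Added example, not code from the original thread or from the HTR scripts.
# Changes the caller's own Windows/AD password through the ADSI WinNT provider
# (the same OpenDSObject + ChangePassword path the HTR script uses), bound as
# the end user rather than as the web server's anonymous account.
# Assumptions: run on a domain-joined Windows host with PowerShell 5+;
# -Domain is the NetBIOS domain name; old and new passwords come from the caller.

Add-Type -AssemblyName System.DirectoryServices

function Change-OwnAdPassword {
    param(
        [Parameter(Mandatory)] [string]       $Domain,
        [Parameter(Mandatory)] [string]       $UserName,
        [Parameter(Mandatory)] [securestring] $OldPassword,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )

    # ADSI wants plaintext; materialise it as late as possible and drop the
    # references as soon as the call returns.
    $oldPlain = [System.Net.NetworkCredential]::new('', $OldPassword).Password
    $newPlain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    try {
        # Bind AS the user being changed. AuthenticationTypes.Secure is the same
        # flag as the ",1" (ADS_SECURE_AUTHENTICATION) in the HTR code. The bind
        # itself proves the old password, so the process identity running this
        # code (IUSR or a low-privilege domain account) needs no extra rights.
        $entry = [System.DirectoryServices.DirectoryEntry]::new(
            "WinNT://$Domain/$UserName,user",
            "$Domain\$UserName",
            $oldPlain,
            [System.DirectoryServices.AuthenticationTypes]::Secure)

        # IADsUser.ChangePassword(old, new) is a self-service change enforced by
        # the domain password policy. SetPassword(new) would be an administrative
        # reset and would need the Reset Password right on the target account.
        $entry.Invoke('ChangePassword', $oldPlain, $newPlain) | Out-Null
        return [pscustomobject]@{ Succeeded = $true; HResult = $null; Message = 'Password changed.' }
    }
    catch {
        # Return the innermost COM HRESULT so a bad old password, a policy
        # violation or an unreachable domain can be told apart. Never log the
        # password values themselves.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        return [pscustomobject]@{
            Succeeded = $false
            HResult   = ('0x{0:X8}' -f $inner.HResult)
            Message   = $inner.Message
        }
    }
    finally {
        $oldPlain = $null
        $newPlain = $null
    }
}

# Usage from the server desktop (Read-Host -AsSecureString keeps the passwords
# out of the command line and the history):
#   $r = Change-OwnAdPassword -Domain CORP -UserName jdoe `
#          -OldPassword (Read-Host 'Old password' -AsSecureString) `
#          -NewPassword (Read-Host 'New password' -AsSecureString)
#   $r | Format-List
```

Running this interactively on the member server, as Dauhee suggests, separates the two failure modes in the thread: if the bind fails here with the same "specified user or domain does not exist" message, the problem is between the server and the new domain (trust, name resolution, or the Group Policy that the author later identified), not in IIS; if it succeeds from the desktop but fails from the page, look at the IIS application mappings and the anonymous account instead.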
 
MrBeebs (Author) commented:
Hi everyone,

My problem is fixed. I think I had a number of problems, but MS article 831047 pretty much nailed a big part of it. Specifically, I had to register the .asp and .htr extensions to asp.dll in the application mappings window for the virtual directory hosting the scripts. That took care of one part of the problem.

As for the ability to communicate to the domain, I believe it was a GPO issue and specifically access to the network and the fact that the win2k boxes were not getting the GPO settings.

Thanks everyone for your help.

Regards
 
MrBeebs (Author) commented:
I would also add this reference to an MS article which helped..
MS article 831047 .