Solved

howto: setup ability for users to change their passwords via IIS without using HTR scripts?

Posted on 2008-06-20
269 Views
Last Modified: 2013-12-05
Hello Experts,

I am working with an IIS 5.0 web server that has the capability of allowing our users to change their passwords. This current capability relies on htr scripts, which I have since learned are not very secure.

My question is, can someone point me to an alternative that will work on the win2k/iis5 platform?

Thanks in advance for any help.
Question by:MrBeebs
12 Comments
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 21836518
There is no secure way to do this.  It's very high risk.  Web servers were built to run in a sandbox and prevent web users from direct access to the system or network.  You have to lower security for this functionality to work.
 
LVL 7

Expert Comment

by:Dauhee
ID: 21837790
where are the passwords stored? database, active directory, file?

If you show the htr code it will be possible to do a secure password change but will need to use SSL
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 21838030
I don't know where the passwords are stored.  I assumed you were changing the passwords for Windows accounts which you CANNOT access.

SSL will only secure traffic between the server and the client.  It will NOT protect the server.

By default a web application has NO access to the network or host operating system.  In order to allow users to change Windows passwords you have to lower security and therefore expose the server to the risk of being penetrated.
 
LVL 7

Expert Comment

by:Dauhee
ID: 21838148
Hi tedbilly, I was asking MrBeebs where the passwords are stored, obviously you don't know that.

I never said SSL would secure the server - that is outside the scope of this post. It is essential however for transmitting passwords.

We need to find out where the passwords are stored before comment can be given.

P.S.
" In order to allow users to change Windows passwords you have to lower security" - is totally incorrect. Have a look at a recent post of mine:
http://www.experts-exchange.com/Microsoft/Development/.NET/Q_23502025.html
You can try to pick holes in it if you want :), like if the server was compromised and a malicious exe was peeking at memory, but then could just use SecureString, and the server is compromised anyway so what's the point . . .
 

Author Comment

by:MrBeebs
ID: 21839010
Hi everyone,

Just a follow-up post. The HTR script is a pre-canned one from MS. Yes I know it has some "holes", but it was working before. The script consists of two parts. The one which I posted the rendering of is called pwdchg.htr, which does not contain much except the AD Domain name. It uses the WinNT Provider to communicate with the DC. Once the user enters their info, the script pushes the results to another file called achg.htr. This does its magic, again using the WinNT provider. There is a text file that is referenced which contains error message codes that are referenced by the 2nd script.

It's a strange problem, and the trigger is that I changed the domain name variable, as I wanted the site to authenticate users to a new AD Domain. And yes, the server hosting these files is a domain member of the AD Domain.

I am not sure what security settings the WINNT Provider needs, but that may be a factor.
 
LVL 7

Expert Comment

by:Dauhee
ID: 21840459
Cool - so you are changing AD user passwords. So is IIS configured to be anonymous? Users will have to supply their username + password. Or if not anonymous, the logged-on user's account can be obtained from their PC - this will tighten things down a little further security-wise but is not essential.

MrBeebs - we won't be able to develop a fully working solution but can aid with the foundation. What is your preference for scripting - vbscript or javascript? Just my own preference for this stuff is vbscript.

Typically to change a password it would be:

Set objUser = GetObject("LDAP://cn=KenMyer,ou=Finance,dc=fabrikam,dc=com")
objUser.SetPassword("i5A2sj*!")

obtained from:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1015.mspx
 

Author Comment

by:MrBeebs
ID: 21840496
Hi Dauhee,

Yes. IIS is configured to be anonymous and is using a local account on the member server. Thank you for your help. I would prefer vbscript.

I should add more background. The IIS site was working fine up to the point when I changed the AD Domain name in the script. This is because it was the final task in migrating users and computers into a new AD Domain. So the break may be caused by the new domain controller, which is likely operating under a higher level of security than the old one.

After changing the domain name in the scripts, I was and am getting:
"specified user or domain does not exist"

So switching to LDAP from WINNT may be the trick.
 
LVL 7

Accepted Solution

by:
Dauhee earned 500 total points
ID: 21841753
I would see the following options then:

1) Turn off anonymous access (for the relevant web page at least) so the asp script will have the privileges of the logged-in user to change the password
2) Leave anonymous on but change from iusr_XXX to a domain account that has as little access as possible but can change users passwords
3) Temporarily elevate privileges in your script like something I suggested in http://www.experts-exchange.com/Microsoft/Development/.NET/Q_23502025.html

If you choose 3, hopefully .NET will be an option for you?
 

Author Comment

by:MrBeebs
ID: 21845827
Hi Dauhee,

Thanks. I will try option 2 first. If it is of any use, attached are the 2 scripts that I am using. They are both in a word doc, with the first script supplying data to the second. Perhaps this might help.
Scripts.doc
 
LVL 7

Expert Comment

by:Dauhee
ID: 21845954
Thanks MrBeebs.

If that doesn't work, I would be interested if you debugged out (response.write) the relevant values that are used in your code below:

set root = GetObject("WinNT:")
set pUser = root.OpenDSObject("WinNT://" & domain & "/" & username & ",user", username, Request.Form("old"),1)
pUser.ChangePassword Request.Form("old"), Request.Form("new")

and then run the script as a .vbs file on the server desktop (with decoded values)

Best of luck!
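The two snippets above (the SetPassword one-liner from the TechNet Q&A and the WinNT OpenDSObject/ChangePassword fragment from the asker's achg.htr) show the two ways a web page can change a domain password. The difference matters for least privilege: SetPassword is an administrative reset and only works if the web process (or the account anonymous access runs as) holds reset-password rights on every user, while ChangePassword on an object opened with the user's own old password needs no privileged account at all, because the bind fails unless the old password is correct. The classic ASP page below is an added example written for this thread, not code from the original post, Microsoft, or Experts Exchange. The domain name EXAMPLE, the form field names user/old/new/confirm, and the response text are assumptions; the ADS_SECURE_AUTHENTICATION value 1 is the documented ADSI flag.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example (not from the thread): change a domain user's password through
' the WinNT provider by binding AS THAT USER with the old password and calling
' ChangePassword. No privileged service account is required; if the old
' password is wrong, OpenDSObject fails and nothing else happens.

Const DOMAIN_NAME = "EXAMPLE"          ' assumption: NetBIOS name of the new domain
Const ADS_SECURE_AUTHENTICATION = 1    ' ADS_AUTHENTICATION_ENUM flag for OpenDSObject

Response.Buffer = True
Response.Expires = -1                  ' never let a page carrying passwords be cached

' Credentials must not travel in the clear: refuse plain HTTP, and refuse GET so
' passwords never land in query strings or web server logs.
If UCase(Request.ServerVariables("HTTPS")) <> "ON" Then
    Response.Status = "403 Forbidden"
    Response.Write "This page is only available over SSL."
    Response.End
End If
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
    Response.Status = "405 Method Not Allowed"
    Response.End
End If

' The user name is spliced into an ADsPath, so allow only characters that
' cannot alter the path (no "/", "\", "," or whitespace) and cap the length
' at the 20-character SAM account name limit.
Function IsSafeUserName(ByVal name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,20}$"
    IsSafeUserName = re.Test(name)
End Function

' Returns "" on success, otherwise a short error string for server-side logging.
Function ChangeDomainPassword(ByVal userName, ByVal oldPwd, ByVal newPwd)
    Dim root, user
    On Error Resume Next
    Set root = GetObject("WinNT:")
    ' Bind with the user's own credentials, not the IIS anonymous account.
    Set user = root.OpenDSObject("WinNT://" & DOMAIN_NAME & "/" & userName & ",user", _
                                 DOMAIN_NAME & "\" & userName, oldPwd, ADS_SECURE_AUTHENTICATION)
    If Err.Number <> 0 Then
        ChangeDomainPassword = "bind failed: 0x" & Hex(Err.Number)
        Exit Function
    End If
    ' ChangePassword re-verifies the old password and enforces domain policy
    ' (length, history, complexity) on the DC; SetPassword would bypass that.
    user.ChangePassword oldPwd, newPwd
    If Err.Number <> 0 Then
        ChangeDomainPassword = "change failed: 0x" & Hex(Err.Number)
        Exit Function
    End If
    ChangeDomainPassword = ""
End Function

Dim userName, oldPwd, newPwd, result
userName = Trim(Request.Form("user"))
oldPwd   = Request.Form("old")
newPwd   = Request.Form("new")

If Not IsSafeUserName(userName) Or Len(newPwd) = 0 Or newPwd <> Request.Form("confirm") Then
    Response.Write "Invalid input."
    Response.End
End If

result = ChangeDomainPassword(userName, oldPwd, newPwd)
If result = "" Then
    Response.Write "Password changed."
Else
    ' Keep the detailed error (result) for a server-side log; the user gets one
    ' generic message so the page cannot be used to distinguish valid user names
    ' from invalid ones or a wrong password from a policy failure.
    Response.Write "Password change failed. Check your user name and current password, " & _
                   "and make sure the new password meets the domain policy."
End If
%>
```

If the domain's policy forbids the user from changing their own password (a "user cannot change password" flag or a minimum password age), ChangePassword fails with an access-denied or policy error at the DC and the page reports the generic failure; that is the intended behaviour, since the alternative (falling back to SetPassword under a privileged account) is exactly what turns a password-change page into a reset-anyone's-password page.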
 

Author Comment

by:MrBeebs
ID: 21858699
Hi everyone,

My problem is fixed. I think I had a number of problems, but MS article 831047 pretty much nailed a big part of it. Specifically I had to register the .asp and .htr extensions to asp.dll in the application mappings window for the virtual directory hosting the scripts. That took care of one part of the problem.

As for the ability to communicate to the domain, I believe it was a GPO issue and specifically access to the network and the fact that the win2k boxes were not getting the GPO settings.

Thanks everyone for your help.

Regards
 

Author Closing Comment

by:MrBeebs
ID: 31469207
I would also add this reference to an MS article which helped..
MS article 831047 .
