Solved

How to: set up the ability for users to change their passwords via IIS without using HTR scripts?

Posted on 2008-06-20
Last Modified: 2013-12-05
Hello Experts,

I am working with an IIS 5.0 web server that has the capability of allowing our users to change their passwords. This current capability relies on .htr scripts, which I have since learned are not very secure.

My question is, can someone point me to an alternative that will work on the win2k/iis5 platform?

Thanks in advance for any help.
Question by:MrBeebs
12 Comments
 
LVL 51

Expert Comment

by:tedbilly
ID: 21836518
There is no secure way to do this.  It's very high risk.  Web servers were built to run in a sandbox and prevent web users from direct access to the system or network.  You have to lower security for this functionality to work.
LVL 7

Expert Comment

by:Dauhee
ID: 21837790
where are the passwords stored? database, active directory, file?

If you show the htr code it will be possible to do a secure password change but will need to use SSL
LVL 51

Expert Comment

by:tedbilly
ID: 21838030
I don't know where the passwords are stored.  I assumed you were changing the passwords for Windows accounts which you CANNOT access.

SSL will only secure traffic between the server and the client.  It will NOT protect the server.

By default a web application has NO access to the network or host operating system.  In order to allow users to change Windows passwords you have to lower security and therefore expose the server to the risk of being penetrated.
LVL 7

Expert Comment

by:Dauhee
ID: 21838148
Hi tedbilly, I was asking MrBeebs where the passwords are stored; obviously you don't know that.

I never said SSL would secure the server - that is outside the scope of this post. It is essential, however, for transmitting passwords.

We need to find out where the passwords are stored before comment can be given.

P.S.
"In order to allow users to change Windows passwords you have to lower security" - is totally incorrect. Have a look at a recent post of mine:
http://www.experts-exchange.com/Microsoft/Development/.NET/Q_23502025.html
You can try to pick holes in it if you want :), like if the server was compromised and a malicious exe was peeking at memory, but then you could just use SecureString, and the server is compromised anyway so what's the point . . .

Author Comment

by:MrBeebs
ID: 21839010
Hi everyone,

Just a follow-up post. The HTR script is a pre-canned one from MS. Yes, I know it has some "holes", but it was working before. The script consists of two parts. The one whose rendering I posted is called pwdchg.htr, which does not contain much except the AD Domain name. It uses the WINNT Provider to communicate with the DC. Once the user enters their info, the script pushes the results to another file called achg.htr. This does its magic, again using the WINNT Provider. There is a text file that is referenced, which contains the error message codes used by the second script.

It's a strange problem, and the trigger is that I changed the domain name variable, as I wanted the site to authenticate users to a new AD Domain. And yes, the server hosting these files is a domain member of the AD Domain.

I am not sure what security settings the WINNT Provider needs, but that may be a factor.
LVL 7

Expert Comment

by:Dauhee
ID: 21840459
Cool - so you are changing AD user passwords. So is IIS configured to be anonymous? Users will have to supply their username + password. Or, if not anonymous, the user's logged-on account can be obtained from their PC - this will tighten things down a little further security-wise, but it is not essential.

MrBeebs - we won't be able to develop a fully working solution but can aid with the foundation. What is your preference for scripting - VBScript or JavaScript? Just my own preference for this stuff is VBScript.

Typically to change a password it would be:

' Bind to the user object through the LDAP provider with the calling account's rights
Set objUser = GetObject("LDAP://cn=KenMyer,ou=Finance,dc=fabrikam,dc=com")
' SetPassword is an administrative reset: no old password is needed, so the caller must hold the Reset Password right on the user
objUser.SetPassword("i5A2sj*!")

obtained from:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1015.mspx

Author Comment

by:MrBeebs
ID: 21840496
Hi Dauhee,

Yes. IIS is configured to be anonymous and is using a local account on the member server. Thank you for your help. I would prefer VBScript.

I should add more background. The IIS site was working fine up to the point when I changed the AD Domain name in the script. This is because it was the final task in migrating users and computers into a new AD Domain. So the break may be caused by the new domain controller, which is likely operating under a higher level of security than the old one.

After changing the domain name in the scripts, I was and am getting:
"specified user or domain does not exist"

So switching to LDAP from WINNT may be the trick.
LVL 7

Accepted Solution

by:
Dauhee earned 500 total points
ID: 21841753
I would see the following options then:

1) Turn off anonymous access (for the relevant web page at least) so the ASP script will have the privileges of the logged-in user to change the password
2) Leave anonymous on but change from iusr_XXX to a domain account that has as little access as possible but can change users passwords
3) Temporarily elevate privileges in your script like something I suggested in http://www.experts-exchange.com/Microsoft/Development/.NET/Q_23502025.html

If you choose 3, hopefully .NET will be an option for you?

Author Comment

by:MrBeebs
ID: 21845827
Hi Dauhee,

Thanks. I will try option 2 first. If it is of any use, attached are the 2 scripts that I am using. They are both in a word doc, with the first script supplying data to the second. Perhaps this might help.
Scripts.doc
LVL 7

Expert Comment

by:Dauhee
ID: 21845954
Thanks MrBeebs.

If that doesn't work, I would be interested if you debugged out (response.write) the relevant values that are used in your code below:

set root = GetObject("WinNT:")
' Bind as the user with the OLD password (flag 1 = ADS_SECURE_AUTHENTICATION)
set pUser = root.OpenDSObject("WinNT://" & domain & "/" & username & ",user", username, Request.Form("old"),1)
' ChangePassword requires the old password and uses the user's own right to change it; it is not an administrative reset
pUser.ChangePassword Request.Form("old"), Request.Form("new")

and then run the script as a .vbs file on the server desktop (with decoded values)

Best of luck!
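
Putting Dauhee's options and the two snippets above together in one page, as an added example that is not code from this thread, from Microsoft's pwdchg.htr/achg.htr, or from the linked Script Center answer: a classic ASP page for IIS 5 that keeps anonymous access on (as in option 2) but needs no domain account with rights over other users' passwords, because it uses the OpenDSObject + ChangePassword pattern from the comment above rather than SetPassword. The difference matters: ChangePassword authenticates with the user's old password and needs only that user's own right to change it, whereas SetPassword is an administrative reset, so a page built on SetPassword behind a privileged anonymous account lets anyone who can reach the page reset any account. The NetBIOS domain name, the form field names, the 8-character minimum and the log text are assumptions made for the example; the real password policy is enforced by the domain when ChangePassword runs.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example, not code from this thread or from Microsoft's pwdchg.htr/achg.htr.
' Self-service password change for classic ASP on IIS 5 with anonymous access on.
' IUSR_<machine> needs no extra rights: the page binds to the domain AS THE USER
' (OpenDSObject with the user's own old password) and calls IADsUser.ChangePassword,
' which only needs the user's own "change password" right. SetPassword, by contrast,
' is an administrative reset and would require a privileged anonymous account.
' Assumptions (not from the thread): the NetBIOS domain name below is made up,
' the form fields are named user/old/new/confirm, and the site is HTTPS-only.

Const DOMAIN_NAME = "CORP"            ' assumed NetBIOS domain name; change it
Const ADS_SECURE_AUTHENTICATION = 1   ' ADS_AUTHENTICATION_ENUM flag for OpenDSObject
Const SAM_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"

' Reject a user name that could change the shape of the WinNT:// ADsPath
' (no "/", "\", "," or "@") and cap it at the 20-character SAM account limit.
Function IsSafeSamName(ByVal s)
    Dim i
    IsSafeSamName = False
    If Len(s) = 0 Or Len(s) > 20 Then Exit Function
    For i = 1 To Len(s)
        If InStr(1, SAM_CHARS, Mid(s, i, 1), vbBinaryCompare) = 0 Then Exit Function
    Next
    IsSafeSamName = True
End Function

' Tries the change and returns a message for the user. The HRESULT goes to the
' IIS log only; password values are never written or echoed anywhere.
Function ChangeUserPassword(ByVal user, ByVal oldPw, ByVal newPw, ByVal confirmPw)
    Dim root, objUser, hr
    If Not IsSafeSamName(user) Then
        ChangeUserPassword = "Invalid user name." : Exit Function
    End If
    If newPw <> confirmPw Then
        ChangeUserPassword = "The new passwords do not match." : Exit Function
    End If
    If Len(newPw) < 8 Then   ' assumed local minimum; the domain policy is the real check
        ChangeUserPassword = "The new password must be at least 8 characters." : Exit Function
    End If

    On Error Resume Next
    Set root = GetObject("WinNT:")
    ' Bind with the user's OWN credentials: a wrong old password fails here, and
    ' no privilege of the anonymous IIS account is involved at all.
    Set objUser = root.OpenDSObject("WinNT://" & DOMAIN_NAME & "/" & user & ",user", _
                                    DOMAIN_NAME & "\" & user, oldPw, ADS_SECURE_AUTHENTICATION)
    If Err.Number <> 0 Then
        hr = Err.Number : Err.Clear
        Response.AppendToLog "pwchange bind failed for " & user & " hr=0x" & Hex(hr)
        ChangeUserPassword = "The user name or old password is incorrect."
        Exit Function
    End If

    ' ChangePassword (not SetPassword) re-checks the old password and applies the
    ' domain password policy; a rejected new password comes back as an HRESULT.
    objUser.ChangePassword oldPw, newPw
    If Err.Number <> 0 Then
        hr = Err.Number : Err.Clear
        Response.AppendToLog "pwchange change failed for " & user & " hr=0x" & Hex(hr)
        ChangeUserPassword = "The password was not changed (error 0x" & Hex(hr) & "). " & _
                             "Check the domain password policy."
        Exit Function
    End If
    Set objUser = Nothing
    ChangeUserPassword = "Password changed."
End Function

Dim sMsg, sUserShown
sMsg = "" : sUserShown = ""

' Credentials must never travel in clear text: refuse plain HTTP outright.
If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
    Response.Status = "403 Forbidden"
    Response.Write "This page is only available over HTTPS."
    Response.End
End If

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    sMsg = ChangeUserPassword(Trim(Request.Form("user")), Request.Form("old"), _
                              Request.Form("new"), Request.Form("confirm"))
    sUserShown = Server.HTMLEncode(Trim(Request.Form("user")))   ' encoded before echo
End If
%>
<html><body>
<h2>Change your <%= DOMAIN_NAME %> password</h2>
<% If sMsg <> "" Then %><p><b><%= Server.HTMLEncode(sMsg) %></b></p><% End If %>
<form method="post" action="<%= Server.HTMLEncode(Request.ServerVariables("SCRIPT_NAME")) %>" autocomplete="off">
  User name: <input type="text" name="user" value="<%= sUserShown %>"><br>
  Old password: <input type="password" name="old"><br>
  New password: <input type="password" name="new"><br>
  Confirm new password: <input type="password" name="confirm"><br>
  <input type="submit" value="Change password">
</form>
</body></html>
```

Save it as an .asp file in a virtual directory where .asp is mapped to asp.dll (the application mapping MrBeebs mentions), serve it only over HTTPS, and read the hr=0x... entries in the IIS log when a change fails rather than showing the raw error to the browser. One caveat: because the page binds with the old password, a user whose password has already expired may fail at the bind step and still need an administrator to reset it.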

Author Comment

by:MrBeebs
ID: 21858699
Hi everyone,

My problem is fixed. I think I had a number of problems, but MS article 831047 pretty much nailed a big part of it. Specifically, I had to register the .asp and .htr extensions to asp.dll in the application mappings window for the virtual directory hosting the scripts. That took care of one part of the problem.

As for the ability to communicate with the domain, I believe it was a GPO issue, specifically access to the network and the fact that the win2k boxes were not getting the GPO settings.

Thanks everyone for your help.

Regards

Author Closing Comment

by:MrBeebs
ID: 31469207
I would also add this reference to an MS article which helped: MS article 831047.