Security Basics mailing list archives
RE: Active Directory Web-Based Password Reset
From: "thalm" <thalm () netcabo pt>
Date: Tue, 18 Nov 2003 20:38:19 -0000
Jason, The quick and functional way. Note that this "way" is not taking into account much of the security needed, although some security measures have been taken. Such as: - The message returned to the user must always be the same, regardless of the error that occured. - IIS uses NTLM (Integrated Windows Authentication) - IIS uses SSL One "must-do" is to log the error messages (with username and domain) in some place (such as EventLog) so that a reported problem can be further analised and solved. Another way that needs further analisys is how to do it using Kerberos. You would need a SPN (Service Principal Name) and Delegation. Haven't had the time to investigate, so a simpler version follows using NTLM.
HTM page <<<<
IIS with SSL, NTLM (Integrated Windows Authentication) A page with a form asks for (.htm): - last password - new password - confirm new password
ASP page <<<<
After posting do (.asp): - sDomain (via Request.ServerVariables("LOGON_USER")) - sUsername (via Request.ServerVariables("LOGON_USER")) - sOldPwd (via Request.QueryString) - sNewPwd (via Request.QueryString) - Execute the following script: -------------------------------------------------------------------- Set oUser = GetObject("WinNT://" & sDomain & "/" & sUsername & ",user") If Not IsObject(oUser) Then Set oUser = GetObject("WinNT:").OpenDSObject( _ "WinNT://" & sDomain & "/" & sUsername & ",user", sUsername, sOldPwd,1) End If If Not IsObject(oUser) Then ' User does not exist If Err.Number = -2147024843 Then Response.Write "User does not exist or invalid password" ' An error ocurred (Err.Number - Err.Description) Else Response.Write "User does not exist or invalid password" End If Response.End End If oUser.ChangePassword sOldPwd, sNewPwd If err.number <> 0 Then ' Wrong password If Err.Number = -2147024810 Then Response.Write "User does not exist or invalid password" ' bad password policy criteria ElseIf Err.Number = -2147022651 Then Response.Write "User does not exist or invalid password" ' An error ocurred (Err.Number - Err.Description) Else Response.Write "User does not exist or invalid password" End If Response.End End If Response.Write "Success" -------------------------------------------------------------------- Hope it helps, Tiago Halm http://www.kodeit.org -----Original Message----- From: Jason Brooks [mailto:jbrooks () longwood edu] Sent: Tue 11/18/2003 3:09 PM To: unisog () sans org Cc: security-basics () securityfocus com Subject: Active Directory Web-Based Password Reset We are looking at implementing a web-based password reset system for our entire campus. This would allow us numerous enhancements and security benefits without requiring a 24 hour help desk staff. I know that there are disadvantages to such a system. Our initial plan is to develop one in-house. So doing, we don't want to reinvent the wheel, or follow others into known pitfalls. So, what I am requesting is any advice, war stories, suggestions, pitfalls, etc you can muster. Thanks, Jason Jason Brooks Information Security Technician IITS 116 - B Coyner Longwood University 201 High Street Farmville, VA 23901 (434) 395-2796 --------------------------------------------------------------------------- Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%. FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Active Directory Web-Based Password Reset Jason Brooks (Nov 18)
- <Possible follow-ups>
- RE: Active Directory Web-Based Password Reset thalm (Nov 19)
- RE: Active Directory Web-Based Password Reset Jimi Thompson (Nov 24)