Security Basics mailing list archives
RE: Active Directory Web-Based Password Reset
From: Jimi Thompson <jimit () myrealbox com>
Date: Sun, 23 Nov 2003 23:29:39 -0600
Not really sure what you are referring to by "password reset". If you mean for users that have forgotten their password, you are getting into some shaky territory, particularly if you have sensitive information on your network that would be available by performing the password reset.
Item 1 - Using common information (like last 4 digits of SSN, mother's maiden name, pet's name, favorite color, etc.) to verify identity - Since this information is likely available from someone or somewhere within the company, I've now been able to reset the HR director's password. Don't be surprised when the salary information for all the upper managers gets posted on the web sometime next week. Most information like this is also available from sites like www.publicdata.com and/or its competitors.
Item 2 - Using a token (like RSA token or Rainbow iKey) to verify identity - Usually pretty effective against the general public. Usually not very effective against insiders who can wait for you to go to lunch, to a meeting or to the bathroom to "borrow" the token.
Item 3 - Restricting password reset by IP address - Spoofing an IP is very easy to do, but the low-tech method of waiting for the bathroom, meeting, or lunch break is even easier. Also very hard to keep up with, and prevents anyone working off site from using the process.
Suggestion - Have all users supply an alternate email address AT THE TIME OF ACCOUNT CREATION (i.e. one that does not depend on them having domain access, such as www.myrealbox.com) and send a single-use password to it. That should allow them to authenticate and then change a forgotten password.
HTH,
Jimi

At 8:38 PM +0000 11/18/03, thalm wrote:
Jason,

The quick and functional way. Note that this "way" is not taking into account much of the security needed, although some security measures have been taken. Such as:
- The message returned to the user must always be the same, regardless of the error that occurred.
- IIS uses NTLM (Integrated Windows Authentication)
- IIS uses SSL

One "must-do" is to log the error messages (with username and domain) in some place (such as EventLog) so that a reported problem can be further analysed and solved.

Another way that needs further analysis is how to do it using Kerberos. You would need a SPN (Service Principal Name) and Delegation. Haven't had the time to investigate, so a simpler version follows using NTLM.

HTM page <<<<
IIS with SSL, NTLM (Integrated Windows Authentication)
A page with a form asks for (.htm):
- last password
- new password
- confirm new password

ASP page <<<<
After posting do (.asp):
- sDomain (via Request.ServerVariables("LOGON_USER"))
- sUsername (via Request.ServerVariables("LOGON_USER"))
- sOldPwd (via Request.QueryString)
- sNewPwd (via Request.QueryString)
- Execute the following script:
--------------------------------------------------------------------
    ' ADSI failures are inspected through Err below, so they must not abort the page
    On Error Resume Next

    ' First try a plain bind under the identity IIS already authenticated (NTLM)
    Set oUser = GetObject("WinNT://" & sDomain & "/" & sUsername & ",user")
    If Not IsObject(oUser) Then
      ' Fall back to an explicit bind with the credentials supplied in the form
      Err.Clear
      Set oUser = GetObject("WinNT:").OpenDSObject( _
        "WinNT://" & sDomain & "/" & sUsername & ",user", sUsername, sOldPwd, 1)
    End If

    If Not IsObject(oUser) Then
      ' User does not exist
      If Err.Number = -2147024843 Then
        Response.Write "User does not exist or invalid password"
      ' An error occurred (Err.Number - Err.Description)
      Else
        Response.Write "User does not exist or invalid password"
      End If
      Response.End
    End If

    ' Clear any stale error so the check after ChangePassword reflects only that call
    Err.Clear
    oUser.ChangePassword sOldPwd, sNewPwd
    If Err.Number <> 0 Then
      ' Wrong password
      If Err.Number = -2147024810 Then
        Response.Write "User does not exist or invalid password"
      ' Bad password policy criteria
      ElseIf Err.Number = -2147022651 Then
        Response.Write "User does not exist or invalid password"
      ' An error occurred (Err.Number - Err.Description)
      Else
        Response.Write "User does not exist or invalid password"
      End If
      Response.End
    End If

    Response.Write "Success"
--------------------------------------------------------------------

Hope it helps,
Tiago Halm
http://www.kodeit.org

-----Original Message-----
From: Jason Brooks [mailto:jbrooks () longwood edu]
Sent: Tue 11/18/2003 3:09 PM
To: unisog () sans org
Cc: security-basics () securityfocus com
Subject: Active Directory Web-Based Password Reset

We are looking at implementing a web-based password reset system for our entire campus. This would allow us numerous enhancements and security benefits without requiring a 24 hour help desk staff. I know that there are disadvantages to such a system. Our initial plan is to develop one in-house. So doing, we don't want to reinvent the wheel, or follow others into known pitfalls. So, what I am requesting is any advice, war stories, suggestions, pitfalls, etc you can muster.

Thanks,
Jason

Jason Brooks
Information Security Technician
IITS 116 - B Coyner
Longwood University
201 High Street
Farmville, VA 23901
(434) 395-2796
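The single-use code sent to a recovery address that Jimi proposes, combined with Tiago's rule that the reply to the user is always the same while the real reason goes to a server-side log, can be modelled in a few functions. The following is an added example and not code from anyone in the thread; the account store, outbox and audit list are in-memory stand-ins for the directory, the mail transport and the EventLog, and the names ResetStore, register_user, request_reset and redeem_reset are this example's own.

```python
"""Single-use password reset delivered to a recovery address fixed at account creation.

Added example, not code from the mailing-list thread. Stand-ins: ResetStore.accounts
for the directory, ResetStore.outbox for the mail transport, ResetStore.audit for the
EventLog. Password policy checks are omitted.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Both replies are fixed strings so the caller learns nothing about which step failed.
UNIFORM_MSG = "If the account exists, a one-time code has been sent to its recovery address."
UNIFORM_FAIL = "User does not exist or invalid code."
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    alt_email: str        # recorded at account creation, never changed from the reset page
    password: str


@dataclass
class PendingReset:
    token_hash: str       # only the hash is stored; the token itself goes to the user
    expires_at: float


@dataclass
class ResetStore:
    accounts: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)    # (address, token) pairs "sent" by mail
    audit: list = field(default_factory=list)     # detailed reasons, for operators only


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def register_user(store: ResetStore, username: str, alt_email: str, password: str) -> None:
    """Account creation is the only place the recovery address can be set."""
    store.accounts[username] = Account(alt_email=alt_email, password=password)


def request_reset(store: ResetStore, username: str, now: float) -> str:
    """Issue a one-time code. The returned message is identical whether or not the user exists."""
    acct = store.accounts.get(username)
    if acct is None:
        store.audit.append(f"reset requested for unknown user {username!r}")
        return UNIFORM_MSG
    token = secrets.token_urlsafe(32)
    store.pending[username] = PendingReset(_hash(token), now + TOKEN_TTL_SECONDS)
    store.outbox.append((acct.alt_email, token))   # delivered only to the pre-registered address
    store.audit.append(f"reset code issued for {username!r}")
    return UNIFORM_MSG


def redeem_reset(store: ResetStore, username: str, token: str,
                 new_password: str, now: float) -> tuple[bool, str]:
    """Consume the code on its first presentation, valid or not; every failure replies the same."""
    pending = store.pending.pop(username, None)   # pop: one attempt per issued code
    if pending is None:
        store.audit.append(f"redeem with no pending reset for {username!r}")
        return False, UNIFORM_FAIL
    if now > pending.expires_at:
        store.audit.append(f"expired reset code for {username!r}")
        return False, UNIFORM_FAIL
    if not hmac.compare_digest(pending.token_hash, _hash(token)):
        store.audit.append(f"bad reset code for {username!r}")
        return False, UNIFORM_FAIL
    store.accounts[username].password = new_password
    store.audit.append(f"password changed for {username!r}")
    return True, "Success"
```

Two design choices are worth noting: the pending record is removed on the first redemption attempt, so a wrong guess costs the user a fresh request rather than giving a guesser repeated tries against the same code, and the code is compared against a stored hash with hmac.compare_digest, so a database read alone does not yield a usable code.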
Current thread:
- Active Directory Web-Based Password Reset Jason Brooks (Nov 18)
- <Possible follow-ups>
- RE: Active Directory Web-Based Password Reset thalm (Nov 19)
- RE: Active Directory Web-Based Password Reset Jimi Thompson (Nov 24)