Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Active Directory Web-Based Password Reset

From: "thalm" <thalm () netcabo pt>
Date: Tue, 18 Nov 2003 20:38:19 -0000
Jason,
 
The quick and functional way.
Note that this "way" is not taking into account much of the security needed, although some security measures have been 
taken.
Such as:
- The message returned to the user must always be the same, regardless of the error that occured.
- IIS uses NTLM (Integrated Windows Authentication)
- IIS uses SSL
One "must-do" is to log the error messages (with username and domain) in some place (such as EventLog) so that a 
reported problem can be further analised and solved.
 
Another way that needs further analisys is how to do it using Kerberos.
You would need a SPN (Service Principal Name) and Delegation.
Haven't had the time to investigate, so a simpler version follows using NTLM.
 

HTM page <<<<

IIS with SSL, NTLM (Integrated Windows Authentication)
A page with a form asks for (.htm):
- last password
- new password
- confirm new password
 

ASP page <<<<

After posting do (.asp):
- sDomain (via Request.ServerVariables("LOGON_USER"))
- sUsername (via Request.ServerVariables("LOGON_USER"))
- sOldPwd (via Request.QueryString)
- sNewPwd (via Request.QueryString)
- Execute the following script:
 
--------------------------------------------------------------------
Set oUser = GetObject("WinNT://" & sDomain & "/" & sUsername & ",user")
If Not IsObject(oUser) Then
     Set oUser = GetObject("WinNT:").OpenDSObject( _
          "WinNT://" & sDomain & "/" & sUsername & ",user", sUsername, sOldPwd,1)
End If
If Not IsObject(oUser) Then
     ' User does not exist
     If Err.Number = -2147024843 Then
          Response.Write "User does not exist or invalid password"
 
     ' An error ocurred (Err.Number - Err.Description)
     Else 
          Response.Write "User does not exist or invalid password"
     End If
     Response.End
End If
 
oUser.ChangePassword sOldPwd, sNewPwd
If err.number <> 0 Then
     ' Wrong password
     If Err.Number = -2147024810 Then
          Response.Write "User does not exist or invalid password"
 
     ' bad password policy criteria
     ElseIf Err.Number = -2147022651 Then
          Response.Write "User does not exist or invalid password"
 
     ' An error ocurred (Err.Number - Err.Description)
     Else
          Response.Write "User does not exist or invalid password"
     End If
     Response.End
End If
Response.Write "Success"
--------------------------------------------------------------------
 
Hope it helps,
Tiago Halm
http://www.kodeit.org
 

        -----Original Message----- 
        From: Jason Brooks [mailto:jbrooks () longwood edu] 
        Sent: Tue 11/18/2003 3:09 PM 
        To: unisog () sans org 
        Cc: security-basics () securityfocus com 
        Subject: Active Directory Web-Based Password Reset
        
        


        We are looking at implementing a web-based password reset system for our
        entire campus.  This would allow us numerous enhancements and security
        benefits without requiring a 24 hour help desk staff.  I know that there
        are disadvantages to such a system.  Our initial plan is to develop one
        in-house.  So doing, we don't want to reinvent the wheel, or follow others
        into known pitfalls.  So, what I am requesting is any advice, war stories,
        suggestions, pitfalls, etc you can muster.
        
        Thanks,
        Jason
        
        Jason Brooks
        Information Security Technician
        IITS
        116 - B Coyner
        Longwood University
        201 High Street
        Farmville, VA 23901
        (434) 395-2796
        
        
        ---------------------------------------------------------------------------
        Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
        The Presidio integrates PGP data encryption and XML Web Services security to
        simplify the management and deployment of PGP and reduce overall PGP costs
        by up to 80%.
        FREE WHITEPAPER & 30 Day Trial -
        http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
        ----------------------------------------------------------------------------
        
        


---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: