Home page logo

basics logo Security Basics mailing list archives

RE: Active Directory Web-Based Password Reset
From: Jimi Thompson <jimit () myrealbox com>
Date: Sun, 23 Nov 2003 23:29:39 -0600

Not really sure what you are referring to by "password reset". If you mean for uses that have forgotten their password, you are getting in to some shaky territory, particularly if you have sensitive information on your network that would be available by performing the password reset.

Item 1 - Using common information (like last 4 digits of SSN, mother's maiden name, pets name, favorite color, etc.) - to verify identity - Since this information is likely available from someone or somewhere within the company, I've now been able to reset to the HR director's password. Don't be surprised when the salary information for all the upper managers gets posted on the web sometime next week. Most information like this is also available from sites like www.publicdata.com and/or it's competitors.

Item 2 - Using a token (like RSA token or Rainbow iKey) - to verify identity - usually pretty effective against the general public. usually not very effective against insiders who can wait for you to go to lunch, to a meeting or to the bathroom to "borrow" the token.

Item 3 - restricting password reset by ip address - spoofing an IP is very easy to do but the low tech method of waiting for the bathroom, meeting, or lunch break is even easier. Also very hard to keep up with and prevents any one working off site from using the process.

Suggestion - have all users supply an alternate email address AT THE TIME OF ACCOUNT CREATION (i.e. one that not depend on them having domain access such as www.myrealbox.com) and send a single use password to it. That should allow them to authenticate and then change a forgotten password.



t 8:38 PM +0000 11/18/03, thalm wrote:

The quick and functional way.
Note that this "way" is not taking into account much of the security needed, although some security measures have been taken.
Such as:
- The message returned to the user must always be the same, regardless of the error that occured.
- IIS uses NTLM (Integrated Windows Authentication)
- IIS uses SSL
One "must-do" is to log the error messages (with username and domain) in some place (such as EventLog) so that a reported problem can be further analised and solved.

Another way that needs further analisys is how to do it using Kerberos.
You would need a SPN (Service Principal Name) and Delegation.
Haven't had the time to investigate, so a simpler version follows using NTLM.

 HTM page <<<<
IIS with SSL, NTLM (Integrated Windows Authentication)
A page with a form asks for (.htm):
- last password
- new password
- confirm new password

 ASP page <<<<
After posting do (.asp):
- sDomain (via Request.ServerVariables("LOGON_USER"))
- sUsername (via Request.ServerVariables("LOGON_USER"))
- sOldPwd (via Request.QueryString)
- sNewPwd (via Request.QueryString)
- Execute the following script:

Set oUser = GetObject("WinNT://" & sDomain & "/" & sUsername & ",user")
If Not IsObject(oUser) Then
     Set oUser = GetObject("WinNT:").OpenDSObject( _
"WinNT://" & sDomain & "/" & sUsername & ",user", sUsername, sOldPwd,1)
End If
If Not IsObject(oUser) Then
     ' User does not exist
     If Err.Number = -2147024843 Then
          Response.Write "User does not exist or invalid password"

     ' An error ocurred (Err.Number - Err.Description)
          Response.Write "User does not exist or invalid password"
     End If
End If

oUser.ChangePassword sOldPwd, sNewPwd
If err.number <> 0 Then
     ' Wrong password
     If Err.Number = -2147024810 Then
          Response.Write "User does not exist or invalid password"

     ' bad password policy criteria
     ElseIf Err.Number = -2147022651 Then
          Response.Write "User does not exist or invalid password"

     ' An error ocurred (Err.Number - Err.Description)
          Response.Write "User does not exist or invalid password"
     End If
End If
Response.Write "Success"

Hope it helps,
Tiago Halm

        -----Original Message-----
        From: Jason Brooks [mailto:jbrooks () longwood edu]
        Sent: Tue 11/18/2003 3:09 PM
        To: unisog () sans org
        Cc: security-basics () securityfocus com
        Subject: Active Directory Web-Based Password Reset

We are looking at implementing a web-based password reset system for our
        entire campus.  This would allow us numerous enhancements and security
benefits without requiring a 24 hour help desk staff. I know that there
        are disadvantages to such a system.  Our initial plan is to develop one
in-house. So doing, we don't want to reinvent the wheel, or follow others into known pitfalls. So, what I am requesting is any advice, war stories,
        suggestions, pitfalls, etc you can muster.


        Jason Brooks
        Information Security Technician
        116 - B Coyner
        Longwood University
        201 High Street
        Farmville, VA 23901
        (434) 395-2796

The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs
        by up to 80%.
        FREE WHITEPAPER & 30 Day Trial -





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]