mailing list archives
NT user (who is locked changing his/her password by administrator ) can bypass the security policy and Change the password.
From: Syed Mohamed A <SyedMA () innerframe com>
Date: Wed, 6 Mar 2002 14:37:05 +0530
Our PT team found the following vulnerability in security policy
implementation with NT Server and IIS 4.0.
NT user (who is locked changing his/her password by administrator) can
bypass the security policy and Change the password.
Microsoft Windows NT Server 4.0 + IIS 4.0 + Service pack 6.0
Valid NT user can bypass the administrator security policy "user cannot
change password" and can change his/her password through web based ".HTR"
Valid NT user whose account is locked changing his/her password by
administrator i.e. (Administrator applied the policy " user cannot change
password") can still "Change his/her password through IIS Web service
http://iisserver/iisadmpwd/aexp3.htr ". This is possible with disabled
Enter valid user id and password (who can not change his/her password).Enter
new password. It is by passing the security policy "user can not change
password" and password got changed.
The following files can also be used for the same
Microsoft was informed about this.
Response from Microsoft
"The particular policy you've mentioned, locking users out of
Passwords, isn't something that this tool, when developed, was designed to
Again, though, we want to reiterate that .HTR is a deprecated technology
and we very strongly urge you to unmap .htr if at all possible. The
preferred method of handling accounts through HTML pages is through the
use of ADSI now. As I noted, we are looking to see if we can provide an
ASP based application to replace the HTR-based application at some
.HTR should be disabled by unmapping. Avoid using .HTR based password
Syed Mohamed A
Technical Specialist- Technology & Practices
InnerFrame - The Technology infrastructure services provider
Division of The Microland Group, India
email: syedma () innerframe com
Tel: 91-80-5503313 to 18 extn. 153
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, re-transmission, dissemination or other use of or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from your
- NT user (who is locked changing his/her password by administrator ) can bypass the security policy and Change the password. Syed Mohamed A (Mar 06)