IISADMPWD Vulnerabilities

What problems would be caused if the IISADMPWD page is accessed via Anonymous access to the pages to the Internet? What kind of vulnerability would Active Directory be in should this be configured this way? We need a way for users who are on the road all the time and never come to the office to change their Active Directory password. One thought is to use "Windows Integrated" authentication that would prompt them for username and password, but if their password has expired this is not an option because they will not be able to log on via "Windows Integrated" security. Any KBs out there on this? I have searched but I have not found anything. Any suggestions on this are most grateful.

Thanks,
Mike B.

"Consultant" wrote:

use basic authentication and hardcode the domain in the asp pages. this way, they only need to remember their uid & old password and not a domain. be sure to force this site to use ssl

http://support.microsoft.com/kb/269082/

I guess I should clarify. It is a Windows 2003 IIS 6.0 server. What I really need to know is what any vulnerabilities may be by having the IISADMPWD password page open with "Anonymous" authentication. In other words, open to the public. We are actually using UPN as the logon so there is no domain to put in. I just want to know if anyone sees a problem doing it this way.

Thanks,
Mike B.

anytime you allow anonymous access to your resources, you open a potential security hole. that being said, you've given free access to the tool directly tied to your active directory.

http://www.windowsitpro.com/Web/Article/ArticleID/21218/21218.html