NT user (who is locked from changing his/her password by the administrator) can bypass the security policy and change the password.

From: Syed Mohamed A (SyedMAat_private)
Date: Wed Mar 06 2002 - 01:07:05 PST

    Hi,
    Our PT team found the following vulnerability in the security policy
    implementation of NT Server with IIS 4.0.
    
    An NT user (who is locked from changing his/her password by the administrator) can
    bypass the security policy and change the password.
    
    Vulnerable:
    
    Microsoft Windows NT Server 4.0 + IIS 4.0 + Service Pack 6.0
    
    Description:
    
    A valid NT user can bypass the administrator's security policy "user cannot
    change password" and change his/her password through the web-based ".HTR"
    application.
    
    A valid NT user whose account is locked from changing his/her password by the
    administrator (i.e. the administrator applied the policy "user cannot change
    password") can still change his/her password through the IIS web service at
    http://iisserver/iisadmpwd/aexp3.htr. This is also possible with disabled
    accounts.
    
    Enter a valid user ID and password (for a user who cannot change his/her
    password), then enter a new password. This bypasses the security policy "user
    cannot change password" and the password gets changed.
    
    The following files can also be used for the same purpose:
    
    http://iis-server/iisadmpwd/aexp2.htr
    http://iis-server/iisadmpwd/aexp2b.htr
    http://iis-server/iisadmpwd/aexp4.htr
    
    Vendor status:
    
    Microsoft was informed about this.
    
    Response from Microsoft:
    
    "The particular policy you've mentioned, locking users out of changing
    passwords, isn't something that this tool, when developed, was designed to
    account for.
    
    Again, though, we want to reiterate that .HTR is a deprecated technology
    and we very strongly urge you to unmap .htr if at all possible.  The
    preferred method of handling accounts through HTML pages is through the
    use of ADSI now.  As I noted, we are looking to see if we can provide an
    ASP based application to replace the HTR-based application at some
    point." 
    
    Solution:
    
    .HTR should be disabled by unmapping it. Avoid using .HTR-based password
    changing applications.
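    Added here as an example (not from the original post or from Microsoft): a
    Python script that parses an IIS W3C extended log and lists every request to
    the iisadmpwd .HTR pages named above, so a site can see whether the
    password-change pages are being used and confirm that hits stop returning 200
    once .htr is unmapped. The log lines are constructed; the addresses and the
    user name are made up.

```python
"""Flag requests to the IIS 4.0 .HTR password-change pages in a W3C extended log."""
import re
from typing import Iterator, List, Tuple

# Constructed sample log, not a real capture: the IP addresses and the user name
# are made up. Field names are the W3C extended log names IIS writes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-05 09:12:01 10.0.0.21 - 10.0.0.5 GET /default.htm - 200
2002-03-05 09:12:44 10.0.0.21 - 10.0.0.5 GET /iisadmpwd/aexp3.htr - 200
2002-03-05 09:13:02 10.0.0.21 jdoe 10.0.0.5 POST /iisadmpwd/aexp3.htr - 200
2002-03-05 09:15:17 10.0.0.37 - 10.0.0.5 GET /IISADMPWD/aexp2b.HTR - 200
2002-03-05 09:16:40 10.0.0.37 - 10.0.0.5 GET /scripts/other.htr - 404
"""

# IIS matches URLs case-insensitively, so the pattern must too.
HTR_PWD_RE = re.compile(r"^/iisadmpwd/[^/]+\.htr$", re.IGNORECASE)


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per entry, keyed by the names in the most recent #Fields: line."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def find_htr_password_hits(text: str) -> List[Tuple[str, str, str, str, str]]:
    """Return (time, client ip, method, uri, status) for every request to the
    iisadmpwd .HTR pages; after .htr is unmapped these should stop returning 200."""
    hits = []
    for entry in parse_w3c(text):
        if HTR_PWD_RE.match(entry["cs-uri-stem"]):
            hits.append((entry["time"], entry["c-ip"], entry["cs-method"],
                         entry["cs-uri-stem"], entry["sc-status"]))
    return hits


if __name__ == "__main__":
    for hit in find_htr_password_hits(SAMPLE_LOG):
        print("%s client %s %s %s -> %s" % hit)
```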
    
    
    Best Regards
    
    Syed Mohamed A
    Technical Specialist - Technology & Practices
    InnerFrame - The Technology infrastructure services provider
    Division of The Microland Group, India
    www.innerframe.com
    
    
    email: syedmaat_private
    Tel:   91-80-5503313 to 18  extn. 153
    Fax:   91-80-5503319
     
    
    The information transmitted is intended only for the person or entity to
    which it is addressed and may contain confidential and/or privileged
    material. Any review, re-transmission, dissemination or other use of or
    taking of any action in reliance upon, this information by persons or
    entities other than the intended recipient is prohibited. If you received
    this in error, please contact the sender and delete the material from your
    computer. 
    



    This archive was generated by hypermail 2b30 : Wed Mar 06 2002 - 09:14:13 PST