
Vulnerability in security policy implementation with NT Server and IIS 4.0.

by Nikola Strahija on March 6th, 2002

An NT user whom the administrator has blocked from changing his/her password can bypass the security policy and change the password.


Microsoft Windows NT Server 4.0 + IIS 4.0 + Service pack 6.0


A valid NT user can bypass the administrator security policy "user cannot
change password" and can change his/her password through web based ".HTR"

A valid NT user whom the administrator has blocked from changing his/her
password (i.e. the administrator applied the policy "user cannot change
password") can still change his/her password through the IIS web service at
http://iisserver/iisadmpwd/aexp3.htr. This is also possible with disabled
accounts.

Enter the valid user ID and password of a user who cannot change his/her
password, then enter a new password. This bypasses the security policy "user
cannot change password", and the password is changed.

The following files can also be used for the same


Vendor status

Microsoft was informed about this.

Response from Microsoft

"The particular policy you've mentioned, locking users out of
Passwords, isn't something that this tool, when developed, was designed to
account for.

Again, though, we want to reiterate that .HTR is a deprecated technology
and we very strongly urge you to unmap .htr if at all possible. The
preferred method of handling accounts through HTML pages is through the
use of ADSI now. As I noted, we are looking to see if we can provide an
ASP based application to replace the HTR-based application at some


.HTR should be disabled by unmapping the extension. Avoid using the .HTR-based
password changing application.
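
To check whether the password pages are still being requested, the following added example (not part of the original advisory) scans an IIS log in W3C Extended Log File Format for requests to any .htr page under /iisadmpwd/. The log lines are constructed sample data, and the function names are hypothetical.

```python
import posixpath
from collections import Counter
from urllib.parse import unquote

# Constructed sample in W3C Extended Log File Format (not from the advisory).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-03-06 10:15:02 192.0.2.10 - GET /default.asp 200
2002-03-06 10:15:40 192.0.2.10 - GET /iisadmpwd/aexp3.htr 200
2002-03-06 10:16:05 192.0.2.10 - POST /IISADMPWD/aexp3.htr 200
2002-03-06 10:17:30 198.51.100.7 - GET /iisadmpwd/%61exp3.htr 404
2002-03-06 10:18:00 198.51.100.7 - GET /docs/iisadmpwd.html 200
"""


def find_htr_password_requests(log_text, vdir="/iisadmpwd/"):
    """Return log records that request a .htr page under the given virtual directory."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        # Decode and normalise so letter case and %-encoding do not hide the path.
        stem = posixpath.normpath(unquote(rec.get("cs-uri-stem", ""))).lower()
        if stem.startswith(vdir) and stem.endswith(".htr"):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (client IP, method, status) for triage."""
    return Counter((h["c-ip"], h["cs-method"], h["sc-status"]) for h in hits)


if __name__ == "__main__":
    found = find_htr_password_requests(SAMPLE_LOG)
    for (ip, method, status), n in sorted(summarize(found).items()):
        print(f"{ip} {method} status={status} count={n}")
```

A POST answered with status 200 means the form was served and submitted, so the account named in the form is worth reviewing for an unexpected password change.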
