Hi Rob,
Take a look at the following site:
- http://www.securityfocus.com/bid/2110/discussion
It is for IIS 4.0, but I think it can help you.
Regards,
Abner Carvalho
From: "Hemmings, Rob" <Rob.Hemmings@xxxxxxxxxxxxx>
Reply-To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
Subject: [exchangelist] OWA - Change Password Security Risk?
Date: Fri, 4 Apr 2003 15:09:34 +0100
Hi,
I have an E2K Front-end Server in my DMZ. When running the IIS Lockdown and various other security bits and bobs, the ability for OWA users to change passwords was taken out (this was recommended to me by an E2K Guru).
I am now being asked by my client as to why the password change feature was removed. The best reply I was able to give (from my initial chat with the E2K guy) was "It's a security risk".
Now I can't get hold of the guy to ask him specifically 'why' it was taken out. And I can't find any tech bulletins to back this argument up.....
Does anyone know of any 'sound' technical reasons as to why the password change feature should be taken out of an internet-visible OWA box? And why it should stay out????
TIA.
Regards
Rob Hemmings
Bexley Mail Administrator / Postmaster
rob.hemmings@xxxxxxxxxxxxx