Microsoft IIS 4.0 IISADMPWD Proxied Password Attack

Solution:
Microsoft refers to this as a feature for network administrators, but does point out in article Q184619 that it is a potential security risk. According to the article, "You can configure a site to support password changes by setting the following properties on the site: PasswordCacheTTL, PasswordChangeFlags and PasswordExpirePrenotifyDays. Refer to the IIS documentation for more details on these properties." It may be prudent to disable this feature if it is accessible from untrusted machines.



 

Copyright 2010, SecurityFocus