A. When you use the default IISADMPWD virtual directory to enable a Web page where users can change passwords, as I discussed in the FAQ "Does Windows Server 2003 provide a way to let users change their passwords remotely on the Web?", the Microsoft IIS server sends the user's password information unencrypted over the network, which creates a security risk. To avoid transmitting unencrypted passwords, you must enable Secure Sockets Layer (SSL) by following these steps:
- Start a command prompt by clicking Start, Run and typing
- Navigate to the C:\Inetpub\Adminscripts directory.
- At the command prompt, type
  adsutil.vbs set w3svc/1/PasswordChangeFlags 0
  This command runs the adsutil.vbs script, which sets the password change option (specified by the PasswordChangeFlags value). The w3svc/1 parameter means the first default Web site; 0 means SSL is required. Setting the PasswordChangeFlags value to 1 specifies that SSL isn't used. (Setting the value to 2 disables the user's ability to change the password.)
- Restart the IIS server to effect the change.