how to stop login credentials being passed automatically?

Discussion in 'Server Security' started by geek-y-guy, Jun 23, 2006.

  1. geek-y-guy

    geek-y-guy Guest

    Hi All:

    I have a server running 2003 std. ed. with sp1. It's running web services
    with a single website and ftpsite configured on it.

    This is a development server, so neither the website nor the FTP site allow
    anonymous access. The FTP site was set up without "user isolation".

    I have one developer working on this site, connecting to this server
    remotely from an xp pro sp2 computer, who claims that they never get a login
    prompt when they connect using Internet Explorer. A long time ago they
    probably checked "remember password" when prompted for their login
    credentials.

    If I browse to the server in IE, either with http or ftp, I receive a
    windows login prompt, as do other people who have tried to connect without
    passing the credentials in the URL string (for ftp).

    The developer claims that they've done everything they can in Internet
    Options to remove the "remembered" login, including deleting their cache,
    cookies, history and clearing the password cache in "autocomplete". The only
    other software they use to interact with the server Visual Studio Ent. Ed.
    ver. 6 (the old Visual Studio).

    This is a problem because occasionally HTML mail gets sent from this server
    with URLs referencing images on a public server...if the URLs accidentally
    point to the development server, someone viewing the mail in OE gets a login
    prompt when they try to view the mail. The problem is, the developer never
    sees that happen (he just sees the email without any errors).

    Is there any place else that his login credentials would be stored on his
    computer where they could be removed? Or is there some other explanation to
    this phenomenon?

    TIA!
     
    geek-y-guy, Jun 23, 2006
    #1
    1. Advertisements

  2. Have them check in IE under Tools / Internet Option, on Security tab,
    with appropriate zone highlighted (Intranet?) click on Custom and scroll
    to the User Authentication section at the bottom. There they should have
    selected Prompt for user name and password
    It is also possible that the dev server is seen as being in Intranet zone
    on the one person's PC but in Internet by the rest.
     
    Roger Abell [MVP], Jun 24, 2006
    #2
    1. Advertisements

  3. geek-y-guy

    geek-y-guy Guest

    Thanks Roger. He says that:

    "I went to all the "zones"
    and required login for each. Then clear everything I can think of, open a
    new window, type in ftp://thewebsite.com and I'm in."

    BTW: He's not connect on the intranet. This is a server in a colo cabinet
    and there's no locally connected users. The user in question is connecting
    over a cable connection from his house to the colo facility 1000 miles away.

    Is there any chance a proxy server could be passing authentication creds on
    his behalf? I wouldn't think that's possible but...
     
    geek-y-guy, Jun 26, 2006
    #3
  4. I should have thought of this before.
    Have him go to the User Accounts applet in control panel,
    highlight his account and then access the link to manage
    network passwords to see if there are cached credentials
    stored there.
     
    Roger Abell [MVP], Jun 30, 2006
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.