Disabling Password Reset Option for Users on Login Page

Overview

DNN allows you to disable or enable access to the password reset page to comply with your security policy.


Solution

When a user visits your site, they will usually be able to see a Reset Password link on the login page:

[Screenshot: login page showing the Reset Password link]

If you want to disable this feature, you can do so via the web.config file and, for an additional layer, via SQL queries against the site database.


Site configuration solution

  1. Navigate to the site's web.config file and edit the file with a text editor.
  2. Look for the enablePasswordReset field.
  3. Set the value to enablePasswordReset="false" to disable the password reset page (or enablePasswordReset="true" to enable it).
  4. Restart the site for changes to take effect.
  5. If someone browses your site, they will not have a password reset option:
    [Screenshot: login page without the password reset button]
  6. Clients who know the URL for the password reset link and attempt to bypass this restriction will be given an error message.


API redirection solution

If you are worried about more sophisticated attacks, you can begin by performing the site configuration solution above, then add an extra layer of security by redirecting SendPassword requests. This can be done with a SQL command run against your site database. As with any SQL query, we recommend you back up your database first and test all solutions in a safe, non-production environment.

All the following commands can be run in your SQL IDE of choice or in the SQL Console:

  1. Create a table to back up the value of the controlsrc column in your modulecontrols table.
    • create table _mcbackup (
      bcid int identity primary key
      ,controlsrc varchar(255) null
      ,controlkey varchar(255) null
      ,modulecontrolid int null
      ,moduledefid int null
      ,backupdate datetime2 null
      );
  2. Back up the key columns in the row corresponding to the SendPassword control. This will allow you to restore these values later if you want to re-enable the feature.
    • insert into _mcbackup 
      (controlsrc, controlkey, modulecontrolid, moduledefid, backupdate)
      select controlsrc, controlkey, modulecontrolid, moduledefid, getdate()
      from modulecontrols
      where controlkey='SendPassword'
    • Ensure that only one row is affected by this script. If more than one row is affected, we do not recommend moving forward.
  3. Change the ControlSrc value in that row to the control you prefer. We'll use AccessDenied in this example.
    • update modulecontrols 
      set ControlSrc='Admin/Security/accessdenied.ascx'
      where controlkey='SendPassword'
  4. Clear your cache and restart the application to complete the process.
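The following T-SQL script is an added example, not part of the original article: it combines steps 2 and 3 into one transaction that enforces the "exactly one row affected" check automatically, and appends the restore query the article describes but does not show. It assumes the _mcbackup table from step 1 already exists and that the table names resolve without a schema or object prefix, as written on this page.

```sql
-- Added example (not from the original article). Assumes _mcbackup exists
-- (step 1) and that modulecontrols / _mcbackup resolve without a prefix.
BEGIN TRANSACTION;

-- Step 2: save the current SendPassword row before touching it.
INSERT INTO _mcbackup (controlsrc, controlkey, modulecontrolid, moduledefid, backupdate)
SELECT controlsrc, controlkey, modulecontrolid, moduledefid, GETDATE()
FROM modulecontrols
WHERE controlkey = 'SendPassword';

-- The article requires exactly one matching row; anything else means stop.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly one SendPassword control row; nothing changed.', 16, 1);
END
ELSE
BEGIN
    -- Step 3: point the SendPassword control at the AccessDenied control.
    UPDATE modulecontrols
    SET controlsrc = 'Admin/Security/accessdenied.ascx'
    WHERE controlkey = 'SendPassword';
    COMMIT TRANSACTION;
END
GO

-- Restore (re-enable the feature later): copy the most recent saved
-- controlsrc back onto the same modulecontrolid, then clear cache/restart.
UPDATE mc
SET mc.controlsrc = b.controlsrc
FROM modulecontrols AS mc
JOIN _mcbackup AS b ON b.modulecontrolid = mc.modulecontrolid
WHERE b.bcid = (SELECT MAX(bcid) FROM _mcbackup WHERE controlkey = 'SendPassword');
GO
```

Run only the first batch to disable, and only the restore batch to re-enable; in both cases step 4 (clear cache and restart) still applies.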


Testing

  1. Browse to your site and open the login page
  2. There should be no password reset option
  3. (Optional) You can attempt to bypass the Reset Password button by using a direct link. If you performed the API redirect, it will show a blank page. If you did not, you should receive the error "Password retrieval is disabled on this site."
