This four lines code displays the users account information from any
browser. This is a big security hole. Is there away to set ADSI USERS
permission so we can fix this bug.

Any comments

Thank you

It's not a bug. You have to write this script and place it on your server
for the information to be displayed. Just limit access to the web/virtual
directory containing this script using one of the many authentication
methods.

I believe that anyone who logs on to an NT machine can enumerate all of the
users of that machine. Since ASP logs on as IUSR_Machine (or the actual user
if Anonymous access is turned off), it is quite likely to have this right.

As the other post suggests, simply turn off anonymous access to the page.

(Although as veterans of the group will tell you, I'm no security expert
<g>)

Peter

--
Peter J. Torr - Microsoft Windows Script Program Manager

Please do not e-mail me with questions - post them to this
newsgroup instead. Thankyou!