In an effort to provide customers with greater defense in depth, Microsoft has released an Active Server Pages (ASP) replacement for the Internet Information Server 4 and Internet Information Services 5 change password capability, ISM.DLL. This new script code no longer runs as SYSTEM, therefore reducing the attack surface of the Web server. Note that IIS5.1 and IIS6 do not ship ISM.DLL, they both use the updated ASP functionality. This package has been tested and approved for use with Microsoft Exchange versions 5.5 and 2000 running Outlook Web Access (OWA). If you use the password change functionality of IIS, it is HIGHLY recommend you use this new package. Full details can be found at http://support.microsoft.com/?id=331834 Cheers, Michael Writing Secure Code 2nd Edition http://www.microsoft.com/mspress/books/5957.asp
