AUO.Init Method Can be Used to Get Information about a Recent User

• Microsoft Site Server version 3.0

SYMPTOMS

When you run a program, script, or other process on the same computer as Internet Information Services (IIS), you cannot use the AUO.Init method to get information about a recent user who is still in the cache. This information may be confidential.

CAUSE

The Init method of AUO is available for any process that runs on an IIS computer. Therefore, processes that use the AUO.Init method can get information for a user from the cache.

RESOLUTION

To resolve this problem, obtain the latest service pack for Site Server 3.0. For additional information, please see the following article in the Microsoft Knowledge Base:

Q219292 How to Obtain the Latest Site Server 3.0 Service Pack

STATUS

This problem was first corrected in Site Server 3.0 Service Pack 3.

MORE INFORMATION

A registry key has been added to make the AUO.Init method private. When this key is enabled, the Init method can only be called internally. In other words, it becomes a private method.

Please note, however, that the default behavior does not change if the registry key is not enabled or does not exist.

To make the AUO.Init Method private, do the following:

1. Start the Registry Editor (Regedt32.exe).



2. Locate the following key in the registry:

   HKLM\Software\Microsoft\Site Server\3.0\P&M\AUO\




3. On the Edit menu, click Add Value, and then add the following registry value:

   Value Name: SecureAUO.Init
   Data Type: REG_DWORD
   Value: Enter 1 to make the AUO.Init method private.




4. Quit Registry Editor.

Additional query words: security

Keywords : SS3SP3Fix
Version : winnt:3.0
Platform : winnt
Issue type : kbbug