IIS Server - logon problem


MikeR

2005-07-24, 8:48 pm

I have IIS 5.1 on an XP Pro SP2 box. When I installed it, I got the server extensions.
Then I downloaded the 2002 extensions and installed that, along with Sharepoint Services.

The 2002 stuff wants a user id and password, either from the tasks dialog, or from
Properties, then Server Extensions 2002 tab.

I don't log onto any of my XP boxes, so I don't know what it's asking for.

Thanks,
MikeR
David Wang [Msft]

2005-07-24, 8:48 pm

When XP is running with the "user without passwords autologon", this is
purely for your ease of use locally and interactively with that machine.

Question: with this lowered security, what should happen if someone REMOTELY
tries to access your machine, files, network shares, etc as that user
account without a password? Should it work?

By default, when you use "no password logon", your account cannot be used
remotely to access this machine (try to remotely RDP into the machine, or
remotely access a UNC share from this machine, etc -- you see they all
fail).

There is a registry switch that controls whether "users without passwords"
are allowed to logon. It is disabled by default for security reasons. My
guess is that you have the web server configured to require AUTHENTICATION,
and IE tried to authenticate your user account without a password. Since the
browser is considered "remote" as far as the web server is concerned, this
is like a remote logon, which fails. This causes IIS to return a 401, which
results in the password dialog box. Since your user account has no password
and is denied network logon, it will always fail.

You have some choices, and you need to figure out what you need and how to
do it, because it is your responsibility and security at stake:
1. Add a new user account to the machine that has a password. This user
should work with the web applications on the web server
2. Allow users without passwords to log on remotely. This is a huge security
risk, especially if your user account is administrator.
3. Only enable anonymous authentication. I have no idea whether it works
with Sharepoint/FPSE, though.


Personally, on my machines, I use the "no password logon" feature for
convenience, and I also tweak my systems to allow users without passwords to
log on remotely so that they can seamlessly RDP/access network resources
without a password. What I do to secure this is to:
1. Users without passwords are normal users. Administrators all have
passwords. So, even if a rogue can remotely log in as a user without a
password, they are a normal unprivileged user.
2. I run the Windows Firewall on all machines to only allow RDP and UNC
ports to control exposure and ACL to control what the user can access over
those ports.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

MikeR

2005-07-24, 8:48 pm

Hi David -
Thanks for the quick response.

David Wang [Msft] wrote:
> When XP is running with the "user without passwords autologon", this is
> purely for your ease of use locally and interactively with that machine..
>
> Question: with this lowered security, what should happen if someone REMOTELY
> tries to access your machine, files, network shares, etc as that user
> account without a password? Should it work?

No, there should be no outside access.
>
> By default, when you use "no password logon", your account cannot be used
> remotely to access this machine (try to remotely RDP into the machine, or
> remotely access a UNC share from this machine, etc -- you see they all
> fail).

RDP?

> There is a registry switch that controls whether "users without passwords"
> are allowed to logon. It is disabled by default for security reasons. My
> guess is that you have the web server configured to require AUTHENTICATION,
> and IE tried to authenticate your user account without a password. Since the
> browser is considered "remote" as far as the web server is concerned, this
> is like a remote logon, which fails. This causes IIS to return a 401, which
> results in the password dialog box. Since your user account has no password
> and is denied network logon, it will always fail.

What's the reg key?

Anonymous, allow IIS to control password, integrated Windows authentication.

Since I'm greener than grass at this, I'm not sure we're talking about the same things.
The web server serves pages fine. All the FP stuff works, no problem. I can run any of the
admin tasks for 2000 extensions, just not for the 2002 ones.
>
> You have some choices, and you need to figure out what you need and how to
> do it, because it is your responsibility and security at stake:
> 1. Add a new user account to the machine that has a password. This user
> should work with the web applications on the web server
> 2. Allow users without passwords to log on remotely. This is a huge security
> risk, especially if your user account is administrator.
> 3. Only enable anonymous authentication. I have no idea whether it works
> with Sharepoint/FPSE, though.

I only set up IIS so I can run FP locally, and mimic as closely as possible what my webs
look like on commercial ISPs. I don't want any access from the outside world.

>
> Personally, on my machines, I use the "no password logon" feature for
> convenience, and I also tweak my systems to allow users without passwords to
> log on remotely so that they can seamlessly RDP/access network resources
> without a password. What I do to secure this is to:
> 1. users without passwords are normal users. Administrators all have
> passwords. So, even if a rogue can remotely login as a user without a
> password, they are normal unprivileged user
> 2. I run the Windows Firewall on all machines to only allow RDP and UNC
> ports to control exposure and ACL to control what the user can access over
> those ports.
>

I don't have the Firewall enabled, but the router between me and the net is my protection
(I hope)
MikeR
David Wang [Msft]

2005-07-26, 7:58 am

> No, there should be no outside access.

Correct, but servers are not able to distinguish between a client that runs
from the server's machine or a different machine, whether "inside" your LAN
or "outside" your LAN. To the server, everyone is "outside", period. It is
up to you to define what "outside" really means.

>RDP?


Remote Desktop Protocol -- this allows you to remote-control your XP Pro
machine from any other machine.

>What's the reg key?


HKLM\System\CurrentControlSet\Control\LSA\LimitBlankPasswordUse = 0
HKLM\System\CurrentControlSet\Control\LSA\ForceGuest = 0

These settings leave your computer pretty wide open. Allows you to have
users with blank passwords, and allows network connections to this machine
as any user identity that authenticates -- including your users with blank
passwords. This is why I run my blank users as normal Users so that even if
compromised, they can't do much. My administrator accounts all have
passwords.

> I don't have the Firewall enabled, but the router between me and the net is my
> protection (I hope)

Security is best when implemented in depth/layers. So that attackers have to
break down multiple layers to attack you. If you just have one firewall, you
have a defense system that is like an egg -- as soon as you crack the shell,
you're toast.


I'm not really certain what is going on with FrontPage 2002 -- I'm just
talking from the IIS/security point of view.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
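The two LSA values David gives above, together with his earlier advice that any account allowed to log on remotely without a password must not be an administrator, can be checked in one pass. The script below is an added example for this archived thread, not code posted by either participant. It assumes the LocalAccounts cmdlets (Get-LocalUser, Get-LocalGroupMember), which exist on Windows 10 / Server 2016 and later with PowerShell 5.1; on an XP-era host the same facts come from "reg query" against the Lsa key and "net user <name>" (its "Password required" line). The function name Get-BlankPasswordExposure is invented for the example.

```powershell
# Added example, not code from the thread. Reports the two LSA values named in
# the reply above and lists enabled local accounts flagged "password not
# required", marking any that are also local Administrators.
function Get-BlankPasswordExposure {
    [CmdletBinding()]
    param()

    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaPath

    # LimitBlankPasswordUse: 1 (the default) restricts blank-password accounts
    # to console logon; 0 lets them authenticate over the network (RDP, SMB,
    # IIS integrated auth) as themselves. A missing value means the default.
    $limitBlank = if ($null -ne $lsa.LimitBlankPasswordUse) { [int]$lsa.LimitBlankPasswordUse } else { 1 }

    # ForceGuest: 1 maps every network logon to the Guest account; 0 lets a
    # network logon keep the identity it actually authenticated as.
    $forceGuest = if ($null -ne $lsa.ForceGuest) { [int]$lsa.ForceGuest } else { 0 }

    # Members of the local Administrators group, reduced to bare account
    # names (strip the MACHINE\ or DOMAIN\ prefix).
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object { ($_.Name -split '\\')[-1] }

    # PasswordRequired = $false is the "password not required" account flag
    # that Windows sets on accounts created without a password. It is the
    # usual sign of a blank password, not proof of one, so treat each hit as
    # "inspect", not "confirmed".
    $accounts = foreach ($u in Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }) {
        [pscustomobject]@{
            Account         = $u.Name
            IsAdministrator = ($admins -contains $u.Name)
            NetworkLogon    = if ($limitBlank -eq 0) { 'allowed' } else { 'blocked' }
        }
    }

    [pscustomobject]@{
        LimitBlankPasswordUse = $limitBlank
        ForceGuest            = $forceGuest
        BlankPasswordAccounts = @($accounts)
    }
}

$report = Get-BlankPasswordExposure
"LimitBlankPasswordUse = $($report.LimitBlankPasswordUse)  (1 = blank-password accounts are console-only)"
"ForceGuest            = $($report.ForceGuest)  (1 = every network logon becomes Guest)"

if ($report.BlankPasswordAccounts.Count -eq 0) {
    'No enabled local accounts are flagged password-not-required.'
} else {
    $report.BlankPasswordAccounts | Format-Table -AutoSize
    # The combination the thread warns about: an administrator with no
    # password that the machine will also accept over the network.
    $report.BlankPasswordAccounts |
        Where-Object { $_.IsAdministrator -and $_.NetworkLogon -eq 'allowed' } |
        ForEach-Object { Write-Warning "$($_.Account): local Administrator, no password, network logon allowed" }
}
```

Run it in an elevated PowerShell session (reading the Lsa key and enumerating group members needs it). A clean result is LimitBlankPasswordUse = 1 and no warnings; if you have deliberately set it to 0 as David describes, every account the table shows should have IsAdministrator = False. To return to the default, set the value back with `Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LimitBlankPasswordUse -Value 1 -Type DWord` and give the remaining blank-password accounts a password, which is choice 1 from the first reply in this thread.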


MikeR

2005-07-28, 7:50 am

Thanks David -
I thought since the FP extensions are part of the IIS install, this would be the place to
ask, rather than the FP groups. I'll try there. So far, no security compromises, knock on
wood.
MikeR

Copyright 2003 - 2008 webservertalk.com