IIS Server Security - IUSR_computername security question


Author IUSR_computername security question
Jon

2004-01-24, 2:01 am

I've always understood that you need to have the
IUSR_computername account setup with read access on the
NTFS directory where you keep your website files.

Is this correct?

Reason I'm asking, is that I removed the account, and my
IIS6 website still works just fine. I'm trying to tighten
security, and was puzzled that the website still
functioned after removing the IUSR_computername account
in NTFS. I thought that the security model first went to
IIS, then if that passed, then it went to NTFS, before
allowing a visitor to see the web content.

Please help clear up my confusion! Thanks!
AspDotNetDeveloper

2004-01-24, 2:01 am

I don't think so, but I'll double check. Interestingly, I tried the same
thing on a Win 2k IIS 5 server, and I was not able to access the website
through a browser. Might be something to do with IIS6. I'll go check a few
things, and respond afterwards...

"Richie" <anonymous@discussions.microsoft.com> wrote in message
news:093a01c3deb9$efa611a0$a501280a@phx.gbl...
> Does 'everyone' have read rights as well?


Tom Pepper Willett

2004-01-24, 2:01 am

John: By default, the Everyone account should have read rights. This is
what we use on our Win2K servers, which is set up as local machine, and do
not use the IUSR account. In fact, I was doing some research on the
internet, and found a few websites that said using the Everyone account in
lieu of the IUSR account was actually more secure. True or not, I don't
know. But, we've never used the IUSR account, FWIW.

Tom
"AspDotNetDeveloper" <aspdotnetdeveloper@hotmail.com> wrote in message
news:ePnSZ9r3DHA.1504@TK2MSFTNGP12.phx.gbl...

> I don't think so, but I'll double check. Interestingly, I tried the same
> thing on a Win 2k IIS 5 server, and I was not able to access the website
> through a browser. Might be something to do with IIS6. I'll go check a few
> things, and respond afterwards...
>
> "Richie" <anonymous@discussions.microsoft.com> wrote in message
> news:093a01c3deb9$efa611a0$a501280a@phx.gbl...
>
>




AspDotNetDeveloper

2004-01-24, 2:01 am

Hi Tom,

That is interesting that you use Everyone, instead of the IUSR account. I've
always read that doing so was less secure, but I'm not an NTFS security
expert. I checked, and Everyone was not enabled, and I was still able to
browse the web even after the IUSR account was removed. Again, the result
was opposite when doing the same thing in IIS5. Weird! Being as IIS6 is
supposed to be more secure by nature than IIS5, this strikes me as REALLY
odd. I'll keep playing with it to see if I can find out why I am still able
to access the web, even though NTFS should be denying access. Thanks for
your input!


"Tom Pepper Willett" <tompepper@mvps.org> wrote in message
news:uQnGWBs3DHA.1428@TK2MSFTNGP12.phx.gbl...

> John: By default, the Everyone account should have read rights. This is
> what we use on our Win2K servers, which is set up as local machine, and do
> not use the IUSR account. In fact, I was doing some research on the
> internet, and found a few websites that said using the Everyone account in
> lieu of the IUSR account was actually more secure. True or not, I don't
> know. But, we've never used the IUSR account, FWIW.
>
> Tom
> "AspDotNetDeveloper" <aspdotnetdeveloper@hotmail.com> wrote in message
> news:ePnSZ9r3DHA.1504@TK2MSFTNGP12.phx.gbl...




Tom Pepper Willett

2004-01-24, 2:01 am

Well, I did some more checking with some local IT professionals, and the
consensus is that the IUSR is more secure. So, I'm going to forget what I
read on the various web sites, and stick with the IUSR.

Tom
"AspDotNetDeveloper" <aspdotnetdeveloper@hotmail.com> wrote in message
news:%23cKFZ3s3DHA.4060@TK2MSFTNGP11.phx.gbl...
| Hi Tom,
|
| That is interesting that you use Everyone, instead of the IUSR account. I've
| always read that doing so was less secure, but I'm not an NTFS security
| expert. I checked, and Everyone was not enabled, and I was still able to
| browse the web even after the IUSR account was removed. Again, the result
| was opposite when doing the same thing in IIS5. Weird! Being as IIS6 is
| supposed to be more secure by nature than IIS5, this strikes me as REALLY
| odd. I'll keep playing with it to see if I can find out why I am still able
| to access the web, even though NTFS should be denying access. Thanks for
| your input!
|
|
| "Tom Pepper Willett" <tompepper@mvps.org> wrote in message
| news:uQnGWBs3DHA.1428@TK2MSFTNGP12.phx.gbl...
| > John: By default, the Everyone account should have read rights. This is
| > what we use on our Win2K servers, which is set up as local machine, and do
| > not use the IUSR account. In fact, I was doing some research on the
| > internet, and found a few websites that said using the Everyone account in
| > lieu of the IUSR account was actually more secure. True or not, I don't
| > know. But, we've never used the IUSR account, FWIW.
| >
| > Tom
| > "AspDotNetDeveloper" <aspdotnetdeveloper@hotmail.com> wrote in message
| > news:ePnSZ9r3DHA.1504@TK2MSFTNGP12.phx.gbl...
| > > I don't think so, but I'll double check. Interestingly, I tried the same
| > > thing on a Win 2k IIS 5 server, and I was not able to access the website
| > > through a browser. Might be something to do with IIS6. I'll go check a few
| > > things, and respond afterwards...
| > >
| > > "Richie" <anonymous@discussions.microsoft.com> wrote in message
| > > news:093a01c3deb9$efa611a0$a501280a@phx.gbl...
| > > > Does 'everyone' have read rights as well?
| > > > >-----Original Message-----
| > > > >I've always understood that you need to have the
| > > > >IUSR_computername account setup with read access on the
| > > > >NTFS directory where you keep your website files.
| > > > >
| > > > >Is this correct?
| > > > >
| > > > >Reason I'm asking, is that I removed the account, and my
| > > > >IIS6 website still works just fine. I'm trying to tighten
| > > > >security, and was puzzled that the website still
| > > > >functioned after removing the IUSR_computername account
| > > > >in NTFS. I thought that the security model first went to
| > > > >IIS, then if that passed, then it went to NTFS, before
| > > > >allowing a visitor to see the web content.
| > > > >
| > > > >Please help clear up my confusion! Thanks!


Bernard

2004-01-24, 2:01 am

I'm sure iusr belongs to one group that you had permission granted to it.
Do you see the IIS_WPG group?

If yes, try removing this group and see if iusr can access without problem.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...



"AspDotNetDeveloper" <aspdotnetdeveloper@hotmail.com> wrote in message
news:#cKFZ3s3DHA.4060@TK2MSFTNGP11.phx.gbl...

> Hi Tom,
>
> That is interesting that you use Everyone, instead of the IUSR account. I've
> always read that doing so was less secure, but I'm not an NTFS security
> expert. I checked, and Everyone was not enabled, and I was still able to
> browse the web even after the IUSR account was removed. Again, the result
> was opposite when doing the same thing in IIS5. Weird! Being as IIS6 is
> supposed to be more secure by nature than IIS5, this strikes me as REALLY
> odd. I'll keep playing with it to see if I can find out why I am still able
> to access the web, even though NTFS should be denying access. Thanks for
> your input!
>
>
> "Tom Pepper Willett" <tompepper@mvps.org> wrote in message
> news:uQnGWBs3DHA.1428@TK2MSFTNGP12.phx.gbl...
>
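
An added example, not posted by anyone in this thread: a simplified Python model of the ordered NTFS DACL check, showing why removing only the account's own entry leaves access in place while a group in the account's token still has an allow entry (the possibility Bernard raises above). The account name IUSR_WEB01, its group membership, the ACLs and the access bits are constructed assumptions.

```python
# Added example: simplified model of the ordered Windows DACL check.
# Account name, group membership and ACLs are constructed for illustration.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # toy access bits, not real NTFS mask values

@dataclass(frozen=True)
class Ace:
    kind: str     # "allow" or "deny"
    trustee: str  # account or group the entry applies to
    mask: int     # access bits the entry covers

def access_check(token, dacl, desired):
    """Walk the DACL in order. A matching deny ACE that covers a requested,
    not-yet-granted bit refuses the request; matching allow ACEs accumulate
    until every requested bit is granted. Falling off the end means deny."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False

def granting_aces(token, dacl, desired):
    """Allow ACEs through which this token can reach any requested bit."""
    return [a for a in dacl
            if a.kind == "allow" and a.trustee in token and a.mask & desired]

# Assumed token: the anonymous account plus one group it is assumed to carry.
TOKEN = {"IUSR_WEB01", "Users"}
BEFORE = [Ace("allow", "Administrators", READ | WRITE),
          Ace("allow", "IUSR_WEB01", READ),
          Ace("allow", "Users", READ)]
# The change described in the thread: only the account's own ACE is removed.
AFTER = [a for a in BEFORE if a.trustee != "IUSR_WEB01"]
# Group ACE removed as well: nothing in the token matches an allow ACE.
LOCKED = [a for a in AFTER if a.trustee != "Users"]
# An explicit deny for the account, ordered first, overrides the group allow.
DENIED = [Ace("deny", "IUSR_WEB01", READ)] + AFTER

if __name__ == "__main__":
    for name, dacl in [("after", AFTER), ("locked", LOCKED), ("denied", DENIED)]:
        print(name, access_check(TOKEN, dacl, READ))
```

On a real server the token's actual groups and the folder's actual entries have to be read from the system; `granting_aces` only shows which entries to look for.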




Fred Yarbrough

2004-01-24, 2:01 am

Jon,

Reboot your web server after you set the permissions or try the access from
a different client that has not hit the site in a while. Sometimes these
types of security changes on the fly can be deceptive. I have seen it time
and again when locking down IIS. It probably has to do with cached
credentials on the client so rebooting the server kills any of these. Just
a thought.


Fred


"Jon" <anonymous@discussions.microsoft.com> wrote in message
news:00ef01c3deaa$53ef63b0$a101280a@phx.gbl...

> I've always understood that you need to have the
> IUSR_computername account setup with read access on the
> NTFS directory where you keep your website files.
>
> Is this correct?
>
> Reason I'm asking, is that I removed the account, and my
> IIS6 website still works just fine. I'm trying to tighten
> security, and was puzzled that the website still
> functioned after removing the IUSR_computername account
> in NTFS. I thought that the security model first went to
> IIS, then if that passed, then it went to NTFS, before
> allowing a visitor to see the web content.
>
> Please help clear up my confusion! Thanks!




Bernard

2004-01-28, 8:34 pm

Mm.. try filemon (sysinternals.com) to see what account is actually accessing
the file.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...



"AspDotNetDeveloper" <aspdotnetdeveloper@hotmail.com> wrote in message
news:#BVgta23DHA.3436@tk2msftngp13.phx.gbl...

> Hi Bernard,
>
> I removed the IIS_WPG also, and was still able to access the web. I also
> restarted the machine, after making my security changes, and was still able
> to access the web from an account login I created specifically for testing
> access from an unauthenticated user on the LAN. Sometimes I've forgotten to
> check with a normal account, instead of my account that has Admin
> permissions.
>
> I'll keep testing different scenarios, and report back to the thread if I
> discover anything significant. Thanks for the input!
>
>
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:%23G33$6v3DHA.2404@TK2MSFTNGP12.phx.gbl...
>




Copyright 2003 - 2008 webservertalk.com