|
Home > Archive > IIS Server Security > February 2004 > IWAM and IUSR
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
|
|
| Tony Talmage 2004-02-09, 2:35 am |
| I recently made a post on a couple Win2k newsgroups, but I believe the post
was OT and thus ignored, which I expected; hopefully this NG is better
suited for my question. Anyhow, I am trying to use ASP to add IIS accounts
to a Win2k server, and apparently, without modifications, I am required to
give IWAM and IUSR Administrative access; otherwise, I receive a "general
access denied error". Because of my fear of security holes, I have not
given Admin access to these accounts. I've been told that it's possible to
create a new account with the appropriate privileges and to use this account
only on the one page that needs the increased rights. While this sounds
logical, I am unaware as to how to force the page to use an anonymous
account other than IWAM/IUSR for a particular operation. Is it possible to
do this?
--
Tony Talmage
Web Developer
Graphic Education Corporation
http://www.graphiced.com
(888) 354-6600
| |
| Keith W. McCammon 2004-02-09, 3:36 am |
| Sure. Just set the NTFS permissions accordingly on the page in question,
and disable anonymous access to that folder or page in IIS. That should
just about do it.
"Tony Talmage" <fakeaddress@nodomain.com> wrote in message
news:%236dia%23x7DHA.1052@TK2MSFTNGP12.phx.gbl...
> I recently made a post on a couple Win2k newsgroups, but I believe the
post
> was OT and thus ignored, which I expected; hopefully this NG is better
> suited for my question. Anyhow, I am trying to use ASP to add IIS
accounts
> to a Win2k server, and apparently, without modifications, I am required to
> give IWAM and IUSR Administrative access; otherwise, I receive a "general
> access denied error". Because of my fear of security holes, I have not
> given Admin access to these accounts. I've been told that it's possible
to
> create a new account with the appropriate privileges and to use this
account
> only on the one page that needs the increased rights. While this sounds
> logical, I am unaware as to how to force the page to use an anonymous
> account other than IWAM/IUSR for a particular operation. Is it possible
to
> do this?
>
> --
> Tony Talmage
> Web Developer
> Graphic Education Corporation
> http://www.graphiced.com
> (888) 354-6600
>
>
>
| |
| SomewhatAnonymous 2004-02-19, 5:34 pm |
|
"Tony Talmage" <fakeaddress@nodomain.com> wrote in message
news:%236dia%23x7DHA.1052@TK2MSFTNGP12.phx.gbl...
> I recently made a post on a couple Win2k newsgroups, but I believe the
post
> was OT and thus ignored, which I expected; hopefully this NG is better
> suited for my question. Anyhow, I am trying to use ASP to add IIS
accounts
> to a Win2k server, and apparently, without modifications, I am required to
> give IWAM and IUSR Administrative access; otherwise, I receive a "general
> access denied error". Because of my fear of security holes, I have not
> given Admin access to these accounts. I've been told that it's possible
to
> create a new account with the appropriate privileges and to use this
account
> only on the one page that needs the increased rights. While this sounds
> logical, I am unaware as to how to force the page to use an anonymous
> account other than IWAM/IUSR for a particular operation. Is it possible
to
> do this?
>
> --
> Tony Talmage
> Web Developer
> Graphic Education Corporation
> http://www.graphiced.com
> (888) 354-6600
A good an well grounded fear, and you don't have to give them admin
privileges. See my own reply to my post here, thread titled "ASP=Events 529
& 681".
MostlyAnonymous
---
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.592 / Virus Database: 375 - Release Date: 18-Feb-04
|
|
|
|
|