| Dan Kyle 2006-11-13, 8:59 am |
Thanks again for the information. I can also perform the test you suggest
and post the results.
I do have more to add. I left the Server for a bit and returned to it and
checked the Local Security policy...and found the IUSR and IWAM users to NOT
be there.
SO..I rebooted and looked at the Local Security Policy and found them to be
there (even though the winlogon.log showed them as being removed). I then
ran a GPUPDATE /FORCE ..looked at the Local Security Policy and they were
GONE! Checked the winlogon.log and again it showed them as being
removed...only this time they WERE removed. It looks like this is only an
issue at boot time and once the GPO's apply for a second time..the GPO
hierarchy takes precedence.
So..why do the SCW settings take precedence at boot and then have to wait
for the first GPO refresh to occur before being taken out?
Dan
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:%23ycMjTBBHHA.992@TK2MSFTNGP03.phx.gbl...
> Hi Dan,
>
> For your detailed questions on the IIS docs relative to minimum required
> user rights, and perhaps also for verification of IIS 6's behavior relative
> to restoring which user rights to its default-form named IUsr_ and IWam_
> accounts I am cross-posting this to the inetserver.iis.security newsgroup.
> Hopefully David, Bernard, Ken, or another can clarify your specific
> questions on the doc conflicts.
>
> As to your test, after the build, and before or after the join, but
> certainly before use of SCW, it would have been telling if you had
> removed the IUsr_machine and IWam_machine accounts from their
> user rights grants and then stopped and restarted all IIS services (i.e.
> IIS Admin and dependents). At one point during beta the IIS 6 team
> was talking about extending the IIS 5 behavior of guaranteeing user
> rights grants to all accounts (not just the default named ones), but I
> was very vocal against this (as a sys admin I do not want _anything_
> touching what rights grants I have defined, even for the default named
> accounts) and I think they relented some but did keep the IIS-ish
> behavior for the default named accounts. I will check later after
> I get to the shop to see if there is something I can infer without tests.
> It would be a pretty simple test with a W2k3 virt machine image
> around (longhorn has pretty much pushed these out of storage for me).
>
>
> Roger
>
> "Dan Kyle" <beaker@Spamsucks.com> wrote in message
> news:OcdOnZABHHA.4844@TK2MSFTNGP02.phx.gbl...
>
>