| Anthony 2006-07-01, 3:35 am |
| Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain. Everything
standard.
1) The Microsoft security guide for IIS6.0 says that the IUSR account needs
Log on Locally rights.
2) The Microsoft group policy Enterprise security template for Member
Servers removes this right. When the policy is applied, anonymous access is
broken.
3) The Member Server template is a baseline for all servers. You are
supposed to ADD a Web Server template on top for web servers.
4) The Security Policy guide specifies that if you apply the more
restrictive Limited Functionality template to Member Servers, then you need
to move the web server out of that OU so the policy is not applied. By
inference you don't do this for the standard Enterprise policy template.
5) Question: do the policy templates contradict the security guide?
6) Question: I read somewhere that if you enable Basic authentication, you
no longer need the Log on Locally right for anon. Is that correct?
7) Question: I have enabled Advanced Digest authentication with the
UseDigestSSP property set in the metabase. This works fine. I read something
about this disabling subauthentication, and I recognise that
subauthentication is something to do with the way IIS handles the IUSR
account. Could it be that with Advanced Digest enabled, the IUSR account no
longer works unless it has Log on Locally rights?
Thanks very much,
Anthony
|