IIS Server Security - Flaw in default permissions


Anthony Yates

2006-07-12, 1:21 pm

The documentation states that the IUSR account by default has Read, Execute
NTFS permissions to the web site folders:
http://support.microsoft.com/?kbid=812614
I have done many default installations and it does not. It just has a Deny
Write. Any comments? Is that just a straightforward documentation error?
Anthony
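A quick way to see what the anonymous account actually holds on a web root, rather than what KB 812614 says it should, is to dump the IUSR ACEs and flag anything wider than Read/Execute. This is an added example, not part of the thread; it assumes the web root is C:\inetpub\wwwroot and that the anonymous account name begins with IUSR (IUSR_<machine> on IIS 6, the built-in IUSR on later versions).

```powershell
# Added example (not from the thread). Lists the ACEs on a web root that apply
# to an IUSR* account and flags Allow entries wider than Read & Execute.
# Assumptions: web root is C:\inetpub\wwwroot; the anonymous account is
# IUSR_<machine> (IIS 6) or the built-in IUSR (IIS 7+).
function Test-AnonWebAcl {
    param(
        [string]$WebRoot = 'C:\inetpub\wwwroot'
    )

    $acl = Get-Acl -Path $WebRoot
    # Match "MACHINE\IUSR_MACHINE" as well as "NT AUTHORITY\IUSR"
    $anonAces = @($acl.Access | Where-Object { $_.IdentityReference.Value -match '(^|\\)IUSR' })

    if ($anonAces.Count -eq 0) {
        Write-Output "No ACE for an IUSR* account on $WebRoot (explicit or inherited)"
        return
    }

    # What the KB documents: Read & Execute. Synchronize is always attached to
    # allow ACEs by the ACL editor, so it is not treated as "extra".
    $documented = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $synchronize = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $allowedMask = $documented -bor $synchronize
    $sawDenyWrite = $false

    foreach ($ace in $anonAces) {
        $rights = [int]$ace.FileSystemRights
        "{0,-6} {1,-32} {2}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights

        if ($ace.AccessControlType -eq 'Deny' -and
            ($rights -band [int][System.Security.AccessControl.FileSystemRights]::Write) -ne 0) {
            $sawDenyWrite = $true
        }
        if ($ace.AccessControlType -eq 'Allow') {
            # Any bit outside Read & Execute (+Synchronize) is wider than documented.
            $extra = $rights -band (-bnot $allowedMask)
            if ($extra -ne 0) {
                $extraNames = [System.Security.AccessControl.FileSystemRights]$extra
                Write-Warning "  Allow ACE grants more than Read/Execute: $extraNames"
            }
        }
    }

    if ($sawDenyWrite) { Write-Output "Deny Write present for the anonymous account (matches the 'Deny Write only' observation)" }
}

Test-AnonWebAcl
```

Run it on each web site's root, not only the default one, because inherited ACEs from a custom parent folder are where the documented default most often stops being true.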


Anthony Yates

2006-07-12, 1:21 pm

Furthermore, the document says that Anon also requires the Logon Locally
right. However another document:
http://www.microsoft.com/technet/pr...e.mspx?mfr=true
explains that in IIS6 basic and anon authentication by default use the
NETWORK_CLEARTEXT method which does not require Logon Locally rights.
Any comments on that one?
Anthony



"Anthony Yates" <anthony.yates@nospam.com> wrote in message
news:%233lV49cpGHA.1440@TK2MSFTNGP03.phx.gbl...
> The documentation states that the IUSR account by default has Read,
> Execute NTFS permissions to the web site folders:
> http://support.microsoft.com/?kbid=812614
> I have done many default installations and it does not. It just has a Deny
> Write. Any comments? Is that just a straightforward documentation error?
> Anthony
>



David Wang [Msft]

2006-07-13, 1:23 am

Mixture of Documentation errors and "backwards compatibility" cruft.

This is how basic/anon authentication, network_cleartext, and "Logon
Locally" all fit together.

http://blogs.msdn.com/david.wang/ar...entication.aspx

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Anthony Yates" <anthony.yates@nospam.com> wrote in message
news:%237Ql$DdpGHA.1140@TK2MSFTNGP05.phx.gbl...
> Furthermore, the document says that Anon also requires the Logon Locally
> right. However another document:
> http://www.microsoft.com/technet/pr...e.mspx?mfr=true
> explains that in IIS6 basic and anon authentication by default use the
> NETWORK_CLEARTEXT method which does not require Logon Locally rights.
> Any comments on that one?
> Anthony
>
>
>
> "Anthony Yates" <anthony.yates@nospam.com> wrote in message
> news:%233lV49cpGHA.1440@TK2MSFTNGP03.phx.gbl...
>
>



Anthony

2006-07-13, 7:27 am

It's really quite an important documentation error. When something is not
working, I look to go back to the defaults. If the documentation about the
defaults is wrong, troubleshooting becomes much more difficult.
Anthony




"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:Obp6pXhpGHA.2256@TK2MSFTNGP03.phx.gbl...
> Mixture of Documentation errors and "backwards compatibility" cruft.
>
> This is how basic/anon authentication, network_cleartext, and "Logon
> Locally" all fit together.
>
> http://blogs.msdn.com/david.wang/ar...entication.aspx
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
>
> "Anthony Yates" <anthony.yates@nospam.com> wrote in message
> news:%237Ql$DdpGHA.1140@TK2MSFTNGP05.phx.gbl...
>
>



Ken Schaefer

2006-07-13, 7:27 am

That is not good about the documentation.

If you really want to be sure, I suppose you can check the secsetup.inf
security template that secedit uses to configure the NTFS permissions when
Windows Server 2003 is setup.

See:
http://support.microsoft.com/?kbid=313222

Cheers
Ken


"Anthony" <anthony.spam@spammedout.com> wrote in message
news:ehgfT0kpGHA.524@TK2MSFTNGP05.phx.gbl...
> It's really quite an important documentation error. When something is not
> working, I look to go back to the defaults. If the documentation about the
> defaults is wrong, troubleshooting becomes much more difficult.
> Anthony
>
>
>
>
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:Obp6pXhpGHA.2256@TK2MSFTNGP03.phx.gbl...
>
>



David Wang [Msft]

2006-07-13, 7:27 am

I do not think we ever definitively document what the "defaults" are because
it really depends with such a flexible system involved with IIS. Hence it is
sitting in a KB and not Technet/MSDN documentation.

I know how that KB's information came about - it is not definitive and
probably out of date already. It takes but one setup change to invalidate
the article, and people making those changes are often not aware of the KB
consequences.

The meaning of "default" can vary, depending on whether the system is
upgraded or clean installed, whether the machine is a DC or not, etc. The KB
only represents *one* working configuration; it definitely does not
represent the minimal/optimal configuration; it may not work for all
situations, and there may be other working configurations.

In other words, I don't bother returning to the defaults because it is not
guaranteed to make things work and hence cannot function the way you are
expecting and useless for troubleshooting.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Anthony" <anthony.spam@spammedout.com> wrote in message
news:ehgfT0kpGHA.524@TK2MSFTNGP05.phx.gbl...
> It's really quite an important documentation error. When something is not
> working, I look to go back to the defaults. If the documentation about the
> defaults is wrong, troubleshooting becomes much more difficult.
> Anthony
>
>
>
>
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:Obp6pXhpGHA.2256@TK2MSFTNGP03.phx.gbl...
>
>



Copyright 2003 - 2008 webservertalk.com