IIS Server Security - IUSR_ and IWAM_ with admin privileges

Nicee

2007-01-26, 1:18 pm

An application has been purchased that requires the IUSR_ and IWAM_ accounts
be placed in the local administrators group in order for the application to
work.

Could you please detail the security risks?
Ken Schaefer

2007-01-28, 7:21 am

It means that if someone can get your web application to do something
unintended (e.g. there is a bug in the application), then the attacker can
take control of your entire server.

Alternatively, if an attacker can get your IWAM or IUSR users to run some
code (e.g. by uploading a webpage, and then requesting it) then they have
full control over your server as well.

Cheers
Ken

"Nicee" <Nicee@discussions.microsoft.com> wrote in message
news:B15C5AC5-F71D-4124-8C15-767C8840A2D3@microsoft.com...
> An application has been purchased that requires the IUSR_ and IWAM_ accounts
> be placed in the local administrators group in order for the application to
> work.
>
> Could you please detail the security risks?


Roger Abell [MVP]

2007-01-29, 1:32 am


"Nicee" <Nicee@discussions.microsoft.com> wrote in message
news:B15C5AC5-F71D-4124-8C15-767C8840A2D3@microsoft.com...
> An application has been purchased that requires the IUSR_ and IWAM_ accounts
> be placed in the local administrators group in order for the application to
> work.
>
> Could you please detail the security risks?


Absurd. The risks are total for that machine, or
worse if installed on a DC (ex. SBS server).

I hope they did not ask for money in exchange !!
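
Added example, not part of the original thread: a PowerShell audit that flags IUSR_ or IWAM_ accounts sitting directly in the local Administrators group, the configuration the replies above warn about. The function names, the host name WEB01 and the sample member paths are constructed for illustration.

```powershell
# Added example (not from the thread). Flags IUSR_* / IWAM_* accounts that are
# direct members of the local Administrators group. Membership gained through
# a nested group is not expanded here.

function Get-LocalAdminMemberPath {
    # Resolve the group name from its well-known SID (S-1-5-32-544) so the
    # check also works on localized Windows installs.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        # Members come back as COM objects; read ADsPath via reflection.
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

function Find-IisAccountInAdmins {
    # Input: ADsPath strings such as WinNT://WORKGROUP/WEB01/IUSR_WEB01
    param([string[]]$AdsPath)
    foreach ($p in $AdsPath) {
        $account = ($p -split '/')[-1]
        # -match is case-insensitive, so iusr_web01 is caught as well.
        if ($account -match '^(IUSR|IWAM)_') {
            New-Object PSObject -Property @{
                Account = $account
                AdsPath = $p
                Finding = 'IIS anonymous/out-of-process identity has local admin rights'
            }
        }
    }
}

# Constructed sample input (hypothetical host WEB01), so the logic runs offline.
$sample = @(
    'WinNT://WORKGROUP/WEB01/Administrator',
    'WinNT://WORKGROUP/WEB01/IUSR_WEB01',
    'WinNT://WORKGROUP/WEB01/IWAM_WEB01',
    'WinNT://CORP/Domain Admins'
)
Find-IisAccountInAdmins -AdsPath $sample | Format-Table Account, AdsPath -AutoSize

# On a live server, audit the real group instead:
# Find-IisAccountInAdmins -AdsPath (Get-LocalAdminMemberPath)
```

Any row returned means code running as the anonymous or out-of-process web identity runs with full administrative rights on that machine.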

