IIS Server Security - Is it dangerous to use a local administrator account for anonymous access to a secure


Author: Paulaner

2007-04-16, 1:21 pm


We have a web application that uses ASP pages and JavaScript to
display information to users. We want the data to be secure, so the
login page will redirect http:// users from port 80 to https:// on
port 443. We prompt for a username and a password, then use an ISAPI
filter to authenticate them with our database.

The service team got a report about some trouble with this website, so
they changed the anonymous account logon from IUSR_computername to a
local user account in the administrators group. This has fixed their
problem, but I am concerned that they just opened a security hole.

The only reference to this issue I can find in TechNet is this
comment: "If you use an account other than IUSR_computername for
anonymous access, choose the rights you assign to it very carefully."
from http://msdn2.microsoft.com/en-us/library/ms951775.aspx

Can anyone point me to some documentation that says "don't do this",
or give me some sufficient ammunition to convince them to undo this
action and appropriately repair the root cause of their issue?
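
An audit for the configuration described in the post, as an added example that is not part of the original thread: it lists the anonymous-access identity of each site and flags any that is a member of the local Administrators group. It assumes IIS 7 or later with the WebAdministration module and PowerShell 5.1 or later, not the IIS version the poster was running; the function names are hypothetical.

```powershell
# Added example (not from the thread). Assumes IIS 7+ with the WebAdministration
# module and PowerShell 5.1+ (Get-LocalGroupMember). Run from an elevated prompt.
Import-Module WebAdministration

$Filter = 'system.webServer/security/authentication/anonymousAuthentication'

# Hypothetical helper: the provider returns either a raw value or an
# attribute object carrying .Value, depending on the attribute.
function Get-AnonAuthAttribute {
    param([string]$PSPath, [string]$Name)
    $p = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($p -is [string] -or $p -is [bool]) { $p } else { $p.Value }
}

function Get-AnonymousAdminFinding {
    # Members of BUILTIN\Administrators (well-known SID S-1-5-32-544).
    # Nested groups are not expanded, and only the short account name is
    # compared, so confirm any hit against the full DOMAIN\name.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { ($_.Name -split '\\')[-1].ToLowerInvariant() }

    foreach ($site in Get-Website) {
        $path    = "IIS:\Sites\$($site.Name)"
        $enabled = Get-AnonAuthAttribute -PSPath $path -Name 'enabled'
        $user    = [string](Get-AnonAuthAttribute -PSPath $path -Name 'userName')

        # An empty userName means anonymous requests run as the
        # application pool identity rather than a named account.
        $short = ($user -split '\\')[-1].ToLowerInvariant()

        [pscustomobject]@{
            Site             = $site.Name
            AnonymousEnabled = [bool]$enabled
            AnonymousUser    = if ($user) { $user } else { '(application pool identity)' }
            InAdministrators = [bool]($user -and ($admins -contains $short))
        }
    }
}

# Show only the sites where every unauthenticated request runs as an administrator.
Get-AnonymousAdminFinding |
    Where-Object { $_.AnonymousEnabled -and $_.InAdministrators } |
    Format-Table -AutoSize
```

The check covers site-level settings only; anonymous authentication overridden on an individual application or virtual directory needs the same query against that path.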

Copyright 2003 - 2008 webservertalk.com