IUSR_<machine_name> Default Group Membership
From: Richard Bellamy (rbellamy@XMLSWEB.COM)Date: 11/10/01
- Previous message: Lester, Don: "URLScan Update"
- Next in thread: Eivaz, Ray: "Re: IUSR_<machine_name> Default Group Membership"
- Reply: Eivaz, Ray: "Re: IUSR_<machine_name> Default Group Membership"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <005b01c1699c$40d9ba30$671dd7cf@xmlsweb.com> Date: Fri, 9 Nov 2001 20:00:36 -0800 From: Richard Bellamy <rbellamy@XMLSWEB.COM> Subject: IUSR_<machine_name> Default Group Membership To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
When Windows 2000 first came out, I attempted, through Restricted Groups
membership, and GPO's, to lock down my member servers in a way I thought
appropriate. When the GPO was applied, it slowly disabled the ability
for my IIS servers to function. come to find out, I had restricted
membership to the Users Local group, and by removing the INTERACTIVE,
and Authenticate Users I caused IIS to fail to load Objects in a
Server.CreateObject call.
I've been looking everywhere for an explanation of the Default Group
membership of the IUSR account in an install of IIS 5.0.
1. Domain Controller:
A. Domain Users
B. Guests
2. Member Server:
A. Guests
However, within the member server, the Local\Users group has the
following membership:
A. NT AUTHORITY\Authenticated Users
B. NT AUTHORITY\INTERACTIVE
C. DOMAIN\Domain Users
So. if I'm not mistaken, this then means that the IUSR_<machine_name>
account which is installed on a Domain Controller then has normal users
rights on a member server, because it is technically an "Authenticated
User". Maybe I'm missing something here. perhaps I don't understand the
ramifications of the membership of the Domain-level IUSR account
belonging to the Guests group, as well as the Domain Users group.
My question is: Why does IIS require that IUSR belong to the Domain
Users group when installed on a Domain Controller?
G. Richard Bellamy
Office: 707-887-1830
<Mailto:rbellamy@xmlsweb.com>
<Mailto:richardbellamy@homeseekers.com>
"Welcome to Open Fire"
============================================================================
Delivery co-sponsored by Trend Micro, Inc.
============================================================================
BEST-OF-BREED ANTIVIRUS SOLUTION FOR MICROSOFT EXCHANGE 2000
Earn 5% rebate on licenses purchased for Trend Micro ScanMail for
Microsoft Exchange 2000 between October 1 and November 16. ScanMail
ensures 100% scanning of inbound and outbound traffic and provides
remote software management. For program details or to download your
30-day FREE evaluation copy:
http://www.antivirus.com/banners/tracking.asp?si=53&bi=245&ul=http://www.a
ntivirus.com/smex2000_rebate
- Previous message: Lester, Don: "URLScan Update"
- Next in thread: Eivaz, Ray: "Re: IUSR_<machine_name> Default Group Membership"
- Reply: Eivaz, Ray: "Re: IUSR_<machine_name> Default Group Membership"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
