IUSR_<machine_name> Default Group Membership

From: Richard Bellamy (rbellamy@XMLSWEB.COM)
Date: 11/10/01


Message-ID:  <005b01c1699c$40d9ba30$671dd7cf@xmlsweb.com>
Date:         Fri, 9 Nov 2001 20:00:36 -0800
From: Richard Bellamy <rbellamy@XMLSWEB.COM>
Subject:      IUSR_<machine_name> Default Group Membership
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

When Windows 2000 first came out, I attempted, through Restricted Groups
membership and GPOs, to lock down my member servers in a way I thought
appropriate. When the GPO was applied, it slowly disabled the ability
for my IIS servers to function. Come to find out, I had restricted
membership to the Users Local group, and by removing the INTERACTIVE
and Authenticated Users, I caused IIS to fail to load Objects in a
Server.CreateObject call.

I've been looking everywhere for an explanation of the Default Group
membership of the IUSR account in an install of IIS 5.0.

1. Domain Controller:
        A. Domain Users
        B. Guests

2. Member Server:
        A. Guests

However, within the member server, the Local\Users group has the
following membership:
        A. NT AUTHORITY\Authenticated Users
        B. NT AUTHORITY\INTERACTIVE
        C. DOMAIN\Domain Users

So, if I'm not mistaken, this then means that the IUSR_<machine_name>
account which is installed on a Domain Controller then has normal user
rights on a member server, because it is technically an "Authenticated
User". Maybe I'm missing something here. Perhaps I don't understand the
ramifications of the membership of the Domain-level IUSR account
belonging to the Guests group, as well as the Domain Users group.

My question is: Why does IIS require that IUSR belong to the Domain
Users group when installed on a Domain Controller?

G. Richard Bellamy
Office: 707-887-1830
<Mailto:rbellamy@xmlsweb.com>
<Mailto:richardbellamy@homeseekers.com>
"Welcome to Open Fire"
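
The membership chain the message reasons about, as an added example that is not part of the original post: a simplified Python model that resolves which entries of the member server's local Users group pull each IUSR account in, before and after the Restricted Groups change. The names DOMAIN, MEMBER, IUSR_DC and IUSR_MEMBER are placeholders, and the model assumes that every non-anonymous logon carries Authenticated Users and that IIS logs its own anonymous account on interactively.

```python
AUTH = r"NT AUTHORITY\Authenticated Users"
INTERACTIVE = r"NT AUTHORITY\INTERACTIVE"
DOMAIN_USERS = r"DOMAIN\Domain Users"
USERS = r"MEMBER\Users"

# Explicit memberships as listed in the post (account names are placeholders).
EXPLICIT = {
    r"DOMAIN\IUSR_DC": {DOMAIN_USERS, r"DOMAIN\Guests"},  # IIS on a domain controller
    r"MEMBER\IUSR_MEMBER": {r"MEMBER\Guests"},            # IIS on a member server
}

# Local Users on the member server: default contents, and contents after
# Restricted Groups removed INTERACTIVE and Authenticated Users.
DEFAULT = {USERS: {AUTH, INTERACTIVE, DOMAIN_USERS}}
RESTRICTED = {USERS: {DOMAIN_USERS}}


def token(account, interactive, local_groups):
    """Identities the member server would place in the account's token (simplified)."""
    # Assumption: any authenticated, non-anonymous logon carries AUTH.
    ids = {account, AUTH} | EXPLICIT[account]
    if interactive:
        ids.add(INTERACTIVE)
    changed = True
    while changed:  # resolve nested local groups until nothing new is added
        changed = False
        for group, members in local_groups.items():
            if group not in ids and members & ids:
                ids.add(group)
                changed = True
    return ids


def grants(account, interactive, group, local_groups):
    """Entries of `group` that make the account a member (empty set: not a member)."""
    return local_groups[group] & token(account, interactive, local_groups)


if __name__ == "__main__":
    cases = [(r"DOMAIN\IUSR_DC", False), (r"MEMBER\IUSR_MEMBER", True)]
    for label, groups in (("default", DEFAULT), ("restricted", RESTRICTED)):
        for account, interactive in cases:
            via = sorted(grants(account, interactive, USERS, groups))
            print(f"{label:10} {account:20} in Users via: {via or 'nothing'}")
```

In this model the restricted configuration leaves the server's own IUSR account outside Users while the domain-level account still arrives through Domain Users.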