Re: IUSR_<machine_name> Default Group Membership
From: Eivaz, Ray (Ray_Eivaz@INTUIT.COM)
Date: 11/21/01
Message-ID: <419D2EB7B461D411A53B00508B69181D03E3B09A@sdex02.sd.intuit.com>
Date: Wed, 21 Nov 2001 08:23:18 -0800
From: "Eivaz, Ray" <Ray_Eivaz@INTUIT.COM>
Subject: Re: IUSR_<machine_name> Default Group Membership
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Richard,

I have had a similar problem when I used a different user name for the IUSR
and IWAM accounts.
I had no luck from Microsoft until I found a workaround that does not require
local\users to contain domain\users.
You will still need to have NT AUTHORITY\Authenticated Users and NT
AUTHORITY\INTERACTIVE within the local\users group.

Here is what you need to do:
1. Stop IIS.
2. Verify that the local Users group contains:
   1. Authenticated Users (NT Authority\Authenticated Users)
   2. INTERACTIVE (NT Authority\INTERACTIVE)
3. Set the default IIS/IWAM anonymous account password. (You will need
   this later.)
4. Change the metabase settings:
   a. adsutil set w3svc/AnonymousUserName "XXXXXXXX" - replace the x's with the IIS user name!
   b. adsutil set w3svc/AnonymousUserPass "XXXXXX" - replace the x's with the IIS user password!
   c. adsutil set w3svc/WAMUserName "XXXXXX" - replace the x's with the IWAM user name!
   d. adsutil set w3svc/WAMUserPass "XXXXXX" - replace the x's with the IWAM user password!
   e. synciwam.vbs -v (this will sync the IWAM account)
5. Go to Start > Run > "dcomcnfg" and press Enter.
   - Go to the "Default Security" tab, and under "Default Launch
     Permissions", choose "Edit Default".
   - Add yourDomain/IUSR account (or the group that contains it) with
     launch permissions. Apply the changes.
6. Go to Internet Service Manager, right-click the default website, and
   choose Properties > Directory Security. Edit "Anonymous access and
   authentication control".
   Edit the "anonymous access" tab, and ensure that your domain/IUSR is
   the anonymous user and that "allow IIS to control the password" is
   not selected; apply. Enter the password, and apply changes.
7. Ensure that the Domain/IUSR account has rights or belongs to a group
   that has rights to:
   Logon Locally, Bypass Traverse Checking (if you have modified the
   security), Access this computer from the network, and logon as a batch
   file.
8. Start IIS (may have to reboot):
   Start > Run > iisreset /start
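
A read-only check of steps 2 and 4 above, added here as an example; it is not part of the original message. It assumes adsutil.vbs sits in the default IIS 5 AdminScripts folder and that the built-in principals carry their English names.

```batch
@echo off
rem Added example: verifies group membership (step 2) and reads back the
rem account names written to the metabase (step 4). It changes nothing.
setlocal

rem ASSUMPTION: default IIS 5 location of adsutil.vbs; adjust if it was moved.
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set FAIL=0

rem Step 2: the local Users group must list both NT AUTHORITY principals.
rem ASSUMPTION: English principal names; localized systems use other names.
for %%P in ("Authenticated Users" "INTERACTIVE") do (
    net localgroup Users | findstr /i /l /c:%%P >nul
    if errorlevel 1 (
        echo MISSING from local Users group: %%~P
        set FAIL=1
    ) else (
        echo OK: local Users group contains %%~P
    )
)

rem Step 4: print the anonymous and WAM account names stored in the metabase
rem so they can be compared with the accounts that were intended.
rem The password properties are deliberately not queried.
if not exist "%ADSUTIL%" (
    echo adsutil.vbs not found at %ADSUTIL%
    set FAIL=1
    goto done
)
for %%K in (AnonymousUserName WAMUserName) do (
    cscript //nologo "%ADSUTIL%" get w3svc/%%K
)

:done
rem Non-zero exit code means at least one check did not pass.
exit /b %FAIL%
```

Run it from a command prompt as an administrator after step 4 and before restarting IIS in the last step.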