RE: IUSR_computername, IWAM_computername rights

From: Jean-Pierre Harvey (jean-pierre.harvey@edivision.com.au)
Date: 07/25/01 

Message-ID: <81200F7AD624D4118A9000508B8BBD2C487CBC@edivex001.edivision.com.au>
From: Jean-Pierre Harvey <jean-pierre.harvey@edivision.com.au>
To: 'Art Norman' <art_norman@altavista.com>, focus-ms@securityfocus.com
Subject: RE: IUSR_computername, IWAM_computername rights
Date: Wed, 25 Jul 2001 11:27:38 +1000

The easiest way to find out which files the IUSR_computername account needs
is to turn on full filesystem auditing for that user, and look in the
security log. It will be different depending on how many features of IIS you
are using.

From memory the account only needs read access to the web directories and a
couple of dlls in the \system32\inetsrv directory if you are only doing .asp
serving.

JP

-----Original Message-----
From: Art Norman [mailto:art_norman@altavista.com]
Sent: Tuesday, July 24, 2001 6:47 AM
To: focus-ms@securityfocus.com
Subject: IUSR_computername, IWAM_computername rights

Hi,

I'm fighting bastion host with IIS 5.

What exactly NTFS rights should have IUSR_computername, IWAM_computername?
What rights should be asigned to COM+ Web application user (Administrative
Tools>Component Services>My Computer>Com+ Applications>My
Application>Properties>Identity) on IIS 5 server?

I've started by disabling users rights to Winnt directory. Only System and
Administrator are left.
Then I've started to asign rights to IUSR_computername, IWAM_computername
according to Microsoft and other recommendations. Microsoft has quite brief
paper about that. Are there around any papers regarding these users
permisions? I could add permissions to winnt, system32, Program Files for
IUSR_computername, IWAM_computername, my user. Then I should allow these
users to logon from network ......

But the question is how to know exactly what rights for every user should be
asigned? How to keep these users at minimum level of permisions?

Art

Find the best deals on the web at AltaVista Shopping!
http://www.shopping.altavista.com

Relevant Pages

  • Re: IIS 5.0 - Create Server Certificate Wizard
    ... "sgm" wrote: ... I have admin rights to my machine. ... >>> Jason Brown ... >>> Microsoft GTSC, IIS ...
    (microsoft.public.inetserver.iis.security)
  • Re: Make IIS 5.0 recognize NTFS Permissions??
    ... I've played with the IIS ... The rights on the ... Configure IIS 5.0 Web Site Authentication in Windows 2000 ...
    (microsoft.public.inetserver.iis)
  • Re: Traverse rights - yet can read files. Help?
    ... I'm not an NTFS ACL expert, but this definitely is not an IIS security ... You need to ask this in a core Windows Security group about how NT ... This posting is provided "AS IS" with no warranties, and confers no rights. ...
    (microsoft.public.inetserver.iis.security)
  • Re: web cam?
    ... This posting is provided "AS IS" with no warranties, and confers no rights. ... I'll just have to camera take incremental> shots, store the images in a directory, and set-up an IIS web pointing to> the folder so I can see them. ... >> Jason Brown ...
    (microsoft.public.inetserver.asp.general)
  • Re: IIS rights without being administrator
    ... person or group administrative rights on that object. ... > provide some of web/apps developers I work with the ability to ... > MMC with the IIS Admin snap-in, but, when they expand it to, they are ...
    (microsoft.public.windows.server.general)