Re: Removing IUSR_computername rights on IIS5
From: Bronek Kozicki (brok@rubikon.pl)Date: 07/25/01
Message-ID: <003a01c114db$b9ab9e30$c503a8c0@waw.getin.pl>
From: "Bronek Kozicki" <brok@rubikon.pl>
To: <focus-ms@securityfocus.com>, "Art Norman" <art_norman@altavista.com>
Subject: Re: Removing IUSR_computername rights on IIS5
Date: Wed, 25 Jul 2001 09:30:48 +0200
> Hi Eric,
>
> Thanks for reply. I know about NSA papers.
>
> Workaround on p. 32 looks strange. Ok, I could replace the anonymous account with
> new one. But, this new one still must have access from network right to work properly.
>
> What about IWAM_computername account?
IWAM_computername is necessary to run IIS COM+ applications. In order _not_
to run web sites inside inetinfo.exe (which uses the LocalSystem account) you
may (and definitely should) set "application protection level" to "medium"
or "high". Medium (pooled) application protection will cause the web site to
run in a shared dllhost.exe process, namely the COM+ application "IIS
Out-Of-Process Pooled Application". This process runs under the
IWAM_computername account (which is much safer than LocalSystem used by
inetinfo.exe). COM+, in order to start a process under any account, needs to
log the user on to the machine somehow, and it uses the "logon as batch job"
logon type. That's why IWAM_.... needs this privilege. If you set your app.
protection to "High" you will just create an additional COM+ app., running
under the same account. It's good practice to set each such application to
run under another (specific) account, but this logon type is required anyway
by COM+ to start the application.
Regards
B.
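
Added example, not part of the original message: a Python check that reads a `secedit /export` INF and a table of IIS 5 `AppIsolated` values, then reports applications still running inside inetinfo.exe and out-of-process applications whose COM+ identity lacks the "log on as a batch job" right (`SeBatchLogonRight`). The account name `IWAM_WEB01`, the application paths and both sample inputs are constructed, and the script assumes the export lists local accounts by name.

```python
import configparser

# Constructed sample in the INF layout written by `secedit /export`.
# Assumption: local accounts are exported by name, not as *S-1-5-... SIDs.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,IUSR_WEB01,IWAM_WEB01
SeBatchLogonRight = *S-1-5-32-544
"""

# Constructed AppIsolated values per application (hypothetical paths).
# IIS 5 metabase: 0 = low (in-process), 1 = high (isolated), 2 = medium (pooled).
SAMPLE_APPS = {"W3SVC/1/Root": 2, "W3SVC/1/Root/shop": 1, "W3SVC/2/Root": 0}

HOST = {0: "inetinfo.exe (LocalSystem)",
        1: "dedicated dllhost.exe (COM+ identity)",
        2: "pooled dllhost.exe (COM+ identity)"}


def parse_rights(inf_text):
    """Return {right: set of lower-cased account names or SIDs}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of right names such as SeBatchLogonRight
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {a.strip().lower() for a in value.split(",") if a.strip()}
            for right, value in cp.items("Privilege Rights")}


def audit(apps, rights, com_identity):
    """Return findings for in-process apps and a missing batch logon right."""
    findings = []
    can_batch = com_identity.lower() in rights.get("SeBatchLogonRight", set())
    for path, level in sorted(apps.items()):
        if level == 0:
            findings.append(f"{path}: runs in {HOST[0]}; raise protection to medium or high")
        elif not can_batch:
            findings.append(f"{path}: {HOST[level]} needs SeBatchLogonRight for {com_identity}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_APPS, parse_rights(SAMPLE_INF), "IWAM_WEB01"):
        print(line)
```

Where each isolated application has been given its own account, call `audit` once per account with only the applications that run under it.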