Re: Removing IUSR_computername rights on IIS5

From: Bronek Kozicki (brok@rubikon.pl)
Date: 07/25/01


Message-ID: <003a01c114db$b9ab9e30$c503a8c0@waw.getin.pl>
From: "Bronek Kozicki" <brok@rubikon.pl>
To: <focus-ms@securityfocus.com>, "Art Norman" <art_norman@altavista.com>
Subject: Re: Removing IUSR_computername rights on IIS5
Date: Wed, 25 Jul 2001 09:30:48 +0200


> Hi Eric,
>
> Thanks for the reply. I know about the NSA papers.
>
> The workaround on p. 32 looks strange. Ok, I could replace the anonymous
> account with a new one. But this new one still must have the access from
> network right to work properly.
>
> What about the IWAM_computername account?

IWAM_computername is necessary to run IIS COM+ applications. In order _not_
to run web sites inside inetinfo.exe (which uses the LocalSystem account) you
may (and definitely should) set the "application protection level" to "medium"
or "high". Medium (pooled) application protection will cause the web site to
run in a shared dllhost.exe process, namely the COM+ application "IIS
Out-Of-Process Pooled Application". This process runs under the
IWAM_computername account (which is much safer than the LocalSystem used by
inetinfo.exe). Because COM+, in order to start a process under any account,
needs to log the user on to the machine somehow, it uses the "log on as a
batch job" logon type. That's why IWAM_.... needs this privilege. If you set
your application protection to "High" you will just create an additional COM+
application, running under the same account. It's good practice to set each
such application to run under a different (specific) account, but this logon
type is required anyway by COM+ to start the application.

Regards

B.
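The check a practitioner would want after reading the reply above, as an added example that is not part of the original mailing-list message: export the local user-rights policy with secedit and confirm that "Log on as a batch job" (SeBatchLogonRight) is held by the IWAM_ account that COM+ starts dllhost.exe under, and not by the IUSR_ anonymous account. The host name "WEB01", the account names and the sample .inf content are constructed for the example; the secedit and adsutil.vbs invocations in the comments are real tools, but the AdminScripts path is the default install location and is an assumption.

```powershell
# Added example (not from the original post). Parses a secedit export and
# reports who holds SeBatchLogonRight, the right the reply says COM+ needs
# to start the out-of-process IIS application under IWAM_<computername>.

function Get-BatchLogonHolders {
    param([string[]]$InfLines)   # lines of a "secedit /export" .inf file
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^\s*SeBatchLogonRight\s*=\s*(.*)$') {
            # Values are comma separated; well-known accounts appear as *SID
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()
}

function Test-BatchLogonPolicy {
    param([string[]]$Holders, [string]$ComputerName)
    $iwam = "IWAM_$ComputerName"
    $iusr = "IUSR_$ComputerName"
    [pscustomobject]@{
        IwamHasRight = [bool]($Holders -contains $iwam)   # expected: True
        IusrHasRight = [bool]($Holders -contains $iusr)   # expected: False
        OtherHolders = @($Holders | Where-Object { $_ -ne $iwam -and $_ -ne $iusr })
    }
}

# Constructed sample of the relevant part of a secedit export (assumed host WEB01).
# Here IUSR_WEB01 has been granted the right as well, which the check should flag.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,IWAM_WEB01,IUSR_WEB01
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$holders = Get-BatchLogonHolders -InfLines $sampleInf
$report  = Test-BatchLogonPolicy -Holders $holders -ComputerName 'WEB01'
$report | Format-List

if (-not $report.IwamHasRight) { Write-Warning 'IWAM_ lacks SeBatchLogonRight; out-of-process apps will fail to start' }
if ($report.IusrHasRight)      { Write-Warning 'IUSR_ holds SeBatchLogonRight; the anonymous account does not need it' }

# Live use on the IIS 5 host (run as an administrator):
#   secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS
#   Test-BatchLogonPolicy -Holders (Get-BatchLogonHolders (Get-Content C:\temp\rights.inf)) -ComputerName $env:COMPUTERNAME
#
# To confirm a site is not running inside inetinfo.exe, read its AppIsolated
# metabase property (0 = low/in-process, 1 = high/isolated, 2 = medium/pooled):
#   cscript C:\Inetpub\AdminScripts\adsutil.vbs GET W3SVC/1/ROOT/AppIsolated
```

The parser stops at the first SeBatchLogonRight line inside [Privilege Rights], which is how secedit writes the section; accounts listed as `*S-1-...` are SIDs and are reported unchanged in OtherHolders so that an unexpected grant to, say, Everyone is visible rather than hidden behind a name lookup.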


