RE: IIS Security

In the vein of least privileges, a very useful tool for tracking and
fixing LUA (Least User Access) issues is "LUA Buglight", available from
this page:
or directly from:

I've found this to be more helpful in this context than the
SysInternals tools, though they are wonderful as well.


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of k levinson
Sent: Friday, October 27, 2006 5:38 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: IIS Security

The specific reason is "least privilege," which is an
industry standard best practice. Unless the
application needs to create or manage accounts, it
does not need to be a local Administrator.

Everything else the application needs to be able to do
are permissions that can be granted to a regular
non-Administrator user. The main reason for granting
Administrator privileges to accounts that don't need
to administer other accounts is because the person is
too lazy or too ill-informed to determine the
permissions that are really needed.

If someone compromises your application
somehow, do you really want them to automatically be
able to use the permissions gained to create accounts
and otherwise have total control over everything on
the compromised system?

People typically use the Filemon, Regmon and sometimes
Process Explorer utilities free from while running the application
without admin privileges to determine what files,
registry values and other privileges are lacking. Or,
Microsoft also makes the free Application
Compatibility Toolkit for the same purpose, for
Windows XP and newer.

The last link below has a long list of reasons of
advantages of least privilege:


Karl Levinson, CISSP, MCSE

From: focus-ms-return-9489@xxxxxxxxxxxxxxxxx
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: IIS Security

We've a vertical package that includes a web based
portal. (quite common for many Enterprise packages)

The problem lies in some of the requirements that the
company puts on running this portal.

The major one is that of adding the IUSR_machinename
account to the local admin group.
I know this is horrible, but need specific reasons why
this shouldn't be done so that I can bring it to my
boss and get it fixed.

Check out the New Yahoo! Mail - Fire up a more powerful email and get
things done faster.



Relevant Pages

  • Re: Implementing privileges
    ... bank accounts, ... is nearly finished but I'm having some trouble in managing privileges. ... If the rules and policies of privilege are inherently dynamic and likely to change frequently over time, you would probably be better off keeping them out of the DBMS. ... The R1 and R3 relationships then only need to be instantiated once in the DBMS when a UserAccount or FinancialAccount is added rather than every time they are accessed by an application. ...
  • Re: How to turn linux into VMS - memory refresher for Dave ...
    ... If OpenVMS were as popular ... I'm just not going to get my system manager to provide elevated privileges ... Windows, historically, runs for all users in fully privileged accounts. ... The lack of real error reporting & even ...
  • Re: CGI apps break after DCPROMO an IIS6 server
    ... This is one of those things different on a DC vs a member server in regards ... The "built in" accounts have the minimum and necessary privileges to run ... >privileges listed in F1-help of IIS Manager UI required ...
  • Re: IIS Security
    ... The main reason for granting ... Administrator privileges to accounts that don't need ... permissions that are really needed. ...
  • Re: Admin password change
    ... Our Domain Admin acc is only used by myself when I ... require the elevated privileges that it gives. ... backup) use specific service accounts. ... > The problem with using domain accounts (specially domain administrator ...