RE: IIS Security

In the vein of least privileges, a very useful tool for tracking and
fixing LUA (Least User Access) issues is "LUA Buglight", available from
this page:
or directly from:

I've found this to be more helpful in this context than the
SysInternals tools, though they are wonderful as well.


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of k levinson
Sent: Friday, October 27, 2006 5:38 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: IIS Security

The specific reason is "least privilege," which is an
industry standard best practice. Unless the
application needs to create or manage accounts, it
does not need to be a local Administrator.

Everything else the application needs to be able to do
consists of permissions that can be granted to a regular
non-Administrator user. The main reason for granting
Administrator privileges to accounts that don't need
to administer other accounts is that the person is
too lazy or too ill-informed to determine the
permissions that are really needed.

If someone compromises your application
somehow, do you really want them to automatically be
able to use the permissions gained to create accounts
and otherwise have total control over everything on
the compromised system?

People typically use the Filemon, Regmon and sometimes
Process Explorer utilities free from while running the application
without admin privileges to determine what files,
registry values and other privileges are lacking. Or,
Microsoft also makes the free Application
Compatibility Toolkit for the same purpose, for
Windows XP and newer.

The last link below has a long list of reasons of
advantages of least privilege:


Karl Levinson, CISSP, MCSE
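The procedure Karl describes (take the IIS anonymous account out of the local Administrators group, then grant only the file-system rights a trace shows the portal actually using) can be scripted. The script below is an added example and is not part of this thread or the poster's own tooling. It assumes the account follows the IUSR_machinename pattern from the original post, that the portal's content lives under a hypothetical C:\inetpub\wwwroot\portal, and that the placeholder list of writable subfolders is replaced with whatever your own Filemon/Process Monitor trace shows; it needs the LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and an elevated prompt.

```powershell
# Added example (not from the thread): remove the IIS anonymous account from the
# local Administrators group and grant only the NTFS rights the portal needs on
# its own content folder.
# Assumptions (hypothetical): account name IUSR_<COMPUTERNAME> as in the original
# post; portal content under C:\inetpub\wwwroot\portal.

$Account    = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"  # assumption: name pattern from the post
$PortalRoot = 'C:\inetpub\wwwroot\portal'                 # assumption: hypothetical content folder

function Test-IsLocalAdmin {
    param([string]$Name)
    # $true when the account is a direct member of the local Administrators group.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -ieq $Name })
}

function Remove-FromLocalAdmins {
    param([string]$Name)
    if (Test-IsLocalAdmin -Name $Name) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Name
        Write-Host "Removed $Name from Administrators"
    } else {
        Write-Host "$Name is not a member of Administrators; nothing to remove"
    }
}

function Grant-PortalRights {
    param([string]$Name, [string]$Root)
    # Read and execute on the whole tree (enough to serve pages); modify only on
    # the folders the trace showed the application writing to.
    # Placeholder list: replace with the folders from your own trace.
    $WritableSubfolders = @('App_Data', 'Logs')

    # (OI)(CI) = inherit to files and subfolders; RX = read and execute.
    icacls $Root /grant "${Name}:(OI)(CI)RX" /T | Out-Null
    foreach ($sub in $WritableSubfolders) {
        $path = Join-Path $Root $sub
        if (Test-Path $path) {
            # M = modify; deliberately not F (Full Control).
            icacls $path /grant "${Name}:(OI)(CI)M" | Out-Null
        }
    }
}

Remove-FromLocalAdmins -Name $Account
Grant-PortalRights -Name $Account -Root $PortalRoot

# Print the resulting ACL entries for the account so the change can be documented.
icacls $PortalRoot | Select-String -Pattern 'IUSR_'
```

Run it once the non-admin trace is complete, then re-run the application under the account and check the trace again: anything that still fails is a missing right to grant individually, not a reason to put the account back in Administrators.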

From: focus-ms-return-9489@xxxxxxxxxxxxxxxxx
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: IIS Security

We've a vertical package that includes a web based
portal. (quite common for many Enterprise packages)

The problem lies in some of the requirements that the
company puts on running this portal.

The major one is that of adding the IUSR_machinename
account to the local admin group.
I know this is horrible, but need specific reasons why
this shouldn't be done so that I can bring it to my
boss and get it fixed.
