Re: IIS6 - How? Force Anonymous and impersonation

From: Wade A. Hilmo [MS] (wadeh@microsoft.com)
Date: 03/26/03 

From: "Wade A. Hilmo [MS]" <wadeh@microsoft.com>
Date: Wed, 26 Mar 2003 13:40:26 -0800

Hi Tony,

I'm not sure what settings you are talking about, but IIS 6 works pretty
much just like IIS 5 with regard to impersonation.

If an anonymous request is made, IIS will impersonate the anonymous user
(which is IUSR_<machine> by default). If a request is authenticated, IIS
will impersonate the authenticated user.

In IIS 5, you would achieve your goal below by making sure that the content
is accessible only by the anonymous user or local system. In IIS 6, it's
the exact same thing, except that you would allow the anonymous user and the
IIS_WPG group. The change from local system to IIS_WPG is a result of the
fact that IIS 6 can run it's processes as any arbitrary user and not just
local system (and we require that such an arbitrary use be a member of that
group.)

I hope this information is helpful,
-Wade Hilmo,
-Microsoft

"Tony Su" <tonysu@su-networking.com> wrote in message
news:4ac601c2f3dc$78aa8130$a101280a@phx.gbl...
> On prior IIS, impersonation was standard and it was
> possible to force all Users to authenticate as anonymous.
>
> In IIS6, there are anonymous settings, but nothing that
> specifies "all are authenticated as Anonymous regardless
> whether the User is a member of the Domain" and I
> understand impersonation is disabled by default.
>
> Is there a SysAdmin way to implement the following:
>
> IIS authenticates any User as anonymous and impersonates
> the User with a specified User account which is not
> IUSER_machinename.
>
> Then, if that can be answered... optionally I'd be
> interested if someone can agree whether this would work...
> I'd like to encrypt the website files with a certificate
> belonging to the Account used for impersonation so that
> pages can be viewed without being prompted for credentials
> belonging to the impersonation account.
>
> The objective is to protect the files from being viewed or
> modified by any person who is able to login locally not
> using the impersonation account.
>
> TIA.
>
> Tony Su

Relevant Pages

  • Re: IIS 6.0 cgi process not running as same user as worker process?
    ... It warns that it's inteneded for IIS 4 &5... ... > elevate privileges (through impersonation), but any other code can only ... it is configurable to have IIS launch CGI as either ... This will make your CGIs launch as app pool identity. ...
    (microsoft.public.inetserver.iis)
  • Re: IIS 6.0 cgi process not running as same user as worker process?
    ... It warns that it's inteneded for IIS 4 &5... ... > elevate privileges (through impersonation), but any other code can only ... it is configurable to have IIS launch CGI as either ... This will make your CGIs launch as app pool identity. ...
    (microsoft.public.inetserver.iis.security)
  • Re: IIS6 - How? Force Anonymous and impersonation
    ... >I'm not sure what settings you are talking about, but IIS ... >much just like IIS 5 with regard to impersonation. ... >> possible to force all Users to authenticate as ... >> the User with a specified User account which is not ...
    (microsoft.public.inetserver.iis.security)
  • Re: IIS Folder and file security. Impersonation does not work.
    ... Custom URL navigation. ... First -- what you want to do does NOT need the impersonation DLL at all. ... Second -- you are muddling HTML and IIS concepts together and hoping for the ... Now, with IIS6, we have a custom authentication sample ISAPI that should ...
    (microsoft.public.inetserver.iis)
  • IIS6 - How? Force Anonymous and impersonation
    ... On prior IIS, impersonation was standard and it was ... possible to force all Users to authenticate as anonymous. ... belonging to the impersonation account. ...
    (microsoft.public.inetserver.iis.security)