Re: IIS6 - How? Force Anonymous and impersonation

From: Wade A. Hilmo [MS] (wadeh@microsoft.com)
Date: 03/27/03


From: "Wade A. Hilmo [MS]" <wadeh@microsoft.com>
Date: Wed, 26 Mar 2003 19:25:25 -0800


Hi Tony,

How hard core are you trying to be here? Generally, encrypt the files if you
want to protect them in the case where someone steals the hardware.

If you simply use an ACL to grant IIS_WPG and IUSR access to the files, you
would generally be fine. To get around the ACL, someone would have to move
the drive to a machine on which they are administrator, or install another
instance of the OS on your machine, etc. Certainly just logging on to your
console would not grant them access unless they either logged on using the
IUSR account or an account in the IIS_WPG group (or logged on as an
administrator, in which case they could add themselves to the ACL.)

I hope this information is helpful,
-Wade Hilmo,
-Microsoft

"Tony Su" <tonysu@su-networking.com> wrote in message
news:3fda01c2f3e4$f5f62ec0$a601280a@phx.gbl...
> Thank you... resolved my oversight. I had assigned the
> User but not the IIS_WPG NTFS permissions.
>
> Out of curiosity, am interested if you know of a method to
> deny access to a User who may be logged on interactively
> through Windows (not through IIS). I have not read any
> recommended method but came up with a "try" to encrypt the
> files using a certificate belonging to the impersonation
> account. Now, I'm wondering if I will have issues with the
> IIS_WPG group as well since members of that group need to
> be able to read (and maybe execute) those same files
> without being prompted.
>
> Tony Su
>
>
>
> >-----Original Message-----
> >Hi Tony,
> >
> >I'm not sure what settings you are talking about, but IIS 6 works pretty
> >much just like IIS 5 with regard to impersonation.
> >
> >If an anonymous request is made, IIS will impersonate the anonymous user
> >(which is IUSR_<machine> by default). If a request is authenticated, IIS
> >will impersonate the authenticated user.
> >
> >In IIS 5, you would achieve your goal below by making sure that the content
> >is accessible only by the anonymous user or local system. In IIS 6, it's
> >the exact same thing, except that you would allow the anonymous user and the
> >IIS_WPG group. The change from local system to IIS_WPG is a result of the
> >fact that IIS 6 can run its processes as any arbitrary user and not just
> >local system (and we require that such an arbitrary user be a member of that
> >group.)
> >
> >I hope this information is helpful,
> >-Wade Hilmo,
> >-Microsoft
> >
> >"Tony Su" <tonysu@su-networking.com> wrote in message
> >news:4ac601c2f3dc$78aa8130$a101280a@phx.gbl...
> >> On prior IIS, impersonation was standard and it was
> >> possible to force all Users to authenticate as anonymous.
> >>
> >> In IIS6, there are anonymous settings, but nothing that
> >> specifies "all are authenticated as Anonymous regardless
> >> whether the User is a member of the Domain" and I
> >> understand impersonation is disabled by default.
> >>
> >> Is there a SysAdmin way to implement the following:
> >>
> >> IIS authenticates any User as anonymous and impersonates
> >> the User with a specified User account which is not
> >> IUSER_machinename.
> >>
> >> Then, if that can be answered... optionally I'd be
> >> interested if someone can agree whether this would work...
> >> I'd like to encrypt the website files with a certificate
> >> belonging to the Account used for impersonation so that
> >> pages can be viewed without being prompted for credentials
> >> belonging to the impersonation account.
> >>
> >> The objective is to protect the files from being viewed or
> >> modified by any person who is able to login locally not
> >> using the impersonation account.
> >>
> >> TIA.
> >>
> >> Tony Su
> >
> >
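The ACL arrangement Wade describes (content readable only by the anonymous account and the IIS_WPG group, with Administrators kept for manageability), as an added worked example that is not part of the thread and not Microsoft's code. It assumes a hypothetical content path D:\wwwroot\app on a machine named WEB01 using the default IUSR_WEB01 anonymous account; change those to match your server, and run it from an elevated prompt.

```powershell
# Added example (not from the thread): lock an IIS 6 content directory so that
# only the anonymous account and the worker-process group can read it.
# Assumptions (hypothetical, adjust to your box): content lives in D:\wwwroot\app,
# the machine is WEB01, and the anonymous user is the default IUSR_WEB01.

$ContentPath   = 'D:\wwwroot\app'
$AnonymousUser = 'WEB01\IUSR_WEB01'   # or the custom anonymous account set in IIS Manager
$WorkerGroup   = 'BUILTIN\IIS_WPG'    # every IIS 6 worker-process identity must be a member
$Admins        = 'BUILTIN\Administrators'

$acl = Get-Acl -Path $ContentPath

# Stop inheriting from the parent so Users/Everyone grants on the volume root
# do not leak in. $false = do not copy the inherited ACEs into the explicit list.
$acl.SetAccessRuleProtection($true, $false)

# Drop every explicit ACE that is already there, then add only what IIS needs.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($rule)
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Read & Execute for the two identities IIS actually uses when serving the site.
foreach ($principal in @($AnonymousUser, $WorkerGroup)) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($principal, 'ReadAndExecute', $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}

# Administrators keep Full Control. As Wade notes, an admin could add themselves
# to the ACL anyway, so the ACL is not a defence against a local administrator.
$adminRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @($Admins, 'FullControl', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($adminRule)

Set-Acl -Path $ContentPath -AclObject $acl

# Verification: list every principal that still holds an Allow ACE on the
# directory and flag anything outside the expected set.
function Get-ContentGrantees {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

$expected   = @($AnonymousUser, $WorkerGroup, $Admins)
$unexpected = @(Get-ContentGrantees -Path $ContentPath | Where-Object { $expected -notcontains $_ })

if ($unexpected.Count -gt 0) {
    Write-Warning ("Unexpected grantees on {0}: {1}" -f $ContentPath, ($unexpected -join ', '))
} else {
    Write-Output ("Only {0} hold Allow ACEs on {1}" -f ($expected -join ', '), $ContentPath)
}
```

An interactive user who is not IUSR_WEB01, not in IIS_WPG and not an administrator now gets Access Denied on the directory, which is the case Tony asked about. It does nothing against someone who pulls the disk or installs a second OS and takes ownership, which is why Wade points at encryption for the stolen-hardware case; the thread does not settle how an EFS-encrypted tree would be shared with the IIS_WPG identities, so treat that part as unresolved.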