Re: IUSR_computername security question

From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 01/29/04


Date: Thu, 29 Jan 2004 18:06:25 +0800

Mm.. try filemon (sysinternals.com) to see what account is actually accessing
the file.

-- 
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...
"AspDotNetDeveloper" <aspdotnetdeveloper@hotmail.com> wrote in message
news:#BVgta23DHA.3436@tk2msftngp13.phx.gbl...
> Hi Bernard,
>
> I removed the IIS_WPG also, and was still able to access the web. I also
> restarted the machine, after making my security changes, and was still able
> to access the web from an account login I created specifically for testing
> access from an unauthenticated user on the LAN. Sometimes I've forgotten to
> check with a normal account, instead of my account that has Admin
> permissions.
>
> I'll keep testing different scenarios, and report back to the thread if I
> discover anything significant. Thanks for the input!
>
>
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:%23G33$6v3DHA.2404@TK2MSFTNGP12.phx.gbl...
> > I'm sure iusr belongs to one group that you had permission granted to it.
> > Do you see the IIS_WPG group?
> >
> > If yes, try removing this group and see if iusr can access without problem.
> >
> > -- 
> > Regards,
> > Bernard Cheah
> > http://support.microsoft.com/
> > Please respond to newsgroups only ...
> >
> >
> >
> > "AspDotNetDeveloper" <aspdotnetdeveloper@hotmail.com> wrote in message
> > news:#cKFZ3s3DHA.4060@TK2MSFTNGP11.phx.gbl...
> > > Hi Tom,
> > >
> > > That is interesting that you use Everyone, instead of the IUSR account. I've
> > > always read that doing so was less secure, but I'm not an NTFS security
> > > expert. I checked, and Everyone was not enabled, and I was still able to
> > > browse the web even after the IUSR account was removed. Again, the result
> > > was opposite when doing the same thing in IIS5. Weird! Being as IIS6 is
> > > supposed to be more secure by nature than IIS5, this strikes me as REALLY
> > > odd. I'll keep playing with it to see if I can find out why I am still able
> > > to access the web, even though NTFS should be denying access. Thanks for
> > > your input!
> > >
> > >
> > > "Tom Pepper Willett" <tompepper@mvps.org> wrote in message
> > > news:uQnGWBs3DHA.1428@TK2MSFTNGP12.phx.gbl...
> > > > John:  By default, the Everyone account should have read rights. This is
> > > > what we use on our Win2K servers, which is set up as local machine, and do
> > > > not use the IUSR account.  In fact, I was doing some research on the
> > > > internet, and found a few websites that said using the Everyone account in
> > > > lieu of the IUSR account was actually more secure.  True or not, I don't
> > > > know.  But, we've never used the IUSR account, FWIW.
> > > >
> > > > Tom
> > > > "AspDotNetDeveloper" <aspdotnetdeveloper@hotmail.com> wrote in message
> > > > news:ePnSZ9r3DHA.1504@TK2MSFTNGP12.phx.gbl...
> > > > > I don't think so, but I'll double check. Interestingly, I tried the same
> > > > > thing on a Win 2k IIS 5 server, and I was not able to access the website
> > > > > through a browser. Might be something to do with IIS6. I'll go check a few
> > > > > things, and respond afterwards...
> > > > >
> > > > > "Richie" <anonymous@discussions.microsoft.com> wrote in message
> > > > > news:093a01c3deb9$efa611a0$a501280a@phx.gbl...
> > > > > > Does 'everyone' have read rights as well?
> > > > > > >-----Original Message-----
> > > > > > >I've always understood that you need to have the
> > > > > > >IUSR_computername account setup with read access on the
> > > > > > >NTFS directory where you keep your website files.
> > > > > > >
> > > > > > >Is this correct?
> > > > > > >
> > > > > > >Reason I'm asking, is that I removed the account, and my
> > > > > > >IIS6 website still works just fine. I'm trying to tighten
> > > > > > >security, and was puzzled that the website still
> > > > > > >functioned after removing the IUSR_computername account
> > > > > > >in NTFS. I thought that the security model first went to
> > > > > > >IIS, then if that passed, then it went to NTFS, before
> > > > > > >allowing a visitor to see the web content.
> > > > > > >
> > > > > > >Please help clear up my confusion! Thanks!
> > > > > > >.
> > > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
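
The suggestion in this thread that the anonymous account may reach the files through a group entry, shown as an added example that is not part of the original posts: a simplified model of the NTFS DACL check, where every name in the caller's token is matched against the ACL. The account name `IUSR_WEB01`, the group memberships and the ACLs are constructed for illustration and are not taken from the poster's server.

```python
# Simplified model of the Windows DACL access check (added example).
# Access is decided by every SID in the caller's token, not only by the
# account's own entry. All names, memberships and ACLs here are constructed.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # account or group name standing in for a SID
    mask: int

def access_check(token, dacl, desired):
    """Walk ACEs in order; return (granted, trustees whose ACEs granted bits)."""
    remaining, granted_by = desired, []
    for ace in dacl:
        if ace.trustee not in token or not (ace.mask & remaining):
            continue                      # ACE does not apply to this caller/request
        if ace.kind == "deny":
            return False, []              # deny on a still-needed bit ends the check
        remaining &= ~ace.mask            # allow ACE satisfies some requested bits
        granted_by.append(ace.trustee)
        if remaining == 0:
            return True, granted_by
    return False, []                      # nothing granted everything: implicit deny

def explain(token, dacl, desired=READ):
    ok, via = access_check(token, dacl, desired)
    return "granted via " + ", ".join(via) if ok else "denied"

# Hypothetical token of the anonymous web account: its own name plus groups.
ANON_TOKEN = {"IUSR_WEB01", "Everyone", "Authenticated Users", "Users"}

ADMIN_ACES = [Ace("allow", "Administrators", READ | WRITE),
              Ace("allow", "SYSTEM", READ | WRITE)]

# Web root after the IUSR and IIS_WPG entries were removed, but with a
# broad group entry still present (constructed).
DACL_AFTER_REMOVAL = ADMIN_ACES + [Ace("allow", "Users", READ)]
# No entry matches any name in the anonymous token.
DACL_NO_GROUPS = list(ADMIN_ACES)
# Explicit deny for the account, listed first as in canonical ACE order.
DACL_DENY_FIRST = [Ace("deny", "IUSR_WEB01", READ)] + DACL_AFTER_REMOVAL

if __name__ == "__main__":
    for name in ("DACL_AFTER_REMOVAL", "DACL_NO_GROUPS", "DACL_DENY_FIRST"):
        print(name, "->", explain(ANON_TOKEN, globals()[name]))
```

The account that a file monitor such as Filemon reports for the access is the identity whose group memberships belong in the token when applying this reasoning to a real ACL.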

