Re: Why rename the IUSR account?

From: Tom Kaminski [MVP] ((A_at_T))
Date: 05/03/05


Date: Tue, 3 May 2005 12:09:51 -0400


"Ben" <Ben@nospam.example.com> wrote in message
news:OgaQOw%23TFHA.4092@TK2MSFTNGP12.phx.gbl...
> But, if the IUSR account has access _only_ to content that is publicly
> available to anonymous users (now, that is another question if the IUSR
> account is properly configured), it would not harm to not rename it, would
> it? I mean, if all the content is already available for everyone, there
> would be no reason to "hack" the account, because you will not gain access
> to any additional resources. (but of course a "hacked" account is never
> good)

As I said before ... "with any security measure, you have to decide how
relevant it is in your specific environment."

> Would it be better to disable the original IUSR account and create a new
> one (with least privileges, I'm trying to find a list of necessary
> permissions for the IUSR account to work)? As mentioned in the IIS Insider
> article.

http://support.microsoft.com/default.aspx/kb/812614

-- 
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

