The scope of Everyone, Auth Users and IUSR_Machine accounts

From: FB (FB_at_discussions.microsoft.com)
Date: 08/23/05


Date: Tue, 23 Aug 2005 11:50:19 -0700

I'm testing a web site hosted on a Win2003 machine with diverse content (asp,
htm, pdf, etc.) and I'm confused about certain concepts of authentication and
authorization access.

I have a folder with ZIPs and ASP pages and ONLY Anonymous access enabled.
I have made several tests, changing NTFS permissions (the IIS permission is
always Read) and the results were strange.

IUSR_ and the Users group have the Log On Locally right, and Let Everyone
Permissions Apply to Anonymous is at its default (Disabled).

If IUSR_Machine is the anonymous user, access has to be denied when ONLY
Everyone or Users is permitted on the ACLs. Is that right?

The tests I've made with RX permissions on the NTFS folder's ACL:

================================================================
ACL on folder   ACTION                              RESULT
================================================================
Everyone        Get zip file and process ASP page   OK and OK
Auth Users      Get zip file and process ASP page   OK and OK
IUSR_Machine    Get zip file and process ASP page   OK and OK
Users           Get zip file and process ASP page   OK and OK
ASPNET          Get zip file and process ASP page   401.3 and 401.5
SYSTEM only     Get zip file and process ASP page   401.3 and 401.5
================================================================

If the IUSR_Machine user is an anonymous user, why do we have normal access
with NTFS ACLs for Auth Users or Everyone? If the IUSR_Machine user is
accessing the web page, why can it access it even without proper NTFS
permissions?


