Re: Security templates and IUSR account log on locally

http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS_Security_Templates_and_Anonymous_Authentication.aspx

Your questions actually had non-causal assumptions. I clarified them in the
blog entry

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Anthony" <anthony.spam@xxxxxxxxxxxxxx> wrote in message
news:eSWWFlOnGHA.964@xxxxxxxxxxxxxxxxxxxxxxx
Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain. Everything
standard.

1) The Microsoft security guide for IIS6.0 says that the IUSR account
needs Log on Locally rights.
2) The Microsoft group policy Enterprise security template for Member
Servers removes this right. When the policy is applied, anonymous access
is broken.
3) The Member Server template is a baseline for all servers. You are
supposed to ADD a Web Server template on top for web servers.
4) The Security Policy guide specifies that if you apply the more
restrictive Limited Functionality template to Member Servers, then you
need to move the web server out of that OU so the policy is not applied.
By inference you don't do this for the standard Enterprise policy
template.
5) Question: do the policy templates contradict the security guide?
6) Question: I read somewhere that if you enable Basic authentication, you
no longer need the Log on Locally right for anon. Is that correct?
7) Question: I have enabled Advanced Digest authentication with the
UseDigestSSP property set in the metabase. This works fine. I read
something about this disabling subauthentication, and I recognise that
subauthentication is something to do with the way IIS handles the IUSR
account. Could it be that with Advanced Digest enabled, the IUSR account
no longer works unless it has Log on Locally rights?

Thanks very much,
Anthony



.

Relevant Pages

  • Re: Security templates and IUSR account log on locally
    ... You may also want to revisit the download for the W2k3 Security Guide as ... The Microsoft group policy Enterprise security template for Member ... The Member Server template is a baseline for all servers. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Security templates and IUSR account log on locally
    ... the Enterprise security template for Member Servers breaks IIS6 anon ... the guideline is to apply the member servers baseline policy and then the ... web servers policy. ... You may also want to revisit the download for the W2k3 Security Guide as ...
    (microsoft.public.inetserver.iis.security)
  • Security templates and IUSR account log on locally
    ... The Microsoft security guide for IIS6.0 says that the IUSR account needs ... The Microsoft group policy Enterprise security template for Member ... The Member Server template is a baseline for all servers. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Security templates and IUSR account log on locally
    ... the Enterprise security template for Member Servers breaks IIS6 anon ... the guideline is to apply the member servers baseline policy and then the ... web servers policy. ... You may also want to revisit the download for the W2k3 Security Guide as ...
    (microsoft.public.inetserver.iis.security)
  • Re: Applying Custom Security Templates with GPOs
    ... The template (and, therefore, policy) is not being ... privliges to apply the GPO. ... >servers need to reside in that OU or possibly a sub OU. ...
    (microsoft.public.win2000.security)