Re: Security templates and IUSR account log on locally

Hmm, weird newsgroup reader behavior. Don't remember sending this one
because it's not relevant to your question. :-) . The blog entry is all
about your question, though.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"David Wang [Msft]" <someone@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:OsmylDWnGHA.3436@xxxxxxxxxxxxxxxxxxxxxxx
Maybe you have a WebDAV link in your "My Network Places" special folder
(available from the Start Menu) to your webserver that the virus scanner
unknowningly traverses during scanning.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no
rights.
//

"Anthony" <anthony.spam@xxxxxxxxxxxxxx> wrote in message
news:eSWWFlOnGHA.964@xxxxxxxxxxxxxxxxxxxxxxx
Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain.
Everything standard.

1) The Microsoft security guide for IIS6.0 says that the IUSR account
needs Log on Locally rights.
2) The Microsoft group policy Enterprise security template for Member
Servers removes this right. When the policy is applied, anonymous access
is broken.
3) The Member Server template is a baseline for all servers. You are
supposed to ADD a Web Server template on top for web servers.
4) The Security Policy guide specifies that if you apply the more
restrictive Limited Functionality template to Member Servers, then you
need to move the web server out of that OU so the policy is not applied.
By inference you don't do this for the standard Enterprise policy
template.
5) Question: do the policy templates contradict the security guide?
6) Question: I read somewhere that if you enable Basic authentication,
you no longer need the Log on Locally right for anon. Is that correct?
7) Question: I have enabled Advanced Digest authentication with the
UseDigestSSP property set in the metabase. This works fine. I read
something about this disabling subauthentication, and I recognise that
subauthentication is something to do with the way IIS handles the IUSR
account. Could it be that with Advanced Digest enabled, the IUSR account
no longer works unless it has Log on Locally rights?

Thanks very much,
Anthony





.

Relevant Pages

  • Re: Security templates and IUSR account log on locally
    ... You may also want to revisit the download for the W2k3 Security Guide as ... The Microsoft group policy Enterprise security template for Member ... The Member Server template is a baseline for all servers. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Security templates and IUSR account log on locally
    ... the Enterprise security template for Member Servers breaks IIS6 anon ... the guideline is to apply the member servers baseline policy and then the ... web servers policy. ... You may also want to revisit the download for the W2k3 Security Guide as ...
    (microsoft.public.inetserver.iis.security)
  • Security templates and IUSR account log on locally
    ... The Microsoft security guide for IIS6.0 says that the IUSR account needs ... The Microsoft group policy Enterprise security template for Member ... The Member Server template is a baseline for all servers. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Security templates and IUSR account log on locally
    ... The Microsoft security guide for IIS6.0 says that the IUSR account ... The Microsoft group policy Enterprise security template for Member ... The Member Server template is a baseline for all servers. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Security templates and IUSR account log on locally
    ... the Enterprise security template for Member Servers breaks IIS6 anon ... the guideline is to apply the member servers baseline policy and then the ... web servers policy. ... You may also want to revisit the download for the W2k3 Security Guide as ...
    (microsoft.public.inetserver.iis.security)