Re: Security templates and IUSR account log on locally
Another strange aspect of the security templates. If you enable them for
member servers but not web servers, you can't connect from a member server
to a web server because of the Signing requirements. If you do enable the
template for web servers, anon authentication breaks.
Anthony


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eLH9ZD0nGHA.4124@xxxxxxxxxxxxxxxxxxxxxxx
Hi Anthony,

Thank you for your summation.

I am not so sure the route I outlined is the only resolution, but it is one
I have found of use. Alternatively one can let the machine local Users
group carry the load of granting local logon user right, and institute shop
standards/practices that minimize Users membership for example.

As you may have noticed, I was involved in edit review of the W2k3
guidance, and I am passing along your astute observations relative to
the discussions of the templates that future revision to the text might
be clarified.

Roger

"Anthony Yates" <anthony.yates@xxxxxxxxxx> wrote in message
news:urrtRtpnGHA.780@xxxxxxxxxxxxxxxxxxxxxxx
Thanks Roger and David for these replies.
My questions are exclusively about the default behaviour of IIS6 in a
Windows 2003 domain. It does seem that:
1) anon authentication requires the Log on Locally right for the IUSR
account, as the IIS guide says.
2) the Enterprise security template for Member Servers breaks IIS6 anon
authentication. The Windows 2003 Security Guide is wrong on this point,
as the guideline is to apply the member servers baseline policy and then
the web servers policy. It only says you can't do this for the Restricted
Functionality template:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch09.mspx#EAF.
Evidently you need to do the same for the Enterprise template as well.
The reason is obvious once you accept that 1) is correct.
3) Advanced Digest and Subauthentication is a red herring in this
context.
I can see that Roger's solution is the only way to control the Log on
Locally right for IUSR accounts in group policy.
Regards,
Anthony



"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OOI9rHfnGHA.1668@xxxxxxxxxxxxxxxxxxxxxxx
Anthony,

You may also want to revisit the download for the W2k3 Security Guide as
it had a minor revision posted to web 6/29, the main impact of which was
updates to the inf files, not to the doc text.

The issue with using the templates out-of-the-box for situations like the
one you outline is that there is no standard name that would be suited
for use, in this case, for the grant of Logon on locally user right.
I circumvent the problem by defining a practice that each IIS will have
standard named groups that collect all IUsr_ and all IWam_ accounts
defined on the IIS box. Then, at domain level I can use this to grant the
needed user rights, since by convention it will exist on each IIS box.

Roger
"Anthony" <anthony.spam@xxxxxxxxxxxxxx> wrote in message
news:eSWWFlOnGHA.964@xxxxxxxxxxxxxxxxxxxxxxx
Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain.
Everything standard.

1) The Microsoft security guide for IIS6.0 says that the IUSR account
needs Log on Locally rights.
2) The Microsoft group policy Enterprise security template for Member
Servers removes this right. When the policy is applied, anonymous
access is broken.
3) The Member Server template is a baseline for all servers. You are
supposed to ADD a Web Server template on top for web servers.
4) The Security Policy guide specifies that if you apply the more
restrictive Limited Functionality template to Member Servers, then you
need to move the web server out of that OU so the policy is not
applied. By inference you don't do this for the standard Enterprise
policy template.
5) Question: do the policy templates contradict the security guide?
6) Question: I read somewhere that if you enable Basic authentication,
you no longer need the Log on Locally right for anon. Is that correct?
7) Question: I have enabled Advanced Digest authentication with the
UseDigestSSP property set in the metabase. This works fine. I read
something about this disabling subauthentication, and I recognise that
subauthentication is something to do with the way IIS handles the IUSR
account. Could it be that with Advanced Digest enabled, the IUSR
account no longer works unless it has Log on Locally rights?

Thanks very much,
Anthony
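Roger's convention above (a standard-named local group on every IIS box that collects the IUSR_ and IWAM_ accounts, so a domain-level template can grant "Log on locally" to that one name) as an added PowerShell example; this is not code from the thread, and the group name IIS_AnonAccounts is an assumed placeholder.

```powershell
# Added example, not from the thread: apply the "standard-named local group" convention
# on one IIS box and verify the resulting user right. Group name is an assumed placeholder.
$GroupName = 'IIS_AnonAccounts'
$Computer  = [ADSI]"WinNT://$env:COMPUTERNAME"

# 1. Create the local group if it does not exist yet (same name on every IIS box).
$group = $Computer.Children | Where-Object {
    $_.SchemaClassName -eq 'Group' -and $_.Name -eq $GroupName }
if (-not $group) {
    $group = $Computer.Create('Group', $GroupName)
    $group.SetInfo()
    $group.Put('Description', 'IIS anonymous accounts (IUSR_/IWAM_); granted Log on locally by domain GPO')
    $group.SetInfo()
}

# 2. Collect every local IUSR_* and IWAM_* account into the group, skipping members already present.
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
$Computer.Children |
    Where-Object { $_.SchemaClassName -eq 'User' -and $_.Name -match '^(IUSR|IWAM)_' } |
    ForEach-Object {
        if ($members -notcontains $_.Name) { $group.Add($_.Path) }   # Path is WinNT://HOST/IUSR_HOST
    }

# 3. Verify the effective policy. The domain-level template only needs to name the group, e.g.
#       [Privilege Rights]
#       SeInteractiveLogonRight = *S-1-5-32-544,IIS_AnonAccounts
#    and it resolves on each box because the group exists there by convention.
$sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = (Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight' | Select-Object -First 1).Line
Remove-Item $cfg
# secedit writes members as *SID or as an account name, so accept either form.
if ($right -and ($right -match [regex]::Escape("*$sid") -or $right -match "\b$GroupName\b")) {
    "OK: $GroupName holds 'Log on locally'; IIS anonymous authentication can work."
} else {
    "MISSING: $GroupName is not in SeInteractiveLogonRight; anonymous access will fail once the template applies."
}
```

Run it on each IIS box before applying the Member Server template, then re-run after a gpupdate to confirm the domain-level grant reached the local group.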