Re: Disabled IIS Anonymous account
From: Steven L Umbach (n9rou_at_nsattbi.com)
Date: 08/16/03
Date: Sat, 16 Aug 2003 18:13:01 GMT
When a user goes to a website and has anonymous access, they actually
are authenticating with the IUSR_computername account. The anonymous logon
events you are seeing are probably normal system "null" connections that are
used by the browse service and other system network connections. A malicious
user can create null connections to enumerate your SAM users and group info,
but if your firewall is blocking NetBIOS/SMB ports from the internet, that
should not be a concern. If you do not need file and print sharing on that
machine, disabling/uninstalling it should reduce or eliminate those logons.
There is also a security option restricting anonymous access that you may
want to implement after reading the whole KB article. --- Steve
http://support.microsoft.com/?kbid=246261
"Boogie Woogie Flu" <spam@email.sux> wrote in message
news:WVt%a.2891$_P1.127@nwrddc01.gnilink.net...
> Thanks for your response, but did you read the post? I explained that I
> don't allow anonymous access in IIS and that the anonymous account
> (IUSR_computername) is disabled.
>
> My question is why do I still see "Success Audit" for logins on this account
> in my security log when the account is disabled?
>
>
> "Jason Conradt" <jconradt1@hotmail.com> wrote in message
> news:#FagZnBZDHA.1716@TK2MSFTNGP09.phx.gbl...
> > It's not if you're using anonymous auth for FTP or IIS, change
> > authentication types.
> >
> > "Boogie Woogie Flu" <spam@email.sux> wrote in message
> > news:OMn%a.3457$kK4.2691@nwrddc02.gnilink.net...
> > > Yes. That's the one I'm talking about. It's disabled.
> > >
> > >
> > > "Jason Conradt" <jconradt1@hotmail.com> wrote in message
> > > news:e#sxrn8YDHA.2032@TK2MSFTNGP10.phx.gbl...
> > > > > IUSR_computername is used for impersonation when you check "allow IIS to
> > > > > control password". It's also used if you configure FTP to allow anonymous.
> > > > >
> > > > > http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/iisbook/c09_anonymous_authentication_and_allow_iis_to_control_password.asp
> > > > >
> > > > "Boogie Woogie Flu" <spam@email.sux> wrote in message
> > > > news:rzk%a.1674$_P1.278@nwrddc01.gnilink.net...
> > > > > > I'm running an IIS FTP server on W2k Server SP3. I don't allow anonymous
> > > > > > logins and I have the anonymous account disabled.
> > > > > >
> > > > > > I have auditing enabled for login success and failure. Why am I seeing
> > > > > > "Success Audit" events in my security log for this account?
>
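
Added example, not part of the original thread: a small Python triage that separates the two kinds of record discussed above, null-session logons by NT AUTHORITY\ANONYMOUS LOGON versus logons by the IUSR_computername account. The CSV column layout, host names and sample rows are constructed for illustration; event IDs 528 and 540 are the Windows 2000 successful-logon events and logon type 3 is a network logon.

```python
import csv
import io
from collections import Counter

# Constructed sample: Security log rows exported to CSV. The column layout
# is an assumption of this example, not a fixed Windows export format.
SAMPLE_EXPORT = """\
time,event_id,domain,user,logon_type,workstation
2003-08-16 17:02:11,540,NT AUTHORITY,ANONYMOUS LOGON,3,FILESRV2
2003-08-16 17:05:40,540,NT AUTHORITY,ANONYMOUS LOGON,3,WKSTN14
2003-08-16 17:09:03,528,WEB01,ftpuser1,2,WEB01
2003-08-16 17:12:27,540,NT AUTHORITY,ANONYMOUS LOGON,3,
2003-08-16 17:20:55,540,WEB01,IUSR_WEB01,3,WEB01
"""

SUCCESS_LOGON_IDS = {528, 540}  # Windows 2000 successful logon events


def classify(row):
    """Label one exported row by the kind of logon it records."""
    if int(row["event_id"]) not in SUCCESS_LOGON_IDS:
        return "not_a_logon"
    user = row["user"].strip().upper()
    domain = row["domain"].strip().upper()
    if user == "ANONYMOUS LOGON" and domain == "NT AUTHORITY":
        # Type 3 (network) is the null connection described in the reply.
        return "null_session" if row["logon_type"].strip() == "3" else "anonymous_other"
    if user.startswith("IUSR_"):
        return "iis_anonymous_account"
    return "named_account"


def summarize(export_text, expected_hosts=()):
    """Count logon kinds and list null-session sources not on the expected list."""
    expected = {h.upper() for h in expected_hosts}
    counts, unexpected = Counter(), []
    for row in csv.DictReader(io.StringIO(export_text)):
        kind = classify(row)
        counts[kind] += 1
        source = row["workstation"].strip().upper() or "(blank)"
        if kind == "null_session" and source not in expected:
            unexpected.append(source)
    return counts, unexpected


if __name__ == "__main__":
    counts, unexpected = summarize(SAMPLE_EXPORT, expected_hosts=["FILESRV2"])
    print(dict(counts))
    print("null sessions from unexpected sources:", unexpected)
```

Any `iis_anonymous_account` hit while the IUSR account is disabled is worth a closer look, while null sessions from known internal hosts match the browse-service explanation given in the reply.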