Re: Disabled IIS Anonymous account

From: Jason Conradt (jconradt1_at_hotmail.com)
Date: 08/16/03 

Date: Sat, 16 Aug 2003 11:26:02 -0700

Okay backup a second - how are you allowing users to connect to FTP? If you
want to truly disable all access to IUSR_computername, you have to make
certain that NOTHING is allowing impersonation. Here is how I configured FTP
in a quick test to confirm that IUSR is not authenticating with the FTP
service properly configured and IUSR disabled:

Goto IIS master properties for the site, edit, goto directory security, edit
Anonymous acces and authentication control. Change type to Basic, clear the
anonymous access checkbox. Goto the default website properties and do the
same thing. Next, goto the FTP site, administer properties, click on
Security Accounts tab, uncheck "allow anonymous connections" and apply the
changes.

Disable IUSR_computername account in users and groups. Enable logon/logoff
events in local security policy.

Restart IIS at the master properties level, login to FTP, do an ls or a dir,
whatever, then do a bye. Check events logs. I'm seeing the administrator
username login and out, not IUSR.

hth,

Jason

"Boogie Woogie Flu" <spam@email.sux> wrote in message
news:WVt%a.2891$_P1.127@nwrddc01.gnilink.net...
> Thanks for your response, but did you read the post? I explained that I
> don't allow anonymous access in IIS and that the anonymous account
> (IUSR_computername) is disabled.
>
> My question is why do I still see "Success Audit" for logins on this
account
> in my security log when the account is disabled?
>
>
> "Jason Conradt" <jconradt1@hotmail.com> wrote in message
> news:#FagZnBZDHA.1716@TK2MSFTNGP09.phx.gbl...
> > It's not if you're using anonymous auth for FTP or IIS, change
> > authentication types.
> >
> > "Boogie Woogie Flu" <spam@email.sux> wrote in message
> > news:OMn%a.3457$kK4.2691@nwrddc02.gnilink.net...
> > > Yes. That's the one I'm talking about. It's disabled.
> > >
> > >
> > > "Jason Conradt" <jconradt1@hotmail.com> wrote in message
> > > news:e#sxrn8YDHA.2032@TK2MSFTNGP10.phx.gbl...
> > > > IUSR_computername is used for impersonation when you check "allow
IIS
> to
> > > > control password". It's also used if you configure FTP to allow
> > anonymous.
> > > >
> > > >
> > >
> >
>
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/
> > >
> >
>
windows2000/techinfo/reskit/en-us/iisbook/c09_anonymous_authentication_and_a
> > > llow_iis_to_control_password.asp
> > > >
> > > >
> > > > "Boogie Woogie Flu" <spam@email.sux> wrote in message
> > > > news:rzk%a.1674$_P1.278@nwrddc01.gnilink.net...
> > > > > I'm running an IIS FTP server on W2k Server SP3. I don't allow
> > anonymous
> > > > > logins and I have the anonymous account disabled.
> > > > >
> > > > > I have auditing enabled for login success and failure. Why am I
> seeing
> > > > > "Success Audit" events in my security log for this account?
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>