Re: Securing IIS IUSER
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 10/19/05
Date: Wed, 19 Oct 2005 07:49:16 -0700
You do not mention the version of Windows, but for recent versions
I have found that Iusr_/Iwam_ need to be Users group members for
them to be able to do all the things they may be called on to do.

In a default install, they get login rights by being in Users, and they are
in Users in the case you outline due to both Authenticated Users and
Interactive being in the Users group.

When I have accounted for login rights, and adjusted group memberships
so that these accounts are not effectively Users members, then one will
see things fail in accessing some things in system32 and using some
COM component support, etc.

The solution is to ACL the machine using other than Users in areas
that are of concern, where you specifically want to make sure that the
accounts cannot go.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4

"Pritchie" <info2005@remove-this-including-dot.bigbunker.com> wrote in message
news:dpO4f.3413$sm1.224@newsfe5-win.ntli.net...
> Hi,
> I want to restrict IUSER access to the server file system. I removed it
> from the "Users" group and added it to the "Guest" group. Thinking that if
> I then explicitly granted it read permissions to the wwwroot, that would
> work fine. Before granting IUSER permission to read the files/folder, I
> test access was denied.. it wasn't.
>
> The wwwroot has the following permissions
> Administrators (Full)
> CREATOR OWNER (Special)
> SYSTEM (Full)
> Users (Read)
>
> If I remove "Users" from wwwroot, IUSER cannot see the files. I added
> "Users" back and IUSER can see the files again, even though it's not a
> member of the "Users" group.
>
> IUSER is only a member of
> Guests
>
> The Users group has
> ASPNET
> NT AUTHORITY\Authenticated Users
> NT AUTHORITY\INTERACTIVE Users
>
> Are any of these permitting IUSER access to files and folders with "Users"
> permissions?
>
> How can I stop IUSER seeing files and folders unless explicitly granted NTFS
> permissions? I'd rather not have to remove the "Users" permissions granted
> across the whole file system.
>
> Why has NTFS file and folder permission gone downhill since NT4? It used to be
> so simple, now there's so much implicit granting of permissions you may as
> well have it set to Everyone (Full). :o(
>
> In brief, I want to stop IUSER seeing files and folders unless granted
> permissions to...
> D:\MyFile (Access denied)
> D:\Inetpub\wwwroot (Access granted)
>
> Thanks
> Pritchie
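
The membership effect discussed in this thread can be reproduced with a small model. This is an added example, not part of either post: it is a simplified allow-only access check (no deny ACEs, no inheritance) using the group contents from the question. The `Staff` group, the `alice` account and the identities added at logon are assumptions made for illustration.

```python
# Simplified model of an allow-only NTFS access check; not real Windows API calls.
AUTH_USERS = "NT AUTHORITY\\Authenticated Users"
INTERACTIVE = "NT AUTHORITY\\INTERACTIVE"

# Local group -> members. Users/Guests are as listed in the question.
LOCAL_GROUPS = {
    "Users": {"ASPNET", AUTH_USERS, INTERACTIVE},
    "Guests": {"IUSR"},
    "Staff": {"alice"},  # hypothetical group used instead of Users on sensitive paths
}

# Assumption, following the reply: the logon adds these identities to the token.
LOGON_IDENTITIES = {AUTH_USERS, INTERACTIVE}


def effective_identities(account):
    """Return the account plus every identity and local group it effectively holds."""
    held = {account} | LOGON_IDENTITIES
    changed = True
    while changed:  # repeat until no further group membership is picked up
        changed = False
        for group, members in LOCAL_GROUPS.items():
            if group not in held and held & members:
                held.add(group)
                changed = True
    return held


def can_read(account, acl):
    """acl maps trustee -> set of rights; any held trustee with Read grants access."""
    held = effective_identities(account)
    return any("Read" in rights for trustee, rights in acl.items() if trustee in held)


FULL = {"Read", "Write"}
# wwwroot ACL from the question (CREATOR OWNER omitted: it does not apply to IUSR here)
WWWROOT = {"Administrators": FULL, "SYSTEM": FULL, "Users": {"Read"}}
# D:\MyFile while it still carries the Users (Read) entry
MYFILE_DEFAULT = {"Administrators": FULL, "SYSTEM": FULL, "Users": {"Read"}}
# D:\MyFile re-ACLed with a group other than Users, as the reply suggests
MYFILE_TIGHTENED = {"Administrators": FULL, "SYSTEM": FULL, "Staff": {"Read"}}

if __name__ == "__main__":
    print("IUSR holds:", sorted(effective_identities("IUSR")))
    for name, acl in [("wwwroot", WWWROOT), ("MyFile default", MYFILE_DEFAULT),
                      ("MyFile tightened", MYFILE_TIGHTENED)]:
        print(f"{name}: IUSR read = {can_read('IUSR', acl)}")
```
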