IIS Server Security >> Security templates and IUSR account log on locally

by Anthony » Sat, 01 Jul 2006 16:35:06 GMT

Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain. Everything
standard.

1) The Microsoft security guide for IIS6.0 says that the IUSR account needs
Log on Locally rights.
2) The Microsoft group policy Enterprise security template for Member
Servers removes this right. When the policy is applied, anonymous access is
broken.
3) The Member Server template is a baseline for all servers. You are
supposed to ADD a Web Server template on top for web servers.
4) The Security Policy guide specifies that if you apply the more
restrictive Limited Functionality template to Member Servers, then you need
to move the web server out of that OU so the policy is not applied. By
inference you don't do this for the standard Enterprise policy template.
5) Question: do the policy templates contradict the security guide?
6) Question: I read somewhere that if you enable Basic authentication, you
no longer need the Log on Locally right for anon. Is that correct?
7) Question: I have enabled Advanced Digest authentication with the
UseDigestSSP property set in the metabase. This works fine. I read something
about this disabling subauthentication, and I recognise that
subauthentication is something to do with the way IIS handles the IUSR
account. Could it be that with Advanced Digest enabled, the IUSR account no
longer works unless it has Log on Locally rights?

Thanks very much,
Anthony




IIS Server Security >> Security templates and IUSR account log on locally

by David Wang [Msft] » Sun, 02 Jul 2006 06:51:31 GMT


http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS_Security_Templates_and_Anonymous_Authentication.aspx

Your questions actually had non-causal assumptions. I clarified them in the
blog entry.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//








IIS Server Security >> Security templates and IUSR account log on locally

by David Wang [Msft] » Sun, 02 Jul 2006 06:52:06 GMT

Maybe you have a WebDAV link in your "My Network Places" special folder
(available from the Start Menu) to your webserver that the virus scanner
unknowingly traverses during scanning.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//







Security templates and IUSR account log on locally

by David Wang [Msft] » Sun, 02 Jul 2006 18:12:11 GMT

Hmm, weird newsgroup reader behavior. Don't remember sending this one
because it's not relevant to your question. :-) . The blog entry is all
about your question, though.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//









Security templates and IUSR account log on locally

by Roger Abell [MVP] » Mon, 03 Jul 2006 00:09:42 GMT

Anthony,

You may also want to revisit the download for the W2k3 Security Guide as
it had a minor revision posted to web 6/29, the main impact of which was
updates to the inf files, not to the doc text.

The issue with using the templates out-of-the-box for situations like the
one you outline is that there is no standard name that would be suited
for use, in this case, for the grant of the Log on locally user right.
I circumvent the problem by defining a practice that each IIS will have
standard named groups that collect all IUsr_ and all IWam_ accounts
defined on the IIS box. Then, at domain level I can use this to grant the
needed user rights, since by convention it will exist on each IIS box.

Roger
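A way to check Roger's convention mechanically on each IIS box: export the effective user rights with `secedit /export /cfg <file> /areas USER_RIGHTS` and confirm that SeInteractiveLogonRight (the "Log on locally" right) still lists either the IUSR_ account or the standard-named group that carries it. The script below is an added example, not code from this thread or from Microsoft. The two INF fragments are constructed samples in the exported-template format (a real export is UTF-16 and should be opened with encoding="utf-16"); the host name WEB01 and the group name IIS_WebAnonymous are hypothetical. The "baseline" fragment shows the right after the Member Server template has narrowed it, the "web layer" fragment shows it after the group has been added back.

```python
"""Check whether a secedit-exported security template still grants the
"Log on locally" user right (SeInteractiveLogonRight) to the IIS anonymous
account, or to the conventional group that collects IUSR_/IWAM_ accounts.

Added example, not from the thread. Sample INF text is constructed; the
host WEB01 and the group IIS_WebAnonymous are hypothetical names.
"""
import re

# Well-known SIDs as they appear in exported templates ("*S-1-5-...").
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-551": "Backup Operators",
}

# Constructed sample: the right after the Member Server baseline has
# narrowed it to Administrators only, which leaves IUSR_WEB01 without it.
BASELINE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the same right after the web-server layer re-adds a
# standard-named local group that holds the IUSR_/IWAM_ accounts.
WEB_LAYER_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,IIS_WebAnonymous
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section.

    Principals are kept as written, except that well-known SIDs are mapped
    to their group names so the result reads like the MMC snap-in shows it.
    """
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip() for p in value.split(",") if p.strip()]
        rights[name.strip()] = [
            WELL_KNOWN_SIDS.get(p.lstrip("*"), p) for p in principals
        ]
    return rights


def anonymous_logon_allowed(inf_text, iusr_principals):
    """True if any name in iusr_principals (the IUSR_<host> account itself,
    or a group known to contain it) is granted SeInteractiveLogonRight.

    Group membership is not resolved here: the caller passes every name
    that carries the IUSR account, which is exactly what the standard-named
    group convention makes predictable across IIS boxes.
    """
    rights = parse_privilege_rights(inf_text)
    granted = set(rights.get("SeInteractiveLogonRight", []))
    return bool(granted & set(iusr_principals))


if __name__ == "__main__":
    # Hypothetical host WEB01: its IUSR account and the conventional group.
    principals = ["IUSR_WEB01", "IIS_WebAnonymous"]
    for label, inf in (("member server baseline", BASELINE_INF),
                       ("with web server layer", WEB_LAYER_INF)):
        ok = anonymous_logon_allowed(inf, principals)
        print(f"{label}: anonymous access {'works' if ok else 'BROKEN'}")
```

Run against a real export, the same check tells you before a policy refresh whether the Member Server baseline alone will break anonymous authentication on that box, and after the fix whether the group grant actually landed.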






Security templates and IUSR account log on locally

by Anthony Yates » Mon, 03 Jul 2006 20:22:22 GMT

Thanks Roger and David for these replies.
My questions are exclusively about the default behaviour of IIS6 in a
Windows 2003 domain. It does seem that:
1) anon authentication requires the Log on Locally right for the IUSR
account, as the IIS guide says.
2) the Enterprise security template for Member Servers breaks IIS6 anon
authentication. The Windows 2003 Security Guide is wrong on this point, as
the guideline is to apply the member servers baseline policy and then the
web servers policy. It only says you can't do this for the Restricted
Functionality template:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch09.mspx#EAF.
Evidently you need to do the same for the Enterprise template as well. The
reason is obvious once you accept that 1) is correct.
3) Advanced Digest and Subauthentication are a red herring in this context.
I can see that Roger's solution is the only way to control the Log on
Locally right for IUSR accounts in group policy.
Regards,
Anthony







Security templates and IUSR account log on locally

by Roger Abell [MVP] » Tue, 04 Jul 2006 16:07:17 GMT

Hi Anthony,

Thank you for your summation.

I am not so sure the route I outlined is the only resolution, but it is one
I have found of use. Alternatively one can let the machine local Users
group carry the load of granting local logon user right, and institute shop
standards/practices that minimize Users membership for example.

As you may have noticed, I was involved in edit review of the W2k3
guidance, and I am passing along your astute observations relative to
the discussions of the templates that future revision to the text might
be clarified.

Roger





Security templates and IUSR account log on locally

by Anthony » Tue, 11 Jul 2006 04:31:51 GMT

Another strange aspect of the security templates. If you enable them for
member servers but not web servers, you can't connect from a member server
to a web server because of the Signing requirements. If you do enable the
template for web servers, anon authentication breaks.
Anthony





