Securing IIS IUSER
Pritchie
Guest
Posted: Mon Oct 17, 2005 4:51 pm    Post subject: Securing IIS IUSER

Hi,
I want to restrict IUSER access to the server file system. I removed it
from the "Users" group and added it to the "Guest" group, thinking that if
I then explicitly granted it read permissions to the wwwroot, that would
work fine. Before granting IUSER permission to read the files/folder, I
tested that access was denied... it wasn't.

The wwwroot has the following permissions:
Administrators (Full)
CREATOR OWNER (Special)
SYSTEM (Full)
Users (Read)

If I remove "Users" from wwwroot, IUSER cannot see the files. I added
"Users" back and IUSER can see the files again, even though it's not a
member of the "Users" group.

IUSER is only a member of:
Guests

The Users group has:
ASPNET
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE Users

Are any of these permitting IUSER access to files and folders with "Users"
permissions?

How can I stop IUSER seeing files and folders unless explicitly granted NTFS
permissions? I'd rather not have to remove the "Users" permissions granted
across the whole file system.

Why have NTFS file and folder permissions gone downhill since NT4? It used to
be so simple; now there's so much implicit granting of permissions you may as
well have it set to Everyone (Full). :o(

In brief, I want to stop IUSER seeing files and folders unless granted
permissions to...
D:\MyFile (Access denied)
D:\Inetpub\wwwroot (Access granted)

Thanks
Pritchie

Miha Pihler [MVP]
Guest
Posted: Mon Oct 17, 2005 8:51 pm    Post subject: Re: Securing IIS IUSER

Hi,

IUSER account is also "member of group" (it is "added" to the group
dynamically) called "Authenticated Users" and that is the reason why it
worked when the Users group had Read permission on the folder.

You might also want to post this question in
"microsoft.public.inetserver.iis.security"

--
Mike
Microsoft MVP - Windows Security

Pritchie
Guest
Posted: Tue Oct 18, 2005 12:50 pm    Post subject: Re: Securing IIS IUSER

Thanks Mike,

What is the purpose of "Authenticated Users"? If you're not authenticated,
then shouldn't you not have access at all? So why add this implicit
entry... and make people guess as to how authorisation is granted? Sorry, I
am not complaining at you... I am trying to find reason, and therefore
understanding... typing aloud you might say... :o)

What impact is removing "Authenticated Users" from users going to have on
the server?
I don't want IUSER to have implicit access to the whole file system.

Does this mean the guest account is also added to users if it's used?

Miha Pihler [MVP]
Guest
Posted: Tue Oct 18, 2005 8:51 pm    Post subject: Re: Securing IIS IUSER

<snip>

Quote:
What is the purpose of "Authenticated Users"? If you're not authenticated,
then shouldn't you not have access at all?

There are two accounts that are not members of Authenticated Users group and
these are Guest and Anonymous. All other accounts will be members of
Authenticated Users group.

Quote:
So why add this implicit
entry... and make people guess as to how authorisation is granted? Sorry, I
am not complaining at you... I am trying to find reason, and therefore
understanding... typing aloud you might say... :o)

You don't have to guess. There are quite a few books out there that explain
this quite well. One of them would be Windows Security Resource Kit :-)

Quote:
What impact is removing "Authenticated Users" from users going to have on
the server?

Probably not a very good idea. Many things will probably break...

Quote:
I don't want IUSER to have implicit access to the whole file system.

What are you trying to prevent here?

You could always change IUSER account to some other account name (or even
create another user account). You can then set the password for this account
to some more or less random 127 character long password.
Note: this account will need the permission of "Log on Locally"

Quote:
Does this mean the guest account is also added to users if it's used?





Roger Abell [MVP]
Guest
Posted: Wed Oct 19, 2005 4:51 pm    Post subject: Re: Securing IIS IUSER

You do not mention the version of Windows, but for recent versions
I have found that Iusr_/Iwam_ need to be Users group members for
them to be able to do all the things they may be called on to do.
In a default install, they get login rights by being in Users, and they are
in Users in the case you outline due to both Authenticated Users and
Interactive being in the Users group.
When I have accounted for login rights, and adjusted group memberships
so that these accounts are not effectively Users members, then one will
see things fail in accessing some things in system32 and using some
COM component support, etc.
The solution is to ACL the machine using other than Users in areas
that are of concern, where you specifically want to make sure that the
accounts cannot go.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
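
The behaviour discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of how local group membership is expanded into a logon token and how an allow-only ACL is then checked. It assumes the logon identities named in the replies, ignores deny entries and inheritance, and the `StaffReaders` group and `alice` account are hypothetical.

```python
# Added example: simplified model of logon-token group expansion and an
# allow-only DACL check. It does not call any Windows API.

# Local group membership as listed in the thread; StaffReaders is hypothetical.
LOCAL_GROUPS = {
    "Users": {"ASPNET", "Authenticated Users", "INTERACTIVE"},
    "Guests": {"IUSER"},
    "StaffReaders": {"alice"},
}
# Identities attached to IUSER at logon, per the replies (assumption of the model).
IUSER_LOGON = {"Authenticated Users", "INTERACTIVE"}

def build_token(account, logon_identities):
    """Expand local groups until no new group matches anything in the token."""
    token = {account} | set(logon_identities)
    changed = True
    while changed:
        changed = False
        for group, members in LOCAL_GROUPS.items():
            if group not in token and members & token:
                token.add(group)
                changed = True
    return token

def can_read(token, dacl):
    """Grant read if any allow ACE for Read or Full names a token identity."""
    return any(who in token and right in ("Read", "Full") for who, right in dacl)

BASE = [("Administrators", "Full"), ("CREATOR OWNER", "Special"), ("SYSTEM", "Full")]
WWWROOT_DEFAULT = BASE + [("Users", "Read")]         # ACL from the first post
WWWROOT_NO_USERS = list(BASE)                        # "Users" entry removed
WWWROOT_EXPLICIT = BASE + [("IUSER", "Read")]        # explicit grant to IUSER
MYFILE_DEFAULT = BASE + [("Users", "Read")]          # D:/MyFile with a Users entry
MYFILE_HARDENED = BASE + [("StaffReaders", "Read")]  # ACL'd with a group other than Users

if __name__ == "__main__":
    token = build_token("IUSER", IUSER_LOGON)
    print("IUSER token:", sorted(token))
    for name, dacl in [("wwwroot default", WWWROOT_DEFAULT),
                       ("wwwroot without Users", WWWROOT_NO_USERS),
                       ("wwwroot explicit IUSER", WWWROOT_EXPLICIT),
                       ("MyFile default", MYFILE_DEFAULT),
                       ("MyFile hardened", MYFILE_HARDENED)]:
        print(f"{name}: read={'granted' if can_read(token, dacl) else 'denied'}")
```

The model reproduces the first post's observation: IUSER is listed only in Guests, yet its token picks up Users through the logon identities, so only paths whose ACL avoids the Users entry deny it.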