Posted by Spin on December 21, 2005, 7:17 pm
Thank you for your reply Roger. I do not have a telnet server installed (at
least I think I don't). At least I do not see it listed under the
components of "Application Server" in Control panel and a telnet to my
server's IP showed it wasn't listening at port 23.
E:\>telnet localhost 23
Connecting To localhost...Could not open connection to the host, on port 23:
Connect failed
--
Spin
> You say having permissions explicitly granted to Telnet clients scares
> you, while having MS telnet installed on a production server scares me.
>
> The Internet Guest and Launch IIS Process entries are for the two
> default accounts used by IIS. Without this grant it would be necessary
> to make sure that these accounts (either/or/or-both depending on config
> of the webs in IIS) would need grants for the specific components that
> they are using.
>
> Support_388945a0 is the support account you will find in all XP and
> later installs, which is normally pretty completely crippled through the
> user rights settings and through being disabled. Apparently you are
> showing settings as viewed on a DC as this is for you a domain account,
> whereas other than on a DC this is a machine local account.
>
> Keep in mind that what you are looking at is only the default settings
> used with components that do not have any component specific
> settings, and that these are not the least values used when the
> component uses programmatic overrides.
>
> Basically (with exception of telnet for which I cannot speak) what
> you are seeing is pretty much the out-of-the-box settings.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>
>> Experts,
>>
>> I looked at the properties of the "My Computer" object in DCOMcnfg > COM
>> Security tab and under the "Launch and Activation Permissions" button I
>> see some weird entries and wanted to know if you have these too. Here is
>> the whole ACL.
>>
>> Administrators...Allow for: Local Launch, Remote Launch, Local
>> Activation, Remote Activation
>> Interactive...Allow for: Local Launch, Remote Launch, Local Activation,
>> Remote Activation
>> Internet Guest Account...Allow for: Local Launch, Remote Launch, Local
>> Activation, Remote Activation
>> Launch IIS Process Account...Allow for: Local Launch, Remote Launch,
>> Local Activation, Remote Activation
>> TelnetClients...Allow for: Local Launch, Remote Launch, Local Activation,
>> Remote Activation
>> CN=Microsoft Corporation,L=Redmond,S=Washington,C=US
>> (EBIZ\Support_388945a0)...Allow for: Local Launch, Remote Launch, Local
>> Activation, Remote Activation
>>
>> Now, I can understand the presence of Administrators and Interactive.
>> But what is this account --> CN=Microsoft
>> Corporation,L=Redmond,S=Washington,C=US (EBIZ\Support_388945a0)? Note
>> that EBIZ is my AD domain name. And why is the Internet Guest Account in
>> there? Even TelnetClients scare me by being in there. I haven't removed
>> anything yet, I am sending out this post to see if anyone else out there
>> has these listings in there.
>>
>> I am running Windows Server 2003 SP1. Exchange SP2 and IIS 6.0. Running
>> about 10 small public web sites on it. It is behind a hardware firewall
>> with only port 80 and port 25 allowed through. This is a single-server
>> pointing to itself for DNS and running Active Directory. The AD zone is
>> standard primary with "Secure and Non-secure" updates set to 'Yes'. All
>> other zones have dynamic updates turned "off".
>>
>> --
>> Spin
>>
>>
>
>
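Added example, not part of the original thread: a PowerShell sketch that decodes the machine-wide DCOM launch ACLs discussed above into the same four rights DCOMcnfg shows, and marks entries that carry a remote right. It assumes PowerShell 5 or later and that the ACLs live in the `DefaultLaunchPermission` ("Edit Default") and `MachineLaunchRestriction` ("Edit Limits") values under `HKLM\SOFTWARE\Microsoft\Ole`; the function name `Get-DcomLaunchAcl` is hypothetical.

```powershell
# COM launch/activation access-mask bits (COM_RIGHTS_* in the Windows SDK).
$ComRights = [ordered]@{
    'Local Launch'      = 0x02   # COM_RIGHTS_EXECUTE_LOCAL
    'Remote Launch'     = 0x04   # COM_RIGHTS_EXECUTE_REMOTE
    'Local Activation'  = 0x08   # COM_RIGHTS_ACTIVATE_LOCAL
    'Remote Activation' = 0x10   # COM_RIGHTS_ACTIVATE_REMOTE
}

function Get-DcomLaunchAcl {
    param([string]$ValueName = 'DefaultLaunchPermission')

    # Machine-wide COM security settings are stored as binary security descriptors.
    $bytes = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole').$ValueName
    if (-not $bytes) {
        Write-Warning "$ValueName is not set; the built-in defaults apply."
        return
    }

    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }

        # Resolve the SID to a name; fall back to the raw SID for unmapped accounts.
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }

        $granted = $ComRights.Keys | Where-Object { $ace.AccessMask -band $ComRights[$_] }
        [pscustomobject]@{
            Principal = $who
            Type      = $ace.AceQualifier          # AccessAllowed or AccessDenied
            Rights    = $granted -join ', '
            Remote    = [bool]($ace.AccessMask -band 0x14)   # remote launch or remote activation
            Mask      = '0x{0:X}' -f $ace.AccessMask
        }
    }
}

# Defaults used by components with no settings of their own, then the machine-wide limits.
Get-DcomLaunchAcl -ValueName DefaultLaunchPermission  | Format-Table -AutoSize
Get-DcomLaunchAcl -ValueName MachineLaunchRestriction | Format-Table -AutoSize
```

Run it from an elevated session on the server being reviewed. As noted in the reply above, these are only the defaults; a component with its own settings has its own ACL.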