
Securing IIS IUSER

Newsgroup: microsoft.public.windows.server.security

Thread index (subject, author, date):
  Securing IIS IUSER, Pritchie, 10-17-2005
    Re: Securing IIS IUSER, Miha Pihler [MV..., 10-17-2005
      Re: Securing IIS IUSER, Roger Abell [MV..., 10-19-2005
Posted by Pritchie on October 17, 2005, 2:18 pm
Hi,
I want to restrict IUSER access to the server file system. I removed it
from the "Users" group and added it to the "Guest" group, thinking that if
I then explicitly granted it read permissions to the wwwroot, that would
work fine. Before granting IUSER permission to read the files/folder, I
tested whether access was denied... it wasn't.

The wwwroot has the following permissions:
Administrators (Full)
CREATOR OWNER (Special)
SYSTEM (Full)
Users (Read)

If I remove "Users" from wwwroot, IUSER cannot see the files; if I add
"Users" back, IUSER can see the files again, even though it's not a
member of the "Users" group.

IUSER is only a member of
Guests

The Users group has
ASPNET
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE Users

Are any of these permitting IUSER access to files and folders with "Users"
permissions?

How can I stop IUSER seeing files and folders unless explicitly granted NTFS
permissions? I'd rather not have to remove the "Users" permissions granted
across the whole file system.

Why have NTFS file and folder permissions gone downhill since NT4? It used to
be so simple; now there's so much implicit granting of permissions you may as
well have it set to Everyone (Full). :o(

In brief, I want to stop IUSER seeing files and folders unless granted
permissions to them...
D:\MyFile (Access denied)
D:\Inetpub\wwwroot (Access granted)

Thanks
Pritchie

Posted by Miha Pihler [MVP] on October 17, 2005, 9:11 pm
Hi,

The IUSER account is also a "member" of the group called "Authenticated
Users" (it is "added" to that group dynamically), and that is the reason why
it worked when the Users group had Read permission on the folder.

You might also want to post this question in
"microsoft.public.inetserver.iis.security"

--
Mike
Microsoft MVP - Windows Security

Posted by Pritchie on October 18, 2005, 9:31 am
Thanks Mike,

What is the purpose of "Authenticated Users"? If you're not authenticated,
then shouldn't you not have access at all? So why add this implicit
entry... and make people guess as to how authorisation is granted? Sorry, I
am not complaining at you... I am trying to find the reason, and therefore
understanding... typing aloud you might say... :o)

What impact is removing "Authenticated Users" from Users going to have on
the server?
I don't want IUSER to have implicit access to the whole file system.

Does this mean the Guest account is also added to Users if it's used?

Posted by Miha Pihler [MVP] on October 18, 2005, 8:52 pm
<snip>

> What is the Purpose of "Authenticated Users"? if you're not Authenticated,
> then shouldn't you not have access at all?

There are two accounts that are not members of the Authenticated Users group,
and these are Guest and Anonymous. All other accounts will be members of the
Authenticated Users group.

> So why add this implicit
> entry... and make people guess as to how authorisation is granted? Sorry, I
> am not complaining at you... I am trying to find the reason, and therefore
> understanding... typing aloud you might say... :o)

You don't have to guess. There are quite a few books out there that explain
this quite well. One of them would be Windows Security Resource Kit :-)

> What impact is removing "Authenticated Users" from users going to have on
> the server?

Probably not a very good idea. Many things will probably break...

> I don't want IUSER to have implicit access to the whole file system.

What are you trying to prevent here?

You could always change the IUSER account to some other account name (or even
create another user account). You can then set the password for this account
to a more or less random 127-character-long password.
Note: this account will need the "Log on Locally" permission.

> Does this mean the Guest account is also added to Users if it's used?

Posted by Roger Abell [MVP] on October 19, 2005, 7:49 am
You do not mention the version of Windows, but for recent versions
I have found that Iusr_/Iwam_ need to be Users group members for
them to be able to do all the things they may be called on to do.
In a default install, they get login rights by being in Users, and they are
in Users in the case you outline due to both Authenticated Users and
Interactive being in the Users group.
When I have accounted for login rights, and adjusted group memberships
so that these accounts are not effectively Users members, then one will
see things fail in accessing some things in system32 and using some
COM component support, etc.
The solution is to ACL the machine using other than Users in areas
that are of concern, where you specifically want to make sure that the
accounts cannot go.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
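The mechanism Mike describes (Authenticated Users being added to the logon token dynamically, and the Users group containing it) and the fix Roger suggests (ACL the sensitive areas with a group other than Users) can both be seen in a small model of the Windows access check. This is an added example, not code from the thread or from Microsoft; the rights values, the account and group names other than those named in the thread (SiteAdmins is hypothetical) and the logon-type handling are constructed, and the evaluation is a simplification of the real NTFS algorithm.

```python
from dataclasses import dataclass
READ, WRITE, FULL = 1, 2, 3  # constructed rights bitmask, not real ACCESS_MASK values
# Nested local-group membership from the thread: Users contains the well-known
# Authenticated Users and INTERACTIVE groups; IUSR was moved into Guests.
LOCAL_GROUPS = {
    "Users": {"ASPNET", "Authenticated Users", "INTERACTIVE"},
    "Guests": {"IUSR", "Guest"},
    "Administrators": {"Administrator"},
}
# Accounts that never receive the Authenticated Users SID (Mike's reply).
NOT_AUTHENTICATED = {"Guest", "ANONYMOUS LOGON"}

@dataclass
class Ace:
    trustee: str
    rights: int
    deny: bool = False

def token_groups(account, logon_type="interactive"):
    """Groups the system puts in the logon token for `account`."""
    groups = {account, "Everyone"}
    if account not in NOT_AUTHENTICATED:
        groups.add("Authenticated Users")  # added dynamically at logon
    if logon_type == "interactive":        # IIS anonymous logon is a local logon
        groups.add("INTERACTIVE")
    changed = True                         # expand nested group membership
    while changed:
        changed = False
        for grp, members in LOCAL_GROUPS.items():
            if grp not in groups and members & groups:
                groups.add(grp)
                changed = True
    return groups

def access_check(dacl, account, requested, logon_type="interactive"):
    """Simplified DACL evaluation: ACEs in order, a matching Deny stops it."""
    groups, granted = token_groups(account, logon_type), 0
    for ace in dacl:
        if ace.trustee not in groups:
            continue
        if ace.deny and (ace.rights & requested & ~granted):
            return False
        if not ace.deny:
            granted |= ace.rights
            if (granted & requested) == requested:
                return True
    return False
# The thread's wwwroot DACL, and a folder ACLed with a hypothetical group
# (SiteAdmins) instead of Users, as Roger suggests, so IUSR has no path in.
WWWROOT = [Ace("Administrators", FULL), Ace("SYSTEM", FULL), Ace("Users", READ)]
MYFILE = [Ace("Administrators", FULL), Ace("SYSTEM", FULL), Ace("SiteAdmins", READ)]
```

Running `access_check(WWWROOT, "IUSR", READ)` reproduces Pritchie's observation: the Users ACE matches because Authenticated Users is in the token and Users contains it, even though IUSR is only an explicit member of Guests.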