Minimum Permissions for IUSR Account

on 06.04.2008 01:00:47 by Will

By default, IIS 6 puts the special IUSR_ account into the
local Guests group. Unfortunately our standard installation environment
for Windows 2003 has a number of settings that are hostile to guest
accounts. Does anyone have a list of which of the following the special
IUSR account needs?

- Windows user privileges
- registry key access
- file system object access

If I could enumerate these I could make sure that the Guests group has
access to just the minimum set of objects and privileges needed for IIS to
use this account to run a web site, or alternately I could create a new
local group, assign it the required permissions, and move IUSR over to that
local group.

--
Will

Re: Minimum Permissions for IUSR Account

on 06.04.2008 06:39:24 by Ken Schaefer

Hi,

See:
http://support.microsoft.com/?kbid=812614

Cheers
Ken

--
My IIS blog: http://adopenstatic.com/blog

"Will" wrote in message
news:A5-dne8Wp8I9mWXanZ2dnUVZ_vShnZ2d@giganews.com...
> By default, IIS 6 puts the special IUSR_ account into the
> local Guests group. Unfortunately our standard installation environment
> for Windows 2003 has a number of settings that are hostile to guest
> accounts. Does anyone have a list of which of the following the special
> IUSR account needs?
>
> - Windows user privileges
> - registry key access
> - file system object access
>
> If I could enumerate these I could make sure that the Guests group has
> access to just the minimum set of objects and privileges needed for IIS to
> use this account to run a web site, or alternately I could create a new
> local group, assign it the required permissions, and move IUSR over to
> that
> local group.
>
> --
> Will
>
>

Re: Minimum Permissions for IUSR Account

on 06.04.2008 15:59:17 by Roger Abell

Hi Will,

You have fallen into a MS trap, use of Guests membership to
make one believe the account is somehow limited. In point of
fact, if you just make your IUsr* accounts members of Users and
give them grants to web content then everything needed is allowed
if you also match for your IUsr* accounts the user rights IIS will
plug in for the default IUsr_ account.
The membership in Guests is just spin. In a default install the IUsr
is a member of Users via Authenticated Users (in cases also via the
Interactive member of Users), and it is this membership in Users
that lets the account do what it needs beyond web content read/exec.

Roger

"Will" wrote in message
news:A5-dne8Wp8I9mWXanZ2dnUVZ_vShnZ2d@giganews.com...
> By default, IIS 6 puts the special IUSR_ account into the
> local Guests group. Unfortunately our standard installation environment
> for Windows 2003 has a number of settings that are hostile to guest
> accounts. Does anyone have a list of which of the following the special
> IUSR account needs?
>
> - Windows user privileges
> - registry key access
> - file system object access
>
> If I could enumerate these I could make sure that the Guests group has
> access to just the minimum set of objects and privileges needed for IIS to
> use this account to run a web site, or alternately I could create a new
> local group, assign it the required permissions, and move IUSR over to
> that
> local group.
>
> --
> Will
>
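
Will asked above for the user rights, registry keys and files the anonymous account needs, and Roger's reply says the access that matters actually arrives through Users, which contains Authenticated Users (and INTERACTIVE) on a default install. The PowerShell below is an added example, not from either poster, that makes both things visible on a server: it works out the identities an account carries at logon, finds every local group that picks any of them up, and lists the ACEs on web content and IIS registry keys that apply to that set. The account name, the paths and the registry keys are assumptions for illustration; user rights are not covered here (they live in the security policy, not in ACLs).

```powershell
# Added example (not from the thread): show which identities an IIS anonymous account
# carries at logon, which local groups pick those identities up, and which ACEs on web
# content and IIS registry keys apply to any of them. Run from an administrator shell.
# The account name, paths and keys are assumptions; change them for your server.

$Account = 'IUSR_WEB01'                                              # assumed
$Paths   = @('C:\Inetpub\wwwroot', 'C:\WINDOWS\system32\inetsrv')   # assumed
$RegKeys = @('HKLM:\SOFTWARE\Microsoft\InetStp',
             'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC')        # assumed

# Identities in the account's token that no group listing shows. On a default install
# Users contains Authenticated Users (and INTERACTIVE), which is why the Guests
# membership of IUSR_ restricts nothing by itself.
$implicit = @('Everyone', 'Authenticated Users', 'INTERACTIVE', 'NETWORK')

function Get-LocalGroupMemberNames {
    # Member names of one local group through the WinNT ADSI provider (works on Windows 2003).
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $path.Split('/')[-1]    # WinNT://NT AUTHORITY/Authenticated Users -> Authenticated Users
    }
}

function Get-EffectiveIdentityNames {
    # The account, the implicit identities, and every local group containing any of them.
    # Matching is by name only: fine for a local audit, ambiguous with duplicate domain names.
    param([string]$Account)
    $names  = @($Account) + $implicit
    $groups = ([ADSI]"WinNT://$env:COMPUTERNAME").Children | Where-Object { $_.SchemaClassName -eq 'group' }
    foreach ($g in $groups) {
        $groupName = [string]$g.Name
        $members   = @(Get-LocalGroupMemberNames $groupName)
        foreach ($n in @($names)) {
            if ($members -contains $n) { $names += $groupName; break }
        }
    }
    $names | Select-Object -Unique
}

function Get-MatchingAces {
    # ACEs on files, folders and registry keys whose trustee is one of the effective identities.
    param([string[]]$Identities, [string[]]$Objects)
    foreach ($obj in $Objects) {
        $acl = Get-Acl -Path $obj -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $trustee = $ace.IdentityReference.Value.Split('\')[-1]
            if ($Identities -contains $trustee) {
                # FileSystemRights on files and folders, RegistryRights on keys
                $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights } else { $ace.RegistryRights }
                New-Object PSObject -Property @{
                    Object    = $obj
                    Trustee   = $ace.IdentityReference.Value
                    Type      = $ace.AccessControlType
                    Rights    = $rights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$ids = @(Get-EffectiveIdentityNames $Account)
"Identities carried by ${Account}: $($ids -join ', ')"
Get-MatchingAces -Identities $ids -Objects ($Paths + $RegKeys) |
    Format-Table Object, Trustee, Type, Rights, Inherited -AutoSize
```

Run it once with Authenticated Users still in Users and once after removing it: the Users entries drop out of the identity list, and every ACE granted to BUILTIN\Users disappears from the table, which is exactly the access Will's installations take away from the anonymous account. Extend $Paths and $RegKeys with whatever the site touches (temporary ASP directories, COM server binaries, the .NET framework folder) to see which of those grants only ever came via Users.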
>

Re: Minimum Permissions for IUSR Account

on 06.04.2008 20:14:13 by Will

"Roger Abell [MVP]" wrote in message
news:%23QENr5%23lIHA.4480@TK2MSFTNGP03.phx.gbl...
> You have fallen into a MS trap, use of Guests membership to
> make one believe the account is somehow limited. In point of
> fact, if you just make your IUsr* accounts members of Users and
> give them grants to web content then everything needed is allowed
> if you also match for your IUsr* accounts the user rights IIS will
> plug in for the default IUsr_ account.

Well I did know that adding the IUSR account to Users made everything work
again. But if possible I wanted IUSR to run with *more* restrictive
permissions than local Users group.

I wasn't sure what you meant by the last sentence "if you also match for
your IUsr* accounts the user rights IIS will plug in for the default
IUsr_account." Could you elaborate?


> The membership in Guests is just spin. In a default install the IUsr
> is a member of Users via Authenticated Users (in cases also via the
> Interactive member of Users), and it is this membership in Users
> that lets the account do what it needs beyond web content read/exec.

Unfortunately, in our installations, we take Authenticated Users out of
Users and instead add explicit entities, to give tighter control on server
access. So what was automatic in a default install becomes some detective
work in our case.

--
Will


> "Will" wrote in message
> news:A5-dne8Wp8I9mWXanZ2dnUVZ_vShnZ2d@giganews.com...
> > By default, IIS 6 puts the special IUSR_ account into the
> > local Guests group. Unfortunately our standard installation environment
> > for Windows 2003 has a number of settings that are hostile to guest
> > accounts. Does anyone have a list of which of the following the special
> > IUSR account needs?
> >
> > - Windows user privileges
> > - registry key access
> > - file system object access
> >
> > If I could enumerate these I could make sure that the Guests group has
> > access to just the minimum set of objects and privileges needed for IIS to
> > use this account to run a web site, or alternately I could create a new
> > local group, assign it the required permissions, and move IUSR over to
> > that local group.
> >
> > --
> > Will

Re: Minimum Permissions for IUSR Account

on 07.04.2008 08:15:36 by Roger Abell

"Will" wrote in message
news:6r6dncLLYNFqj2TanZ2dnUVZ_rmjnZ2d@giganews.com...
> "Roger Abell [MVP]" wrote in message
> news:%23QENr5%23lIHA.4480@TK2MSFTNGP03.phx.gbl...
>> You have fallen into a MS trap, use of Guests membership to
>> make one believe the account is somehow limited. In point of
>> fact, if you just make your IUsr* accounts members of Users and
>> give them grants to web content then everything needed is allowed
>> if you also match for your IUsr* accounts the user rights IIS will
>> plug in for the default IUsr_ account.
>
> Well I did know that adding the IUSR account to Users made everything work
> again. But if possible I wanted IUSR to run with *more* restrictive
> permissions than local Users group.
>

Understand, and understood when I posted.
I went down the path once also and ended up with belief that
lacking Users membership led to some component permissions
that were lacking and I did not have time to track down. On my
IIS boxes, Users equals admins of the server, the IIS backside
accounts, web content authors, and browsing users of non-anonymous
websites. I would love to remove any one of the last three but have
found doing so for each led to issues I do not get the time to track
down and cure for MS.

> I wasn't sure what you meant by the last sentence "if you also match for
> your IUsr* accounts the user rights IIS will plug in for the default
> IUsr_account." Could you elaborate?
>

If your IIS uses the default Iusr/Iwam, or rather if it still has them
defined whether used or not, then on IIS start these get plugged into
some of the login user rights. I was saying that for your Iusr/Iwam
equivalents you need to grant the same.
>
>> The membership in Guests is just spin. In a default install the IUsr
>> is a member of Users via Authenticated Users (in cases also via the
>> Interactive member of Users), and it is this membership in Users
>> that lets the account do what it needs beyond web content read/exec.
>
> Unfortunately, in our installations, we take Authenticated Users out of
> Users and instead add explicit entities, to give tighter control on server
> access. So what was automatic in a default install becomes some
> detective
> work in our case.
>
Yep, removing it and Interactive from Users has been a standard
practice of mine for servers and clients since MS started doing this
(and they do not seem to listen when I have said it is just a cop-out
config systems as is done - sort of like the old Everyone Full but this
one did not get weeded out in the "security purge")

Roger

>
>> "Will" wrote in message
>> news:A5-dne8Wp8I9mWXanZ2dnUVZ_vShnZ2d@giganews.com...
>> > By default, IIS 6 puts the special IUSR_ account into the
>> > local Guests group. Unfortunately our standard installation environment
>> > for Windows 2003 has a number of settings that are hostile to guest
>> > accounts. Does anyone have a list of which of the following the special
>> > IUSR account needs?
>> >
>> > - Windows user privileges
>> > - registry key access
>> > - file system object access
>> >
>> > If I could enumerate these I could make sure that the Guests group has
>> > access to just the minimum set of objects and privileges needed for IIS to
>> > use this account to run a web site, or alternately I could create a new
>> > local group, assign it the required permissions, and move IUSR over to
>> > that local group.
>> >
>> > --
>> > Will
>
>
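
Roger's point above is that IIS grants the default IUSR_/IWAM_ accounts certain logon user rights when it starts, and that replacement accounts (which he elsewhere suggests keeping in one dedicated local group) have to be given the same rights by hand. The PowerShell below is an added example, not from either poster: it exports the current user rights assignment with secedit, finds every right the default IIS accounts hold, and writes and applies an INF that adds a custom group to those same rights. The account names and the group name WebAnonymous are assumptions; the INF layout is the one secedit actually uses. KB 812614, linked earlier in the thread, is the reference for what the defaults should be.

```powershell
# Added example (not from the thread): copy the user rights this machine has granted the
# default IUSR_/IWAM_ accounts onto a custom local group, so replacement accounts that are
# members only of that group get what IIS "plugs in" for the defaults. Account and group
# names are assumptions; the secedit INF layout is the real one. Run from an administrator shell.

$SourceAccounts = @('IUSR_WEB01', 'IWAM_WEB01')   # assumed default IIS accounts
$TargetGroup    = 'WebAnonymous'                  # assumed local group you created
$ExportInf      = Join-Path $env:TEMP 'rights-export.inf'
$ApplyInf       = Join-Path $env:TEMP 'rights-apply.inf'

function Get-AccountSid {
    param([string]$Name)
    (New-Object System.Security.Principal.NTAccount($Name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UserRightsFromInf {
    # Parses [Privilege Rights] from a secedit export into a hashtable: right -> array of SIDs.
    # Lines look like:  SeNetworkLogonRight = *S-1-5-32-545,*S-1-5-21-...-1003
    param([string]$InfPath)
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $InfPath) {
        if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $rights[$matches[1]] = @($matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    $rights
}

function Get-RightsHeldBy {
    # Names of the rights whose grantee list contains any of the given SIDs.
    param([hashtable]$Rights, [string[]]$Sids)
    foreach ($right in ($Rights.Keys | Sort-Object)) {
        foreach ($sid in $Sids) {
            if ($Rights[$right] -contains $sid) { $right; break }
        }
    }
}

function New-UserRightsInf {
    # Writes an INF adding $GranteeSid to each named right. secedit replaces a right's whole
    # grantee list, so the existing grantees are repeated rather than dropped.
    param([hashtable]$Rights, [string[]]$RightNames, [string]$GranteeSid, [string]$OutPath)
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
               '[Privilege Rights]')
    foreach ($r in $RightNames) {
        $grantees = @($Rights[$r]) + $GranteeSid | Select-Object -Unique | ForEach-Object { "*$_" }
        $lines += "$r = " + ($grantees -join ',')
    }
    $lines | Set-Content -Path $OutPath -Encoding Unicode
    $OutPath
}

# 1. Export the effective user rights assignment.
secedit /export /cfg $ExportInf /areas USER_RIGHTS | Out-Null

# 2. Which rights do the default IIS accounts hold? (Accounts that no longer exist are skipped.)
$sourceSids = @($SourceAccounts | ForEach-Object { try { Get-AccountSid $_ } catch { } })
$rights     = Get-UserRightsFromInf $ExportInf
$held       = @(Get-RightsHeldBy -Rights $rights -Sids $sourceSids)
"Rights held by $($SourceAccounts -join '/'): $($held -join ', ')"

# 3. Grant the same rights to the custom group. Review $ApplyInf before running this step.
$inf = New-UserRightsInf -Rights $rights -RightNames $held -GranteeSid (Get-AccountSid $TargetGroup) -OutPath $ApplyInf
secedit /configure /db (Join-Path $env:TEMP 'rights.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null
```

Two caveats worth keeping in mind. The export only shows rights that are explicitly assigned; if the machine is in a domain, Group Policy can overwrite the local assignment at the next refresh, so the same INF (or an equivalent GPO setting) has to be applied there. And the list is deliberately a superset: IWAM_ typically holds rights the anonymous account never needs, so if one group serves both roles, trim what step 2 reports before applying it.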

Re: Minimum Permissions for IUSR Account

on 08.04.2008 07:56:42 by Roger Abell

"Will" wrote in message
news:A5-dne8Wp8I9mWXanZ2dnUVZ_vShnZ2d@giganews.com...
> By default, IIS 6 puts the special IUSR_ account into the
> local Guests group. Unfortunately our standard installation environment
> for Windows 2003 has a number of settings that are hostile to guest
> accounts. Does anyone have a list of which of the following the special
> IUSR account needs?
>
> - Windows user privileges
> - registry key access
> - file system object access
>
> If I could enumerate these I could make sure that the Guests group has
> access to just the minimum set of objects and privileges needed for IIS to
> use this account to run a web site, or alternately I could create a new
> local group, assign it the required permissions, and move IUSR over to
> that
> local group.
>

A PS Will

It has been since IIS 4 that you could define a group,
make your IIS use accounts members only of this group
you defined and used nowhere, and have everything
work fine. Lately it's not just COM launch/use, or dyn
global system objects, but also now NetFx caspol reqs.

Roger

Re: Minimum Permissions for IUSR Account

on 08.04.2008 09:15:50 by Will

"Roger Abell [MVP]" wrote in message
news:uo%23BObHmIHA.3512@TK2MSFTNGP03.phx.gbl...
> "Will" wrote in message
> news:6r6dncLLYNFqj2TanZ2dnUVZ_rmjnZ2d@giganews.com...
>> "Roger Abell [MVP]" wrote in message
>> news:%23QENr5%23lIHA.4480@TK2MSFTNGP03.phx.gbl...
>>> You have fallen into a MS trap, use of Guests membership to
>>> make one believe the account is somehow limited. In point of
>>> fact, if you just make your IUsr* accounts members of Users and
>>> give them grants to web content then everything needed is allowed
>>> if you also match for your IUsr* accounts the user rights IIS will
>>> plug in for the default IUsr_ account.
>>
>> Well I did know that adding the IUSR account to Users made everything
>> work
>> again. But if possible I wanted IUSR to run with *more* restrictive
>> permissions than local Users group.
>>
>
> Understand, and understood when I posted.
> I went down the path once also and ended up with belief that
> lacking Users membership lead to some component permissions
> that were lacking and I did not have time to track down. On my
> IIS boxes, Users equals admins of the server, the IIS backside
> accounts, web content authors, and browsing users of non-anonymous
> websites. I would love to remove any one of the last three but have
> found doing so for each lead to issues I do not get the time to track
> down and cure for MS.

I created a local user account to use for testing, and a local user group to
represent web anonymous users that has as its only member for now that test
account.

I was able to debug things to the point where I can now successfully login
to the console using that test account *without* making that test account
either explicitly or implicitly a member of the local users group. Believe
me, just getting that far was an accomplishment. :)

Now, what stops me from completing the task and actually getting this test
account to run a web site as the anonymous user in IIS 6 is that the IIS 6
web logs are incredibly poor in their detail. I get 403 Forbidden errors
from IIS, and those get logged, but 403 on what resource?!?!? I understand
not revealing the resource name to the web browser, but what is the point of
hiding such critical information from the web server administrator as well?!

At this point I have rid the eventviewer of failure audits on any file
system or registry resource. But IIS just isn't giving me the detail I
need to go further. Any ideas on how to provoke IIS to give me a more
detailed account of what resources it cannot access as the anonymous user?

My pure guess here is that the eventviewer is incapable of logging these
failures because the IIS process runs as SYSTEM, and the subsystem(s) that
log failures to eventviewer somehow are not able to "see" access failures in
the context of a separate thread within a process that has different
security context from the process itself. Other than that, I cannot explain
why IIS registers a 403 failure but the eventviewer sees no failure.

The test account has identically mirrored permissions on
inetpub\wwwroot\ as does the local Users group, so I really doubt
the resource that is generating the 403 is anywhere in the web site file
tree. It's probably a common system dll, error file, or whatever, that is
silently registering the failure.

Does anyone know if the IIS in Windows 2008 is going to improve on this
poor detail on failures in the IIS web log? That alone would be a reason
to upgrade.

So close but still so far....

--
Will
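
The post above asks how to get IIS 6 to say which resource produced the 403, and why no failure audit shows up. Two facts help here, neither taken from the thread. First, IIS 6 added the sc-substatus and sc-win32-status fields to the W3C log (check they are selected in the site's logging properties): an NTFS denial of the impersonated account is reported as 401.3 with win32 status 5 (ERROR_ACCESS_DENIED), while the 403.x codes mean IIS-level restrictions such as metabase Read/Execute flags, directory listing or CGI limits, and the cs-uri-stem on the same line names the resource. Second, in IIS 6 worker process isolation mode w3wp.exe runs as the application pool identity (Network Service by default) and impersonates the anonymous account on the request thread, so a denied open is audited under that account, but only when object access failure auditing is enabled and the object's SACL names the account (or Everyone). The PowerShell below is an added example, not from either poster: it summarizes 401/403 log lines by URI, substatus and win32 status, and adds a failure SACL for a given account. The log lines are constructed for the example; the account and path in the usage note are assumptions.

```powershell
# Added example (not from the thread): get the detail IIS 6 does record for a denied
# request. The W3C log fields sc-substatus and sc-win32-status narrow a bare 403 or 401
# to a cause and to the cs-uri-stem that was hit; win32 status 5 is ERROR_ACCESS_DENIED.
# The log lines below are constructed for the example, not real traffic.

$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-04-08 07:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-04-08 07:00:01 10.0.0.5 GET /index.htm - 80 - 10.0.0.9 Mozilla/4.0 200 0 0
2008-04-08 07:00:02 10.0.0.5 GET /app/default.asp - 80 - 10.0.0.9 Mozilla/4.0 401 3 5
2008-04-08 07:00:03 10.0.0.5 GET /app/default.asp - 80 - 10.0.0.9 Mozilla/4.0 401 3 5
2008-04-08 07:00:04 10.0.0.5 GET /private/ - 80 - 10.0.0.9 Mozilla/4.0 403 14 0
2008-04-08 07:00:05 10.0.0.5 GET /cgi/test.exe - 80 - 10.0.0.9 Mozilla/4.0 403 19 0
'@

# IIS 6 substatus codes that come up while chasing account permissions.
$substatusText = @{
    '401.3'  = 'Unauthorized due to ACL on resource (NTFS denied the impersonated account)'
    '403.1'  = 'Execute access forbidden (metabase AccessExecute not set)'
    '403.2'  = 'Read access forbidden (metabase AccessRead not set)'
    '403.3'  = 'Write access forbidden'
    '403.14' = 'Directory listing denied'
    '403.18' = 'Cannot execute requested URL in the current application pool'
    '403.19' = 'Cannot execute CGIs for the client in this application pool'
}

function ConvertFrom-IisW3cLog {
    # Turns W3C log text into objects whose property names come from the #Fields line.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line -like '#*' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line -split ' '
        $entry = New-Object PSObject
        for ($i = 0; $i -lt $fields.Length; $i++) {
            $entry | Add-Member NoteProperty $fields[$i] $values[$i]
        }
        $entry
    }
}

function Get-IisDeniedSummary {
    # One row per (URI, status.substatus, win32 status) for 401/403 responses.
    param([string[]]$Lines)
    ConvertFrom-IisW3cLog $Lines |
        Where-Object { $_.'sc-status' -eq '401' -or $_.'sc-status' -eq '403' } |
        Group-Object 'cs-uri-stem', 'sc-status', 'sc-substatus', 'sc-win32-status' |
        ForEach-Object {
            $first = $_.Group[0]
            $code  = $first.'sc-status' + '.' + $first.'sc-substatus'
            $text  = if ($substatusText.ContainsKey($code)) { $substatusText[$code] } else { 'see the IIS status code reference' }
            New-Object PSObject -Property @{
                Uri          = $first.'cs-uri-stem'
                Code         = $code
                Win32        = $first.'sc-win32-status'
                AccessDenied = ($first.'sc-win32-status' -eq '5')
                Hits         = $_.Count
                Meaning      = $text
            }
        }
}

function Add-FailureAudit {
    # Puts a failure SACL for $Account on $Path so a denied open by the impersonated
    # anonymous account is audited (event 560 on Windows 2003, 4656 on 2008 and later).
    # "Audit object access: Failure" must be enabled in Local Security Policy; run elevated.
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Account, 'ReadData,ExecuteFile,ReadAttributes', 'ContainerInherit,ObjectInherit', 'None', 'Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Get-IisDeniedSummary ($sampleLog -split "`r?`n") |
    Format-Table Uri, Code, Win32, AccessDenied, Hits, Meaning -AutoSize
```

Against a real server, feed it the day's log, for example `Get-IisDeniedSummary (Get-Content 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex080408.log')` (the default IIS 6 log location; the site id and date are assumptions), and put the SACL on the content root with `Add-FailureAudit -Path 'C:\Inetpub\wwwroot' -Account 'WEB01\IUSR_WEB01'` (assumed names). A 403 with win32 status 0 and no audit event is the normal pattern for an IIS-level restriction rather than an NTFS denial, so in that case the thing to check is the metabase permission on the virtual directory, not the ACL.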

Re: Minimum Permissions for IUSR Account

on 09.04.2008 15:15:19 by Roger Abell

"Will" wrote in message
news:jO-dnbFccfs7hmbanZ2dnUVZ_uqvnZ2d@giganews.com...
> "Roger Abell [MVP]" wrote in message
> news:uo%23BObHmIHA.3512@TK2MSFTNGP03.phx.gbl...
>> "Will" wrote in message
>> news:6r6dncLLYNFqj2TanZ2dnUVZ_rmjnZ2d@giganews.com...
>>> "Roger Abell [MVP]" wrote in message
>>> news:%23QENr5%23lIHA.4480@TK2MSFTNGP03.phx.gbl...
>>>> You have fallen into a MS trap, use of Guests membership to
>>>> make one believe the account is somehow limited. In point of
>>>> fact, if you just make your IUsr* accounts members of Users and
>>>> give them grants to web content then everything needed is allowed
>>>> if you also match for your IUsr* accounts the user rights IIS will
>>>> plug in for the default IUsr_ account.
>>>
>>> Well I did know that adding the IUSR account to Users made everything
>>> work
>>> again. But if possible I wanted IUSR to run with *more* restrictive
>>> permissions than local Users group.
>>>
>>
>> Understand, and understood when I posted.
>> I went down the path once also and ended up with belief that
>> lacking Users membership lead to some component permissions
>> that were lacking and I did not have time to track down. On my
>> IIS boxes, Users equals admins of the server, the IIS backside
>> accounts, web content authors, and browsing users of non-anonymous
>> websites. I would love to remove any one of the last three but have
>> found doing so for each lead to issues I do not get the time to track
>> down and cure for MS.
>
> I created a local user account to use for testing, and a local user group
> to represent web anonymous users that has as its only member for now that
> test account.
>
> I was able to debug things to the point where I can now successfully login
> to the console using that test account *without* making that test account
> either explicitly or implicitly a member of the local users group.
> Believe me, just getting that far was an accomplishment. :)
>

I do believe you !!! The last time I touched bases with MS people
on this I was left with the impression those few MS folks thought
local login would be impossible without Users membership. It may
be that you just did not do enough after the console login to start to
run into problems (?). I would be interested in your list of what all
you had to touch/modify. Was the account first allowed one login
as a Users member, or was the first-time login also handled when
not a Users member?

It's all a moot point anyway as the anonymous account only needs
network login for its most common IIS usage. Are you also taking
the IWam into account in your restriction attempts? Its behaviors
and needs vary based on what the web content does.

> Now, what stops me from completing the task and actually getting this test
> account to run a web site as the anonymous user in IIS 6 is that the IIS 6
> web logs are incredibly poor in their detail. I get 403 Forbidden errors
> from IIS, and those get logged, but 403 on what resource?!?!? I
> understand not revealing the resource name to the web browser, but what is
> the point of hiding such critical information from the web server
> administrator as well?!
>
> At this point I have rid the eventviewer of failure audits on any file
> system or registry resource. But IIS just isn't giving me the detail I
> need to go further. Any ideas on how to provoke IIS to give me a more
> detailed account of what resources it cannot access as the anonymous user?
>

That would be nice to know (i.e. I cannot help on that one)

> My pure guess here is that the eventviewer is incapable of logging these
> failures because the IIS process runs as SYSTEM, and the subsystem(s) that
> log failures to eventviewer somehow are not able to "see" access failures
> in the context of a separate thread within a process that has different
> security context from the process itself. Other than that, I cannot
> explain why IIS registers a 403 failure but the eventviewer sees no
> failure.
>

I don't think it is an issue with crossing process boundaries.
There are quite a few things that do log extended info without
issue due to different security contexts. I mean, if the parent
was designed to log the info received from the thread fail and
the thread passed the exception up raw for it to do so . . .

> The test account has identically mirrored permissions on
> inetpub\wwwroot\ as does the local Users group, so I really
> doubt the resource that is generating the 403 is anywhere in the web site
> file tree. It's probably a common system dll, error file, or whatever,
> that is silently registering the failure.
>

That is sort of where I dead-ended / lacked time to push further.
If I recall correctly (with audit recording any access failure, and
having none) I got it chased down to lack of permission on some
dynamic, global system objects.

> Does anyone know if the the IIS in Windows 2008 is going to improve on
> this poor detail on failures in the IIS web log? That alone would be a
> reason to upgrade.
>
> So close but still so far....
>
> --
> Will
>
>
