Security templates and IUSR account log on locally
on 01.07.2006 10:35:06 by Anthony Yates
Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain. Everything
standard.
1) The Microsoft security guide for IIS6.0 says that the IUSR account needs
Log on Locally rights.
2) The Microsoft group policy Enterprise security template for Member
Servers removes this right. When the policy is applied, anonymous access is
broken.
3) The Member Server template is a baseline for all servers. You are
supposed to ADD a Web Server template on top for web servers.
4) The Security Policy guide specifies that if you apply the more
restrictive Limited Functionality template to Member Servers, then you need
to move the web server out of that OU so the policy is not applied. By
inference you don't do this for the standard Enterprise policy template.
5) Question: do the policy templates contradict the security guide?
6) Question: I read somewhere that if you enable Basic authentication, you
no longer need the Log on Locally right for anon. Is that correct?
7) Question: I have enabled Advanced Digest authentication with the
UseDigestSSP property set in the metabase. This works fine. I read something
about this disabling subauthentication, and I recognise that
subauthentication is something to do with the way IIS handles the IUSR
account. Could it be that with Advanced Digest enabled, the IUSR account no
longer works unless it has Log on Locally rights?
Thanks very much,
Anthony
Re: Security templates and IUSR account log on locally
on 02.07.2006 00:51:31 by someone
http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS_Security_Templates_and_Anonymous_Authentication.aspx
Your questions actually had non-causal assumptions. I clarified them in the
blog entry
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Anthony" wrote in message
news:eSWWFlOnGHA.964@TK2MSFTNGP05.phx.gbl...
> Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain. Everything
> standard.
>
> 1) The Microsoft security guide for IIS6.0 says that the IUSR account
> needs Log on Locally rights.
> 2) The Microsoft group policy Enterprise security template for Member
> Servers removes this right. When the policy is applied, anonymous access
> is broken.
> 3) The Member Server template is a baseline for all servers. You are
> supposed to ADD a Web Server template on top for web servers.
> 4) The Security Policy guide specifies that if you apply the more
> restrictive Limited Functionality template to Member Servers, then you
> need to move the web server out of that OU so the policy is not applied.
> By inference you don't do this for the standard Enterprise policy
> template.
> 5) Question: do the policy templates contradict the security guide?
> 6) Question: I read somewhere that if you enable Basic authentication, you
> no longer need the Log on Locally right for anon. Is that correct?
> 7) Question: I have enabled Advanced Digest authentication with the
> UseDigestSSP property set in the metabase. This works fine. I read
> something about this disabling subauthentication, and I recognise that
> subauthentication is something to do with the way IIS handles the IUSR
> account. Could it be that with Advanced Digest enabled, the IUSR account
> no longer works unless it has Log on Locally rights?
>
> Thanks very much,
> Anthony
>
Re: Security templates and IUSR account log on locally
on 02.07.2006 00:52:06 by someone
Maybe you have a WebDAV link in your "My Network Places" special folder
(available from the Start Menu) to your webserver that the virus scanner
unknowingly traverses during scanning.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Anthony" wrote in message
news:eSWWFlOnGHA.964@TK2MSFTNGP05.phx.gbl...
> Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain. Everything
> standard.
>
> 1) The Microsoft security guide for IIS6.0 says that the IUSR account
> needs Log on Locally rights.
> 2) The Microsoft group policy Enterprise security template for Member
> Servers removes this right. When the policy is applied, anonymous access
> is broken.
> 3) The Member Server template is a baseline for all servers. You are
> supposed to ADD a Web Server template on top for web servers.
> 4) The Security Policy guide specifies that if you apply the more
> restrictive Limited Functionality template to Member Servers, then you
> need to move the web server out of that OU so the policy is not applied.
> By inference you don't do this for the standard Enterprise policy
> template.
> 5) Question: do the policy templates contradict the security guide?
> 6) Question: I read somewhere that if you enable Basic authentication, you
> no longer need the Log on Locally right for anon. Is that correct?
> 7) Question: I have enabled Advanced Digest authentication with the
> UseDigestSSP property set in the metabase. This works fine. I read
> something about this disabling subauthentication, and I recognise that
> subauthentication is something to do with the way IIS handles the IUSR
> account. Could it be that with Advanced Digest enabled, the IUSR account
> no longer works unless it has Log on Locally rights?
>
> Thanks very much,
> Anthony
>
Re: Security templates and IUSR account log on locally
on 02.07.2006 12:12:11 by someone
Hmm, weird newsgroup reader behavior. Don't remember sending this one
because it's not relevant to your question. :-) . The blog entry is all
about your question, though.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"David Wang [Msft]" wrote in message
news:OsmylDWnGHA.3436@TK2MSFTNGP02.phx.gbl...
> Maybe you have a WebDAV link in your "My Network Places" special folder
> (available from the Start Menu) to your webserver that the virus scanner
> unknowingly traverses during scanning.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
>
> "Anthony" wrote in message
> news:eSWWFlOnGHA.964@TK2MSFTNGP05.phx.gbl...
>> Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain.
>> Everything standard.
>>
>> 1) The Microsoft security guide for IIS6.0 says that the IUSR account
>> needs Log on Locally rights.
>> 2) The Microsoft group policy Enterprise security template for Member
>> Servers removes this right. When the policy is applied, anonymous access
>> is broken.
>> 3) The Member Server template is a baseline for all servers. You are
>> supposed to ADD a Web Server template on top for web servers.
>> 4) The Security Policy guide specifies that if you apply the more
>> restrictive Limited Functionality template to Member Servers, then you
>> need to move the web server out of that OU so the policy is not applied.
>> By inference you don't do this for the standard Enterprise policy
>> template.
>> 5) Question: do the policy templates contradict the security guide?
>> 6) Question: I read somewhere that if you enable Basic authentication,
>> you no longer need the Log on Locally right for anon. Is that correct?
>> 7) Question: I have enabled Advanced Digest authentication with the
>> UseDigestSSP property set in the metabase. This works fine. I read
>> something about this disabling subauthentication, and I recognise that
>> subauthentication is something to do with the way IIS handles the IUSR
>> account. Could it be that with Advanced Digest enabled, the IUSR account
>> no longer works unless it has Log on Locally rights?
>>
>> Thanks very much,
>> Anthony
>>
>
>
Re: Security templates and IUSR account log on locally
on 02.07.2006 18:09:42 by Roger Abell
Anthony,
You may also want to revisit the download for the W2k3 Security Guide as
it had a minor revision posted to the web on 6/29, the main impact of which was
updates to the inf files, not to the doc text.
The issue with using the templates out-of-the-box for situations like the
one you outline is that there is no standard name that would be suited
for use, in this case, for the grant of the Log on locally user right.
I circumvent the problem by defining a practice that each IIS will have
standard named groups that collect all IUsr_ and all IWam_ accounts
defined on the IIS box. Then, at domain level I can use this to grant the
needed user rights, since by convention it will exist on each IIS box.
Roger
"Anthony" wrote in message
news:eSWWFlOnGHA.964@TK2MSFTNGP05.phx.gbl...
> Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain. Everything
> standard.
>
> 1) The Microsoft security guide for IIS6.0 says that the IUSR account
> needs Log on Locally rights.
> 2) The Microsoft group policy Enterprise security template for Member
> Servers removes this right. When the policy is applied, anonymous access
> is broken.
> 3) The Member Server template is a baseline for all servers. You are
> supposed to ADD a Web Server template on top for web servers.
> 4) The Security Policy guide specifies that if you apply the more
> restrictive Limited Functionality template to Member Servers, then you
> need to move the web server out of that OU so the policy is not applied.
> By inference you don't do this for the standard Enterprise policy
> template.
> 5) Question: do the policy templates contradict the security guide?
> 6) Question: I read somewhere that if you enable Basic authentication, you
> no longer need the Log on Locally right for anon. Is that correct?
> 7) Question: I have enabled Advanced Digest authentication with the
> UseDigestSSP property set in the metabase. This works fine. I read
> something about this disabling subauthentication, and I recognise that
> subauthentication is something to do with the way IIS handles the IUSR
> account. Could it be that with Advanced Digest enabled, the IUSR account
> no longer works unless it has Log on Locally rights?
>
> Thanks very much,
> Anthony
>
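As an added example that is not part of any post in this thread: the check below, in Python, reads the [Privilege Rights] section of secedit-style .inf templates and resolves SeInteractiveLogonRight (the "Log on locally" right) the way Group Policy does, where the highest-precedence GPO that defines a user right replaces the whole list rather than merging with the baseline. It uses two constructed template fragments and a hypothetical local group name, IIS_AnonAccounts, standing in for the per-box group convention Roger describes; neither the fragments nor the group name come from the thread or from Microsoft's templates.

```python
"""Effective 'Log on locally' grant after layering security templates.

Added example for this thread, not Microsoft's tooling. The two .inf
fragments are constructed to mimic the [Privilege Rights] section secedit
writes; IIS_AnonAccounts is a hypothetical local-group name standing in for
the per-box convention Roger describes. Real .inf files are UTF-16 on disk:
decode them (open(path, encoding="utf-16")) before passing the text in.
"""
import re
from typing import Dict, List, Optional

LOG_ON_LOCALLY = "SeInteractiveLogonRight"
ANON_GROUP = "IIS_AnonAccounts"  # hypothetical convention, one group per IIS box

# Constructed baseline: only Administrators (*S-1-5-32-544) may log on locally.
BASELINE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-7
"""

# Constructed web-server overlay: re-grants the right to the conventional group.
WEBSERVER_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,IIS_AnonAccounts
"""


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Map each privilege in [Privilege Rights] to its list of principals.

    Principals appear as *SID strings or as account/group names. A key with an
    empty value means 'granted to nobody' and yields an empty list.
    """
    rights: Dict[str, List[str]] = {}
    section: Optional[str] = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        rights[key.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def effective_grant(templates: List[str], privilege: str) -> Optional[List[str]]:
    """Resolve a user right across templates applied in precedence order.

    User Rights Assignment settings do not merge across GPOs: the last policy
    that defines the privilege replaces the entire list. None means no template
    touched the right, so the machine's existing setting stays in force.
    """
    grant: Optional[List[str]] = None
    for inf_text in templates:
        rights = parse_privilege_rights(inf_text)
        if privilege in rights:
            grant = rights[privilege]
    return grant


def anonymous_group_granted(templates: List[str], group: str = ANON_GROUP) -> bool:
    """True when the conventional anonymous-accounts group keeps the right."""
    grant = effective_grant(templates, LOG_ON_LOCALLY)
    return grant is not None and group in grant


if __name__ == "__main__":
    # Baseline alone: anonymous authentication will fail on the web server.
    print("baseline only:", anonymous_group_granted([BASELINE_INF]))
    # Baseline then web-server template: the overlay wins and restores it.
    print("baseline + web:", anonymous_group_granted([BASELINE_INF, WEBSERVER_INF]))
    # Reversed precedence: the baseline wins and the grant is lost again.
    print("web + baseline:", anonymous_group_granted([WEBSERVER_INF, BASELINE_INF]))
```

The point to take from the ordering cases is that the web server template only helps if it is linked where it wins precedence over the member server baseline, and that a domain-level policy can only name a group that exists under the same name on every IIS box, since IUSR_<machine> itself differs per machine.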
Re: Security templates and IUSR account log on locally
on 03.07.2006 14:22:22 by Anthony Yates
Thanks Roger and David for these replies.
My questions are exclusively about the default behaviour of IIS6 in a
Windows 2003 domain. It does seem that:
1) anon authentication requires the Log on Locally right for the IUSR
account, as the IIS guide says.
2) the Enterprise security template for Member Servers breaks IIS6 anon
authentication. The Windows 2003 Security Guide is wrong on this point, as
the guideline is to apply the member servers baseline policy and then the
web servers policy. It only says you can't do this for the Restricted
Functionality template:
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch09.mspx#EAF.
Evidently you need to do the same for the Enterprise template as well. The
reason is obvious once you accept that 1) is correct.
3) Advanced Digest and Subauthentication are a red herring in this context.
I can see that Roger's solution is the only way to control the Log on
Locally right for IUSR accounts in group policy.
Regards,
Anthony
"Roger Abell [MVP]" wrote in message
news:OOI9rHfnGHA.1668@TK2MSFTNGP05.phx.gbl...
> Anthony,
>
> You may also want to revisit the download for the W2k3 Security Guide as
> it had a minor revision posted to the web on 6/29, the main impact of which was
> updates to the inf files, not to the doc text.
>
> The issue with using the templates out-of-the-box for situations like the
> one you outline is that there is no standard name that would be suited
> for use, in this case, for the grant of the Log on locally user right.
> I circumvent the problem by defining a practice that each IIS will have
> standard named groups that collect all IUsr_ and all IWam_ accounts
> defined on the IIS box. Then, at domain level I can use this to grant the
> needed user rights, since by convention it will exist on each IIS box.
>
> Roger
> "Anthony" wrote in message
> news:eSWWFlOnGHA.964@TK2MSFTNGP05.phx.gbl...
>> Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain.
>> Everything standard.
>>
>> 1) The Microsoft security guide for IIS6.0 says that the IUSR account
>> needs Log on Locally rights.
>> 2) The Microsoft group policy Enterprise security template for Member
>> Servers removes this right. When the policy is applied, anonymous access
>> is broken.
>> 3) The Member Server template is a baseline for all servers. You are
>> supposed to ADD a Web Server template on top for web servers.
>> 4) The Security Policy guide specifies that if you apply the more
>> restrictive Limited Functionality template to Member Servers, then you
>> need to move the web server out of that OU so the policy is not applied.
>> By inference you don't do this for the standard Enterprise policy
>> template.
>> 5) Question: do the policy templates contradict the security guide?
>> 6) Question: I read somewhere that if you enable Basic authentication,
>> you no longer need the Log on Locally right for anon. Is that correct?
>> 7) Question: I have enabled Advanced Digest authentication with the
>> UseDigestSSP property set in the metabase. This works fine. I read
>> something about this disabling subauthentication, and I recognise that
>> subauthentication is something to do with the way IIS handles the IUSR
>> account. Could it be that with Advanced Digest enabled, the IUSR account
>> no longer works unless it has Log on Locally rights?
>>
>> Thanks very much,
>> Anthony
>>
>
>
Re: Security templates and IUSR account log on locally
on 04.07.2006 10:07:17 by Roger Abell
Hi Anthony,
Thank you for your summation.
I am not so sure the route I outlined is the only resolution, but it is one
I have found of use. Alternatively one can let the machine local Users
group carry the load of granting local logon user right, and institute shop
standards/practices that minimize Users membership for example.
As you may have noticed, I was involved in edit review of the W2k3
guidance, and I am passing along your astute observations relative to
the discussions of the templates so that a future revision of the text might
be clarified.
Roger
"Anthony Yates" wrote in message
news:urrtRtpnGHA.780@TK2MSFTNGP04.phx.gbl...
> Thanks Roger and David for these replies.
> My questions are exclusively about the default behaviour of IIS6 in a
> Windows 2003 domain. It does seem that:
> 1) anon authentication requires the Log on Locally right for the IUSR
> account, as the IIS guide says.
> 2) the Enterprise security template for Member Servers breaks IIS6 anon
> authentication. The Windows 2003 Security Guide is wrong on this point, as
> the guideline is to apply the member servers baseline policy and then the
> web servers policy. It only says you can't do this for the Restricted
> Functionality template:
> http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch09.mspx#EAF.
> Evidently you need to do the same for the Enterprise template as well. The
> reason is obvious once you accept that 1) is correct.
> 3) Advanced Digest and Subauthentication are a red herring in this context.
> I can see that Roger's solution is the only way to control the Log on
> Locally right for IUSR accounts in group policy.
> Regards,
> Anthony
>
>
>
> "Roger Abell [MVP]" wrote in message
> news:OOI9rHfnGHA.1668@TK2MSFTNGP05.phx.gbl...
>> Anthony,
>>
>> You may also want to revisit the download for the W2k3 Security Guide as
>> it had a minor revision posted to the web on 6/29, the main impact of which was
>> updates to the inf files, not to the doc text.
>>
>> The issue with using the templates out-of-the-box for situations like the
>> one you outline is that there is no standard name that would be suited
>> for use, in this case, for the grant of the Log on locally user right.
>> I circumvent the problem by defining a practice that each IIS will have
>> standard named groups that collect all IUsr_ and all IWam_ accounts
>> defined on the IIS box. Then, at domain level I can use this to grant
>> the
>> needed user rights, since by convention it will exist on each IIS box.
>>
>> Roger
>> "Anthony" wrote in message
>> news:eSWWFlOnGHA.964@TK2MSFTNGP05.phx.gbl...
>>> Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain.
>>> Everything standard.
>>>
>>> 1) The Microsoft security guide for IIS6.0 says that the IUSR account
>>> needs Log on Locally rights.
>>> 2) The Microsoft group policy Enterprise security template for Member
>>> Servers removes this right. When the policy is applied, anonymous access
>>> is broken.
>>> 3) The Member Server template is a baseline for all servers. You are
>>> supposed to ADD a Web Server template on top for web servers.
>>> 4) The Security Policy guide specifies that if you apply the more
>>> restrictive Limited Functionality template to Member Servers, then you
>>> need to move the web server out of that OU so the policy is not applied.
>>> By inference you don't do this for the standard Enterprise policy
>>> template.
>>> 5) Question: do the policy templates contradict the security guide?
>>> 6) Question: I read somewhere that if you enable Basic authentication,
>>> you no longer need the Log on Locally right for anon. Is that correct?
>>> 7) Question: I have enabled Advanced Digest authentication with the
>>> UseDigestSSP property set in the metabase. This works fine. I read
>>> something about this disabling subauthentication, and I recognise that
>>> subauthentication is something to do with the way IIS handles the IUSR
>>> account. Could it be that with Advanced Digest enabled, the IUSR account
>>> no longer works unless it has Log on Locally rights?
>>>
>>> Thanks very much,
>>> Anthony
>>>
>>
>>
>
>
Re: Security templates and IUSR account log on locally
on 10.07.2006 22:31:51 by Anthony Yates
Another strange aspect of the security templates. If you enable them for
member servers but not web servers, you can't connect from a member server
to a web server because of the Signing requirements. If you do enable the
template for web servers, anon authentication breaks.
Anthony
"Roger Abell [MVP]" wrote in message
news:eLH9ZD0nGHA.4124@TK2MSFTNGP03.phx.gbl...
> Hi Anthony,
>
> Thank you for your summation.
>
> I am not so sure the route I outlined is the only resolution, but it is
> one
> I have found of use. Alternatively one can let the machine local Users
> group carry the load of granting local logon user right, and institute
> shop
> standards/practices that minimize Users membership for example.
>
> As you may have noticed, I was involved in edit review of the W2k3
> guidance, and I am passing along your astute observations relative to
> the discussions of the templates so that a future revision of the text might
> be clarified.
>
> Roger
>
> "Anthony Yates" wrote in message
> news:urrtRtpnGHA.780@TK2MSFTNGP04.phx.gbl...
>> Thanks Roger and David for these replies.
>> My questions are exclusively about the default behaviour of IIS6 in a
>> Windows 2003 domain. It does seem that:
>> 1) anon authentication requires the Log on Locally right for the IUSR
>> account, as the IIS guide says.
>> 2) the Enterprise security template for Member Servers breaks IIS6 anon
>> authentication. The Windows 2003 Security Guide is wrong on this point,
>> as the guideline is to apply the member servers baseline policy and then
>> the web servers policy. It only says you can't do this for the Restricted
>> Functionality template:
>> http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch09.mspx#EAF.
>> Evidently you need to do the same for the Enterprise template as well.
>> The reason is obvious once you accept that 1) is correct.
>> 3) Advanced Digest and Subauthentication are a red herring in this
>> context.
>> I can see that Roger's solution is the only way to control the Log on
>> Locally right for IUSR accounts in group policy.
>> Regards,
>> Anthony
>>
>>
>>
>> "Roger Abell [MVP]" wrote in message
>> news:OOI9rHfnGHA.1668@TK2MSFTNGP05.phx.gbl...
>>> Anthony,
>>>
>>> You may also want to revisit the download for the W2k3 Security Guide as
>>> it had a minor revision posted to the web on 6/29, the main impact of which was
>>> updates to the inf files, not to the doc text.
>>>
>>> The issue with using the templates out-of-the-box for situations like
>>> the
>>> one you outline is that there is no standard name that would be suited
>>> for use, in this case, for the grant of the Log on locally user right.
>>> I circumvent the problem by defining a practice that each IIS will have
>>> standard named groups that collect all IUsr_ and all IWam_ accounts
>>> defined on the IIS box. Then, at domain level I can use this to grant
>>> the
>>> needed user rights, since by convention it will exist on each IIS box.
>>>
>>> Roger
>>> "Anthony" wrote in message
>>> news:eSWWFlOnGHA.964@TK2MSFTNGP05.phx.gbl...
>>>> Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain.
>>>> Everything standard.
>>>>
>>>> 1) The Microsoft security guide for IIS6.0 says that the IUSR account
>>>> needs Log on Locally rights.
>>>> 2) The Microsoft group policy Enterprise security template for Member
>>>> Servers removes this right. When the policy is applied, anonymous
>>>> access is broken.
>>>> 3) The Member Server template is a baseline for all servers. You are
>>>> supposed to ADD a Web Server template on top for web servers.
>>>> 4) The Security Policy guide specifies that if you apply the more
>>>> restrictive Limited Functionality template to Member Servers, then you
>>>> need to move the web server out of that OU so the policy is not
>>>> applied. By inference you don't do this for the standard Enterprise
>>>> policy template.
>>>> 5) Question: do the policy templates contradict the security guide?
>>>> 6) Question: I read somewhere that if you enable Basic authentication,
>>>> you no longer need the Log on Locally right for anon. Is that correct?
>>>> 7) Question: I have enabled Advanced Digest authentication with the
>>>> UseDigestSSP property set in the metabase. This works fine. I read
>>>> something about this disabling subauthentication, and I recognise that
>>>> subauthentication is something to do with the way IIS handles the IUSR
>>>> account. Could it be that with Advanced Digest enabled, the IUSR
>>>> account no longer works unless it has Log on Locally rights?
>>>>
>>>> Thanks very much,
>>>> Anthony
>>>>
>>>
>>>
>>
>>
>
>