Flaw in default permissions
on 12.07.2006 18:23:18 by Anthony Yates
The documentation states that the IUSR account by default has Read, Execute
NTFS permissions to the web site folders:
http://support.microsoft.com/?kbid=812614
I have done many default installations and it does not. It just has a Deny
Write. Any comments? Is that just a straightforward documentation error?
Anthony
Re: Flaw in default permissions
on 12.07.2006 18:34:13 by Anthony Yates
Furthermore, the document says that Anon also requires the Logon Locally
right. However another document:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true
explains that in IIS6 basic and anon authentication by default use the
NETWORK_CLEARTEXT method which does not require Logon Locally rights.
Any comments on that one?
Anthony
"Anthony Yates" wrote in message
news:%233lV49cpGHA.1440@TK2MSFTNGP03.phx.gbl...
> The documentation states that the IUSR account by default has Read,
> Execute NTFS permissions to the web site folders:
> http://support.microsoft.com/?kbid=812614
> I have done many default installations and it does not. It just has a Deny
> Write. Any comments? Is that just a straightforward documentation error?
> Anthony
>
Re: Flaw in default permissions
on 13.07.2006 02:42:19 by someone
Mixture of Documentation errors and "backwards compatibility" cruft.
This is how basic/anon authentication, network_cleartext, and "Logon
Locally" all fit together.
http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS_Security_Templates_and_Anonymous_Authentication.aspx
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Anthony Yates" wrote in message
news:%237Ql$DdpGHA.1140@TK2MSFTNGP05.phx.gbl...
> Furthermore, the document says that Anon also requires the Logon Locally
> right. However another document:
> http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true
> explains that in IIS6 basic and anon authentication by default use the
> NETWORK_CLEARTEXT method which does not require Logon Locally rights.
> Any comments on that one?
> Anthony
>
>
>
> "Anthony Yates" wrote in message
> news:%233lV49cpGHA.1440@TK2MSFTNGP03.phx.gbl...
>> The documentation states that the IUSR account by default has Read,
>> Execute NTFS permissions to the web site folders:
>> http://support.microsoft.com/?kbid=812614
>> I have done many default installations and it does not. It just has a
>> Deny Write. Any comments? Is that just a straightforward documentation
>> error?
>> Anthony
>>
>
>
Re: Flaw in default permissions
on 13.07.2006 09:21:54 by Anthony Yates
It's really quite an important documentation error. When something is not
working, I look to go back to the defaults. If the documentation about the
defaults is wrong, troubleshooting becomes much more difficult.
Anthony
"David Wang [Msft]" wrote in message
news:Obp6pXhpGHA.2256@TK2MSFTNGP03.phx.gbl...
> Mixture of Documentation errors and "backwards compatibility" cruft.
>
> This is how basic/anon authentication, network_cleartext, and "Logon
> Locally" all fit together.
>
> http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS_Security_Templates_and_Anonymous_Authentication.aspx
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
>
> "Anthony Yates" wrote in message
> news:%237Ql$DdpGHA.1140@TK2MSFTNGP05.phx.gbl...
>> Furthermore, the document says that Anon also requires the Logon Locally
>> right. However another document:
>> http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true
>> explains that in IIS6 basic and anon authentication by default use the
>> NETWORK_CLEARTEXT method which does not require Logon Locally rights.
>> Any comments on that one?
>> Anthony
>>
>>
>>
>> "Anthony Yates" wrote in message
>> news:%233lV49cpGHA.1440@TK2MSFTNGP03.phx.gbl...
>>> The documentation states that the IUSR account by default has Read,
>>> Execute NTFS permissions to the web site folders:
>>> http://support.microsoft.com/?kbid=812614
>>> I have done many default installations and it does not. It just has a
>>> Deny Write. Any comments? Is that just a straightforward documentation
>>> error?
>>> Anthony
>>>
>>
>>
>
>
Re: Flaw in default permissions
on 13.07.2006 09:53:15 by Ken Schaefer
That is not good about the documentation.
If you really want to be sure, I suppose you can check the secsetup.inf
security template that secedit uses to configure the NTFS permissions when
Windows Server 2003 is set up.
See:
http://support.microsoft.com/?kbid=313222
Cheers
Ken
"Anthony" wrote in message
news:ehgfT0kpGHA.524@TK2MSFTNGP05.phx.gbl...
> It's really quite an important documentation error. When something is not
> working, I look to go back to the defaults. If the documentation about the
> defaults is wrong, troubleshooting becomes much more difficult.
> Anthony
>
>
>
>
> "David Wang [Msft]" wrote in message
> news:Obp6pXhpGHA.2256@TK2MSFTNGP03.phx.gbl...
>> Mixture of Documentation errors and "backwards compatibility" cruft.
>>
>> This is how basic/anon authentication, network_cleartext, and "Logon
>> Locally" all fit together.
>>
>> http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS_Security_Templates_and_Anonymous_Authentication.aspx
>>
>> --
>> //David
>> IIS
>> http://blogs.msdn.com/David.Wang
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> //
>>
>> "Anthony Yates" wrote in message
>> news:%237Ql$DdpGHA.1140@TK2MSFTNGP05.phx.gbl...
>>> Furthermore, the document says that Anon also requires the Logon Locally
>>> right. However another document:
>>> http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true
>>> explains that in IIS6 basic and anon authentication by default use the
>>> NETWORK_CLEARTEXT method which does not require Logon Locally rights.
>>> Any comments on that one?
>>> Anthony
>>>
>>>
>>>
>>> "Anthony Yates" wrote in message
>>> news:%233lV49cpGHA.1440@TK2MSFTNGP03.phx.gbl...
>>>> The documentation states that the IUSR account by default has Read,
>>>> Execute NTFS permissions to the web site folders:
>>>> http://support.microsoft.com/?kbid=812614
>>>> I have done many default installations and it does not. It just has a
>>>> Deny Write. Any comments? Is that just a straightforward documentation
>>>> error?
>>>> Anthony
>>>>
>>>
>>>
>>
>>
>
>
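Ken's suggestion of reading the security template directly, as an added example (not code from this thread or from Microsoft): a small Python parser for the `[File Security]` section of a template such as secsetup.inf that decodes each SDDL ACE so Deny entries stand out. The sample entries and the SID in them are constructed placeholders; a real template's contents will differ.

```python
import re

# Constructed sample, NOT copied from a real secsetup.inf. The SID is a
# placeholder standing in for a local account such as the anonymous user.
SAMPLE_TEMPLATE = r'''
[File Security]
; "path",mode,"SDDL"
"%SystemDrive%\Inetpub\wwwroot",2,"D:P(D;CIOI;GW;;;S-1-5-21-0-0-0-1001)(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)"
[Registry Keys]
"MACHINE\Software\Example",2,"D:P(A;CI;GA;;;BA)"
'''

RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "FA": "FILE_ALL", "FR": "FILE_READ",
          "FW": "FILE_WRITE", "FX": "FILE_EXECUTE", "SD": "DELETE",
          "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
ACE_TYPES = {"A": "Allow", "D": "Deny"}
# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")
ENTRY_RE = re.compile(r'"([^"]+)"\s*,\s*\d+\s*,\s*"([^"]*)"')

def decode_rights(code):
    """Expand two-letter SDDL rights codes; hex access masks are kept raw."""
    if code.lower().startswith("0x"):
        return [code]
    return [RIGHTS.get(code[i:i + 2], code[i:i + 2]) for i in range(0, len(code), 2)]

def parse_file_security(text):
    """Return {path: [(ace_type, flags, rights, trustee), ...]}."""
    entries, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            path, sddl = m.groups()
            dacl = sddl.partition("S:")[0]  # ignore the SACL (audit) part
            entries[path] = [(ACE_TYPES.get(t, t), f, decode_rights(r), who)
                             for t, f, r, who in ACE_RE.findall(dacl)]
    return entries

def deny_aces(entries):
    """List (path, trustee, rights) for every Deny ACE."""
    return [(p, who, rights) for p, aces in entries.items()
            for kind, _flags, rights, who in aces if kind == "Deny"]

if __name__ == "__main__":
    print(deny_aces(parse_file_security(SAMPLE_TEMPLATE)))
```

Well-known trustees appear as two-letter aliases (for example `BU` for Users, `BA` for Administrators), while a local account shows up as a machine-specific SID that has to be resolved on the server itself.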
Re: Flaw in default permissions
on 13.07.2006 11:56:38 by someone
I do not think we ever definitively document what the "defaults" are because
it really depends with such a flexible system involved with IIS. Hence it is
sitting in a KB and not Technet/MSDN documentation.
I know how that KB's information came about - it is not definitive and
probably out of date already. It takes but one setup change to invalidate
the article, and people making those changes are often not aware of the KB
consequences.
The meaning of "default" can vary, depending on whether the system is
upgraded or clean installed, whether the machine is a DC or not, etc. The KB
only represents *one* working configuration; it definitely does not
represent the minimal/optimal configuration; it may not work for all
situations, and there may be other working configurations.
In other words, I don't bother returning to the defaults because it is not
guaranteed to make things work and hence cannot function the way you are
expecting and is useless for troubleshooting.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Anthony" wrote in message
news:ehgfT0kpGHA.524@TK2MSFTNGP05.phx.gbl...
> It's really quite an important documentation error. When something is not
> working, I look to go back to the defaults. If the documentation about the
> defaults is wrong, troubleshooting becomes much more difficult.
> Anthony
>
>
>
>
> "David Wang [Msft]" wrote in message
> news:Obp6pXhpGHA.2256@TK2MSFTNGP03.phx.gbl...
>> Mixture of Documentation errors and "backwards compatibility" cruft.
>>
>> This is how basic/anon authentication, network_cleartext, and "Logon
>> Locally" all fit together.
>>
>> http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS_Security_Templates_and_Anonymous_Authentication.aspx
>>
>> --
>> //David
>> IIS
>> http://blogs.msdn.com/David.Wang
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> //
>>
>> "Anthony Yates" wrote in message
>> news:%237Ql$DdpGHA.1140@TK2MSFTNGP05.phx.gbl...
>>> Furthermore, the document says that Anon also requires the Logon Locally
>>> right. However another document:
>>> http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true
>>> explains that in IIS6 basic and anon authentication by default use the
>>> NETWORK_CLEARTEXT method which does not require Logon Locally rights.
>>> Any comments on that one?
>>> Anthony
>>>
>>>
>>>
>>> "Anthony Yates" wrote in message
>>> news:%233lV49cpGHA.1440@TK2MSFTNGP03.phx.gbl...
>>>> The documentation states that the IUSR account by default has Read,
>>>> Execute NTFS permissions to the web site folders:
>>>> http://support.microsoft.com/?kbid=812614
>>>> I have done many default installations and it does not. It just has a
>>>> Deny Write. Any comments? Is that just a straightforward documentation
>>>> error?
>>>> Anthony
>>>>
>>>
>>>
>>
>>
>
>