Re: SCW question.
on 09.11.2006 16:36:52 by Roger Abell
Hi Dan,

For your detailed questions on the IIS docs relative to minimum required user rights, and perhaps also for verification of IIS 6's behavior relative to restoring which user rights to its default-form named IUsr_ and IWam_ accounts, I am cross-posting this to the inetserver.iis.security newsgroup. Hopefully David, Bernard, Ken, or another can clarify your specific questions on the doc conflicts.

As to your test: after the build, and before or after the join, but certainly before use of SCW, it would have been telling if you had removed the IUsr_machine and IWam_machine accounts from their user rights grants and then stopped and restarted all IIS services (i.e. IIS Admin and dependents). At one point during beta the IIS 6 team was talking about extending the IIS 5 behavior of guaranteeing user rights grants to all accounts (not just the default named ones), but I was very vocal against this (as a sys admin I do not want _anything_ touching what rights grants I have defined, even for the default named accounts) and I think they relented some but did keep the IIS-ish behavior for the default named accounts. I will check later after I get to the shop to see if there is something I can infer without tests. It would be a pretty simple test with a W2k3 virtual machine image around (Longhorn has pretty much pushed these out of storage for me).

Roger
"Dan Kyle" wrote in message
news:OcdOnZABHHA.4844@TK2MSFTNGP02.phx.gbl...
> Thanks for the info Roger,
>
> Here is some further testing I have done.
>
> Created a new server and installed IIS. Looked at the Local Security Policy and saw that the default rights for the IUSR and IWAM users are there. Added the server to the domain without any GPOs applied... Local Security Policy remains the same (obviously). I then moved the server to the required OU which has the Member Server GPO applied and rebooted. Looked at the Local Security Policy and the IUSR and IWAM users are no longer in any of the user rights (which coincides with my Member Server GPO settings). I then ran the SCW on the server utilizing only the IIS settings, created and applied the policy. Rebooted and found that the default user rights for IUSR and IWAM REAPPEARED in the Local Security Policy!!
>
> To test, I renamed the winlogon.log file, made a small change to the Member Server GPO and rebooted. Same behaviour. I was not able to make any changes to the Local Security Policy either. Checking the winlogon.log file, it shows that the IUSR, IWAM and IIS_WPG users are REMOVED from user rights, does not show them as being added, and yet they remain in the Local Security Policy.
>
> This is highly unusual. Thing is, it is more or less what I want, but I need to understand why this behaviour is happening to document it.
>
> As an aside... I am confused by some conflicting Microsoft documentation concerning IUSR user rights. The "IIS and Built-in Accounts (IIS)" Microsoft document states that the IUSR user requires explicit membership in "Allow log on locally", "Access this computer from the network" and "Log on as a batch job". The conflict lies in the IIS Help file, which states "In IIS 6.0, NETWORK_CLEARTEXT is the default logon type for Anonymous Authentication (and for Basic authentication). One result is that Anonymous authentication no longer requires the Allow log on locally user right". So... what is the real answer?? Funny thing is... on the new server with only the Member Server GPO applied, with no rights given to the IUSR user, I am able to browse the static web site on the server with only anonymous authentication enabled... very strange. Again, I must be missing something obvious.
>
> Look forward to your response.
>
> Is ANYONE else using SCW and noticing this behaviour?
>
> Dan
>
>
> "Roger Abell [MVP]" wrote in message
> news:uldUmz7AHHA.2316@TK2MSFTNGP04.phx.gbl...
>> What you describe that you have done with a uniformly named local group on each machine, which same group is named in the GPO, is precisely what I was also outlining. That gives a "middle ground" stance, where the GPO does (somewhat) control the user right, but where per-machine uniqueness is also possible via the per-machine membership in the uniformly named local group.
>>
>> As to the Iusr_ and Iwam_, I would need to check for your version W2k3/IIS6, but I know that W2k/IIS5 had the following behavior, and I think W2k3/IIS6 does also (I do not use Iusr_/Iwam_ but always define custom accounts). The behavior that I know was so in IIS 5 is that on startup the IIS binaries verify that the accounts have the needed user rights if and only if the accounts are the default Iusr_machine and Iwam_machine; but if custom accounts are used for the anonymous browse or the IIS COM isolation components, these are not populated into the minimum required user rights upon startup if needed. Again, I would have to check if the behavior remains, but it would explain what you see.
>>
>>
>> "Dan Kyle" wrote in message
>> news:%23X%23DLuzAHHA.2328@TK2MSFTNGP02.phx.gbl...
>>> Thank you for the response.
>>>
>>> The interesting thing is, I have made a small change to the GPO (and deleted the winlogon.log) and rebooted... the new GPO gets applied, but I still see the IUSR and IWAM users in the local security policy. The winlogon.log shows the SID for the accounts and shows it as "remove SeNetworkLogonRight, remove SeInteractiveLogonRight and remove SeBatchLogonRight". Nowhere else in the winlogon.log file do I see where it gets added. I must be missing something obvious here (and apologize if I am) but do not see where these rights are getting applied.
>>>
>>> I am interested in your Administrators+LclLogin and LclBatch... but do not quite understand; can you elaborate? What I have done is created a group on each of the servers with the same role and named the group the same. That way when I use the name of the group in the GPO it applies to all the servers.
>>>
>>> Dan
>>>
>>>
>>> "Roger Abell [MVP]" wrote in message
>>> news:ebNiGGvAHHA.3604@TK2MSFTNGP04.phx.gbl...
>>>> I think that what you are seeing can be explained by the fact that a GPO is applied when it has been seen to have changed based on its version number. Once applied, if defaults for policy application are still in effect, then it will not be reapplied until/unless it is seen as changed. So, when the accounts were added directly in the local policy into the user rights due to your application of the SCW results, and you are then concerned that the GPO is not redefining these, this may be the reason. You could for example make a minor, insignificant change to some setting in the GPO, and then later reverse this, in order to increase the version number of the GPO, and you should see the machine later noticing this and reapplying the GPO.
>>>>
>>>> On another note, your approach of defining a group to use in the GPO for the user rights is one way that I handle this issue. Basically, where you have a GPO applying something like these user rights that very often need to be quite unique per machine, if one lists the actual machine local accounts (you can do this, you just need to type them in rather than expecting to pick them via the user interface) then one ends up with a GPO per unique machine. That is not so convenient. Instead, I use such as LclLogin, LclBatch, etc. and then set the user right in the GPO to Administrators+LclLogin, or to LclBatch, etc., and the one GPO can apply to a number of machines where each machine defines its own LclLogin, LclBatch etc. membership (again, one needs to type in the group names).
>>>>
>>>>
>>>> "Dan Kyle" wrote in message
>>>> news:OZlCDhoAHHA.3604@TK2MSFTNGP04.phx.gbl...
>>>>> Hello,
>>>>>
>>>>> I am noticing some interesting results when using the SCW and Group Policies combined. I am wondering if someone can enlighten me on the GPO processing. I am following the Microsoft Windows 2003 Security Guide and have a Member Server GPO (using security templates) and below that I have an OU for an SMS server (but the question here is more for the IIS services of the Management Point). I have created a GPO for the SMS and had issues with the Management Point requiring IUSR_COMPUTERNAME and IWAM_COMPUTERNAME to have Log on locally, Access this computer from the network, Log on as a batch job and such. In the GPOs I created I cannot add these local computer user accounts to the User Rights Assignment portion. I ended up creating a new SMS GPO which overrode the Member Server settings for those user rights and set them to Not Defined. This worked and the MP works fine. I revisited and created a local group for the IUSR and IWAM user accounts and referenced it in the GPO... this worked and everything was working fine. Then I decided to play with SCW and see if it had any gains for me.
>>>>>
>>>>> Here is where I am confused... I ran the SCW wizard and used the XML file to create a GPO. Prior to applying the GPO I ran the SCW and applied the policy to the local computer. Upon reboot I noticed that the local IUSR and IWAM users were in the appropriate user rights for IIS to function. I rebooted again and lo and behold there they were again. Now I ran RSOP and they do not show up in there (obviously, since they are not referenced in the GPO that is being applied to the computer).
>>>>>
>>>>> So my question is... where are these settings coming from? If they reside in the local policy, why aren't they overwritten by the OU GPO which has different settings? I understood that the local policy will be overwritten by an AD policy. It seems that the AD policy is used but the IUSR and IWAM users are added to the specific rights. I am just trying to find out why and where this setting and functionality resides on the local computer.
>>>>>
>>>>> I hope I have explained with enough detail; if not, I will check back and provide any information required. It is great that the SCW provided me what I needed, but I need to understand why so I can document it.
>>>>>
>>>>> Dan
Re: SCW question.
on 09.11.2006 17:57:53 by Dan Kyle
Thanks again for the information. I can also perform the test you suggest and post the results.

I do have more to add. I left the server for a bit and returned to it and checked the Local Security Policy... and found the IUSR and IWAM users to NOT be there.

So, I rebooted and looked at the Local Security Policy and found them to be there (even though the winlogon.log showed them as being removed). I then ran a GPUPDATE /FORCE, looked at the Local Security Policy and they were GONE! Checked the winlogon.log and again it showed them as being removed... only this time they WERE removed. It looks like this is only an issue at boot time, and once the GPOs apply for a second time, the GPO hierarchy takes precedence.

So, why do the SCW settings take precedence at boot and then have to wait for the first GPO refresh to occur before being taken out?

Dan
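The check that Dan's boot-versus-gpupdate observation rests on, as an added example (this is editorial code, not code posted in the thread): export the effective user-rights assignment with `secedit /export /cfg <file>` once right after `gpupdate /force` and once after the next reboot, parse the `[Privilege Rights]` section of each export, and diff the two so that any grant re-added between the snapshots (here the default IUSR_/IWAM_ accounts) stands out. The same INF format is what a security template in the GPO carries, so the snapshot also shows Roger's typed-in LclLogin/LclBatch group names alongside the SID-form entries secedit writes for resolvable principals. The two INF texts, the host name WEB01, and the SIDs assigned to IUSR_WEB01/IWAM_WEB01 are constructed for the example.

```python
"""Diff two `secedit /export /cfg` snapshots to spot user-rights grants that
came back between them.  Added example; the INF texts and the SIDs below are
constructed for illustration, not captured from the thread's servers."""
from typing import Dict, List, Set

# secedit writes resolvable principals in SID form with a leading '*'.
# Well-known SIDs plus ASSUMED SIDs for the example host's IIS accounts.
SID_NAMES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-21-1111-2222-3333-1001": "IUSR_WEB01",   # assumed
    "S-1-5-21-1111-2222-3333-1002": "IWAM_WEB01",   # assumed
}

# Constructed snapshot taken right after `gpupdate /force`: only what the
# domain GPO defines.  LclLogin/LclBatch are the uniformly named local groups
# typed into the template; they stay as names because the GPO editor on the
# domain side cannot resolve a machine-local group to a SID.
AFTER_GPUPDATE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,LclLogin
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,LclLogin
SeBatchLogonRight = *S-1-5-32-544,LclBatch
SeDenyNetworkLogonRight = *S-1-5-7
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed snapshot taken after the next reboot: the default-named IIS
# accounts are back on the three logon rights, nothing else changed.
AFTER_BOOT_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,LclLogin,*S-1-5-21-1111-2222-3333-1001,*S-1-5-21-1111-2222-3333-1002
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,LclLogin,*S-1-5-21-1111-2222-3333-1001,*S-1-5-21-1111-2222-3333-1002
SeBatchLogonRight = *S-1-5-32-544,LclBatch,*S-1-5-21-1111-2222-3333-1001,*S-1-5-21-1111-2222-3333-1002
SeDenyNetworkLogonRight = *S-1-5-7
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text: str) -> Dict[str, Set[str]]:
    """Map each privilege in [Privilege Rights] to the set of principals
    holding it.  '*SID' tokens are translated through SID_NAMES (unknown SIDs
    are kept verbatim); bare tokens are names exactly as typed into the
    template.  Other sections of the export are ignored."""
    rights: Dict[str, Set[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        priv, _, value = line.partition("=")
        principals: Set[str] = set()
        for tok in value.split(","):
            tok = tok.strip()
            if tok.startswith("*"):
                principals.add(SID_NAMES.get(tok[1:], tok[1:]))
            elif tok:
                principals.add(tok)
        rights[priv.strip()] = principals
    return rights


def holders_of(rights: Dict[str, Set[str]], principal: str) -> List[str]:
    """Privileges that `principal` holds in a parsed snapshot, sorted."""
    return sorted(p for p, who in rights.items() if principal in who)


def regranted(before: Dict[str, Set[str]],
              after: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Per privilege, the principals present in `after` but absent from
    `before`: exactly the grants that something put back in between."""
    diff: Dict[str, List[str]] = {}
    for priv, who in after.items():
        added = who - before.get(priv, set())
        if added:
            diff[priv] = sorted(added)
    return diff


def report(before_inf: str, after_inf: str,
           watch=("IUSR_WEB01", "IWAM_WEB01")) -> Dict[str, List[str]]:
    """Print where the watched accounts stand in each snapshot and what was
    re-added; return the re-added grants so a caller can act on them."""
    before = parse_privilege_rights(before_inf)
    after = parse_privilege_rights(after_inf)
    for acct in watch:
        print(f"{acct}: before={holders_of(before, acct)} "
              f"after={holders_of(after, acct)}")
    diff = regranted(before, after)
    for priv, who in sorted(diff.items()):
        print(f"re-added to {priv}: {', '.join(who)}")
    return diff


if __name__ == "__main__":
    report(AFTER_GPUPDATE_INF, AFTER_BOOT_INF)
```

On a real server, replace the embedded strings with the contents of two files produced by `secedit /export /cfg C:\after_gpupdate.inf` and `secedit /export /cfg C:\after_boot.inf`; the export is written as UTF-16, so read it with `encoding="utf-16"`. Running `report()` on the snapshots should show the watched accounts absent after the refresh and present after the reboot, which is the pattern the thread describes; an empty diff means nothing re-granted the rights between the two points.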
"Roger Abell [MVP]" wrote in message
news:%23ycMjTBBHHA.992@TK2MSFTNGP03.phx.gbl...
Re: SCW question.
on 09.11.2006 19:58:06 by Dan Kyle
OK, so I created a new W2K3 server and installed IIS with the defaults. The IUSR and IWAM users were added to the required groups. I opened the Local Security Policy and deleted them from the groups, and rebooted. Lo and behold, they were BACK. It looks like this is not an SCW issue.

Now, again, what is causing this? Looks like you may have not been vocal enough to have them not add user rights for the IIS users.

Let me know what you find.

Thanks
Dan
"Dan Kyle" wrote in message
news:%23hRszACBHHA.3540@TK2MSFTNGP03.phx.gbl...
> Thanks again for the information. I can also perform the test you suggest
> and post the results.
>
> I do have more to add. I left the Server for a bit and returned to it and
> checked the Local Security policy...and found the IUSR and IWAM users to
> NOT be there.
>
> SO..I rebooted and looked at the Local Security Policy and foun them to be
> there (even though the winlogon.log showed them as being removed). I then
> ran a GPUPDATE /FORCE ..looked at the Local Security Policy and they were
> GONE! CHecked the winlogon.log and again it showed them as being
> removed...only this time they WERE removed. It looks like this is only an
> issue at boot time and once the GPO's apply for a second time..the GPO
> hierarchy takes precedence.
>
> So..why do the SCW settings take precedence at boot and then have to wait
> for the first GPO refresh to occur before being taken out?
>
> Dan
>
>
>
> "Roger Abell [MVP]" wrote in message
> news:%23ycMjTBBHHA.992@TK2MSFTNGP03.phx.gbl...
>> Hi Dan,
>>
>> For your detailed questions on the IIS docs relative to minimum required
>> user rights, and perhaps also for verification of IIS 6's behavior
>> relative
>> to restoring which user rights to its default-form named IUsr_ and IWam_
>> accounts I am cross-posting this to the inetserver.iis.security
>> newsgroup.
>> Hopefully David, Bernard, Ken, or another can clarify your specifc
>> questions on the doc conflicts.
>>
>> As to your test, after the build, and before or after the join, but
>> certainly before use of SCW, it would have been telling if you had
>> removed the IUsr_machine and IWam_machine accounts from their
>> user rights grants and then stopped and restarted all IIS services (i.e.
>> IIS Admin and dependents). At one point during beta the IIS 6 team
>> was talking about extending the IIS 5 behavior of guaranteeing user
>> rights grants to all accounts (not just the default named ones), but I
>> was very vocal against this (as a sys admin I do not want _anything_
>> touching what rights grants I have defined, even for the default named
>> accounts) and I think they relented some but did keep the IIS-ish
>> behavior for the default named accounts. I will check later after
>> I get to the shop to see if there is something I can infer without tests.
>> It would be a pretty simple test with a W2k3 virt machine image
>> around (longhorn has pretty much pushed these out of storage for me).
>>
>>
>> Roger
>>
>> "Dan Kyle" wrote in message
>> news:OcdOnZABHHA.4844@TK2MSFTNGP02.phx.gbl...
>>> Thanks for the info Roger,
>>>
>>> Here is some further testing I have done.
>>>
>>> Created a new Server and installed IIS. Looked at the Local security
>>> policy and saw that the default rights for IUSR and IWAM users are
>>> there. Added the Server to the domain without and GPO's applied...Local
>>> Security policy remains the same (obviously). I then moved the Server to
>>> the required OU which has the Member server GPO applied and rebooted.
>>> Looked at the Local security policy and the IUSR and IWAM users are no
>>> longer in any of the User rights (which coincides with my Member server
>>> GPO settings). I then ran the SCW on the server utilizing only the IIS
>>> settings, created and applied the policy. Rebooted and found that the
>>> Default user rights for IUSR and IWAM REAPPEARED in the Local Security
>>> policy!!
>>>
>>> TO test I renamed the winlogon.log file made a small change to the
>>> Member server GPO and rebooted. Same behaviour. I was not able to make
>>> any changes to the Local security policy either. Checking the
>>> winlogon.log file it shows that the IUSR, IWAM and IIS_WPG users are
>>> REMOVED from user rights, does not show then as being added and yet they
>>> remain in the local security policy.
>>>
>>> This is highly unusual. Thing is..it is more or less what I want but I
>>> need to understand why this behaviour is happening to document it.
>>>
>>> As an aside....I am confused by some conflicting microsoft documentation
>>> concerning IUSR user rights. the "IIS and Built-in Accounts(IIS)"
>>> Microsoft document states that the IUSR user requires explicit
>>> membership in the "allow logon locally", "access this computer from the
>>> network" and "logon as a batch job". The conflict lies in the IIS Help
>>> file which states "In IIS 6.0, NETWORK_CLEARTEXT is the default logon
>>> type for Anonymous Authentication (and for Basic authentication). One
>>> result is that Anonymous authentication no longer requires the Allow log
>>> on locally user right". SO...what is the real answer?? Funny thing
>>> is...on the new server with only the Member server GPO applied with no
>>> rights given to IUSR user...I am able to browse the static web site on
>>> the server with only anonymous authentication enabled...very strange.
>>> Again..I must be missing something obvious..
>>>
>>> Look forward to your response.
>>>
>>> Is ANYONE else using SCW and noticing this behaviour?
>>>
>>> Dan
>>>
>>>
>>> "Roger Abell [MVP]" wrote in message
>>> news:uldUmz7AHHA.2316@TK2MSFTNGP04.phx.gbl...
>>>> What you describe that you have done with a uniformly named local group
>>>> on each machine, which same group is named in the GPO, is precisely
>>>> what
>>>> I was also outlining. That gives a "middle ground" stance, where GPO
>>>> does
>>>> (somewhat) control the user right, but where per-machine uniqueness is
>>>> also
>>>> possible via the per-machine membership in the uniformly named local
>>>> group.
>>>>
>>>> As to the Iusr_ and Iwam_ I would need to check for your version
>>>> W2k3/IIS6,
>>>> but I know that W2k/IIS5 had the following behavior, and I think
>>>> W2k3/IIS6
>>>> does also (I do not use Iusr_/Iwam_ but always define custom accounts).
>>>> The behavior that I know was so in IIS 5 is that on startup the IIS
>>>> binaries
>>>> verifies that the accounts have the needed user rights if and only if
>>>> the accounts
>>>> are the default Iusr_machine and Iwam_machine; but if custom accounts
>>>> are
>>>> used for the anonymous browse or the IIS com isolation components these
>>>> are
>>>> not populated into the minimum required user rights upon startup if
>>>> needed.
>>>> Again, I would have to check if the behavior remains, but it would
>>>> explain
>>>> what you see.
>>>>
>>>>
>>>> "Dan Kyle" wrote in message
>>>> news:%23X%23DLuzAHHA.2328@TK2MSFTNGP02.phx.gbl...
>>>>> Thank you for the response.
>>>>>
>>>>> The interesting thing is..I have made a small change to the GPO (and
>>>>> deleted the winlogon.log) and rebooted...the new GPO gets applied..but
>>>>> I still see the IUSR and IWAM users in the local security policy. THe
>>>>> Winlogon.log shows the SID for the accounts and shows it as "remove
>>>>> SeNetworkLogonRight, Remove SeInteractiveLogonRight and Remove
>>>>> SeBatchLogonRight". No where else inthe Winlogon.log file do I see
>>>>> where it gets added. I must be missing something obvious here (and
>>>>> apologize if I am) but do not see where these rights are getting
>>>>> applied.
>>>>>
>>>>> I am interested in you Administrator+LCLLogin and LCLbatch....but do
>>>>> not quite understand..can you elaborate? What I have done is created a
>>>>> group on each of the servers with the same role and named the group
>>>>> the same. That way when I use the name of the group in the GPO it
>>>>> applies to all the servers.
>>>>>
>>>>> Dan
>>>>>
>>>>>
>>>>> "Roger Abell [MVP]" wrote in message
>>>>> news:ebNiGGvAHHA.3604@TK2MSFTNGP04.phx.gbl...
>>>>>>I think that what you are seeing can be explained by the fact that a
>>>>>>GPO
>>>>>> is applied when it has been seen to have changed based on its version
>>>>>> number. Once applied, if defaults for policy application are still
>>>>>> in effect,
>>>>>> then it will not be reapplied until/unless it is seen as changed.
>>>>>> So, when the accounts were added directly in the local policy into
>>>>>> the
>>>>>> user rights due to your application of the SCW results, and you are
>>>>>> then
>>>>>> concerned that the GPO is not redefining these, this may be the
>>>>>> reason.
>>>>>> You could for example make a minor, insignificant change to some
>>>>>> setting in the GPO, and then later reverse this, in order to increase
>>>>>> the
>>>>>> version number of the GPO, and you should see the machine later
>>>>>> noticing
>>>>>> this and reapplying the GPO.
>>>>>>
>>>>>> On another note, your approach of defining a group to use in the GPO
>>>>>> for the user rights is one way that I handle this issue. Basically,
>>>>>> where
>>>>>> you have a GPO applying something like these user rights that very
>>>>>> often
>>>>>> need to be quite unique per machine, if one lists the actual machine
>>>>>> local
>>>>>> accounts (you can do this, you just need to type them in rather than
>>>>>> expecting
>>>>>> to pick them via the user interface) then one ends up with a GPO per
>>>>>> unique
>>>>>> machine. That is not so convenient. Instead, I use such as
>>>>>> LclLogin, LclBatch,
>>>>>> etc. and then set the user right in the GPO to
>>>>>> Administrators+LclLogin, or to
>>>>>> LclBatch, etc. and the one GPO can apply to a number of machines
>>>>>> where
>>>>>> each machine defines its own LclLogin, LclBatch etc membership
>>>>>> (again, one
>>>>>> needs to type in the group names).
>>>>>>
>>>>>>
>>>>>> "Dan Kyle" wrote in message
>>>>>> news:OZlCDhoAHHA.3604@TK2MSFTNGP04.phx.gbl...
>>>>>>> Hello,
>>>>>>>
>>>>>>> I am noticing some interesting results when using the SCW and Group
>>>>>>> Policies combined. I am wondering if someone can enlighten me on the
>>>>>>> GPO processing. I am following the Microsoft Windows 2003 security
>>>>>>> guide and have a Member server GPO (using Security templates) and
>>>>>>> below that I have an OU for an SMS Server (but the question here is
>>>>>>> more for the IIS services of the Management point.) I have created a
>>>>>>> GPO for the SMS and had issues with the Management point requiring
>>>>>>> IUSR_COMPUTERNAME and IWAM_COMPUTERNAME requiring logon locally,
>>>>>>> Access this computer from the Network, Log on as a Batch job and
>>>>>>> such. In the GPO's I created I cannot add these local computer user
>>>>>>> accounts to the User Rights assignments portion. I ended up creating
>>>>>>> a new SMS GPO which overrode the Member server settings for those
>>>>>>> User Rights and set them to not defined. This worked and the MP works
>>>>>>> fine. I revisited and created a local group for the IUSR and IWAM
>>>>>>> user accounts and referenced it in the GPO...this worked and
>>>>>>> everything was working fine. Then I decided to play with SCW and see
>>>>>>> if it had any gains for me.
>>>>>>>
>>>>>>> Here is where I am confused...I ran the SCW wizard and used the XML
>>>>>>> file to create a GPO. Prior to applying the GPO I ran the SCW and
>>>>>>> applied the Policy to the local computer. Upon reboot I noticed that
>>>>>>> the local IUSR and IWAM users were in the appropriate user rights
>>>>>>> for IIS to function. I rebooted again and lo and behold there they
>>>>>>> were again. Now I ran RSOP and they do not show up in there
>>>>>>> (obviously..since they are not referenced in the GPO that is being
>>>>>>> applied to the Computer).
>>>>>>>
>>>>>>> SO my question is...where are these settings coming from? If they
>>>>>>> reside in the local policy...why aren't they overwritten by the OU
>>>>>>> GPO which has different settings? I understood that the Local policy
>>>>>>> will be overwritten by an AD policy. It seems that the AD Policy is
>>>>>>> used but the IUSR and IWAM users are added to the specific rights. I
>>>>>>> am just trying to find out why and where this setting and
>>>>>>> functionality resides on the local Computer.
>>>>>>>
>>>>>>> I hope I have explained with enough detail..if not..I will check
>>>>>>> back and provide any information required. It is great that the SCW
>>>>>>> provided me what I needed...but I need to understand why so I can
>>>>>>> document it.
>>>>>>>
>>>>>>> Dan
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
Re: SCW question.
am 10.11.2006 03:53:12 von Roger Abell
Like I have been saying I think this may well be an IIS behavior.
It certainly was in IIS 5. I attempted today to test with a staging
server that was not today staging. The predefined IUsr_ and IWam_
still existed, disabled; so I enabled, and restarted the "Default Website"
for which they were still defined to be used, then stopped and restarted
IIS Admin (and dependents), but to no effect on IUsr_/IWam_ in the
user right grants for local, network, or batch login.
By the way, as far as I know, SCW does not leave anything in place
that is active, reapplying, except in so far as it is used to modify GPO,
or IPsec policy, or the firewall definitions.
Roger
"Dan Kyle" wrote in message
news:OcQA$DDBHHA.144@TK2MSFTNGP02.phx.gbl...
> OK..so I created a new W2K3 server...installed IIS with the defaults. The
> IUSR and IWAM users were added to the required groups. I opened the Local
> Security policy and deleted them from the groups...and rebooted. Lo and
> behold...they were BACK. It looks like this is not an SCW issue.
>
> Now...again..what is causing this. Looks like you may have not been vocal
> enough to have them not add user rights for the IIS users.
>
> Let me know what you find.
>
> Thanks
>
> Dan
>
>
>
> "Dan Kyle" wrote in message
> news:%23hRszACBHHA.3540@TK2MSFTNGP03.phx.gbl...
>> Thanks again for the information. I can also perform the test you suggest
>> and post the results.
>>
>> I do have more to add. I left the Server for a bit and returned to it and
>> checked the Local Security policy...and found the IUSR and IWAM users to
>> NOT be there.
>>
>> SO..I rebooted and looked at the Local Security Policy and found them to
>> be there (even though the winlogon.log showed them as being removed). I
>> then ran a GPUPDATE /FORCE ..looked at the Local Security Policy and they
>> were GONE! Checked the winlogon.log and again it showed them as being
>> removed...only this time they WERE removed. It looks like this is only an
>> issue at boot time and once the GPO's apply for a second time..the GPO
>> hierarchy takes precedence.
>>
>> So..why do the SCW settings take precedence at boot and then have to wait
>> for the first GPO refresh to occur before being taken out?
>>
>> Dan
>>
>>
>>
>> "Roger Abell [MVP]" wrote in message
>> news:%23ycMjTBBHHA.992@TK2MSFTNGP03.phx.gbl...
>>> Hi Dan,
>>>
>>> For your detailed questions on the IIS docs relative to minimum required
>>> user rights, and perhaps also for verification of IIS 6's behavior
>>> relative
>>> to restoring which user rights to its default-form named IUsr_ and IWam_
>>> accounts I am cross-posting this to the inetserver.iis.security
>>> newsgroup.
>>> Hopefully David, Bernard, Ken, or another can clarify your specific
>>> questions on the doc conflicts.
>>>
>>> As to your test, after the build, and before or after the join, but
>>> certainly before use of SCW, it would have been telling if you had
>>> removed the IUsr_machine and IWam_machine accounts from their
>>> user rights grants and then stopped and restarted all IIS services (i.e.
>>> IIS Admin and dependents). At one point during beta the IIS 6 team
>>> was talking about extending the IIS 5 behavior of guaranteeing user
>>> rights grants to all accounts (not just the default named ones), but I
>>> was very vocal against this (as a sys admin I do not want _anything_
>>> touching what rights grants I have defined, even for the default named
>>> accounts) and I think they relented some but did keep the IIS-ish
>>> behavior for the default named accounts. I will check later after
>>> I get to the shop to see if there is something I can infer without
>>> tests.
>>> It would be a pretty simple test with a W2k3 virt machine image
>>> around (longhorn has pretty much pushed these out of storage for me).
>>>
>>>
>>> Roger
>>>
>>> "Dan Kyle" wrote in message
>>> news:OcdOnZABHHA.4844@TK2MSFTNGP02.phx.gbl...
>>>> Thanks for the info Roger,
>>>>
>>>> Here is some further testing I have done.
>>>>
>>>> Created a new Server and installed IIS. Looked at the Local security
>>>> policy and saw that the default rights for IUSR and IWAM users are
>>>> there. Added the Server to the domain without any GPOs applied...Local
>>>> Security policy remains the same (obviously). I then moved the Server
>>>> to the required OU which has the Member server GPO applied and
>>>> rebooted. Looked at the Local security policy and the IUSR and IWAM
>>>> users are no longer in any of the User rights (which coincides with my
>>>> Member server GPO settings). I then ran the SCW on the server
>>>> utilizing only the IIS settings, created and applied the policy.
>>>> Rebooted and found that the Default user rights for IUSR and IWAM
>>>> REAPPEARED in the Local Security policy!!
>>>>
>>>> To test I renamed the winlogon.log file, made a small change to the
>>>> Member server GPO and rebooted. Same behaviour. I was not able to make
>>>> any changes to the Local security policy either. Checking the
>>>> winlogon.log file it shows that the IUSR, IWAM and IIS_WPG users are
>>>> REMOVED from user rights, does not show them as being added and yet
>>>> they remain in the local security policy.
>>>>
>>>> This is highly unusual. Thing is..it is more or less what I want but I
>>>> need to understand why this behaviour is happening to document it.
>>>>
>>>> As an aside....I am confused by some conflicting microsoft
>>>> documentation concerning IUSR user rights. the "IIS and Built-in
>>>> Accounts(IIS)" Microsoft document states that the IUSR user requires
>>>> explicit membership in the "allow logon locally", "access this computer
>>>> from the network" and "logon as a batch job". The conflict lies in the
>>>> IIS Help file which states "In IIS 6.0, NETWORK_CLEARTEXT is the
>>>> default logon type for Anonymous Authentication (and for Basic
>>>> authentication). One result is that Anonymous authentication no longer
>>>> requires the Allow log on locally user right". SO...what is the real
>>>> answer?? Funny thing is...on the new server with only the Member server
>>>> GPO applied with no rights given to IUSR user...I am able to browse the
>>>> static web site on the server with only anonymous authentication
>>>> enabled...very strange. Again..I must be missing something obvious..
>>>>
>>>> Look forward to your response.
>>>>
>>>> Is ANYONE else using SCW and noticing this behaviour?
>>>>
>>>> Dan
>>>>
>>>>
>>>> "Roger Abell [MVP]" wrote in message
>>>> news:uldUmz7AHHA.2316@TK2MSFTNGP04.phx.gbl...
>>>>> What you describe that you have done with a uniformly named local
>>>>> group
>>>>> on each machine, which same group is named in the GPO, is precisely
>>>>> what
>>>>> I was also outlining. That gives a "middle ground" stance, where GPO
>>>>> does
>>>>> (somewhat) control the user right, but where per-machine uniqueness is
>>>>> also
>>>>> possible via the per-machine membership in the uniformly named local
>>>>> group.
>>>>>
>>>>> As to the Iusr_ and Iwam_ I would need to check for your version
>>>>> W2k3/IIS6,
>>>>> but I know that W2k/IIS5 had the following behavior, and I think
>>>>> W2k3/IIS6
>>>>> does also (I do not use Iusr_/Iwam_ but always define custom
>>>>> accounts).
>>>>> The behavior that I know was so in IIS 5 is that on startup the IIS
>>>>> binaries
>>>>> verifies that the accounts have the needed user rights if and only if
>>>>> the accounts
>>>>> are the default Iusr_machine and Iwam_machine; but if custom accounts
>>>>> are
>>>>> used for the anonymous browse or the IIS com isolation components
>>>>> these are
>>>>> not populated into the minimum required user rights upon startup if
>>>>> needed.
>>>>> Again, I would have to check if the behavior remains, but it would
>>>>> explain
>>>>> what you see.
>>>>>
>>>>>
>>>>> "Dan Kyle" wrote in message
>>>>> news:%23X%23DLuzAHHA.2328@TK2MSFTNGP02.phx.gbl...
>>>>>> Thank you for the response.
>>>>>>
>>>>>> The interesting thing is..I have made a small change to the GPO (and
>>>>>> deleted the winlogon.log) and rebooted...the new GPO gets
>>>>>> applied..but I still see the IUSR and IWAM users in the local
>>>>>> security policy. The Winlogon.log shows the SID for the accounts and
>>>>>> shows it as "remove SeNetworkLogonRight, Remove
>>>>>> SeInteractiveLogonRight and Remove SeBatchLogonRight". No where else
>>>>>> in the Winlogon.log file do I see where it gets added. I must be
>>>>>> missing something obvious here (and apologize if I am) but do not see
>>>>>> where these rights are getting applied.
>>>>>>
>>>>>> I am interested in you Administrator+LCLLogin and LCLbatch....but do
>>>>>> not quite understand..can you elaborate? What I have done is created
>>>>>> a group on each of the servers with the same role and named the group
>>>>>> the same. That way when I use the name of the group in the GPO it
>>>>>> applies to all the servers.
>>>>>>
>>>>>> Dan
>>>>>>
>>>>>>
>>>>>> "Roger Abell [MVP]" wrote in message
>>>>>> news:ebNiGGvAHHA.3604@TK2MSFTNGP04.phx.gbl...
>>>>>>>I think that what you are seeing can be explained by the fact that a
>>>>>>>GPO
>>>>>>> is applied when it has been seen to have changed based on its
>>>>>>> version
>>>>>>> number. Once applied, if defaults for policy application are still
>>>>>>> in effect,
>>>>>>> then it will not be reapplied until/unless it is seen as changed.
>>>>>>> So, when the accounts were added directly in the local policy into
>>>>>>> the
>>>>>>> user rights due to your application of the SCW results, and you are
>>>>>>> then
>>>>>>> concerned that the GPO is not redefining these, this may be the
>>>>>>> reason.
>>>>>>> You could for example make a minor, insignificant change to some
>>>>>>> setting in the GPO, and then later reverse this, in order to
>>>>>>> increase the
>>>>>>> version number of the GPO, and you should see the machine later
>>>>>>> noticing
>>>>>>> this and reapplying the GPO.
>>>>>>>
>>>>>>> On another note, your approach of defining a group to use in the GPO
>>>>>>> for the user rights is one way that I handle this issue. Basically,
>>>>>>> where
>>>>>>> you have a GPO applying something like these user rights that very
>>>>>>> often
>>>>>>> need to be quite unique per machine, if one lists the actual machine
>>>>>>> local
>>>>>>> accounts (you can do this, you just need to type them in rather than
>>>>>>> expecting
>>>>>>> to pick them via the user interface) then one ends up with a GPO per
>>>>>>> unique
>>>>>>> machine. That is not so convenient. Instead, I use such as
>>>>>>> LclLogin, LclBatch,
>>>>>>> etc. and then set the user right in the GPO to
>>>>>>> Administrators+LclLogin, or to
>>>>>>> LclBatch, etc. and the one GPO can apply to a number of machines
>>>>>>> where
>>>>>>> each machine defines its own LclLogin, LclBatch etc membership
>>>>>>> (again, one
>>>>>>> needs to type in the group names).
>>>>>>>
>>>>>>>
>>>>>>> "Dan Kyle" wrote in message
>>>>>>> news:OZlCDhoAHHA.3604@TK2MSFTNGP04.phx.gbl...
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I am noticing some interesting results when using the SCW and Group
>>>>>>>> Policies combined. I am wondering if someone can enlighten me on
>>>>>>>> the GPO processing. I am following the Microsoft Windows 2003
>>>>>>>> security guide and have a Member server GPO (using Security
>>>>>>>> templates) and below that I have an OU for an SMS Server (but the
>>>>>>>> question here is more for the IIS services of the Management
>>>>>>>> point.) I have created a GPO for the SMS and had issues with the
>>>>>>>> Management point requiring IUSR_COMPUTERNAME and IWAM_COMPUTERNAME
>>>>>>>> requiring logon locally, Access this computer from the Network, Log
>>>>>>>> on as a Batch job and such. In the GPO's I created I cannot add
>>>>>>>> these local computer user accounts to the User Rights assignments
>>>>>>>> portion. I ended up creating a new SMS GPO which overrode the
>>>>>>>> Member server settings for those User Rights and set them to not
>>>>>>>> defined. This worked and the MP works fine. I revisited and created
>>>>>>>> a local group for the IUSR and IWAM user accounts and referenced it
>>>>>>>> in the GPO...this worked and everything was working fine. Then I
>>>>>>>> decided to play with SCW and see if it had any gains for me.
>>>>>>>>
>>>>>>>> Here is where I am confused...I ran the SCW wizard and used the XML
>>>>>>>> file to create a GPO. Prior to applying the GPO I ran the SCW and
>>>>>>>> applied the Policy to the local computer. Upon reboot I noticed
>>>>>>>> that the local IUSR and IWAM users were in the appropriate user
>>>>>>>> rights for IIS to function. I rebooted again and lo and behold
>>>>>>>> there they were again. Now I ran RSOP and they do not show up in
>>>>>>>> there (obviously..since they are not referenced in the GPO that is
>>>>>>>> being applied to the Computer).
>>>>>>>>
>>>>>>>> SO my question is...where are these settings coming from? If they
>>>>>>>> reside in the local policy...why aren't they overwritten by the OU
>>>>>>>> GPO which has different settings? I understood that the Local
>>>>>>>> policy will be overwritten by an AD policy. It seems that the AD
>>>>>>>> Policy is used but the IUSR and IWAM users are added to the specific
>>>>>>>> rights. I am just trying to find out why and where this setting and
>>>>>>>> functionality resides on the local Computer.
>>>>>>>>
>>>>>>>> I hope I have explained with enough detail..if not..I will check
>>>>>>>> back and provide any information required. It is great that the SCW
>>>>>>>> provided me what I needed...but I need to understand why so I can
>>>>>>>> document it.
>>>>>>>>
>>>>>>>> Dan
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
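The drift Dan describes above (IUSR_/IWAM_ granted directly in the local user rights at boot, then removed at the next GPO refresh) is easy to miss when checking the Local Security Policy by eye. The following is an added example, not code from either poster: it parses the [Privilege Rights] section of a template exported with `secedit /export /cfg <file>` and compares the effective grants against the design Roger outlines (Administrators plus a uniformly named local group such as LclLogin, LclBatch). The sample template text, the SID-to-name map, the machine name WEB01 and the group name LclNetwork are all constructed for the illustration and are not taken from the thread.

```python
"""
Audit the [Privilege Rights] section of a secedit export against the intended
GPO design and flag IUSR_/IWAM_ accounts granted directly in a user right.
Sample data below is constructed for illustration, not captured from a server.
"""
import re

# Constructed sample of the relevant part of a 'secedit /export' template.
# secedit writes SIDs with a leading '*'; group names it cannot resolve to a
# well-known SID appear as plain names.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,LclNetwork,*S-1-5-21-1000-2000-3000-1004
SeInteractiveLogonRight = *S-1-5-32-544,LclLogin,*S-1-5-21-1000-2000-3000-1004
SeBatchLogonRight = *S-1-5-32-544,LclBatch,*S-1-5-21-1000-2000-3000-1005
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed SID-to-name map standing in for LookupAccountSid on the host.
SAMPLE_SID_NAMES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-546": "Guests",
    "S-1-5-21-1000-2000-3000-1004": "IUSR_WEB01",
    "S-1-5-21-1000-2000-3000-1005": "IWAM_WEB01",
}

# Intended design from the thread: one GPO grants Administrators plus a
# uniformly named local group; each machine populates that group itself.
EXPECTED_GRANTS = {
    "SeInteractiveLogonRight": {"Administrators", "LclLogin"},
    "SeNetworkLogonRight": {"Administrators", "LclNetwork"},
    "SeBatchLogonRight": {"Administrators", "LclBatch"},
}

IIS_DEFAULT_PREFIXES = ("IUSR_", "IWAM_")


def parse_privilege_rights(inf_text):
    """Return {right_name: [raw principal, ...]} from [Privilege Rights]."""
    rights = {}
    in_section = False
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            in_section = m.group(1).lower() == "privilege rights"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip() for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def resolve(principal, sid_names):
    """Map a '*SID' entry to an account name; leave plain names untouched."""
    if principal.startswith("*"):
        return sid_names.get(principal[1:], principal)
    return principal


def audit_rights(inf_text, sid_names, expected):
    """Compare effective grants with the intended design.

    Returns a list of (right, kind, principal) findings, where kind is
    'unexpected' (granted but not in the design), 'missing' (in the design
    but not granted) or 'iis-default' (an IUSR_/IWAM_ account granted
    directly rather than through the per-machine local group).
    """
    findings = []
    rights = parse_privilege_rights(inf_text)
    for right, wanted in expected.items():
        granted = {resolve(p, sid_names) for p in rights.get(right, [])}
        for p in sorted(granted - wanted):
            findings.append((right, "unexpected", p))
            if p.upper().startswith(IIS_DEFAULT_PREFIXES):
                findings.append((right, "iis-default", p))
        for p in sorted(wanted - granted):
            findings.append((right, "missing", p))
    return findings


if __name__ == "__main__":
    for right, kind, who in audit_rights(SAMPLE_INF, SAMPLE_SID_NAMES,
                                         EXPECTED_GRANTS):
        print(f"{right:26} {kind:12} {who}")
```

Run it once right after boot and again after `gpupdate /force`; a difference in the `iis-default` findings between the two runs reproduces exactly the boot-time versus refresh-time behaviour Dan reports, and gives a record that can go into the documentation he is after.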
Re: SCW question.
am 10.11.2006 11:13:26 von Roger Abell
> "Roger Abell [MVP]" wrote in message
> news:eBhVeNHBHHA.1196@TK2MSFTNGP03.phx.gbl...
>
> By the way, as far as I know, SCW does not leave anything in place
> that is active, reapplying, except in so far as it is used to modify GPO,
> or IPsec policy, or the firewall definitions.
>
small correction
... except in so far as it is used to modify GPO, or IPsec policy, or the
firewall definitions, or as applied to Services' startmodes and security.
Roger
Re: SCW question.
am 10.11.2006 11:26:25 von Roger Abell
"Roger Abell [MVP]" wrote in message
news:%23ycMjTBBHHA.992@TK2MSFTNGP03.phx.gbl...
synoptically isolating Dan's 2nd ?? about the docs
>>
>> As an aside....I am confused by some conflicting microsoft documentation
>> concerning IUSR user rights. the "IIS and Built-in Accounts(IIS)"
>> Microsoft document states that the IUSR user requires explicit membership
>> in the "allow logon locally", "access this computer from the network" and
>> "logon as a batch job". The conflict lies in the IIS Help file which
>> states "In IIS 6.0, NETWORK_CLEARTEXT is the default logon type for
>> Anonymous Authentication (and for Basic authentication). One result is
>> that Anonymous authentication no longer requires the Allow log on locally
>> user right". SO...what is the real answer?? Funny thing is...on the new
>> server with only the Member server GPO applied with no rights given to
>> IUSR user...I am able to browse the static web site on the server with
>> only anonymous authentication enabled...very strange. Again..I must be
>> missing something obvious..
>>