Cannot Get Anonymous Access to Work

Cannot Get Anonymous Access to Work

on 19.04.2007 02:23:42 by Will

I'm setting up an IIS 6.0 public server, and I've run into problems getting
anonymous access to work. We of course gave read access to the
IUSR_ account to all of the application's files under InetPub,
but we are getting 401.3 errors indicating ACL problems.

If we select the "Windows Authentication" checkbox in the Authentication
settings dialog of IIS, then everything works. As soon as we deselect that
option and leave only Anonymous access, then access breaks again with 401.3.

We did follow the suggested guidelines in the Microsoft Knowledgebase for
both user rights and file system permissions for the IIS users.

--
Will

Re: Cannot Get Anonymous Access to Work

on 19.04.2007 11:49:51 by David Wang

If you get 401.3, then IUSR does not have access to the accessed
resource. If it seems mysterious, remember that anonymous access works
with default IIS6 setup, so your problem is likely due to some machine-
specific user misconfiguration. You have the unfortunate task of
figuring out what was intentionally broken on your server.

Use File Monitor from sysinternals.com to see what file IUSR is being
denied access to.

I would also open up secpol.msc and compare against a clean OS
installation to see if anything has been misconfigured/locked down.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Apr 18, 5:23 pm, "Will" wrote:
> I'm setting up an IIS 6.0 public server, and I've run into problems getting
> anonymous access to work. We of course gave read access to the
> IUSR_ account to all of the application's files under InetPub,
> but we are getting 401.3 errors indicating ACL problems.
>
> If we select the "Windows Authentication" checkbox in the Authentication
> settings dialog of IIS, then everything works. As soon as we deselect that
> option and leave only Anonymous access, then access breaks again with 401.3.
>
> We did follow the suggested guidelines in the Microsoft Knowledgebase for
> both user rights and file system permissions for the IIS users.
>
> --
> Will

Re: Cannot Get Anonymous Access to Work

on 19.04.2007 15:13:06 by Roger Abell

Will,

Did you take action to effectively remove the Iusr_ or AppPool
accounts from (effective, as via Auth U or Interactive) Users?

Roger

"Will" wrote in message
news:zoydnR-OU5wSK7vbnZ2dnUVZ_rWnnZ2d@giganews.com...
> I'm setting up an IIS 6.0 public server, and I've run into problems
> getting anonymous access to work. We of course gave read access to the
> IUSR_ account to all of the application's files under
> InetPub, but we are getting 401.3 errors indicating ACL problems.
>
> If we select the "Windows Authentication" checkbox in the Authentication
> settings dialog of IIS, then everything works. As soon as we deselect
> that option and leave only Anonymous access, then access breaks again with
> 401.3.
>
> We did follow the suggested guidelines in the Microsoft Knowledgebase for
> both user rights and file system permissions for the IIS users.
>
> --
> Will
>

Re: Cannot Get Anonymous Access to Work

on 20.04.2007 01:47:33 by Will

We have explicit grants on the IUSR_ account in the application directory
under InetPub.

We also validated the user security policy and file system permissions
against those recommended for IIS 6.0 on the Microsoft Knowledgebase.

I don't recognize any account or group name that is for an "AppPool". Can
you elaborate on that?

--
Will


"Roger Abell [MVP]" wrote in message
news:OkkirRogHHA.284@TK2MSFTNGP05.phx.gbl...
> Will,
>
> Did you take action to effectively remove the Iusr_ or AppPool
> accounts from (effective, as via Auth U or Interactive) Users?
>
> Roger
>
> "Will" wrote in message
> news:zoydnR-OU5wSK7vbnZ2dnUVZ_rWnnZ2d@giganews.com...
>> I'm setting up an IIS 6.0 public server, and I've run into problems
>> getting anonymous access to work. We of course gave read access to the
>> IUSR_ account to all of the application's files under
>> InetPub, but we are getting 401.3 errors indicating ACL problems.
>>
>> If we select the "Windows Authentication" checkbox in the Authentication
>> settings dialog of IIS, then everything works. As soon as we deselect
>> that option and leave only Anonymous access, then access breaks again
>> with 401.3.
>>
>> We did follow the suggested guidelines in the Microsoft Knowledgebase for
>> both user rights and file system permissions for the IIS users.
>>
>> --
>> Will

Re: Cannot Get Anonymous Access to Work

on 20.04.2007 07:13:36 by Will

"Roger Abell [MVP]" wrote in message
news:OkkirRogHHA.284@TK2MSFTNGP05.phx.gbl...
> Did you take action to effectively remove the Iusr_ or AppPool
> accounts from (effective, as via Auth U or Interactive) Users?

I read more about the application process pools and somehow overcame the
extremely obscure configuration interface Microsoft chose for this. At
least I see the intent to associate an application to an application pool,
and then run the pool in a separate process with an impersonated user
context.

We were using the default of Network Service, and we gave that user an
explicit grant to the content. I asked the developer to try switching to
the IWAM_Machine user context and give that user explicit grants on content
directories. No change (or so he claims).

I would like to better understand your comment that the AppPool account
needs to be in the Users group. That could well be our problem.

As you know we do remove Auth Users and Interactive from the local Users
group. Leave Auth Users when running IIS?

--
Will

Re: Cannot Get Anonymous Access to Work

on 20.04.2007 11:49:38 by David Wang

On Apr 19, 10:13 pm, "Will" wrote:
> "Roger Abell [MVP]" wrote in messagenews:OkkirRogHHA.284@TK2MSFTNGP05.phx.gbl...
>
> > Did you take action to effectively remove the Iusr_ or AppPool
> > accounts from (effective, as via Auth U or Interactive) Users?
>
> I read more about the application process pools and somehow overcame the
> extremely obscure configuration interface Microsoft chose for this. At
> least I see the intent to associate an application to an application pool,
> and then run the pool in a separate process with an impersonated user
> context.
>
> We were using the default of Network Service, and we gave that user an
> explicit grant to the content. I asked the developer to try switching to
> the IWAM_Machine user context and give that user explicit grants on content
> directories. No change (or so he claims).
>
> I would like to better understand your comment that the AppPool account
> needs to be in the Users group. That could well be our problem.
>
> As you know we do remove Auth Users and Interactive from the local Users
> group. Leave Auth Users when running IIS?
>
> --
> Will


Since you are reading the documentation...

What exactly seems obscure to you? The Application Pool Configurable
Identity? Or something else?

Unfortunately, the following point is misunderstood by about 99% of
users, and I am not certain how to make it clear. The configurable
Application Pool identity has no control over the identity used to
execute code in the Application Pool.

Contrary to popular belief, it merely controls the process identity
(NOT impersonated identity), which is not necessarily the same as the
identity used to execute code.

http://blogs.msdn.com/david.wang/archive/2005/06/29/IIS_User_Identity_to_Run_Code_Part_2.aspx

Now, you should give IIS_WPG (the group which all Application Pool
Identities belong to) List control, along with Read access to the
actual identity executing the URL, on the resource. Just ACLs for the
user is insufficient because in some instances IIS will end up
[inadvertently] probing the file resource with the process identity
(which should be in the IIS_WPG group) prior to actually accessing it
with the impersonated identity.

I still think it may be easier to run File Monitor to see exactly what
user is getting access denied to which resource and use it as a clue.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Cannot Get Anonymous Access to Work

on 20.04.2007 13:24:53 by Roger Abell

In my experience the accounts must be Users, but that is not
documented in detail as apparently MS assumes no one in
the world would think to remove Authenticated Users and
Interactive (which is likely the missing part for you) from
Users on their machines. Since, like yourself, I routinely
do remove these from Users, and since local groups cannot
be nested (hence one cannot add IIS_WPG to Users) I now
follow practice of making sure all local accounts are Users
if they will have local login activities (login type 2).

Roger


"Will" wrote in message
news:jKqdnRMs_dmc0bXbnZ2dneKdnZydnZ2d@giganews.com...
> "Roger Abell [MVP]" wrote in message
> news:OkkirRogHHA.284@TK2MSFTNGP05.phx.gbl...
>> Did you take action to effectively remove the Iusr_ or AppPool
>> accounts from (effective, as via Auth U or Interactive) Users?
>
> I read more about the application process pools and somehow overcame the
> extremely obscure configuration interface Microsoft chose for this. At
> least I see the intent to associate an application to an application pool,
> and then run the pool in a separate process with an impersonated user
> context.
>
> We were using the default of Network Service, and we gave that user an
> explicit grant to the content. I asked the developer to try switching to
> the IWAM_Machine user context and give that user explicit grants on
> content directories. No change (or so he claims).
>
> I would like to better understand your comment that the AppPool account
> needs to be in the Users group. That could well be our problem.
>
> As you know we do remove Auth Users and Interactive from the local Users
> group. Leave Auth Users when running IIS?
>
> --
> Will
>
>
>
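The two conditions David and Roger describe above (explicit NTFS grants for the anonymous account plus List for IIS_WPG, and effective membership of the IIS accounts in the local Users group) can be checked from the server itself. The following PowerShell script is an added example, not code from the thread, from Microsoft or from IIS; it assumes PowerShell 2.0 or later on the Windows Server 2003 box, a hypothetical content path, that the anonymous account is IUSR_<machine>, and that the pool runs as the default NETWORK SERVICE. It confirms the static configuration only; File Monitor (or Process Monitor) remains the way to see which open actually fails.

```powershell
# Added example; not code from the thread, from Microsoft or from IIS itself.
# It checks the two things the replies above point at when an anonymous
# request to IIS 6 fails with 401.3:
#   1. NTFS ACLs on the content: the anonymous account needs Read, and IIS_WPG
#      (the group every application pool identity belongs to) needs List on
#      the folders, because the worker process may probe with its own identity
#      before impersonating.
#   2. Local group membership: the anonymous account and the pool identity
#      must be effective members of Users, directly or via Authenticated Users.
# Assumptions the thread does not supply: the content path, that the anonymous
# account is IUSR_<machine>, and that the pool runs as the default NETWORK
# SERVICE. Run on the IIS server as an administrator.
param(
    [string]$ContentPath  = 'C:\Inetpub\wwwroot\MyApp',   # hypothetical path
    [string]$AnonAccount  = "IUSR_$env:COMPUTERNAME",
    [string]$PoolIdentity = 'NETWORK SERVICE',
    [string]$WorkerGroup  = 'IIS_WPG'
)

function Get-AccountSid([string]$Account) {
    # Resolve 'IIS_WPG', 'MACHINE\IIS_WPG' or 'NETWORK SERVICE' to a SID so the
    # comparison with each ACE's IdentityReference does not depend on spelling.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-NtfsRight {
    # $true only if $Account has an Allow ACE covering every bit of $Right on
    # $Path and no Deny ACE touching any of those bits (Deny wins, as in NTFS).
    # Only ACEs for the account itself are considered, i.e. the explicit grants
    # discussed in the thread, not rights inherited through group membership.
    param([string]$Path, [string]$Account,
          [System.Security.AccessControl.FileSystemRights]$Right)
    $wanted = Get-AccountSid $Account
    $allow = $false
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try {
            $aceSid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                       # orphaned SID, skip it
        if ($aceSid -ne $wanted) { continue }
        $overlap = [int]$ace.FileSystemRights -band [int]$Right
        if ($ace.AccessControlType -eq 'Deny'  -and $overlap -ne 0)            { return $false }
        if ($ace.AccessControlType -eq 'Allow' -and $overlap -eq [int]$Right) { $allow = $true }
    }
    return $allow
}

function Get-LocalGroupMembers([string]$Group) {
    # Parses 'net localgroup <group>'; Get-LocalGroupMember does not exist on
    # Windows Server 2003. Members are the non-empty lines between the dashed
    # separator and the closing status line.
    $inList = $false
    foreach ($line in (net localgroup $Group)) {
        if ($line -match '^-{5,}')                 { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim())             { $line.Trim() }
    }
}

function Test-EffectiveMember {
    # An account is an effective member if it is listed itself or, for the
    # Users check, if 'Authenticated Users' is listed: both IUSR_ and the pool
    # identity carry that SID in their tokens. INTERACTIVE is only in the token
    # for logon type 2, so it is not counted here.
    param([string]$Account, [string[]]$Members, [switch]$AllowAuthenticatedUsers)
    $short = ($Account -split '\\')[-1]
    foreach ($m in $Members) {
        if (($m -split '\\')[-1] -ieq $short) { return $true }
        if ($AllowAuthenticatedUsers -and $m -like '*Authenticated Users') { return $true }
    }
    return $false
}

# --- report ---------------------------------------------------------------
$users = @(Get-LocalGroupMembers 'Users')
$wpg   = @(Get-LocalGroupMembers $WorkerGroup)
"Users   : $($users -join ', ')"
"$WorkerGroup : $($wpg -join ', ')"
""
$aclChecks = @(
    @{ Who = $AnonAccount; Right = 'ReadAndExecute' },
    @{ Who = $WorkerGroup; Right = 'ListDirectory'  }
)
foreach ($c in $aclChecks) {
    $ok = Test-NtfsRight -Path $ContentPath -Account $c.Who -Right $c.Right
    "{0,-8} {1,-28} {2,-15} on {3}" -f @($(if ($ok) { 'OK' } else { 'MISSING' }), $c.Who, $c.Right, $ContentPath)
}
foreach ($a in @($AnonAccount, $PoolIdentity)) {
    $ok = Test-EffectiveMember -Account $a -Members $users -AllowAuthenticatedUsers
    "{0,-8} {1,-28} effective member of Users" -f @($(if ($ok) { 'OK' } else { 'MISSING' }), $a)
}
$ok = Test-EffectiveMember -Account $PoolIdentity -Members $wpg
"{0,-8} {1,-28} member of $WorkerGroup" -f @($(if ($ok) { 'OK' } else { 'MISSING' }), $PoolIdentity)
```

Save it under any name (for instance a hypothetical Check-IisAnonAccess.ps1) and run it with -ContentPath pointing at the application directory. A MISSING line for IIS_WPG List or for the Users membership matches the two causes raised in the thread; a MISSING line for the anonymous account's Read means the explicit grant did not land where the request is actually served (a virtual directory elsewhere, a Deny ACE, or a different IUSR_ account than the one the site uses).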

Re: Cannot Get Anonymous Access to Work

on 20.04.2007 21:37:44 by David Wang

I tend to think that when one alters group membership or login type
that all bets are off.

The nice thing would have been if IIS6 documentation specified the
minimal set of required privileges/permissions for each activity so
that one can deconstruct the OS and its user groups all the way down
and then custom rebuild it.

However, it is not documented in such detail because we honestly do
not know - the product was not designed that way. Most products on
Windows are not designed that way.

The point is not that "apparently MS assumes no one in the world would
think to remove Authenticated Users and Interactive..." -- reality is
that MS most likely assumed and took most of those into consideration,
but due to costs (time/people) constraints, they are not covered...
especially if the option is not mainstream.

In the case of customized user privileges/permissions, the set of
users not caring about this information vastly outweigh the set of
users who want this information, to the point that it is a very tiny
minority for which an on-demand investigation is more appropriate and
cost-effective. MS assumes that if you wanted this information, you
would ask; but obviously, that is not your assumption. Just pointing
this out...


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Apr 20, 4:24 am, "Roger Abell [MVP]" wrote:
> In my experience the accounts must be Users, but that is not
> documented in detail as apparently MS assumes no one in
> the world would think to remove Authenticated Users and
> Interactive (which is likely the missing part for you) from
> Users on their machines. Since, like yourself, I routinely
> do remove these from Users, and since local groups cannot
> be nested (hence one cannot add IIS_WPG to Users) I now
> follow practice of making sure all local accounts are Users
> if they will have local login activities (login type 2).
>
> Roger
>
> "Will" wrote in message
>
> news:jKqdnRMs_dmc0bXbnZ2dneKdnZydnZ2d@giganews.com...
>
>
>
> > "Roger Abell [MVP]" wrote in message
> >news:OkkirRogHHA.284@TK2MSFTNGP05.phx.gbl...
> >> Did you take action to effectively remove the Iusr_ or AppPool
> >> accounts from (effective, as via Auth U or Interactive) Users?
>
> > I read more about the application process pools and somehow overcame the
> > extremely obscure configuration interface Microsoft chose for this. At
> > least I see the intent to associate an application to an application pool,
> > and then run the pool in a separate process with an impersonated user
> > context.
>
> > We were using the default of Network Service, and we gave that user an
> > explicit grant to the content. I asked the developer to try switching to
> > the IWAM_Machine user context and give that user explicit grants on
> > content directories. No change (or so he claims).
>
> > I would like to better understand your comment that the AppPool account
> > needs to be in the Users group. That could well be our problem.
>
> > As you know we do remove Auth Users and Interactive from the local Users
> > group. Leave Auth Users when running IIS?
>
> > --
> > Will

Re: Cannot Get Anonymous Access to Work

on 21.04.2007 00:59:16 by Will

"David Wang" wrote in message
news:1177097864.952427.5430@n76g2000hsh.googlegroups.com...
> In the case of customized user privileges/permissions, the set of
> users not caring about this information vastly outweigh the set of
> users who want this information, to the point that it is a very tiny
> minority for which an on-demand investigation is more appropriate and
> cost-effective.

I think that this is a very perceptive and very true statement. And from
what I have seen I would go a step further and say that most users don't
care when they are hacked, when their networks are overloaded with trojans
and viruses, and most are even worse just blind to the activity entirely.
They assume if they can get past the login prompt and start the application
it is business as usual, no harm done. They only care when the result of
the hack is denial of service at which point they cannot ignore the side
effect of the intrusion. Anything subverted and hidden they absolutely
tolerate and do not care about. To me it is incredible, but I cannot deny
the observation that others do not share my concern about such things.

It's also clear that to secure a Microsoft network requires an almost
superhuman willpower to overcome obstacles at every stage: users do not
care; management does not care; Microsoft does not care about solving the
problem retroactively except by patching the default config. No
documentation to do anything past defaults is usually available. Any
attempt to self-cure the deficiencies results in mountains of catastrophic
and subtle failures, each of which requires unbelievable amounts of time and
personal initiative to overcome. I give Microsoft huge credit for its
forward-looking efforts, and the extraordinary efforts it is putting into
re-architecting future versions of Windows to better partition functionality,
better secure individual components, and run services in protected security
contexts that minimize the side effects of a buffer overload on a service.
The legacy stuff however is worse than a living hell.

So, yes, the price for stepping outside the box is high, and yes I agree
with you not many people care about stepping outside the box.


> MS assumes that if you wanted this information, you
> would ask; but obviously, that is not your assumption. Just pointing
> this out...

I think it depends on who you are. If you are General Motors or Citibank,
then no doubt you will get world class answers to any question. If you are
Joe Nobody, you will get squat. :)

I will however take my hat off to Microsoft's Shanghai support group, who
have consistently exceeded my every expectation, and I don't give praise
easily.

--
Will

Re: Cannot Get Anonymous Access to Work

on 21.04.2007 07:26:20 by Roger Abell

Hi David,

Interesting comments. I will just add that, once Interactive was
added into Users (which as I understand it was initially in order
to support local login by the Guest account, if it were enabled
and allowed local login) we got into a situation where everything
was tested with this. As a result, if one attempts to remove the
broad access Users membership grants, many, many things break.
This is most unfortunate, and it all started in order to support an
end case (Guest enabled and allowed local login) that must be
a less than 1% usage case.

I am not sure you remember, but with IIS 4 one could define a
custom group, make all of one's Iusr_ and Iwam_ accounts to
be members only of that custom group (directly or indirectly)
and IIS would still work just fine and serve content for sites
using anonymous access (any level of process isolation).
Those were the good days as far as effecting site content
isolation on shared hosting IIS webservers at least in that
particular aspect.

I enjoyed your candidly sharing your point of view, once again.
Roger

"David Wang" wrote in message
news:1177097864.952427.5430@n76g2000hsh.googlegroups.com...
>I tend to think that when one alters group membership or login type
> that all bets are off.
>
> The nice thing would have been if IIS6 documentation specified the
> minimal set of required privileges/permissions for each activity so
> that one can deconstruct the OS and its user groups all the way down
> and then custom rebuild it.
>
> However, it is not documented in such detail because we honestly do
> not know - the product was not designed that way. Most products on
> Windows are not designed that way.
>
> The point is not that "apparently MS assumes no one in the world would
> think to remove Authenticated Users and Interactive..." -- reality is
> that MS most likely assumed and took most of those into consideration,
> but due to costs (time/people) constraints, they are not covered...
> especially if the option is not mainstream.
>
> In the case of customized user privileges/permissions, the set of
> users not caring about this information vastly outweigh the set of
> users who want this information, to the point that it is a very tiny
> minority for which an on-demand investigation is more appropriate and
> cost-effective. MS assumes that if you wanted this information, you
> would ask; but obviously, that is not your assumption. Just pointing
> this out...
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
>
> On Apr 20, 4:24 am, "Roger Abell [MVP]" wrote:
>> In my experience the accounts must be Users, but that is not
>> documented in detail as apparently MS assumes no one in
>> the world would think to remove Authenticated Users and
>> Interactive (which is likely the missing part for you) from
>> Users on their machines. Since, like yourself, I routinely
>> do remove these from Users, and since local groups cannot
>> be nested (hence one cannot add IIS_WPG to Users) I now
>> follow practice of making sure all local accounts are Users
>> if they will have local login activities (login type 2).
>>
>> Roger
>>
>> "Will" wrote in message
>>
>> news:jKqdnRMs_dmc0bXbnZ2dneKdnZydnZ2d@giganews.com...
>>
>>
>>
>> > "Roger Abell [MVP]" wrote in message
>> >news:OkkirRogHHA.284@TK2MSFTNGP05.phx.gbl...
>> >> Did you take action to effectively remove the Iusr_ or AppPool
>> >> accounts from (effective, as via Auth U or Interactive) Users?
>>
>> > I read more about the application process pools and somehow overcame
>> > the
>> > extremely obscure configuration interface Microsoft chose for this.
>> > At
>> > least I see the intent to associate an application to an application
>> > pool,
>> > and then run the pool in a separate process with an impersonated user
>> > context.
>>
>> > We were using the default of Network Service, and we gave that user an
>> > explicit grant to the content. I asked the developer to try switching
>> > to
>> > the IWAM_Machine user context and give that user explicit grants on
>> > content directories. No change (or so he claims).
>>
>> > I would like to better understand your comment that the AppPool account
>> > needs to be in the Users group. That could well be our problem.
>>
>> > As you know we do remove Auth Users and Interactive from the local
>> > Users
>> > group. Leave Auth Users when running IIS?
>>
>> > --
>> > Will
>
>

Re: Cannot Get Anonymous Access to Work

on 21.04.2007 07:28:54 by Roger Abell

"Will" wrote in message
news:e6qdnf6MZuhY2LTbnZ2dnUVZ_ompnZ2d@giganews.com...
> "David Wang" wrote in message
> news:1177097864.952427.5430@n76g2000hsh.googlegroups.com...
>> In the case of customized user privileges/permissions, the set of
>> users not caring about this information vastly outweigh the set of
>> users who want this information, to the point that it is a very tiny
>> minority for which an on-demand investigation is more appropriate and
>> cost-effective.
>
> I think that this is a very perceptive and very true statement. And from
> what I have seen I would go a step further and say that most users don't
> care when they are hacked, when their networks are overloaded with trojans
> and viruses, and most are even worse just blind to the activity entirely.
> They assume if they can get past the login prompt and start the
> application it is business as usual, no harm done. They only care when
> the result of the hack is denial of service at which point they cannot
> ignore the side effect of the intrusion. Anything subverted and hidden
> they absolutely tolerate and do not care about. To me it is incredible,
> but I cannot deny the observation that others do not share my concern
> about such things.
>
> It's also clear that to secure a Microsoft network requires an almost
> superhuman willpower to overcome obstacles at every stage: users do not
> care; management does not care; Microsoft does not care about solving the
> problem retroactively except by patching the default config. No
> documentation to do anything past defaults is usually available. Any
> attempt to self-cure the deficiencies results in mountains of catastrophic
> and subtle failures, each of which requires unbelievable amounts of time
> and personal initiative to overcome. I give Microsoft huge credit for
> its forward-looking efforts, and the extraordinary efforts it is putting
> into re-architecting future versions of Windows to better partition
> functionality, better secure individual components, and run services in
> protected security contexts that minimize the side effects of a buffer
> overload on a service. The legacy stuff however is worse than a living
> hell.
>
> So, yes, the price for stepping outside the box is high, and yes I agree
> with you not many people care about stepping outside the box.
>
>
>> MS assumes that if you wanted this information, you
>> would ask; but obviously, that is not your assumption. Just pointing
>> this out...
>
> I think it depends on who you are. If you are General Motors or
> Citibank, then no doubt you will get world class answers to any question.
> If you are Joe Nobody, you will get squat. :)
>
> I will however take my hat off to Microsoft's Shanghai support group, who
> have consistently exceeded my every expectation, and I don't give praise
> easily.
>
> --
> Will
>
>
Some gentle, restrained understatement in there, Will.
I applaud you on the showing.

Roger

Re: Cannot Get Anonymous Access to Work

on 06.05.2007 03:02:50 by Plamen

Hi.

Nobody will help you.

Because Microsoft are bad.
I have installed IIS 6 and when I try to open PHP it gives

HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the
requested resource.
Internet Information Services (IIS)

HTTP Error 401.5 - Unauthorized: Authorization failed by an ISAPI/CGI
application.
Internet Information Services (IIS)
Did you see? Microsoft are bad.
These problems are from 2004 and are coming again.

They can only give you information about what that is, but they can't give you
answers.
SHAME, MICROSOFT.

That is it for now.

Goodbye.