IIS 6 and the Authenticated Users group
on 26.06.2007 11:38:11 by Stuart Mullen
I've recently been setting up a new Windows 2003 web server and I had
a problem with PHP being able to write to files even though there
weren't any write permissions set. The pages were even accessible
without the IUSR_XXXXXX account set up on the web directory!

After some investigation it seems the "Authenticated Users" group was
allowing PHP to read and write to files. The only way I was able to
stop this was to set the IUSR_XXXXXX to deny permissions to write - I
understand that you shouldn't really need to use the deny permissions
if the allow permissions are set correctly.

I've now figured out that the following accounts on my web directories
solve the problem (without the need for deny permissions):

Administrators
SYSTEM
IUSR_XXXXXX

Is this a valid setup for my web directories?
Is the "Authenticated Users" needed on a web directory?

Thanks for any help in advance.

Re: IIS 6 and the Authenticated Users group
on 27.06.2007 05:19:50 by Bernard
The iusr_computername account, once authenticated and used as the anonymous
account, is considered an authenticated user.
If this is a pure read-only site, just grant iusr read access.
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
"Stuart Mullen" wrote in message
news:1182850691.330438.209810@w5g2000hsg.googlegroups.com...
> I've recently been setting up a new Windows 2003 web server and I had
> a problem with PHP being able to write to files even though there
> weren't any write permissions set. The pages were even accessible
> without the IUSR_XXXXXX account set up on the web directory!
>
> After some investigation it seems the "Authenticated Users" group was
> allowing PHP to read and write to files. The only way I was able to
> stop this was to set the IUSR_XXXXXX to deny permissions to write - I
> understand that you shouldn't really need to use the deny permissions
> if the allow permissions are set correctly.
>
> I've now figured out that the following accounts on my web directories
> solve the problem (without the need for deny permissions):
>
> Administrators
> SYSTEM
> IUSR_XXXXXX
>
> Is this a valid setup for my web directories?
> Is the "Authenticated Users" needed on a web directory?
>
> Thanks for any help in advance.
>
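
The three ACL states discussed in this thread, as an added example that is not from either poster: it parses icacls-style listings and reports which identity in the anonymous request's token is granting write access. The path, the WEB01 host name and the listings are constructed, and the token contents assume, as the reply states, that the anonymous account counts as an authenticated user.

```python
import re

WRITE = {"F", "M", "W", "WD", "AD"}    # icacls right codes that include writing
FLAGS = {"OI", "CI", "IO", "NP", "I"}  # inheritance markers, not rights
PATH = r"D:\web\site"                  # constructed path
# Identities in the anonymous request's token (assumption; WEB01 is made up).
ANON = {r"WEB01\IUSR_XXXXXX", r"NT AUTHORITY\Authenticated Users", "Everyone"}

# Constructed icacls-style listings for the three states described in the post.
DEFAULT = r"""
D:\web\site BUILTIN\Administrators:(OI)(CI)(F)
            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
            NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
"""
DENY_WORKAROUND = r"""
D:\web\site WEB01\IUSR_XXXXXX:(OI)(CI)(DENY)(W)
            BUILTIN\Administrators:(OI)(CI)(F)
            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
            NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
"""
EXPLICIT_ONLY = r"""
D:\web\site BUILTIN\Administrators:(OI)(CI)(F)
            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
            WEB01\IUSR_XXXXXX:(OI)(CI)(RX)
"""

def parse_acl(listing, path):
    """Yield (principal, is_deny, rights) for ACEs that apply to `path` itself."""
    for line in listing.strip().splitlines():
        line = line.strip()
        if line.startswith(path):          # first line carries the path prefix
            line = line[len(path):].strip()
        principal, _, perms = line.rpartition(":")
        codes = {c.strip() for g in re.findall(r"\(([^)]*)\)", perms) for c in g.split(",")}
        if principal and "IO" not in codes:  # inherit-only ACEs affect children only
            yield principal, "DENY" in codes, codes - FLAGS - {"DENY"}

def write_granted_by(listing, path, token):
    """Principals in `token` whose allow ACE grants write; [] if none or denied."""
    grants = []
    for principal, is_deny, rights in parse_acl(listing, path):
        if principal in token and rights & WRITE:
            if is_deny:
                return []  # simplification: a matching deny on write always wins
            grants.append(principal)
    return grants

if __name__ == "__main__":
    for name in ("DEFAULT", "DENY_WORKAROUND", "EXPLICIT_ONLY"):
        print(name, "write granted by:", write_granted_by(globals()[name], PATH, ANON))
```
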