IIS prompt for domain userid after server is hardened

Hi,

I have an issue where the IIS website prompt for domain userid logon after
the server is hardening by setting the users and everyone group to read,
execute and list for the following directories

C:\
C:\winnt
C:\winnt\system
C:\winnt\repair
C:\winnt\system32
C:\winnt\system32\config
C:\winnt\system32\spool

The website is able to work after we add the IUSR_computername account to
the local administrator group.
Any idea what could have cause the above issue and why adding the
IUSR_computername to the administrator group resolve the issue

--
Time 4 a break

Re: IIS prompt for domain userid after server is hardened

Because with local admin rights - the iusr has sufficient permissions to
access the resource.
You should remove the iusr from admin group, then get filemon / regmon to
trace where iusr is facing access issue.

--
Regards,
Bernard Cheah
http://www.iis.net/
http://msmvps.com/blogs/bernard/


"newbie@work" wrote in message
news:4460E060-94F8-4A57-A969-7664D40FCD80@microsoft.com...
> Hi,
>
> I have an issue where the IIS website prompt for domain userid logon after
> the server is hardening by setting the users and everyone group to read,
> execute and list for the following directories
>
> C:\
> C:\winnt
> C:\winnt\system
> C:\winnt\repair
> C:\winnt\system32
> C:\winnt\system32\config
> C:\winnt\system32\spool
>
> The website is able to work after we add the IUSR_computername account to
> the local administrator group.
> Any idea what could have cause the above issue and why adding the
> IUSR_computername to the administrator group resolve the issue
>
> --
> Time 4 a break

Re: IIS prompt for domain userid after server is hardened

Thanks..

I am wondering if I revert back the security settings, would it help to fix
the problem.


--
Time 4 a break


"Bernard Cheah [MVP]" wrote:

> Because with local admin rights - the iusr has sufficient permissions to
> access the resource.
> You should remove the iusr from admin group, then get filemon / regmon to
> trace where iusr is facing access issue.
>
> --
> Regards,
> Bernard Cheah
> http://www.iis.net/
> http://msmvps.com/blogs/bernard/
>
>
> "newbie@work" wrote in message
> news:4460E060-94F8-4A57-A969-7664D40FCD80@microsoft.com...
> > Hi,
> >
> > I have an issue where the IIS website prompt for domain userid logon after
> > the server is hardening by setting the users and everyone group to read,
> > execute and list for the following directories
> >
> > C:\
> > C:\winnt
> > C:\winnt\system
> > C:\winnt\repair
> > C:\winnt\system32
> > C:\winnt\system32\config
> > C:\winnt\system32\spool
> >
> > The website is able to work after we add the IUSR_computername account to
> > the local administrator group.
> > Any idea what could have cause the above issue and why adding the
> > IUSR_computername to the administrator group resolve the issue
> >
> > --
> > Time 4 a break
>
>
>

Re: IIS prompt for domain userid after server is hardened

"newbie@work" wrote in message
news:38F52FFA-DB3F-42B1-82CC-C7DD9279E7EF@microsoft.com...
> Thanks..
>
> I am wondering if I revert back the security settings, would it help to
> fix
> the problem.
>

Well, if it worked before and you really did revert (actually get back
to where it was) then one would expect it to work again.

However, you will likely have a very hard time actually reverting, at
least if you did force the permissions you outlined on those directories
and their content. For example, the settings within C:\winnt in a default
setup are rather varied, not uniform.
Also, I do not know where you got the idea that setting permissions as
indicated on the folders listed, but it was not a good idea, and in the case
of repair and config actually would have weakened rather than hardened
a post NT4 system (since you have winnt dir I must assume this is older
or upgrade newer, so your changes may have been for the better but all
depending on what the initial values were).


>
> "Bernard Cheah [MVP]" wrote:
>
>> Because with local admin rights - the iusr has sufficient permissions to
>> access the resource.
>> You should remove the iusr from admin group, then get filemon / regmon to
>> trace where iusr is facing access issue.
>>
>> --
>> Regards,
>> Bernard Cheah
>> http://www.iis.net/
>> http://msmvps.com/blogs/bernard/
>>
>>
>> "newbie@work" wrote in message
>> news:4460E060-94F8-4A57-A969-7664D40FCD80@microsoft.com...
>> > Hi,
>> >
>> > I have an issue where the IIS website prompt for domain userid logon
>> > after
>> > the server is hardening by setting the users and everyone group to
>> > read,
>> > execute and list for the following directories
>> >
>> > C:\
>> > C:\winnt
>> > C:\winnt\system
>> > C:\winnt\repair
>> > C:\winnt\system32
>> > C:\winnt\system32\config
>> > C:\winnt\system32\spool
>> >
>> > The website is able to work after we add the IUSR_computername account
>> > to
>> > the local administrator group.
>> > Any idea what could have cause the above issue and why adding the
>> > IUSR_computername to the administrator group resolve the issue
>> >
>> > --
>> > Time 4 a break
>>
>>
>>