IUSR Registry Security

on 17.01.2008 22:32:01 by smurfman

(Windows 2003 Standard x86 / IIS 6.0 Web Server)

Recently after installing Windows Updates (942763, 941569, 944653, 941568,
943460, 941644, 943485) and IE 7 Updates (942615, 938127) my Web Server came
up broken after a reboot.

In working with our Third Party Software vendor who writes the Web
Application (and is a Microsoft Partner) we found that we needed to modify
the following:

1) The only way the site authentication (RSA crypto) would work was by
changing the IIS DefaultAppPool Identity from Network Service to Local System
and accepting the warning that displayed and bouncing IIS.

2) The solution from the third party was to modify the permissions of this
registry key:

"HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones" key permissions to include read rights for the "Everyone"
group - I was uncomfortable allowing too many rights, and audited the folder
to learn that the IUSR_ServerName (Internet Guest Account) was attempting to
read the Zones key and 0-5 as well.

I added the IUSR (Internet Guest Account) to this key - reset the IIS
DefaultAppPool Identity from Local System to Network Service and bounced IIS.

Tested and the website authentication was working again.

- Is there a KB that supports this kind of change?

- What risks might this create?

- Is there another workaround that could be used? (other than Local
System as the DefaultAppPool identity?)

I inquired with my software company; they did not have a real reason for
this...
Much appreciated.

RE: IUSR Registry Security

on 18.01.2008 11:43:30 by wjzhang

Hi,

Sounds like this is a machine/system specific issue, because our IIS team
hasn't heard of anybody else reporting the same problem so far. I also checked
the following registry key, as you stated, on my test Windows 2003
server (with all latest patches).

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones

The server doesn't encounter the same symptom and there are only 4 entries
in the permission list:

Administrators - Full Control
NETWORK SERVICE - Full Control
RESTRICTED - Read
SYSTEM - Full Control

Therefore, since the problem cannot be reproduced, I wonder if it's
possible for you to uninstall the patches to find out which one causes the
problem? We should be able to perform some further investigation after
knowing this. Since the registry key is Internet Zones, I just think the
IE7 patches are the biggest suspects.

Thanks and have a nice weekend.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
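The two posts above disagree about what the ACL on the NETWORK SERVICE profile's Zones key should look like: the vendor workaround adds Everyone (or IUSR_ServerName), while the reply lists a four-entry baseline on a patched test box. The script below is an added example, not code from either poster or from Microsoft; it compares the live DACL on that key against the baseline quoted in the reply and flags any extra or broadened grant, which is the check to run before and after applying a vendor-suggested permission change. It assumes an elevated PowerShell session on the web server, that the S-1-5-20 hive is loaded (it is whenever NETWORK SERVICE has a profile), and that the baseline identities resolve to the `NT AUTHORITY\` and `BUILTIN\` names used here; the `$Baseline` table itself is a constructed transcription of the reply and may differ on other builds.

```powershell
# Added example (not from the thread): audit the DACL on the Internet Settings\Zones
# key under the NETWORK SERVICE profile hive (HKEY_USERS\S-1-5-20) against the
# baseline listed in the reply above, and report anything beyond that baseline.
# Assumptions: run elevated; baseline identities/rights transcribed from the reply.

$KeyPath = 'Registry::HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Baseline from the reply (constructed table): identity -> expected registry rights
$Baseline = @{
    'BUILTIN\Administrators'       = 'FullControl'
    'NT AUTHORITY\NETWORK SERVICE' = 'FullControl'
    'NT AUTHORITY\RESTRICTED'      = 'ReadKey'
    'NT AUTHORITY\SYSTEM'          = 'FullControl'
}

# Broad principals that should not appear on a per-service profile hive at all.
# IUSR_<server> is matched by prefix because the account name is machine-specific.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-ZonesKeyAcl {
    param([string] $Path = $KeyPath)

    $acl      = Get-Acl -Path $Path
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($ace in $acl.Access) {
        $id     = $ace.IdentityReference.Value
        $rights = $ace.RegistryRights.ToString()
        $where  = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }

        if ($BroadPrincipals -contains $id -or $id -like '*\IUSR_*') {
            # The vendor workaround in the first post lands here.
            $findings.Add("BROAD   : $id -> $rights ($($ace.AccessControlType), $where)")
        }
        elseif (-not $Baseline.ContainsKey($id)) {
            $findings.Add("EXTRA   : $id -> $rights ($($ace.AccessControlType), $where)")
        }
        elseif ($rights -ne $Baseline[$id]) {
            $findings.Add("CHANGED : $id -> $rights, baseline is $($Baseline[$id])")
        }
    }

    # Baseline entries that are missing entirely are also worth knowing about.
    $present = $acl.Access | ForEach-Object { $_.IdentityReference.Value }
    foreach ($expected in $Baseline.Keys) {
        if ($present -notcontains $expected) {
            $findings.Add("MISSING : $expected (baseline $($Baseline[$expected]))")
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output "OK: DACL on '$Path' matches the four-entry baseline."
    }
    else {
        Write-Output "DACL on '$Path' deviates from the baseline:"
        $findings | ForEach-Object { Write-Output "  $_" }
    }
    return $findings
}

# Also surface the SACL, since the first poster found the real requester by
# auditing the key rather than by guessing. Get-Acl -Audit needs SeSecurityPrivilege.
function Get-ZonesKeyAuditRules {
    param([string] $Path = $KeyPath)
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object @{n='Identity'; e={ $_.IdentityReference.Value }},
                      @{n='Rights';   e={ $_.RegistryRights }},
                      @{n='Flags';    e={ $_.AuditFlags }}
}

# Usage:
$null = Test-ZonesKeyAcl
Get-ZonesKeyAuditRules | Format-Table -AutoSize
```

Reading the result: a `BROAD` line for `Everyone` or `IUSR_<server>` is exactly the change the vendor asked for, and it widens who can read the Internet Zones configuration of the NETWORK SERVICE profile to every anonymous web request; an `EXTRA` or `CHANGED` line for some other identity points at a patch or an earlier manual edit rather than at the vendor. Running the same script after reverting the workaround and switching the application pool identity back, or after uninstalling patches one at a time as the reply suggests, gives a repeatable before/after record instead of a hand-read of the Permissions dialog.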