
Thread: Guest account

Last post 11-19-2008 9:14 AM by dwheeler. 5 replies.


  • 11-18-2008, 3:28 PM

    • dwheeler
    • Not Ranked
    • Joined on 11-18-2008, 3:26 PM
    • Posts 3

    Guest account

    To add to the security of our web server, it has been recommended that the guest account be removed from the guest group, since anonymous is not allowed. Does anyone see any issues in IIS 6.0 if this is done?

  • 11-18-2008, 4:23 PM In reply to

    Re: Guest account

    No that should be fine.

  • 11-19-2008, 4:26 AM In reply to

    Re: Guest account

    Hi,

    IIS doesn't use the Guest account, it uses the IUSR_MACHINENAME (which is a member of the local Guests group by default) for anonymous access. If you are definitely not using anonymous access it would be better to disable the IUSR account.

    Regards, 

    Paul Lynch | www.iisadmin.co.uk
  • 11-19-2008, 9:05 AM In reply to

    • dwheeler

    Re: Guest account

    Thanks for the response. I have nine sites on the server and three do not allow anonymous, but the others do, so it must remain.

     

  • 11-19-2008, 9:08 AM In reply to

    Re: Guest account

    I leave the Guest account, give it a complicated password and deny access to everything. Then you can audit the account for attempted hacking. But removal works too. In Server 2003, nothing uses the Guest account and it is disabled by default.

    Jeff

  • 11-19-2008, 9:14 AM In reply to

    • dwheeler

    Re: Guest account

    I am looking more at the guest group and the IUSR_Machinename account. New security best practices that have been published say to remove all accounts and groups from the guest group, which on a web server contains the IUSR, so if you remove it, will it disrupt anonymous access? And if you do not, then depending upon your employer you could be out of policy. Risk justification or acceptability becomes the issue at this point, it would seem.
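
An added example, not written by anyone in this thread: a read-only PowerShell audit for the question discussed above. It lists the local Guests group members, reports whether the Guest account is disabled, and shows for each IIS 6.0 site whether anonymous access is enabled at the site root and whether its anonymous account is in Guests. Assumptions: PowerShell 2.0 is installed on the server, the script runs locally as an administrator, and the property names in the output objects are made up for this example.

```powershell
# Added example: read-only audit, makes no changes to accounts or the metabase.
# Assumes PowerShell 2.0, run locally as an administrator on the IIS 6.0 server.
$computer = $env:COMPUTERNAME

# Members of the local Guests group (WinNT ADSI provider).
$guestsGroup  = [ADSI]"WinNT://$computer/Guests,group"
$guestMembers = @($guestsGroup.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
})

# Guest account state: UserFlags bit 0x2 is ACCOUNTDISABLE.
$guest         = [ADSI]"WinNT://$computer/Guest,user"
$guestDisabled = [bool]([int]$guest.psbase.Properties["UserFlags"].Value -band 0x2)

"Guests group members : " + ($guestMembers -join ", ")
"Guest account disabled: $guestDisabled"

# Per-site anonymous settings from the IIS 6.0 metabase (IIS ADSI provider).
# AuthFlags bit 0x1 means anonymous authentication is enabled.
$w3svc = [ADSI]"IIS://localhost/W3SVC"
$w3svc.psbase.Children |
    Where-Object { $_.psbase.SchemaClassName -eq "IIsWebServer" } |
    ForEach-Object {
        $root     = [ADSI]"IIS://localhost/W3SVC/$($_.psbase.Name)/Root"
        $anonOn   = [bool]([int]$root.psbase.Properties["AuthFlags"].Value -band 0x1)
        $anonUser = [string]$root.psbase.Properties["AnonymousUserName"].Value
        # Drop any DOMAIN\ or MACHINE\ prefix before comparing with group members.
        $shortName = ($anonUser -split '\\')[-1]

        New-Object PSObject -Property @{
            SiteId           = $_.psbase.Name
            Site             = [string]$_.psbase.Properties["ServerComment"].Value
            AnonymousEnabled = $anonOn
            AnonymousUser    = $anonUser
            AnonUserInGuests = ($guestMembers -contains $shortName)
        }
    } |
    Sort-Object SiteId |
    Format-Table SiteId, Site, AnonymousEnabled, AnonymousUser, AnonUserInGuests -AutoSize
```

This reads the site root only; authentication settings can be overridden on individual virtual directories, so a site showing `AnonymousEnabled = False` may still have anonymous enabled lower down.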
