IIS 7 and Above
IUSR Built-in Account Associated with Users Group?
Last post Aug 29, 2008 04:32 PM by kazutsugu
Nov 27, 2007 08:29 PM|Switche
From my understanding, the default anonymous user for IIS is now named "NT AUTHORITY\IUSR", is now a built-in Windows account, and thusly can no longer be managed as a normal Windows user could.
I found that there is some kind of unlisted association of this account with the "Users" Windows group. For example, if I keep default Anonymous Authentication as "IUSR" for a new Web site, the Web site can be accessed with no file system security changes.
I guessed that this access was associated with the "Users" Windows group based on the ACL of the home directory, and wanted to test that theory. The "Users" group does not contain the "NT AUTHORITY\IUSR" built-in account in the members collection, and temporarily removing all users from the group's members collection still allows access. However, if I temporarily remove "Users" entirely from the ACL of the Web site home directory itself, I receive a "401 - Unauthorized" error. This suggests some permanent, built-in association of "IUSR" account to the "Users" group.
Can someone explain this association to me, and explain in further detail what the "IUSR" account has access to, and if/how this access can be changed?
Nov 27, 2007 08:51 PM|anilr
By default, "BUILTIN\Users" contains "NT Authority\Authenticated Users" and all tokens (except null session token) contain "NT Authority\Authenticated Users" - this is how giving access to BUILTIN\Users gives access to "NT Authority\IUSR"
Nov 27, 2007 11:30 PM|Switche
Thanks for your reply, anilr.
If this is the case, why does removing the "NT Authority\Authenticated Users" from "BUILTIN\Users" group not produce the same 401 error as removing the "BUILTIN\Users" group from the Web site home directory's ACL?
Nov 27, 2007 11:47 PM|anilr
You would have to restart IIS (iisreset or net stop was /y & net start w3svc) to get a new token since the cached token would still reflect the old group memberships.
Nov 29, 2007 07:06 PM|Switche
I verified all my settings were still in place, then performed an iisreset. After the reset, I was indeed receiving the same 401 error denying access. I verified this in a new browser process as well. I re-added "NT Authority\Authenticated Users" back to the Users group and iisreset again, but I was still being denied access.
I performed a few more iisresets and test hits to the site in confusion, and suddenly I was receiving a generic "page not found" error. I checked IIS and my test Web site was gone. applicationHost.config had no entries pertaining to the site.
I rebooted the machine, re-created the Web site from scratch, including a new physical home directory, and performed these tests again from step 1.
Now I'm not able to reproduce the behavior you mentioned. I am granted access to the site even after removing "NT Authority\Authenticated Users" from the Users group and performing an iisreset. Removing the Users group from the home directory ACL still denies access without an iisreset, and can be undone also without an iisreset. I verified the authentication is still anonymous/"IUSR" on the site.
Any ideas what's going on?
Dec 07, 2007 11:16 PM|anilr
Hmm, seems like IUSR token is always member of Users group (even when authenticated users is removed from users group) - maybe something to do with the fact that it is a builtin account with service logon - investigating this more.
Aug 29, 2008 04:32 PM|kazutsugu
I want to remove the "NT Authority\Authenticated Users" group from the local Users group.
I did, and exactly as you explain, I get a 401 error.
Is there a workaround? I mean a way to run ASP and ASPX without having the "NT Authority\Authenticated Users" group in the local Users group?
Thanks a lot in advance,
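
An added example, not part of any post in this thread: a PowerShell check that lists the home-directory ACEs naming the three identities discussed above and reports whether "Authenticated Users" is currently a member of the local Users group. The path is a placeholder, the SIDs are the well-known values for these principals, and Get-LocalGroupMember assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the thread. $Path is a placeholder for the site's home directory.
param([string]$Path = 'C:\inetpub\wwwroot')

# Well-known SIDs of the three identities the thread discusses.
$watch = [ordered]@{
    'S-1-5-17'     = 'NT AUTHORITY\IUSR'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# 1. ACEs on the home directory that name one of those identities, resolved
#    to SIDs so the match does not depend on localized account names.
$sidType = [System.Security.Principal.SecurityIdentifier]
$aces = @((Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
    Where-Object { $watch.Contains($_.IdentityReference.Value) })

$aces | ForEach-Object {
    [pscustomobject]@{
        Identity  = $watch[$_.IdentityReference.Value]
        Type      = $_.AccessControlType   # Allow or Deny
        Rights    = $_.FileSystemRights
        Inherited = $_.IsInherited
    }
} | Format-Table -AutoSize

# 2. Is "Authenticated Users" currently a member of the local Users group?
#    A change here only shows up in tokens created afterwards, which is why
#    the thread restarts IIS before re-testing.
$usersSid    = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
$memberSids  = @(Get-LocalGroupMember -SID $usersSid | ForEach-Object { $_.SID.Value })
$authInUsers = $memberSids -contains 'S-1-5-11'

# 3. Summary: which ACEs exist for each identity, plus the group membership.
function Test-AceFor([string]$Sid) {
    @($aces | Where-Object { $_.IdentityReference.Value -eq $Sid }).Count -gt 0
}

[pscustomobject]@{
    Path                      = $Path
    AceForIUSR                = Test-AceFor 'S-1-5-17'
    AceForAuthenticatedUsers  = Test-AceFor 'S-1-5-11'
    AceForUsers               = Test-AceFor 'S-1-5-32-545'
    AuthenticatedUsersInUsers = $authInUsers
} | Format-List
```

Run it from an elevated prompt before and after each ACL or group change, so the 401 results can be compared against what the directory and the group actually contained at that point.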