TO
12 Posts
IIS 7 ACL
Jul 15, 2009 10:22 AM
I am currently trying to figure out which account is preventing me from running anonymous access on an IIS 7 website.
The general idea is to have the following folders.
CGI-Data
CGI-Bin
Databases
Docs
Logs
On the "old" IIS 6 it would suffice to have the following ACL:
NT AUTHORITY\INTERACTIVE:(CI)R
IUSR:(OI)(CI)R
FTPUser:(OI)(CI)C
NT AUTHORITY\NETWORK:(CI)R
BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
With IUSR having Modify rights in the CGI-Data and Databases folders. Home Directory located in Docs...
So when trying to replicate this I bump into this Users group on IIS 7, which is inherited from the parent folder. I am not the biggest fan of user groups when it comes to security on websites. When removing this one I cannot access the web site.
So what user am I missing?
The WWWPS is running under local system.
steve schofi...
5681 Posts
MVP
Moderator
Re: IIS 7 ACL
Jul 15, 2009 02:48 PM
If you are getting an error, enable auditing and look in the security event log.
http://weblogs.asp.net/steveschofield/archive/2008/03/07/detecting-permission-issues-using-auditing-and-process-monitor.aspx
Steve Schofield
Windows Server MVP - IIS
http://iislogs.com/steveschofield
http://www.IISLogs.com
Log archival solution
Install, Configure, Forget
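The auditing approach Steve points to, as an added example that is not part of the thread or of the linked post: turn on failure auditing for the "File System" subcategory, put a failure SACL on the web root, reproduce the error in the browser, and then read the access-denied events back with the account and object name, which is exactly the "what user am I missing?" answer. The web root `D:\Web` and the 10-minute window are assumptions; run it elevated on the IIS box.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell on the IIS 7 host
# and a web root of D:\Web (hypothetical path).
$webRoot = 'D:\Web'

# 1. Enable failure auditing for file-system object access (auditpol.exe is built in).
auditpol /set /subcategory:"File System" /failure:enable | Out-Null

# 2. Add a SACL on the web root: audit failed read/write attempts by anyone,
#    inherited by all files and subfolders. This needs SeSecurityPrivilege (admin).
$acl    = Get-Acl -Path $webRoot -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
              'Everyone', $rights, 'ContainerInherit, ObjectInherit', 'None', 'Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $webRoot -AclObject $acl

# 3. After reproducing the 401/403 in a browser, list the failed handle requests
#    (event 4656, "A handle to an object was requested") under the web root.
function Get-DeniedFileAccess {
    param([string]$PathPrefix, [int]$Minutes = 10)
    $filter = @{ LogName = 'Security'; Id = 4656; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.ObjectName -like "$PathPrefix*") {
                New-Object PSObject -Property @{
                    Time    = $_.TimeCreated
                    Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Object  = $d.ObjectName
                    Access  = $d.AccessList
                    Process = $d.ProcessName
                }
            }
        }
}

Get-DeniedFileAccess -PathPrefix $webRoot | Format-Table Time, Account, Object, Process -AutoSize
```

The Account column tells you which principal (IUSR, the application pool identity, or something else) the denied access ran under, and Process shows whether it was `w3wp.exe` or a CGI child. Two caveats: on a domain controller the audit policy is usually dictated by the Default Domain Controllers Policy GPO, so a local `auditpol` change can be overwritten at the next refresh; and remove the SACL again once you are done, because failure auditing on a busy web root fills the Security log quickly.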
TO
12 Posts
Re: IIS 7 ACL
Jul 16, 2009 08:40 AM
Great thanks :) Got the right users and groups now.
Please note that this is a DC running IIS - I am not sure if this is supported but there is one thing I cannot figure out. I know it isn't the best solution but it is for testing purposes only... :).
There is a built-in account for anonymous access to Internet Information Services:
DCNAME\IUSR_AD01:(OI)(CI)R
I did, however, have to add the account below to make it work:
NT AUTHORITY\IUSR:(OI)(CI)R
So I took a look at the Anonymous Authentication credentials and they were set to IUSR. Fair enough, but I would have expected IIS to set it to the first account (the domain one). Or am I on a detour here?
Note to self:
Add NT AUTHORITY\NETWORK SERVICE:(OI)(CI)R to file security settings as well (Default app pool).
Regards
Thomas Olesen
steve schofi...
5681 Posts
MVP
Moderator
Re: IIS 7 ACL
Jul 16, 2009 06:55 PM
You can run IIS on a domain controller, but it's not recommended that you run a web server, let alone an internet-facing server, on a domain controller. If your system is compromised, they have the keys to the kingdom. The thing you are probably running up against is that the local users IUSR or Network Service don't have "log on locally" permissions, since the DC does not have the concept of a 'local SAM' database. I'd recommend creating an app pool account that is used on the DC and granting it the appropriate permissions.
For my test machine at home, I have a DC running IIS and RRAS with 2 NICs. It works fine for most things from a testing perspective.
Steve Schofield
Windows Server MVP - IIS
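Putting Thomas's folder layout and Steve's recommendation together, as an added example that is not code from the thread: recreate the five folders with the inherited `BUILTIN\Users` entry removed, grant IUSR read everywhere and Modify only in CGI-Data and Databases, run the site under a dedicated application pool account instead of NETWORK SERVICE or LocalSystem, and then print which identity anonymous requests actually use. The root `D:\Web`, the pool name `CgiPool`, the account `CONTOSO\svc_webpool` and the site name are assumptions; the account must already exist in the domain.

```powershell
# Added example, not from the thread. Assumes elevated PowerShell on Windows Server 2008 / IIS 7,
# an existing domain account CONTOSO\svc_webpool, and the hypothetical root D:\Web.
$root   = 'D:\Web'
$poolId = 'CONTOSO\svc_webpool'                       # dedicated app pool identity (assumption)
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"

foreach ($d in 'CGI-Data','CGI-Bin','Databases','Docs','Logs') {
    New-Item -ItemType Directory -Path (Join-Path $root $d) -Force | Out-Null
}

# Break inheritance on the web root so the parent's BUILTIN\Users entry does not leak in,
# then lay down an explicit ACL: admins and SYSTEM full, anonymous user and worker read-only.
icacls $root /inheritance:r /grant:r `
    "BUILTIN\Administrators:(OI)(CI)F" `
    "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
    "NT AUTHORITY\IUSR:(OI)(CI)R" `
    "${poolId}:(OI)(CI)R"

# CGI scripts need to write here, as in the IIS 6 layout: Modify for IUSR and the worker.
foreach ($d in 'CGI-Data','Databases') {
    icacls (Join-Path $root $d) /grant "NT AUTHORITY\IUSR:(OI)(CI)M" "${poolId}:(OI)(CI)M"
}

# Logs: only the worker process writes; the anonymous user gets no entry at all
# (my choice here, the thread does not say who writes the logs).
icacls (Join-Path $root 'Logs') /inheritance:r /grant:r `
    "BUILTIN\Administrators:(OI)(CI)F" `
    "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
    "${poolId}:(OI)(CI)M"

# Dedicated application pool running as the domain account, and bind the site to it.
$pw = Read-Host 'Password for svc_webpool'
& $appcmd add apppool /name:CgiPool
& $appcmd set apppool /apppool.name:CgiPool /processModel.identityType:SpecificUser `
    /processModel.userName:$poolId /processModel.password:$pw
& $appcmd set app "Default Web Site/" /applicationPool:CgiPool
& $appcmd set vdir "Default Web Site/" /physicalPath:(Join-Path $root 'Docs')

# Which identity do anonymous requests use? A userName of IUSR means the built-in account;
# an empty userName means IIS uses the application pool identity instead.
& $appcmd list config "Default Web Site" /section:anonymousAuthentication

# Effective ACLs per folder, for a final eyeball check.
Get-ChildItem $root | ForEach-Object { icacls $_.FullName }
```

With this layout a compromised CGI script running as IUSR can only write into CGI-Data and Databases, and the worker account is a plain domain user rather than SYSTEM, which matters on a DC where the same process identity would otherwise be the directory itself. If you prefer to drop IUSR entirely, set `/userName:""` on the anonymousAuthentication section so anonymous requests run as `CONTOSO\svc_webpool`, and then the `NT AUTHORITY\IUSR` entries above are no longer needed.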