Flaw in default permissions

The documentation states that the IUSR account by default has Read, Execute NTFS permissions to the web site folders:
http://support.microsoft.com/?kbid=812614
I have done many default installations and it does not. It just has a Deny Write. Any comments? Is that just a straightforward documentation error?
Anthony

Furthermore, the document says that Anon also requires the Logon Locally right. However another document:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true
explains that in IIS6 basic and anon authentication by default use the NETWORK_CLEARTEXT method which does not require Logon Locally rights.
Any comments on that one?
Anthony

"Anthony Yates" <anthony.yates@nospam.com> wrote in message news:%233lV49cpGHA.1440@TK2MSFTNGP03.phx.gbl...
> The documentation states that the IUSR account by default has Read,
> Execute NTFS permissions to the web site folders:
> http://support.microsoft.com/?kbid=812614
> I have done many default installations and it does not. It just has a Deny
> Write. Any comments? Is that just a straightforward documentation error?
> Anthony

Mixture of Documentation errors and "backwards compatibility" cruft.

This is how basic/anon authentication, network_cleartext, and "Logon Locally" all fit together.

http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS_Security_Templates_and_Anonymous_Authentication.aspx

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Anthony Yates" <anthony.yates@nospam.com> wrote in message news:%237Ql$DdpGHA.1140@TK2MSFTNGP05.phx.gbl...
> Furthermore, the document says that Anon also requires the Logon Locally
> right. However another document:
> http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true
> explains that in IIS6 basic and anon authentication by default use the
> NETWORK_CLEARTEXT method which does not require Logon Locally rights.
> Any comments on that one?
> Anthony

It's really quite an important documentation error. When something is not working, I look to go back to the defaults. If the documentation about the defaults is wrong, troubleshooting becomes much more difficult.
Anthony

"David Wang [Msft]" <some***@online.microsoft.com> wrote in message news:Obp6pXhpGHA.2256@TK2MSFTNGP03.phx.gbl...
> Mixture of Documentation errors and "backwards compatibility" cruft.
>
> This is how basic/anon authentication, network_cleartext, and "Logon
> Locally" all fit together.
>
> http://blogs.msdn.com/david.wang/archive/2006/07/01/IIS_Security_Templates_and_Anonymous_Authentication.aspx

That is not good about the documentation.

If you really want to be sure, I suppose you can check the secsetup.inf security template that secedit uses to configure the NTFS permissions when Windows Server 2003 is set up. See: http://support.microsoft.com/?kbid=313222

Cheers
Ken

"Anthony" <anthony.spam@spammedout.com> wrote in message news:ehgfT0kpGHA.524@TK2MSFTNGP05.phx.gbl...
> It's really quite an important documentation error. When something is not
> working, I look to go back to the defaults. If the documentation about the
> defaults is wrong, troubleshooting becomes much more difficult.
> Anthony

I do not think we ever definitively document what the "defaults" are because it really depends with such a flexible system involved with IIS. Hence it is sitting in a KB and not Technet/MSDN documentation.

I know how that KB's information came about - it is not definitive and probably out of date already. It takes but one setup change to invalidate the article, and people making those changes are often not aware of the KB consequences.

The meaning of "default" can vary, depending on whether the system is upgraded or clean installed, whether the machine is a DC or not, etc. The KB only represents *one* working configuration; it definitely does not represent the minimal/optimal configuration; it may not work for all situations, and there may be other working configurations.

In other words, I don't bother returning to the defaults because it is not guaranteed to make things work and hence cannot function the way you are expecting and useless for troubleshooting.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Anthony" <anthony.spam@spammedout.com> wrote in message news:ehgfT0kpGHA.524@TK2MSFTNGP05.phx.gbl...
> It's really quite an important documentation error. When something is not
> working, I look to go back to the defaults. If the documentation about the
> defaults is wrong, troubleshooting becomes much more difficult.
> Anthony
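The comparison at issue in this thread, what an account's ACEs on the web folder actually are versus what an article says the default is, can be run mechanically on the folder's SDDL string (for example the Sddl property returned by Get-Acl, or the descriptor in a security template's [File Security] entry). This is an added example, not code from any poster in the thread; the SDDL string and the IUSR SID in it are constructed, and only ACEs that name the trustee directly are evaluated, not rights gained through group membership.

```python
import re

# SDDL rights aliases -> file access masks (winnt.h); generic rights are shown
# already mapped to their file-specific equivalents.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x1F01FF, "GR": 0x120089, "GW": 0x120116, "GX": 0x1200A0,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
          "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
READ_EXECUTE = 0x1200A9  # "Read & Execute" as shown in the ACL editor
WRITE_DATA = 0x116       # write data/append/EA/attributes, without SYNCHRONIZE

def pairs(s):
    """Split an SDDL flag or rights string into two-letter tokens."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_mask(rights):
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in pairs(rights):
        mask |= RIGHTS[token]
    return mask

def parse_dacl(sddl):
    """Return (type, flag_tokens, mask, trustee) for each ACE in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        kind, flags, rights, _, _, trustee = body.split(";")[:6]
        aces.append((kind, pairs(flags), parse_mask(rights), trustee))
    return aces

def explicit_rights(sddl, trustee):
    allow = deny = 0
    for kind, flags, mask, who in parse_dacl(sddl):
        # Token test, not substring: "CIOI" contains the letters "IO" but is
        # CI+OI; a real IO (inherit-only) ACE does not apply to the folder.
        if who != trustee or "IO" in flags:
            continue
        if kind == "A":
            allow |= mask
        elif kind == "D":
            deny |= mask
    return allow, deny

def compare_with_doc(sddl, trustee):
    allow, deny = explicit_rights(sddl, trustee)
    granted = (allow & READ_EXECUTE) == READ_EXECUTE and not (deny & READ_EXECUTE)
    return {"read_execute_granted": granted,
            "write_denied": (deny & WRITE_DATA) == WRITE_DATA}

IUSR_SID = "S-1-5-21-1111111111-2222222222-3333333333-1003"  # constructed
SAMPLE_SDDL = (f"O:BAG:SYD:(D;OICI;0x116;;;{IUSR_SID})"       # constructed
               "(A;OICI;FA;;;BA)(A;CIOI;GRGX;;;BU)(A;OICIIO;GA;;;CO)")
```
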