"wyocowboy" <wyocow***@discussions.microsoft.com> wrote in message
news:43291DA9-6053-4288-B9D2-DC05E270834F@microsoft.com...
> I installed WSUS on an idle win2k domain controller and for some reason I
> can
> access the WSUS amin console using any authenticated domain user account
> without being prompted for a user name and password, if I use Internet
> Explorer.
>
> According to the WSUS documentation, only a member of the WSUSadmin group
> or
> the administrators group should be able to access this console. If I use
> Firefox a prompt is displayed asking for user ID and password, which is
> the
> correct behavior.
>
> While it did not appear to be the issue, I disabled anonymous access in
> the
> default IIS5.0 web site (being used to support WSUS admin) and restarted
> the
> www service, but no help. Since most of our workstations are still win2k
> pro
> sp4, IE6 is the version being used. FWIW, the xp machines running IE7 act
> the
> same way.
>
> Is this a known issue with IE? Another factor that may play into this is
> that the previous IT guy made the mistake of using 'companyname.com' as
> the
> internal Windows domain name instead of 'companyname.local' - would that
> trigger this sort of behavior?
>
>

"Ken Schaefer" wrote:

> Hi,
>
> IE will automatically send the current user's credentials if:
> a) the website is in the local "Intranet" security zone
> and
> b) the authentication mechanism is set to "Integrated Windows
> Authentication"
> see: http://support.microsoft.com/?id=258063
>
> However, that doesn't explain why all users have access to the website.
> Instead IE should attempt to send the current user's credentials, which
> should be rejected by the server (unless the user is an appropriate WSUS
> admin) and then IE will put a prompt in front of the user to supply
> alternate credentials.
>
> Do you see this behavior on all workstations? Or just one? Do you see this
> behavior for all users? or just one?
>
> If the website is secured properly (presumably with NTFS permissions), then
> it's possible that someone ticked the "remember password" option when
> accessing the site...
>
> Cheers
> Ken
>
> "wyocowboy" <wyocow***@discussions.microsoft.com> wrote in message
> news:43291DA9-6053-4288-B9D2-DC05E270834F@microsoft.com...
> > I installed WSUS on an idle win2k domain controller and for some reason I
> > can
> > access the WSUS amin console using any authenticated domain user account
> > without being prompted for a user name and password, if I use Internet
> > Explorer.
> >
> > According to the WSUS documentation, only a member of the WSUSadmin group
> > or
> > the administrators group should be able to access this console. If I use
> > Firefox a prompt is displayed asking for user ID and password, which is
> > the
> > correct behavior.
> >
> > While it did not appear to be the issue, I disabled anonymous access in
> > the
> > default IIS5.0 web site (being used to support WSUS admin) and restarted
> > the
> > www service, but no help. Since most of our workstations are still win2k
> > pro
> > sp4, IE6 is the version being used. FWIW, the xp machines running IE7 act
> > the
> > same way.
> >
> > Is this a known issue with IE? Another factor that may play into this is
> > that the previous IT guy made the mistake of using 'companyname.com' as
> > the
> > internal Windows domain name instead of 'companyname.local' - would that
> > trigger this sort of behavior?
> >
> >
>

"wyocowboy" <wyocow***@discussions.microsoft.com> wrote in message
news:4463311B-2814-47CE-BD05-8962DC6AFAC9@microsoft.com...
> Ken,
>
> This happens on three different workstations, and I have tried under 2
> different non-privileged domain accounts (authenticated users group). I
> was
> aware of points a) and b) which made me think it was a lax permissions
> issue
> on the server but the Firefox was prompting. Since I posted, I tried
> logging
> on with Firefox and it fails to authenticate with admin credentials, so
> that
> part looks like apples and oranges.
>
> None of the user accounts I tried belong to the server or WSUS admin
> groups,
> and since I am the only admin and had not previously used IE (and never
> save
> passwords) I am suspecting that the NTFS permissions aren't set correctly.
> I
> did run the IIS lockdown tool prior to installing WSUS, but it is hard to
> imagine how that could have caused this problem.
>
> Assuming that it is permissions, any idea on which ones I need to look at?
> I'd rather flip a few bits it if avoids a reinstall.
>
> Thanks,
>
> Jerry
>
> "Ken Schaefer" wrote:
>
>> Hi,
>>
>> IE will automatically send the current user's credentials if:
>> a) the website is in the local "Intranet" security zone
>> and
>> b) the authentication mechanism is set to "Integrated Windows
>> Authentication"
>> see: http://support.microsoft.com/?id=258063
>>
>> However, that doesn't explain why all users have access to the website.
>> Instead IE should attempt to send the current user's credentials, which
>> should be rejected by the server (unless the user is an appropriate WSUS
>> admin) and then IE will put a prompt in front of the user to supply
>> alternate credentials.
>>
>> Do you see this behavior on all workstations? Or just one? Do you see
>> this
>> behavior for all users? or just one?
>>
>> If the website is secured properly (presumably with NTFS permissions),
>> then
>> it's possible that someone ticked the "remember password" option when
>> accessing the site...
>>
>> Cheers
>> Ken
>>
>> "wyocowboy" <wyocow***@discussions.microsoft.com> wrote in message
>> news:43291DA9-6053-4288-B9D2-DC05E270834F@microsoft.com...
>> > I installed WSUS on an idle win2k domain controller and for some reason
>> > I
>> > can
>> > access the WSUS amin console using any authenticated domain user
>> > account
>> > without being prompted for a user name and password, if I use Internet
>> > Explorer.
>> >
>> > According to the WSUS documentation, only a member of the WSUSadmin
>> > group
>> > or
>> > the administrators group should be able to access this console. If I
>> > use
>> > Firefox a prompt is displayed asking for user ID and password, which is
>> > the
>> > correct behavior.
>> >
>> > While it did not appear to be the issue, I disabled anonymous access in
>> > the
>> > default IIS5.0 web site (being used to support WSUS admin) and
>> > restarted
>> > the
>> > www service, but no help. Since most of our workstations are still
>> > win2k
>> > pro
>> > sp4, IE6 is the version being used. FWIW, the xp machines running IE7
>> > act
>> > the
>> > same way.
>> >
>> > Is this a known issue with IE? Another factor that may play into this
>> > is
>> > that the previous IT guy made the mistake of using 'companyname.com' as
>> > the
>> > internal Windows domain name instead of 'companyname.local' - would
>> > that
>> > trigger this sort of behavior?
>> >
>> >
>>

"Ken Schaefer" wrote:

> What version of WSUS are you using? WSUS v3 is the current version and
> doesn't use a website anymore. WSUS v2 - I think I've killed any memory that
> I've had of that due to beer consumption over the past 6-7 years :-)
>
> You could always just run up Win2k + WSUS v2 in Virtual PC, and see what the
> default settings are, and then replicate those in your production setup.
>
> Cheers
> Ken
>
> "wyocowboy" <wyocow***@discussions.microsoft.com> wrote in message
> news:4463311B-2814-47CE-BD05-8962DC6AFAC9@microsoft.com...
> > Ken,
> >
> > This happens on three different workstations, and I have tried under 2
> > different non-privileged domain accounts (authenticated users group). I
> > was
> > aware of points a) and b) which made me think it was a lax permissions
> > issue
> > on the server but the Firefox was prompting. Since I posted, I tried
> > logging
> > on with Firefox and it fails to authenticate with admin credentials, so
> > that
> > part looks like apples and oranges.
> >
> > None of the user accounts I tried belong to the server or WSUS admin
> > groups,
> > and since I am the only admin and had not previously used IE (and never
> > save
> > passwords) I am suspecting that the NTFS permissions aren't set correctly.
> > I
> > did run the IIS lockdown tool prior to installing WSUS, but it is hard to
> > imagine how that could have caused this problem.
> >
> > Assuming that it is permissions, any idea on which ones I need to look at?
> > I'd rather flip a few bits it if avoids a reinstall.
> >
> > Thanks,
> >
> > Jerry
> >
> > "Ken Schaefer" wrote:
> >
> >> Hi,
> >>
> >> IE will automatically send the current user's credentials if:
> >> a) the website is in the local "Intranet" security zone
> >> and
> >> b) the authentication mechanism is set to "Integrated Windows
> >> Authentication"
> >> see: http://support.microsoft.com/?id=258063
> >>
> >> However, that doesn't explain why all users have access to the website.
> >> Instead IE should attempt to send the current user's credentials, which
> >> should be rejected by the server (unless the user is an appropriate WSUS
> >> admin) and then IE will put a prompt in front of the user to supply
> >> alternate credentials.
> >>
> >> Do you see this behavior on all workstations? Or just one? Do you see
> >> this
> >> behavior for all users? or just one?
> >>
> >> If the website is secured properly (presumably with NTFS permissions),
> >> then
> >> it's possible that someone ticked the "remember password" option when
> >> accessing the site...
> >>
> >> Cheers
> >> Ken
> >>
> >> "wyocowboy" <wyocow***@discussions.microsoft.com> wrote in message
> >> news:43291DA9-6053-4288-B9D2-DC05E270834F@microsoft.com...
> >> > I installed WSUS on an idle win2k domain controller and for some reason
> >> > I
> >> > can
> >> > access the WSUS amin console using any authenticated domain user
> >> > account
> >> > without being prompted for a user name and password, if I use Internet
> >> > Explorer.
> >> >
> >> > According to the WSUS documentation, only a member of the WSUSadmin
> >> > group
> >> > or
> >> > the administrators group should be able to access this console. If I
> >> > use
> >> > Firefox a prompt is displayed asking for user ID and password, which is
> >> > the
> >> > correct behavior.
> >> >
> >> > While it did not appear to be the issue, I disabled anonymous access in
> >> > the
> >> > default IIS5.0 web site (being used to support WSUS admin) and
> >> > restarted
> >> > the
> >> > www service, but no help. Since most of our workstations are still
> >> > win2k
> >> > pro
> >> > sp4, IE6 is the version being used. FWIW, the xp machines running IE7
> >> > act
> >> > the
> >> > same way.
> >> >
> >> > Is this a known issue with IE? Another factor that may play into this
> >> > is
> >> > that the previous IT guy made the mistake of using 'companyname.com' as
> >> > the
> >> > internal Windows domain name instead of 'companyname.local' - would
> >> > that
> >> > trigger this sort of behavior?
> >> >
> >> >
> >>
>

"wyocowboy" <wyocow***@discussions.microsoft.com> wrote in message
news:8069F80F-EC3C-4B4D-BC07-37F6FC3AC3F3@microsoft.com...
> I'm running v2 - v3 is not supported on win2k server (2003 & higher only).
>
> I don't have a VM setup, so I would have to install it on the main file
> server, which requires first installing MSDE and sp1 for that, then
> installing WSUS..... so I think I'll play around with the IIS permissions
> first, since this is really an IIS issue.
>
> "Ken Schaefer" wrote:
>
>> What version of WSUS are you using? WSUS v3 is the current version and
>> doesn't use a website anymore. WSUS v2 - I think I've killed any memory
>> that
>> I've had of that due to beer consumption over the past 6-7 years :-)
>>
>> You could always just run up Win2k + WSUS v2 in Virtual PC, and see what
>> the
>> default settings are, and then replicate those in your production setup.
>>
>> Cheers
>> Ken
>>
>> "wyocowboy" <wyocow***@discussions.microsoft.com> wrote in message
>> news:4463311B-2814-47CE-BD05-8962DC6AFAC9@microsoft.com...
>> > Ken,
>> >
>> > This happens on three different workstations, and I have tried under 2
>> > different non-privileged domain accounts (authenticated users group). I
>> > was
>> > aware of points a) and b) which made me think it was a lax permissions
>> > issue
>> > on the server but the Firefox was prompting. Since I posted, I tried
>> > logging
>> > on with Firefox and it fails to authenticate with admin credentials, so
>> > that
>> > part looks like apples and oranges.
>> >
>> > None of the user accounts I tried belong to the server or WSUS admin
>> > groups,
>> > and since I am the only admin and had not previously used IE (and never
>> > save
>> > passwords) I am suspecting that the NTFS permissions aren't set
>> > correctly.
>> > I
>> > did run the IIS lockdown tool prior to installing WSUS, but it is hard
>> > to
>> > imagine how that could have caused this problem.
>> >
>> > Assuming that it is permissions, any idea on which ones I need to look
>> > at?
>> > I'd rather flip a few bits it if avoids a reinstall.
>> >
>> > Thanks,
>> >
>> > Jerry
>> >
>> > "Ken Schaefer" wrote:
>> >
>> >> Hi,
>> >>
>> >> IE will automatically send the current user's credentials if:
>> >> a) the website is in the local "Intranet" security zone
>> >> and
>> >> b) the authentication mechanism is set to "Integrated Windows
>> >> Authentication"
>> >> see: http://support.microsoft.com/?id=258063
>> >>
>> >> However, that doesn't explain why all users have access to the
>> >> website.
>> >> Instead IE should attempt to send the current user's credentials,
>> >> which
>> >> should be rejected by the server (unless the user is an appropriate
>> >> WSUS
>> >> admin) and then IE will put a prompt in front of the user to supply
>> >> alternate credentials.
>> >>
>> >> Do you see this behavior on all workstations? Or just one? Do you see
>> >> this
>> >> behavior for all users? or just one?
>> >>
>> >> If the website is secured properly (presumably with NTFS permissions),
>> >> then
>> >> it's possible that someone ticked the "remember password" option when
>> >> accessing the site...
>> >>
>> >> Cheers
>> >> Ken
>> >>
>> >> "wyocowboy" <wyocow***@discussions.microsoft.com> wrote in message
>> >> news:43291DA9-6053-4288-B9D2-DC05E270834F@microsoft.com...
>> >> > I installed WSUS on an idle win2k domain controller and for some
>> >> > reason
>> >> > I
>> >> > can
>> >> > access the WSUS amin console using any authenticated domain user
>> >> > account
>> >> > without being prompted for a user name and password, if I use
>> >> > Internet
>> >> > Explorer.
>> >> >
>> >> > According to the WSUS documentation, only a member of the WSUSadmin
>> >> > group
>> >> > or
>> >> > the administrators group should be able to access this console. If I
>> >> > use
>> >> > Firefox a prompt is displayed asking for user ID and password, which
>> >> > is
>> >> > the
>> >> > correct behavior.
>> >> >
>> >> > While it did not appear to be the issue, I disabled anonymous access
>> >> > in
>> >> > the
>> >> > default IIS5.0 web site (being used to support WSUS admin) and
>> >> > restarted
>> >> > the
>> >> > www service, but no help. Since most of our workstations are still
>> >> > win2k
>> >> > pro
>> >> > sp4, IE6 is the version being used. FWIW, the xp machines running
>> >> > IE7
>> >> > act
>> >> > the
>> >> > same way.
>> >> >
>> >> > Is this a known issue with IE? Another factor that may play into
>> >> > this
>> >> > is
>> >> > that the previous IT guy made the mistake of using 'companyname.com'
>> >> > as
>> >> > the
>> >> > internal Windows domain name instead of 'companyname.local' - would
>> >> > that
>> >> > trigger this sort of behavior?
>> >> >
>> >> >
>> >>
>>