Why rename the IUSR account?

Some articles/papers seem to recommend that you rename the IUSR account (for added security). However, I cannot find any reason why you need to do it (but I can see the reason why you should rename the Administrator account).

Can anyone tell me why it would be good to rename the IUSR account?

Thanks!

"Ben" <Ben@nospam.example.com> wrote in message news:eLCjfY%23TFHA.3280@TK2MSFTNGP09.phx.gbl...
> Some articles/papers seem to recommend that you rename the IUSR account
> (for added security). However, I cannot find any reason why you need to do
> it (but I can see the reason why you should rename the Administrator
> account).
>
> Can anyone tell me why it would be good to rename the IUSR account?

It's just another layer of security. If someone can guess the IUSR name and password and you have elevated permissions for the account then someone can take advantage of that. As with any security measure, you have to decide how relevant it is in your specific environment.

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

But, if the IUSR account has access _only_ to content that is publicly available to anonymous users (now, that is another question if the IUSR account is properly configured), it would not harm to not rename it, would it? I mean, if all the content is already available for everyone, there would be no reason to "hack" the account, because you will not gain access to any additional resources. (But of course a "hacked" account is never good.)

Would it be better to disable the original IUSR account and create a new one (with least privileges, I'm trying to find a list of necessary permissions for the IUSR account to work)? As mentioned in the IIS Insider article.

(This is on an IIS 6.0 server)

Thanks!

"Ben" <Ben@nospam.example.com> wrote in message news:OgaQOw%23TFHA.4092@TK2MSFTNGP12.phx.gbl...
> But, if the IUSR account has access _only_ to content that is publicly
> available to anonymous users (now, that is another question if the IUSR
> account is properly configured), it would not harm to not rename it, would
> it? I mean, if all the content is already available for everyone, there
> would be no reason to "hack" the account, because you will not gain access
> to any additional resources. (But of course a "hacked" account is never
> good.)

As I said before ... "with any security measure, you have to decide how relevant it is in your specific environment."

> Would it be better to disable the original IUSR account and create a new
> one (with least privileges, I'm trying to find a list of necessary
> permissions for the IUSR account to work)? As mentioned in the IIS Insider
> article.

http://support.microsoft.com/default.aspx/kb/812614

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

Thanks for the information!

Here is some good reading:
http://www.microsoft.com/technet/community/columns/insider/iisi1102.mspx

Tom

It also makes life a little simpler if you move an existing web and metabase from one server to another.

dlr
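
One way to check the point made in the replies above, that the exposure depends on what the anonymous account is allowed to do. This is an added example, not from any poster in the thread; it assumes PowerShell 2.0 or later on an IIS 5/6 server, a local (not domain) anonymous account, and an illustrative list of privileged groups.

```powershell
# Added example: audit the account IIS uses for anonymous requests.
# Assumptions: IIS 5/6 metabase reachable through the IIS:// ADSI provider,
# and the anonymous account is a local account on $Computer.
param(
    [string]$Computer = $env:COMPUTERNAME
)

# Local groups an anonymous web account should not belong to (illustrative list).
$privileged = 'Administrators', 'Power Users', 'Backup Operators', 'Remote Desktop Users'

# 1. Read the configured anonymous account from the metabase (W3SVC level).
$w3svc = [ADSI]"IIS://$Computer/W3SVC"
$anon  = [string]$w3svc.psbase.Properties['AnonymousUserName'].Value
if (-not $anon) { throw "AnonymousUserName is not set at W3SVC on $Computer" }
$account = $anon.Split('\')[-1]    # drop a MACHINE\ prefix if one is stored

# 2. Bind to the local account and read its disabled flag.
$user     = [ADSI]"WinNT://$Computer/$account,user"
$flags    = $user.psbase.Properties['UserFlags'].Value
$disabled = [bool]($flags -band 0x2)    # ADS_UF_ACCOUNTDISABLE

# 3. Enumerate the account's local group memberships.
$groups = @($user.psbase.Invoke('Groups') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

# 4. Flag memberships that would give the anonymous account elevated rights.
$elevated = @($groups | Where-Object { $privileged -contains $_ })

New-Object PSObject -Property @{
    Computer         = $Computer
    AnonymousAccount = $account
    UsesDefaultName  = ($account -eq "IUSR_$Computer")
    Disabled         = $disabled
    Groups           = ($groups -join ', ')
    ElevatedGroups   = ($elevated -join ', ')
    NeedsReview      = ($elevated.Count -gt 0)
}
```

Individual sites and virtual directories can override AnonymousUserName in the metabase, so a clean result at the W3SVC level does not cover accounts set lower down.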