Sigh... security is never black and white, is it? :-)
Environment: IIS6.0 Windows 2003 R2, Windows 2003 level domain. Everything standard.
1) The Microsoft security guide for IIS6.0 says that the IUSR account needs Log on Locally rights.2) The Microsoft group policy Enterprise security template for Member Servers removes this right. When the policy is applied, anonymous access is broken.3) The Member Server template is a baseline for all servers. You are supposed to ADD a Web Server template on top for web servers.4) The Security Policy guide specifies that if you apply the more restrictive Limited Functionality template to Member Servers, then you need to move the web server out of that OU so the policy is not applied. By inference you don't do this for the standard Enterprise policy template.5) Question: do the policy templates contradict the security guide?6) Question: I read somewhere that if you enable Basic authentication, you no longer need the Log on Locally right for anon. Is that correct?7) Question: I have enabled Advanced Digest authentication with the UseDigestSSP property set in the metabase. This works fine. I read something about this disabling subauthentication, and I recognise that subauthentication is something to do with the way IIS handles the IUSR account. Could it be that with Advanced Digest enabled, the IUSR account no longer works unless it has Log on Locally rights?
Thanks very much,
Yup, the security guide and policy template appear to contradict, but it is perfectly alright because security is relative, not absolute. This subtle point is often overlooked. If security was absolute, then any monkey can apply rules to achieve security... but then what would you and I be doing? :-)
Put it another way (extreme example for illustration):
Enablement of authentication protocols does not have direct correlation with required user privileges. Likewise, enablement of SubAuthentication does not have direct correlation with required user privileges. The LogonMethod used to obtain the user token has direct correlation with the "Log on Locally" user privilege.
See these links for more information:
Yes, that's a lot of information. What do you really need to know between Anonymous, Basic, Advanced Digest, "Log on locally" privilege, and SubAuthentication?
All of these boil down to security improvements in IIS6 vs IIS5:
These changes allow Anonymous, Basic, and Advanced Digest Authentication protocols to function while requiring fewer privileges of the user and process, but there are caveats - you now have to synchronize anonymous user credentials (see this blog entry for a common failure pattern), and legacy applications that require INTERACTIVE may fail.
As always, the choice is up to you as to which is preferable. :-)