
SECURE WORLD-Know your threats

IIS and WINDOWS built-in Accounts and Default privileges

From a security standpoint, I thought it would be useful to know the IIS and built-in Windows accounts and their default privileges. I started looking around, and here is what I found. I have tried to define each of them, followed by a table of their default privileges.

It can be a high risk to change the identity of a worker process so that it runs as an account with a high level of access, such as the LocalSystem user account.

IIS uses about seven built-in Windows accounts and groups, as well as accounts that are specific to IIS 6.0 and IIS 5.0.

IIS 7.0 introduces a couple of new accounts and drops some old ones. The new IUSR account replaces the IUSR_MachineName account, and the IIS_IUSRS built-in group replaces the IIS_WPG group.

Local System account (full permissions): it is a member of the Administrators group. If a worker process identity runs as the LocalSystem user account, that worker process has full access to the entire system. When IIS 6.0 is running in IIS 5.0 isolation mode, this is the default user account for worker process identities. However, running an application pool under an account with increased user rights presents a high security risk.

Network Service. By default, application pools run under the Network Service user account, which has low-level user access rights, so it provides better security against attackers or malicious users who might attempt to take over the computer on which the WWW service is running.

Local Service. The Local Service user account also has low-level access rights, and is useful when you want to configure application pools to run as the Local Service user account in situations that do not require access to resources on remote computers.

IIS_WPG user group is new in IIS 6.0. It provides the minimum set of privileges and permissions required to start and run a worker process on a Web server.

IUSR_ComputerName. Anonymous access, the most common Web site access control method, allows anyone to visit the public areas of your Web sites. In IIS 6.0, anonymous users are assigned to the IUSR_ComputerName account, which is created when IIS is installed.

IWAM_ComputerName user account is for starting out-of-process applications in IIS 5.0 isolation mode.

ASPNET user account is for running the ASP.NET worker process in IIS 5.0 isolation mode.

Fig 1. IIS
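As an added example (not code from the original post), a small Python audit that reads an IIS 7 applicationHost.config and flags any application pool whose worker process identity is LocalSystem, the configuration the post warns about. The element layout (system.applicationHost/applicationPools, processModel/@identityType, applicationPoolDefaults) is the IIS 7 schema; the sample config, the pool names and the NetworkService fallback used when no defaults element exists are constructed assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed sample shaped like applicationHost.config (IIS 7: %SystemRoot%\System32\inetsrv\config).
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="LegacyPool">
        <processModel identityType="LocalSystem" />
      </add>
      <add name="IntranetPool">
        <processModel identityType="SpecificUser" userName="CORP\\svc_intranet" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="NetworkService" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>"""

HIGH_RISK = {"LocalSystem"}  # member of Administrators: full access to the host
LOW_PRIVILEGE = {"NetworkService", "LocalService", "ApplicationPoolIdentity"}

def pool_identities(config_xml):
    """Map pool name -> effective identity, inheriting applicationPoolDefaults."""
    pools = ET.fromstring(config_xml).find("system.applicationHost/applicationPools")
    default = "NetworkService"  # assumed fallback when no defaults element exists (IIS 7.0)
    defaults = pools.find("applicationPoolDefaults/processModel")
    if defaults is not None:
        default = defaults.get("identityType", default)
    result = {}
    for pool in pools.findall("add"):
        pm = pool.find("processModel")
        identity = default if pm is None else pm.get("identityType", default)
        if identity == "SpecificUser":  # custom account: record who it is
            identity = "SpecificUser:" + pm.get("userName", "?")
        result[pool.get("name")] = identity
    return result

def audit(config_xml):
    """Return (pool, identity, verdict) tuples; LocalSystem pools are flagged."""
    findings = []
    for name, identity in pool_identities(config_xml).items():
        if identity in HIGH_RISK:
            verdict = "HIGH RISK: worker process runs with full system access"
        elif identity in LOW_PRIVILEGE:
            verdict = "ok: low-privilege built-in identity"
        else:
            verdict = "review: custom account, confirm it is not an administrator"
        findings.append((name, identity, verdict))
    return findings
```

Running `audit(open(path).read())` against a real applicationHost.config lists each pool with its effective identity; pools that inherit their identity from applicationPoolDefaults are resolved the same way IIS does.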

Posted: Monday, August 10, 2009 2:25 PM by Mahavir Sancheti

Comments

Ron said:

Mahavir,

What account does IIS use (impersonation turned off) when an anonymous user requests an ASP.net page running under the network service app pool? Does it use the network service account or IUSR_COMPUTERNAME (IUSR in IIS7)?

Thanks!

Ron

# August 11, 2009 7:12 AM

Mahavir Sancheti said:

Ron,

In IIS 6.0, anonymous users are assigned by default to the IUSR_computername account, which is a valid Windows account that is a member of the Guests group.

Assign the appropriate NTFS permissions on the Web site directory for the anonymous account. When setting permissions on a Web site, be aware that all subfolders and files inherit these permissions by default.

In IIS 6.0, the IUSR_COMPUTERNAME account has been denied write access to Web content by default.

Hope this answers your query.

# August 14, 2009 4:28 AM