[thelist] IUSR_machinename - is it part of 'everyone' group?
Mike King
mike.king at redroom.co.uk
Mon Jun 25 10:03:36 CDT 2001
This may answer your question?
<http://www.google.com/search?sourceid=navclient&q=IUSR%5F+account+part+everyone+group>
----------------
http://support.microsoft.com/support/kb/articles/Q158/2/29.asp
-----------------
<snip>
By default, when IIS is installed, it creates a user account called
IUSR_<servername>, where <servername> is the name of the server on which
IIS is running. This user account is added to the "Guests" group on the
machine, which implies that its access to resources is limited. When an
HTTP request is received by IIS with Anonymous authentication being used,
IIS will impersonate the IUSR_<servername> account in order to execute any
code or access any files that are involved in the request. This allows a
level of security by limiting the accessibility to such things as system
files by an unauthenticated user. IIS is able to impersonate the
IUSR_<servername> account because the username and password credentials for
this account are known by IIS.
You can change the account that is used for anonymous authentication in
Internet Service Manager. You can also change the security privileges for
the IUSR_<servername> account in Windows NT User Manager. Be aware that any
changes will result in changes to every anonymous HTTP request that is
serviced by IIS. Also note that if the anonymous account configured in
Internet Manager does not have the "Log On Locally" right (not a right
given to "Guest" accounts by default on domain controllers), then IIS will
not be able to service any anonymous requests. The IIS installation
specifically gives you the "Log On Locally" right to the IUSR_<servername>
account.
Most resources, such as the IUSR_<servername> account, that allow Guests to
access them, do so by allowing access to the special group "Everyone." You
can set permissions on files and other resources specifically to allow or
disallow the IUSR_<servername> account to access them, but most people end
up managing access by controlling access to the groups "Everyone" or "Guests."
</snip>
------------------
>Interesting idea, which we may decide to implement, but it doesn't answer
>the question: is the IUSR_machinename account part of the NTFS group
>'Everyone' ? I think not, but can't find any hard evidence.
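
Added example, not part of the original message or the quoted KB article: a PowerShell audit that lists which NTFS ACEs under a content directory apply to Everyone, Guests, or the anonymous account, the trustees the article says access is usually managed through. The function name `Get-AnonymousAce`, the demo directory, and the use of PowerShell (which postdates this thread) are assumptions of the example; the default account name follows the article's IUSR_<servername> convention.

```powershell
function Get-AnonymousAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: default account name as described in the KB article.
        [string] $AnonymousAccount = "IUSR_$env:COMPUTERNAME"
    )

    # Well-known SIDs, so the check does not depend on localized group names.
    $watch = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-32-546' = 'Guests'
    }

    # Add the anonymous account's SID if that account exists on this machine.
    try {
        $nt  = New-Object System.Security.Principal.NTAccount($AnonymousAccount)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $watch[$sid] = $AnonymousAccount
    } catch {
        Write-Warning "Account '$AnonymousAccount' not found; checking groups only."
    }

    # The directory itself plus everything below it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl   = Get-Acl -LiteralPath $item.FullName
        # Explicit and inherited rules, with trustees returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $key = $rule.IdentityReference.Value
            if ($watch.ContainsKey($key)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Trustee   = $watch[$key]
                    Type      = $rule.AccessControlType   # Allow or Deny
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Constructed demo directory standing in for a web root.
$demo = Join-Path $env:TEMP 'acl-demo-wwwroot'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Get-AnonymousAce -Path $demo | Format-Table -AutoSize
```

An empty result means none of the three trustees is named in any ACE under the path; Deny entries appear alongside Allow entries so both can be reviewed together.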