Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP .Net Security (http://www.velocityreviews.com/forums/f62-asp-net-security.html)
-   -   question about IUSR_server and security (http://www.velocityreviews.com/forums/t769314-question-about-iusr_server-and-security.html)

Dan 02-13-2007 08:43 PM

question about IUSR_server and security
 
Hi,

I run a webserver on Windows XP Prof SP2 and IIS 5.1 (no domain).
I have an ASP.NET application which is accessible for anonymous users.
IIS configuration is set to Anonymous allowed (IUSR_server). No other
authentication.
The Windows account ASP.NET has READ permissions for the directory
containing the application and R/W for the database directory.
The account ASP.NET is only a member of the USERS group.
The account IUSR_server exists, is only a member of the GUESTS group but has
no permissions anywhere (so no permission for the directory with the
application).

Now, I access from another computer (in our LAN without any domain) the
application by typing its IP (10.0.0.60) and .. I have access to the whole
application. And this without any authentication (normal because anonymous
access).

My question is: what is the purpose of account IUSR_server, because it's
obviously not used here? Or did I configure something wrongly?

Thanks
Dan



Ken Schaefer 02-13-2007 09:11 PM

Re: question about IUSR_server and security
 
The account IUSR_<machinename> is impersonated by IIS, and is used to access
files off the hard disk (not ASP.NET related files though) and other tasks
when requests come through. Effectively the thread in the dllhost.exe
process that is handling your request impersonates the IUSR account.

So, when you request default.htm (for example), IIS needs to make a request
to Windows to get this file off the hard disk. It must do that under some
security context. The security context is (by default) the
IUSR_<machinename> (but can be configured via IIS Manager).

On Windows XP, ASP.NET requests are handled a little bit differently. There
is a separate aspnet_wp.exe process, and the process identity here is the
ASPNET account that you noticed. This is used for ASP.NET related requests
(e.g. for ASPX files).

Cheers
Ken




Dan 02-13-2007 10:23 PM

Re: question about IUSR_server and security
 
Thanks.
Suppose I run the same application on a Windows 2003 with IIS 6, do I have
to give READ (and Write?) permissions to the directory of the application to
IUSR_server or is only ASP.NET necessary?








Ken Schaefer 02-14-2007 01:51 AM

Re: question about IUSR_server and security
 
Hi,

When using IIS 6.0 in Worker Process Isolation mode (i.e. native IIS 6 mode,
and not the IIS 5 compatibility mode) then:
a) IUSR_<machinename> is still the default identity that is impersonated for
non-ASP.NET requests (HTML pages, images, CSS files etc)
b) The worker process identity (default is Network Service) is used for
ASP.NET related requests

Cheers
Ken


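An added example (not code from the thread or from either poster) that audits the identity model Ken describes: it reads the NTFS ACLs of an application folder and a database folder and reports whether IUSR_<machinename>, ASPNET (XP / IIS 5.1) and NETWORK SERVICE (IIS 6 worker process isolation mode) hold read and write rights, flagging the two mismatches the thread turns on. The folder paths are assumptions; the machine name is taken from the environment.

```powershell
# Added example, not code from the thread: audit the NTFS rights that the three
# identities discussed above hold on an ASP.NET application folder and its
# database folder, and flag the mismatches the thread describes.
# The paths below are assumptions; change them to your own site.
param(
    [string]$AppDir  = 'C:\inetpub\wwwroot\myapp',     # assumed path
    [string]$DbDir   = 'C:\inetpub\wwwroot\myapp\db',  # assumed path
    [string]$Machine = $env:COMPUTERNAME
)

# Anonymous identity for static content; ASPNET (XP / IIS 5.1 aspnet_wp.exe)
# and NETWORK SERVICE (IIS 6 worker process isolation mode) for ASP.NET requests.
$identities = @("$Machine\IUSR_$Machine", "$Machine\ASPNET", 'NT AUTHORITY\NETWORK SERVICE')

# Sum the Allow ACEs granted directly to one identity. Rights obtained through
# group membership (Users, Guests) are NOT resolved here; check those separately.
function Get-DirectRights([string]$Path, [string]$Identity) {
    $rights = [System.Security.AccessControl.FileSystemRights]0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -ieq $Identity) {
            $rights = $rights -bor $ace.FileSystemRights
        }
    }
    return $rights
}

function Test-Has($Rights, [System.Security.AccessControl.FileSystemRights]$Wanted) {
    return (($Rights -band $Wanted) -eq $Wanted)
}

$read  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$write = [System.Security.AccessControl.FileSystemRights]::Modify

foreach ($dir in @($AppDir, $DbDir)) {
    foreach ($id in $identities) {
        $r = Get-DirectRights -Path $dir -Identity $id
        "{0,-40} {1,-32} read={2,-5} write={3}" -f $dir, $id, (Test-Has $r $read), (Test-Has $r $write)
    }
}

# Findings that match the thread: the anonymous identity must be able to read the
# app folder for .htm/.css/images to be served; nothing needs write on the app folder.
$iusr = $identities[0]
if (-not (Test-Has (Get-DirectRights $AppDir $iusr) $read)) {
    Write-Warning "$iusr has no direct read access on $AppDir; static files will fail for anonymous users."
}
foreach ($id in $identities) {
    if (Test-Has (Get-DirectRights $AppDir $id) $write) {
        Write-Warning "$id can write to $AppDir; only the database folder should be writable."
    }
}
```

On a machine where the accounts do not exist (for example a modern IIS using IUSR and application pool identities), the rows simply show no rights; the script only reports what the ACL states, so group-granted rights still need a separate check.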


Dan 02-14-2007 07:20 AM

Re: question about IUSR_server and security
 
Thanks





