IIS anonymous user is a domain user

Discussion in 'Computer Security' started by Henry Splatt, Sep 4, 2003.

  1. Henry Splatt

    Henry Splatt Guest

    What are the security ramifications of having an IIS 5.0 box, where the
    anonymous user is a domain user as opposed to the normal IUSR_Machine
    account?

    How would this be amplified, if at all, by having the default Everyone group
    with full control on the file system? The box is behind a good firewall.

    Thanks for your time,

    Henry
     
    Henry Splatt, Sep 4, 2003
    #1

  2. Henry Splatt

    Mike Guest

    I will take a quick stab at this but by running your website as a domain
    user it is basically giving permission to your web server to access anything
    that the Everyone group on your entire DOMAIN can access. That means that
    if someone manages to take advantage of one of the many IIS vulnerabilities
    they very well may have access to information all over your network instead
    of just the one machine.

    Mike
     
    Mike, Sep 5, 2003
    #2
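
The two conditions discussed above can be checked offline from the anonymous account name configured in IIS and a saved `cacls` listing of the web directories. The following is an added example, not code from the thread; the machine name `WEB01`, the account `CORP\websvc` and the sample listing are constructed, and the parser assumes paths contain no spaces.

```python
import re

# Constructed sample of cacls-style output (not taken from the thread).
# Assumption: paths contain no spaces, so the first space ends the path.
SAMPLE_CACLS = r"""C:\Inetpub\wwwroot Everyone:(OI)(CI)F
                   BUILTIN\Administrators:(OI)(CI)F
                   NT AUTHORITY\SYSTEM:(OI)(CI)F
C:\Inetpub\scripts BUILTIN\Administrators:(OI)(CI)F
                   Everyone:(OI)(CI)R
"""

# trustee:(inheritance flags)permission, e.g. Everyone:(OI)(CI)F
ACE_RE = re.compile(r"^(?P<trustee>.+?):(?:\([A-Z]+\))*(?P<perm>[A-Z])$")

def anonymous_scope(account, machine):
    """Return 'local' or 'domain' for the configured anonymous account."""
    if "@" in account:                      # UPN form, user@domain
        return "domain"
    authority, sep, _user = account.rpartition("\\")
    if not sep or authority == "." or authority.upper() == machine.upper():
        return "local"                      # IUSR_Machine style account
    return "domain"

def parse_cacls(text):
    """Yield (path, trustee, permission) for each ACE in cacls-style text."""
    path = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():               # continuation: same path
            ace = line.strip()
        else:                               # new entry: "<path> <ace>"
            path, _, ace = line.partition(" ")
        m = ACE_RE.match(ace.strip())
        if m:
            yield path, m.group("trustee"), m.group("perm")

def audit(account, machine, cacls_text):
    """List findings for the two conditions raised in the thread."""
    findings = []
    if anonymous_scope(account, machine) == "domain":
        findings.append(f"anonymous account {account} is a domain account")
    for path, trustee, perm in parse_cacls(cacls_text):
        if trustee.lower() == "everyone" and perm == "F":
            findings.append(f"{path}: Everyone has Full Control")
    return findings

if __name__ == "__main__":
    # WEB01 and CORP\websvc are hypothetical names.
    for finding in audit(r"CORP\websvc", "WEB01", SAMPLE_CACLS):
        print(finding)
```
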

  3. Henry Splatt

    Leythos Guest

    That's why you learn how to lock your IIS server down - there are many
    easy ways to secure IIS so that if someone does compromise it, they
    won't be able to run CMD.COM and other things necessary to do damage.

    Please follow NORMAL/STANDARD usenet etiquette and BOTTOM post.

    Mark
     
    Leythos, Sep 5, 2003
    #3