IIS Insider - November 2002
By Brett Hill
Renaming the IUSR Account
Q: What are the consequences if you rename the IUSR account?
A: The IUSR account is often called the Web Anonymous User or Internet Guest account. "IUSR" is shorthand: the actual account name has the form IUSR_<servername>, where <servername> is the NetBIOS name of the server when IIS is installed. As you probably know, this is the account that is used when Anonymous authentication is enabled on the IIS server, provided the IUSR account has appropriate NTFS permissions for the kind of access requested.
Since this account name is known, it is recommended in some security texts that you change the name of the IUSR account to a different name in order to make it more difficult for a hacker to guess a username and password on the server. This is sound advice for high-security servers; however, there are a few things to keep in mind.
When you change the name of the anonymous user account, you must change it in the Internet Information Services Manager and also in Users and Groups for the local computer (presuming you are using a local account for the anonymous user). If you delete the IUSR account or change the name in Users and Groups and do not assign a new anonymous user account in the Internet Services Manager, the IUSR account will be recreated automatically on the next reboot. I often simply disable the IUSR account and create a new one, then assign the new account for anonymous access in Internet Services Manager. If you've run the IIS Lockdown tool, make the new user a member of the Web Anonymous Users local group.
When you create a new user name and password for the anonymous user, be very, very certain to use a strong password. The original password of the anonymous user account on W2K is a randomly generated string of 14 alphanumeric characters. Humans, when creating passwords, tend to create far less effective passwords than the original anonymous user password, so be certain to make the password very strong.
With these things in mind, there are no other ramifications to changing the account, provided that you specify the new anonymous user account in the Internet Information Services Manager.
See the previous column: December 2001: How To Secure the IUSR_account.
FrontPage Server Extensions Manages Your NTFS Permissions
Q: We have loaded FrontPage Server Extensions 2000 on our IIS 4 and IIS 5 servers. Once the extensions were loaded, we noticed that the NTFS permissions on the servers have been modified. The new permissions include the use of the Network and Interactive groups. Can you explain what these groups are and how FrontPage Server Extensions manage NTFS permissions?
A: When you install FrontPage Server Extensions (FPSE) on a web server, you need to choose whether you intend to allow FPSE to manage the permissions automatically, or whether you intend to manage permissions manually. By default, FPSE will manage permissions for you on the web sites where the extensions are installed. You can disable this automatic management if you'd like by right-clicking on the server icon in the Internet Information Services Manager. Select the Server Extensions tab and set the Manage permissions manually box. Note that this is a server-wide setting and is not available on a site-by-site basis. I would strongly encourage you to make a choice between allowing FPSE to automatically manage the permissions or manually managing the permissions, but to not attempt to do both.
The FPSE 2000 Resource Kit, which is located at http://officeupdate.microsoft.com/frontpage/wpp/serk/, contains a detailed accounting of the permissions assigned and maintained by the extensions. These permissions include the use of the Network and Interactive groups you referenced in your question.
The Network group is an automatically maintained local group that consists of all users that have a network logon type. Members of this group typically have logged on over the network. The Interactive group is an automatically maintained local group that consists of all users that have a local logon type. This group consists of users who are logged on at the computer console as well as users who are authenticated using Basic authentication.
Selecting From Multiple Authentication Methods
Q: IIS 5 allows you to select multiple authentication methods for a web site. When you have selected Anonymous, Basic, and Integrated Windows, how does IIS choose which authentication method to use for a user?
A: There's quite a lot of background to this question, but you can sum it up in a few rules. These rules apply to both IIS 4 and IIS 5. The first immutable rule of authentication is that if you can be authenticated as the anonymous user, you will be. This requires only that anonymous authentication be enabled for a resource and that the anonymous user has the rights to access the requested resource. The only exception to this rule is if the user is already authenticated as a user other than the anonymous user and some other kind of authentication is allowed besides anonymous.
Given that you have multiple authentication methods selected and the user cannot be the anonymous user, what is the process that determines which authentication method should be used? The answer is that IIS offers a list of authentication methods to the client, and the client chooses the most secure method it can perform. Therefore, when you select Basic and Integrated Windows (or Windows NT Challenge/Response in IIS 4), Netscape will choose Basic because it is unable to perform Integrated Windows authentication. Internet Explorer, however, when offered these same choices, will choose Integrated Windows. On an IIS 5 server, IIS and IE will further determine if Kerberos is possible and if so, will use Kerberos. For others, including IIS 4, Windows NT Challenge/Response is used.
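The rules above can be traced with a small model of both sides of the exchange. This is an added example, not code from the column or from IIS; the function names, the realm and the sample header values are constructed, and the model assumes the server lists each enabled method in its own WWW-Authenticate header on the 401 response.

```python
# Added illustration: a simplified model, not IIS or browser source code.
STRENGTH = ("negotiate", "ntlm", "basic")  # strongest first

# Constructed header values. IIS 5 Integrated Windows offers Negotiate and NTLM;
# IIS 4 Windows NT Challenge/Response offers NTLM only.
IIS5_METHODS = ["Negotiate", "NTLM", 'Basic realm="www.example.test"']
IIS4_METHODS = ["NTLM", 'Basic realm="www.example.test"']

def iis_reply(anon_enabled, anon_has_access, other_methods, user=None):
    """Return (raw HTTP response, identity the request is served as)."""
    # Exception to the first rule: an already authenticated user stays that user.
    if user and other_methods:
        return "HTTP/1.1 200 OK\r\n\r\n", user
    # First rule: if the request can be served as the anonymous user, it is.
    if anon_enabled and anon_has_access:
        return "HTTP/1.1 200 OK\r\n\r\n", "anonymous"
    # Otherwise challenge with one WWW-Authenticate header per enabled method.
    headers = "".join(f"WWW-Authenticate: {m}\r\n" for m in other_methods)
    return f"HTTP/1.1 401 Access Denied\r\n{headers}\r\n", None

def offered_schemes(raw_response):
    """Scheme names from every WWW-Authenticate header, lower-cased."""
    schemes = []
    for line in raw_response.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def client_choice(raw_response, supported, kerberos_possible=False):
    """Method the client ends up using: the strongest offered one it supports."""
    offered = offered_schemes(raw_response)
    for scheme in STRENGTH:
        if scheme in offered and scheme in supported:
            if scheme == "negotiate":
                return "kerberos" if kerberos_possible else "ntlm"
            return scheme
    return None  # nothing in common: the request fails

if __name__ == "__main__":
    challenge, _ = iis_reply(True, False, IIS5_METHODS)
    print(offered_schemes(challenge))
    print("Basic-only client:", client_choice(challenge, {"basic"}))
    print("IE, Kerberos possible:", client_choice(challenge, set(STRENGTH), True))
```

Because the client makes the choice, leaving Basic enabled next to Integrated Windows means any client that cannot perform Integrated Windows sends its credentials with Basic, which only base64-encodes them.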