IIS Accounts

These IIS accounts are created automatically when you install IIS. Both must be present, enabled, and correctly configured for SMS management points to function properly.

Launch IIS Process Account (IWAM_<computername>)

The Launch IIS Process account is used by management points.

Table C.14   Launch IIS Process Account Functions

Function: This account is used by IIS to run out-of-process applications.

Required rights and permissions: If IIS is installed on a domain controller, this account is added to the Domain Users and IIS_WPG groups. If IIS is installed on a member server, it is a member of the IIS_WPG group only.

Notes: If this account is locked out or disabled, out-of-process applications cannot be started. Because all applications and sites configured in IIS 6 are technically out-of-process, IIS might not work properly if this account is not available. If this account is not a member of the IIS_WPG group, or if it is removed or disabled, the management point will not function properly.

Account and password creation

The Launch IIS Process account is created automatically by IIS. It is a local account when IIS is installed on a member server and a domain account when IIS is installed on a domain controller. The account name and password are also stored in the IIS metabase.

Account location

If the IIS server is a member server, the Launch IIS Process account is created as a local user account. If the IIS server is a domain controller, the account is created in Active Directory as a domain account, because a domain controller has no local accounts database.

Account maintenance

The password for the WAM account is randomly regenerated on a weekly basis and synchronized where needed. On startup, the IIS service resets the IWAM password in the metabase to match the IWAM password in the local SAM or, for domain accounts, in Active Directory. If the password has been changed in the SAM or Active Directory but not in the DCOM (COM+) component configuration of the out-of-process applications, those applications fail to start. The SyncIWAM.vbs script reads the current identity and password from the metabase and writes them to those applications so they can start again. The script is located in \InetPub\AdminScripts\ and should be run with CScript (cscript.exe SyncIWAM.vbs), not WScript.

Security best practices

When you remove the management point site system role from a domain controller, the IIS_WPG group might be deleted. If this happens, you must recreate IIS_WPG as a domain local group and add to it the IWAM_<computername> account of every management point that runs on a domain controller in the domain.

Internet Guest Account (IUSR_<computername>)

The Internet Guest account is used for anonymous access to management points.

Table C.14   Internet Guest Account Functions

Function: This account is used to permit users to connect anonymously to Internet sites hosted on the server.

Required rights and permissions: This account has the Log on locally and Log on as a batch job rights. When IIS is installed on a domain controller, this account is added to both the Domain Users and (local) Guests groups. On a member server, this account is a member of the Guests group only.

Notes: If the account is disabled or locked out, anonymous access no longer functions and management points do not work.

Account and password creation

The account is created automatically by IIS. The password is generated by the server and is set to never expire.

Account location

The account is created on any server with IIS installed.

Account maintenance

If the IUSR account becomes out of sync because of an attempted manual removal of IIS or a failed attempt to reset the password, you can perform a manual reset. The password is stored in two places: in the IIS metabase and in the accounts database (Active Directory if IIS is on a domain controller, or the local account database on a member server). If you change the password in the user interface, you must also use Metabase Explorer to reset the IUSR password stored in MetaBase.xml (or metabase.bin on older IIS versions) so that the two copies match again.
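The following PowerShell script is an added example, not part of the SMS 2003 documentation or of IIS. It audits both accounts described above for the failure modes the two account maintenance sections list: missing, disabled, or locked-out account, missing IIS_WPG or Guests membership, and a metabase password that no longer matches the SAM or Active Directory. It assumes it runs on the IIS 6 server itself, under an administrator, with the IIS ADSI provider (IIS://), the WinNT:// provider and PowerShell 2.0 on .NET 3.5 available; the use of $env:USERDOMAIN for the NetBIOS domain name on a domain controller is also an assumption.

```powershell
# Added example (not from the SMS 2003 documentation): audit IWAM_ and IUSR_.
# Assumes IIS 6 on this machine, administrator rights, PowerShell 2.0 / .NET 3.5.
$computer = $env:COMPUTERNAME
$role     = (Get-WmiObject Win32_ComputerSystem).DomainRole
$isDC     = $role -ge 4                  # 4 = backup DC, 5 = primary DC
# On a DC the accounts and IIS_WPG live in Active Directory; otherwise in the local SAM.
# $env:USERDOMAIN as the NetBIOS domain name is an assumption (run under a domain logon).
$scope    = if ($isDC) { $env:USERDOMAIN } else { $computer }

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctxType = if ($isDC) { [System.DirectoryServices.AccountManagement.ContextType]::Domain }
           else       { [System.DirectoryServices.AccountManagement.ContextType]::Machine }
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType)

function Get-GroupMemberNames([string]$Group) {
    # WinNT provider works for local groups and for domain local groups such as IIS_WPG.
    $g = [ADSI]"WinNT://$scope/$Group,group"
    @($g.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-IisAccount([string]$Name, [string]$RequiredGroup, [string]$MetabasePassword) {
    $Name   = $Name.Split('\')[-1]       # drop any DOMAIN\ prefix stored in the metabase
    $result = New-Object PSObject -Property @{ Account = $Name; Problems = @() }
    $path   = "WinNT://$scope/$Name,user"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        $result.Problems += "account does not exist in $scope"
        return $result
    }
    $u     = [ADSI]$path
    $flags = [int]$u.Properties['UserFlags'].Value
    if ($flags -band 0x0002)              { $result.Problems += 'account is disabled' }
    if ($u.InvokeGet('IsAccountLocked'))  { $result.Problems += 'account is locked out' }
    if (-not ($flags -band 0x10000))      { $result.Problems += 'password is not set to never expire' }
    if (@(Get-GroupMemberNames $RequiredGroup) -notcontains $Name) {
        $result.Problems += "not a member of $RequiredGroup"
    }
    # The password IIS keeps in the metabase must still log on against the SAM / AD.
    # If it does not, the account was reset outside IIS and the two copies are out of sync.
    if (-not $ctx.ValidateCredentials($Name, $MetabasePassword)) {
        $result.Problems += 'metabase password does not match the account database'
    }
    $result
}

# Names and passwords as IIS stores them; reading the password properties needs admin rights.
$w3svc = [ADSI]"IIS://$computer/W3SVC"
$wam   = $w3svc.Properties['WAMUserName'].Value
$anon  = $w3svc.Properties['AnonymousUserName'].Value

Test-IisAccount $wam  'IIS_WPG' $w3svc.Properties['WAMUserPass'].Value
Test-IisAccount $anon 'Guests'  $w3svc.Properties['AnonymousUserPass'].Value |
    Format-Table Account, Problems -AutoSize
```

The script only reports; it changes nothing. An account that fails the "metabase password" check is repaired exactly as the maintenance sections describe (SyncIWAM.vbs for the WAM account, a Metabase Explorer reset for the IUSR account), and a missing IIS_WPG membership on a domain controller is the symptom of the group deletion described under Security best practices.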

Security notes

The management point is the source of command and control data (policy) for SMS Advanced Clients. When Advanced Clients communicate with the management point, they always use the anonymous security context. The decision to rely exclusively on the anonymous security context was made to support scenarios such as clients that span domains and forests, roaming clients, and workgroup clients. However, because clients are not required to authenticate to the management point, the following vulnerabilities are present:

  • An attacker could impersonate a valid client and submit invalid status messages or software metering data.

  • An attacker could impersonate an imaginary client and submit invalid status messages or software metering data.

  • An attacker could submit large quantities of status messages or software metering data, slowing the management point, slowing the site server, and filling the database.

With SMS 2003 (with no service pack), an attacker could also submit invalid inventory on behalf of a valid or imaginary client. With SMS 2003 SP1, you can require clients to sign their inventory data; management points then reject any unsigned inventory. These vulnerabilities do not allow any of the following to occur:

  • Elevation of privilege on either the SMS server or client.

  • Loss of confidential or personal information.

  • Unauthorized software installation.

SMS deployments are supported only in an intranet environment, so a Denial of Service (DoS) attack or a pollution attack on status messages, software metering data, or (in SMS 2003 with no service pack) inventory is extremely unlikely. SMS also limits the impact of attacks against inventory because new inventory is collected on a schedule and legitimate data replaces the polluted data at the next cycle; an attacker would have to continuously supply invalid inventory data to keep it polluted.
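Because the management point cannot authenticate Advanced Clients, the IIS log is the only place where a flood of status messages or metering data from one source (real or spoofed) shows up, and the client IP address is the only attribute to pivot on. The following PowerShell script is an added example, not part of SMS or of the documentation: it parses IIS W3C log lines by their #Fields header and flags any client that posts to the management point inbox more than a threshold number of times inside a sliding window. The log lines are constructed for this example, and the /ccm_system/request URL stem is an assumption; substitute the stems that appear in your own management point log.

```powershell
# Added example (not from the SMS 2003 documentation): rate check over IIS W3C log lines
# of a management point. The sample lines and the /ccm_system/request stem are constructed.
function ConvertFrom-W3CLog([string[]]$Lines) {
    # Parse the "#Fields:" header so column order in the log does not matter.
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '') { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $row
    }
}

function Find-MpFloods([object[]]$Rows, [int]$WindowSeconds = 60, [int]$MaxPosts = 20) {
    # Only inbound client data (POSTs to the MP inbox) counts; policy GETs are ignored.
    $posts = $Rows | Where-Object { $_.'cs-method' -eq 'POST' -and $_.'cs-uri-stem' -like '/ccm_system/*' }
    $posts | Group-Object 'c-ip' | ForEach-Object {
        $times = @($_.Group | ForEach-Object { [datetime]"$($_.date) $($_.time)" } | Sort-Object)
        # Sliding window: the largest number of posts from this client within $WindowSeconds.
        $worst = 0
        for ($a = 0; $a -lt $times.Count; $a++) {
            $b = $a
            while ($b -lt $times.Count -and ($times[$b] - $times[$a]).TotalSeconds -lt $WindowSeconds) { $b++ }
            if (($b - $a) -gt $worst) { $worst = $b - $a }
        }
        New-Object PSObject -Property @{
            ClientIp     = $_.Name
            Posts        = $_.Count
            PeakInWindow = $worst
            Bytes        = ($_.Group | ForEach-Object { [int]$_.'cs-bytes' } | Measure-Object -Sum).Sum
            Flagged      = ($worst -gt $MaxPosts)
        }
    }
}

# Constructed sample: one client behaving normally, one posting 60 large messages in a minute.
$sample = @('#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes',
            '2004-06-01 10:00:01 10.1.1.20 POST /ccm_system/request - 200 1842',
            '2004-06-01 10:15:07 10.1.1.20 POST /ccm_system/request - 200 1910',
            '2004-06-01 10:16:30 10.1.1.20 GET /sms_mp/.sms_aut MPLIST 200 0')
$sample += 0..59 | ForEach-Object { '2004-06-01 10:20:{0:00} 10.1.1.99 POST /ccm_system/request - 200 65536' -f $_ }

Find-MpFloods @(ConvertFrom-W3CLog $sample) |
    Sort-Object PeakInWindow -Descending |
    Format-Table ClientIp, Posts, PeakInWindow, Bytes, Flagged -AutoSize
```

Two caveats when running this against real logs: the cs-bytes field is not selected by default in IIS 6 W3C logging and must be enabled on the management point site together with date, time and c-ip; and a client IP cannot be spoofed at the application layer without completing the TCP handshake, but NAT devices and proxies collapse many real clients onto one address, so set MaxPosts with the site's client population in mind rather than treating a single flagged address as proof of an attack.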

While there are risks in allowing anonymous access to management points, the benefit of flexibility in SMS configuration was judged to be very important to the current customer base.