Vulnerability Development mailing list archives

Re: IIS anonymous user - who?


From: DamianoAB () I-MEF USMC MIL (Damiano Cpl Anthony B)
Date: Thu, 20 Jul 2000 13:06:43 -0700


That account is created for the server to use when WWW users connect via
Anonymous Access as their authentication method. It's a member of the Guests
local group and shouldn't be anywhere else. If you have your server set to
only allow authenticated users to connect to it, you don't need it; removing
it without replacing it with the Everyone group will cause any users outside
your domain not to be able to view your server. Hope this helps.

Cpl Anthony B. Damiano
Network Security Officer
9th Communication Battalion

-----Original Message-----
From: Bill Pennington [mailto:billp () ROCKETCASH COM]
Sent: Tuesday, July 18, 2000 9:37 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: IIS anonymous user - who?

If I remember correctly, the Everyone group under NT is exactly that,
everyone. Authenticated users, unauthenticated users, my mother, my
grandmother etc.

Now I am a little fuzzy about how the IUSR_compname account is used, so I
won't attempt to tell you what it does. Just remember everyone is
everyone.

Chris Erasmus wrote:

Recently we noticed something interesting about MS IIS 4.0, here is the
scenario:

Windows NT 4.0, SP 4.
Default installation NT Option Pack.

One way of not allowing anonymous access to a website is via the Internet
Service Manager, but we were toying with another idea. What will happen if
you delete the IUSR_Computername account completely? Surely anonymous
access to the default website will be disallowed. No. To our surprise it
wasn't. The account used for anonymous access was confirmed to be the
IUSR_Compname. The service is running as System. Anonymous access was only
denied after removing the Everyone group from the default.asp page's
permission list. Administrator and System still had access to the page.

Does anyone know why this happens or where we are making a mistake? Who's
accessing the page?

Thanks
Chris Erasmus

www.sensepost.com

--

Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
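The thread's practical point is that the NTFS ACL on the content, not the existence of the IUSR_ account, decides whether an unauthenticated caller can read default.asp, because Everyone includes anonymous callers. As an added example (not part of this thread and not any poster's code), the following PowerShell audit lists every Allow entry for the Everyone SID (S-1-1-0) under a web root and then reports which local groups the IUSR_ account belongs to, so an administrator can confirm it sits in Guests only. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module; the web root C:\inetpub\wwwroot is a placeholder you replace with your own site path.

```powershell
# Added example, not from the thread: audit NTFS ACLs under a web root for
# Allow entries granted to Everyone (well-known SID S-1-1-0). Everyone covers
# anonymous callers, so such an entry on content lets unauthenticated users
# read it regardless of what happens to the IUSR_ account.
# Assumes Windows PowerShell 5.1+; $WebRoot is a placeholder path.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot'   # assumed path; adjust to your site
)

$everyoneSid = 'S-1-1-0'
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Walk every file and directory under the web root. Inherited entries are
# included on purpose: an Everyone ACE set on the parent folder is exactly
# how it usually reaches a page such as default.asp.
$findings = Get-ChildItem -Path $WebRoot -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        $acl  = Get-Acl -LiteralPath $item.FullName
        # Ask for rules keyed by SID so the check does not depend on the
        # localized display name of the Everyone group.
        $acl.GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.IdentityReference.Value -eq $everyoneSid -and
                           $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Rights    = $_.FileSystemRights
                    Inherited = $_.IsInherited
                }
            }
    }

if ($findings) {
    $findings | Sort-Object Path | Format-Table -AutoSize
} else {
    Write-Output "No Allow entries for Everyone ($everyoneSid) found under $WebRoot."
}

# Second check, following the reply above: the IIS anonymous account should
# be a member of the local Guests group and of nothing more privileged.
$iusrAccounts = Get-LocalUser | Where-Object { $_.Name -like 'IUSR_*' }
foreach ($user in $iusrAccounts) {
    $qualified = "$env:COMPUTERNAME\$($user.Name)"
    $groups = Get-LocalGroup | Where-Object {
        $members = Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue
        $members.Name -contains $qualified
    }
    Write-Output ("{0} is a member of: {1}" -f $user.Name, ($groups.Name -join ', '))
}
```

Run it from an elevated prompt so Get-Acl can read every item; a non-empty findings table shows the folders and files whose ACLs still grant Everyone access, which is what the original poster had to remove before anonymous requests for default.asp were denied.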
