Re: IIS anonymous user - who?

[TRansom () EXTREMELOGIC COM (Todd Ransom)]

2 thoughts come to mind:

1.  you may have the guest account enabled.

2.  you may be dealing with a browser that automatically sends credentials.

Check out who you are authenticating as by doing this on an asp page:

<% = request.servervariables("AUTH_USER") %>

TR

-----Original Message-----
From: Chris Erasmus [mailto:chris () SENSEPOST COM]
Sent: Monday, July 17, 2000 2:34 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: IIS anonymous user - who?

Recently we noticed something interessting about MS IIS 4.0, here is the
scenario:

Windows NT 4.0, SP 4.
Default installation NT Option Pack.

One way of not allowing anonymous access to a website is via the Internet
Service Manager, but we were toying with another idea. What will happen if
you delete the IUSR_Computername account completely? Surely anonymous
access to the default website will be disallowed. No. To our surprise it
wasn't. The account used for anonymous access was confirmed to be the
IUSR_Compname. The service is running as System. Anonymous access was only
denied after removing the Everyone group from the default.asp page's
permission list. Administrator and System still had access to the page.

Does anyone know why this happens or where we are making a mistake. Who's
accessing the page?

Thanks
Chris Erasmus

www.sensepost.com