Vulnerability Development mailing list archives
Re: IIS anonymous user - who?
From: TRansom () EXTREMELOGIC COM (Todd Ransom)
Date: Tue, 18 Jul 2000 16:15:03 -0400
2 thoughts come to mind:

1. You may have the guest account enabled.
2. You may be dealing with a browser that automatically sends credentials.

Check out who you are authenticating as by doing this on an ASP page:

<% = request.servervariables("AUTH_USER") %>

TR

-----Original Message-----
From: Chris Erasmus [mailto:chris () SENSEPOST COM]
Sent: Monday, July 17, 2000 2:34 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: IIS anonymous user - who?

Recently we noticed something interesting about MS IIS 4.0; here is the scenario:

Windows NT 4.0, SP 4. Default installation NT Option Pack.

One way of not allowing anonymous access to a website is via the Internet Service Manager, but we were toying with another idea. What will happen if you delete the IUSR_Computername account completely? Surely anonymous access to the default website will be disallowed.

No. To our surprise it wasn't. The account used for anonymous access was confirmed to be the IUSR_Compname. The service is running as System.

Anonymous access was only denied after removing the Everyone group from the default.asp page's permission list. Administrator and System still had access to the page.

Does anyone know why this happens or where we are making a mistake? Who's accessing the page?

Thanks
Chris Erasmus
www.sensepost.com