Re: IIS anonymous user - who?

[billp () ROCKETCASH COM (Bill Pennington)]

If I remember correctly the Everyone group under NT is exactly that,
everyone. Authenticated users, unauthenticated users, my mother, my
grandmother etc.

Now I am a little fuzzy about the IUSR_compname account is used so I
won't attempt to tell you what it does. Just remember everyone is
everyone.

Chris Erasmus wrote:
> Recently we noticed something interessting about MS IIS 4.0, here is the
> scenario:
>
> Windows NT 4.0, SP 4.
> Default installation NT Option Pack.
>
> One way of not allowing anonymous access to a website is via the Internet
> Service Manager, but we were toying with another idea. What will happen if
> you delete the IUSR_Computername account completely? Surely anonymous
> access to the default website will be disallowed. No. To our surprise it
> wasn't. The account used for anonymous access was confirmed to be the
> IUSR_Compname. The service is running as System. Anonymous access was only
> denied after removing the Everyone group from the default.asp page's
> permission list. Administrator and System still had access to the page.
>
> Does anyone know why this happens or where we are making a mistake. Who's
> accessing the page?
>
> Thanks
> Chris Erasmus
>
> www.sensepost.com

--

Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com