Vulnerability Development mailing list archives

Re: IIS anonymous user - who?


From: andrej () KTU EDU (Andrejus Stavickis)
Date: Wed, 19 Jul 2000 11:02:27 +0200


Hi,

> Recently we noticed something interesting about MS IIS 4.0,
> here is the scenario:
>
> Windows NT 4.0, SP 4.
> Default installation NT Option Pack.
>
> One way of not allowing anonymous access to a website is via
> the Internet Service Manager, but we were toying with another idea.
> What will happen if you delete the IUSR_Computername account completely?
> Surely anonymous access to the default website will be disallowed. No.
> To our surprise it wasn't. The account used for anonymous access was
> confirmed to be the IUSR_Compname. The service is running as System.
> Anonymous

   Have you tried to restart the Web Publishing Service?

> access was only denied after removing the Everyone group from the
> default.asp page's permission list. Administrator and System still had
> access to the page.

   Generally, if you read something from Microsoft Press about Windows
NT security, you should know that it's a very bad idea to leave the
Everyone group in ACLs anyway. If you want everyone from your domain to
have access to some resources, you should replace Everyone with the local
Users group. If this occurred in a real environment, I think it's not a
vulnerability, it's only bad administrator knowledge and experience.
You know, the more secure a system is, the slower its performance.

I have Windows NT 4.0 Server with SP4 and security-related post-SP4 fixes.
I've tried this scenario, but didn't get this result. Once I deleted the
IUSR_Computername user and tried to connect to IIS, I got a username/
password prompt (I also removed the Everyone group from the ACLs once I
installed the server).

I expect that the web page is being accessed by the old IUSR_Computername.
You know, if you delete an account while the user is connected, the user's
credentials are cached in memory until the user logs off. The deletion
of a user account takes effect when the user connects to resources he wasn't
connected to before the account was deleted; in other words, if you delete
an account, this deletion will take effect when the user authenticates
next time. If the user is already authenticated, the deletion of his account
remains transparent to him.

   Sincerely,

--Andrejus Stavickis (MCP, MCP+I, MCSE, MCSD, MCDBA)
KTU SC UESM
Studentu 48a-203
Kaunas, 3028
LITHUANIA
phone: +370 7 300633
Cellular phone: +370 87 15664
fax: +370 7 352995
ICQ: 2402709
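The reply above recommends replacing the Everyone group in web-root ACLs with a local group. The following PowerShell script is an added example, not code from the thread or from Microsoft: it audits a web root for Allow ACEs granted to Everyone (matched by its well-known SID S-1-1-0, so localized names do not matter) and, with -Fix, swaps each explicit Everyone ACE for an equivalent ACE for BUILTIN\Users. The default path C:\Inetpub\wwwroot, the replacement group and the parameter names are assumptions; it targets a modern Windows host with Get-Acl/Set-Acl rather than NT 4.0's cacls.

```powershell
# Added example (not from the thread): find and optionally replace ACEs granted
# to the Everyone group under an IIS web root. Assumed defaults: the classic
# web root C:\Inetpub\wwwroot and BUILTIN\Users as the replacement group.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot',
    [string]$ReplacementGroup = 'BUILTIN\Users',
    [switch]$Fix
)

# Well-known SID for Everyone; comparing SIDs avoids locale-dependent names.
$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

$findings = @()
Get-ChildItem -LiteralPath $WebRoot -Recurse -Force | ForEach-Object {
    $item    = $_
    $acl     = Get-Acl -LiteralPath $item.FullName
    $changed = $false

    # $acl.Access returns a snapshot, so removing rules inside the loop is safe.
    foreach ($ace in $acl.Access) {
        try {
            $aceSid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch {
            continue   # unresolvable identity, not Everyone
        }
        if ($aceSid -ne $everyoneSid -or $ace.AccessControlType -ne 'Allow') { continue }

        $findings += [pscustomobject]@{
            Path      = $item.FullName
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }

        # Inherited ACEs cannot be removed here; they must be fixed on the parent
        # (the web root itself is included in the scan, so rerunning covers it).
        if ($Fix -and -not $ace.IsInherited) {
            $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ReplacementGroup, $ace.FileSystemRights,
                $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
            [void]$acl.RemoveAccessRule($ace)
            $acl.AddAccessRule($newAce)
            $changed = $true
        }
    }

    if ($changed) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
        Write-Host "Replaced Everyone with $ReplacementGroup on $($item.FullName)"
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No Allow ACEs for Everyone found under $WebRoot"
} else {
    $findings | Format-Table -AutoSize
}
```

Run it without -Fix first to see the report; the Inherited column tells you which entries come from a parent directory and therefore need to be corrected there. Note that replacing Everyone with BUILTIN\Users still leaves the IUSR account with access if it is a member of Users, which is what the anonymous-access scenario in the thread relies on; the point of the change is to stop granting rights to principals that never authenticated at all.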
