Vulnerability Development mailing list archives
Re: IIS anonymous user - who?
From: andrej () KTU EDU (Andrejus Stavickis)
Date: Wed, 19 Jul 2000 11:02:27 +0200
Hi,
> Recently we noticed something interesting about MS IIS 4.0. Here is the
> scenario: Windows NT 4.0, SP 4. Default installation of the NT Option Pack.
> One way of not allowing anonymous access to a website is via the Internet
> Service Manager, but we were toying with another idea. What will happen if
> you delete the IUSR_Computername account completely? Surely anonymous
> access to the default website will be disallowed. No. To our surprise it
> wasn't. The account used for anonymous access was confirmed to be the
> IUSR_Compname. The service is running as System. Anonymous

Have you tried restarting the Web Publishing Service?

> access was only denied after removing the Everyone group from the
> default.asp page's permission list. Administrator and System still had
> access to the page.
Generally, if you have read anything from Microsoft Press about Windows NT security, you should know that it's a very bad idea to leave the Everyone group in ACLs anyway. If you want everyone from your domain to have access to some resources, you should replace Everyone with the local Users group. If this occurred in a real environment, I think it's not a vulnerability; it's only the administrator's bad knowledge and experience. You know, the more secure a system is, the slower its performance.

I have a Windows NT 4.0 server with SP4 and the security-related post-SP4 fixes. I've tried this scenario but don't get this result. Once I deleted the IUSR_Computername user and tried to connect to IIS, I got a username/password prompt (I also removed the Everyone group from the ACLs when I installed the server).

I expect that the web page is being accessed by the old IUSR_Computername. You know, if you delete an account while the user is connected, the user's credentials are cached in memory until the user logs off. The deletion of a user account takes effect when the user connects to resources he wasn't connected to before the account was deleted; in other words, if you delete an account, the deletion will take effect when the user authenticates next time. If the user is already authenticated, the deletion of his account remains transparent to him.

Sincerely,
--
Andrejus Stavickis (MCP, MCP+I, MCSE, MCSD, MCDBA)
KTU SC UESM
Studentu 48a-203
Kaunas, 3028 LITHUANIA
phone: +370 7 300633
Cellular phone: +370 87 15664
fax: +370 7 352995
ICQ: 2402709
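A quick way to check the points raised in this thread on the affected host: which account IIS is configured to use for anonymous access, whether that account still exists in the SAM, whether Everyone is in the ACL of the content, and what changes after the Web Publishing Service is restarted. This is an added check script, not code from either poster; it assumes the default Option Pack paths (C:\Inetpub\AdminScripts\adsutil.vbs and C:\Inetpub\wwwroot\default.asp) and the metabase property w3svc/AnonymousUserName, which you should adjust if your installation differs.

```batch
@echo off
rem Added check script (not from the original thread). Assumed paths:
rem   C:\Inetpub\AdminScripts\adsutil.vbs  - IIS 4 admin script (Option Pack default)
rem   C:\Inetpub\wwwroot\default.asp       - the page discussed in the thread
rem Run from an Administrator cmd prompt on the IIS 4 / NT 4 host.

setlocal
set ADSUTIL=C:\Inetpub\AdminScripts\adsutil.vbs
set PAGE=C:\Inetpub\wwwroot\default.asp

echo === 1. Which account does IIS use for anonymous access?
cscript //nologo %ADSUTIL% get w3svc/AnonymousUserName

echo === 2. Does that account still exist in the SAM?
rem "net user" prints the account details, or "The user name could not be found."
net user IUSR_%COMPUTERNAME%

echo === 3. Who is in the ACL of the page? (look for Everyone:R or Everyone:F)
cacls %PAGE%

echo === 4. Restart the web service so the cached anonymous logon is dropped
rem Stopping W3SVC forces IIS to log the anonymous account on again at the
rem next request; a deleted account then fails, which is the behaviour the
rem reply above expects to see.
net stop w3svc
net start w3svc

echo === 5. Re-test from another machine: a plain GET / should now prompt for
echo        credentials if the anonymous account is gone. To close the hole the
echo        original poster found, also revoke Everyone on the content:
echo        cacls %PAGE% /E /R Everyone
endlocal
```

Step 5 is printed as a reminder rather than executed, so apart from the service restart the script only reads state; run the cacls revoke by hand once you have confirmed which principals should keep access.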
Current thread:
- Re: IIS anonymous user - who? Todd Ransom (Jul 18)
- <Possible follow-ups>
- Re: IIS anonymous user - who? Andrejus Stavickis (Jul 19)
- Re: IIS anonymous user - who? Maxime Rousseau (Jul 19)
- Re: IIS anonymous user - who? Damiano Cpl Anthony B (Jul 20)