question about IUSR_server and security

Discussion in 'ASP .Net Security' started by Dan, Feb 13, 2007.

  1. Dan

    Dan Guest

    Hi,

I run a webserver on Windows XP Prof SP2 and IIS 5.1 (no domain).
I have an ASP.NET application which is accessible to anonymous users.
The IIS configuration is set to Anonymous allowed (IUSR_server). No other
authentication.
    The windows account ASP.NET has READ permissions for the directory
    containing the application and R/W for the database directory.
    The account ASP.NET is only member of the USERS group.
    The account IUSR_server exists, is only member of the GUESTs group but has
    no permissions anywhere (so no permission for the directory with the
    application).

Now, I access the application from another computer (in our LAN, without any
domain) by typing its IP (10.0.0.60) and ... I have access to the whole
application. And this without any authentication (normal, because anonymous
access).

My question is: what is the purpose of the account IUSR_server, because it's
obviously not used here? Or did I configure something wrongly?

    Thanks
    Dan
    Dan, Feb 13, 2007
    #1

  2. Ken Schaefer

    Ken Schaefer Guest

    The account IUSR_<machinename> is impersonated by IIS, and is used to access
    files off the hard disk (not ASP.NET related files though) and other tasks
    when requests come through. Effectively the thread in the dllhost.exe
    process that is handling your request impersonates the IUSR account.

    So, when you request default.htm (for example), IIS needs to make a request
    to Windows to get this file off the hard disk. It must do that under some
    security context. The security context is (by default) the
    IUSR_<machinename> (but can be configured via IIS Manager).

On Windows XP, ASP.NET requests are handled a little bit differently. There
is a separate aspnet_wp.exe process, and the process identity here is the
ASPNET account that you noticed. This is used for ASP.NET related requests
(e.g. for ASPX files).

    Cheers
    Ken

    Ken Schaefer, Feb 13, 2007
    #2

  3. Dan

    Dan Guest

Thanks.
Suppose I run the same application on Windows 2003 with IIS 6: do I have
to give READ (and Write?) permissions on the directory of the application to
IUSR_server, or is only ASP.NET necessary?
    Dan, Feb 13, 2007
    #3
  4. Ken Schaefer

    Ken Schaefer Guest

    Hi,

When using IIS 6.0 in Worker Process Isolation mode (i.e. native IIS 6 mode,
and not the IIS 5 compatibility mode):
a) IUSR_<machinename> is still the default identity that is impersonated for
non-ASP.NET requests (HTML pages, images, CSS files, etc.)
b) The worker process identity (default is Network Service) is used for
ASP.NET related requests

    Cheers
    Ken

    Ken Schaefer, Feb 14, 2007
    #4
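The two replies above describe two different identities touching the same folders: the anonymous account (IUSR_<machinename>) for static files, and the ASP.NET process identity (ASPNET on XP, NETWORK SERVICE on IIS 6) for ASPX requests. The script below is an added audit example, not code from the thread or from Microsoft; it assumes PowerShell run as an administrator on the web server, the IIS metabase reachable through ADSI (the `AnonymousUserName` and `AuthFlags` properties on the site root), and two hypothetical folder paths. It reads the configured anonymous identity, lists the NTFS ACEs each relevant account and group holds on the application and database folders, and flags the case a defender cares about: the anonymous identity (directly or via Guests) being able to modify the application directory.

```powershell
# Added audit script (not from the thread). Assumes an elevated PowerShell on
# the web server, IIS 5.1/6 metabase via ADSI, and hypothetical folder paths.
param(
    [string]$AppPath = 'C:\Inetpub\wwwroot\MyApp',           # hypothetical
    [string]$DbPath  = 'C:\Inetpub\wwwroot\MyApp\App_Data'   # hypothetical
)

# 1. Which account IIS impersonates for anonymous requests, and whether
#    anonymous authentication is enabled at all (AuthFlags bit 1 = AuthAnonymous).
$siteRoot    = [ADSI]'IIS://localhost/W3SVC/1/Root'
$anonUser    = [string]$siteRoot.Properties['AnonymousUserName'].Value
$authFlags   = [int]$siteRoot.Properties['AuthFlags'].Value
$anonEnabled = ($authFlags -band 1) -ne 0
"Anonymous access enabled : $anonEnabled"
"Anonymous identity       : $anonUser"

# 2. Identities that actually touch the application's files: the anonymous
#    account for static content, and the ASP.NET process identity (ASPNET with
#    aspnet_wp.exe on XP, NETWORK SERVICE with w3wp.exe on IIS 6). Groups are
#    listed too, because IUSR_* is a member of Guests and ASPNET of Users, so
#    effective rights can arrive through group ACEs rather than explicit ones.
$identities = @(
    $anonUser,
    "$env:COMPUTERNAME\ASPNET",
    'NT AUTHORITY\NETWORK SERVICE',
    'BUILTIN\Users',
    'BUILTIN\Guests'
)

# Returns the explicit and inherited ACEs on $Path whose trustee is one of $Names.
function Get-IdentityAces {
    param([string]$Path, [string[]]$Names)
    $acl = Get-Acl -Path $Path
    foreach ($name in $Names) {
        $acl.Access | Where-Object { $_.IdentityReference.Value -eq $name }
    }
}

function Show-FolderRights {
    param([string]$Path, [string[]]$Names)
    "`n== $Path =="
    foreach ($name in $Names) {
        $aces = @(Get-IdentityAces -Path $Path -Names $name)
        if ($aces.Count -eq 0) {
            '{0,-38} {1}' -f $name, '(no explicit ACE)'
            continue
        }
        foreach ($ace in $aces) {
            '{0,-38} {1,-5} {2}' -f $name, $ace.AccessControlType, $ace.FileSystemRights
        }
    }
}

# 3. Only write-class bits are tested, so Read/ReadAndExecute ACEs do not match,
#    while Modify and FullControl ACEs (which contain these bits) do.
$writeBits = 0
foreach ($r in 'WriteData', 'AppendData', 'WriteExtendedAttributes', 'WriteAttributes',
               'Delete', 'DeleteSubdirectoriesAndFiles', 'ChangePermissions', 'TakeOwnership') {
    $writeBits = $writeBits -bor [int]([System.Security.AccessControl.FileSystemRights]$r)
}

# True when the anonymous identity, directly or via Guests, holds an Allow ACE
# with any write-class right on $Path.
function Test-AnonymousWrite {
    param([string]$Path, [string]$Anon)
    $hits = @(Get-IdentityAces -Path $Path -Names @($Anon, 'BUILTIN\Guests') |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.FileSystemRights -band $writeBits) -ne 0) })
    return ($hits.Count -gt 0)
}

foreach ($p in $AppPath, $DbPath) {
    if (-not (Test-Path -Path $p)) { Write-Warning "Folder not found: $p"; continue }
    Show-FolderRights -Path $p -Names $identities
}

if ($anonEnabled -and (Test-Path $AppPath) -and (Test-AnonymousWrite -Path $AppPath -Anon $anonUser)) {
    Write-Warning "Anonymous identity $anonUser can modify $AppPath; remove the write ACE."
}
```

Expected outcome for the setup described in the thread: the ASPNET (XP) or NETWORK SERVICE (IIS 6) row shows Read on the application folder and Modify or Write on the database folder, while the IUSR_* and Guests rows show no ACE on either, which is why ASPX requests work without any rights for IUSR_server. If you later add static files (images, CSS) served by IIS itself, the IUSR_* row needs ReadAndExecute on the folder, and nothing more.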
  5. Dan

    Dan Guest

    Thanks

    Dan, Feb 14, 2007
    #5
