question about IUSR_server account

Bart · Mar 22, 2007

Hi,

i have an asp.net webapplication using Anonymous Authentification
(IUSR_servername) in IIS.
Account ASPNET is used for the aspx files.
There are also old asp classic pages which run without problem.

When looking at the permissions, all pages (aspx and asp) have account
ASPNET set to Read and the database directory set to Read/Write.

Nowhere i can see the account IUSR_servername; I thought account
IUSR_servername acts as anonymous user (for the visitor of the site).
So my question: why is it not in the permission list of the asp(x) pages?
Where and when does it act?

Thanks for explanation
Bart

Will Platnick · Mar 23, 2007

Hi,

i have an asp.net webapplication using Anonymous Authentification
(IUSR_servername) in IIS.
Account ASPNET is used for the aspx files.
There are also old asp classic pages which run without problem.

When looking at the permissions, all pages (aspx and asp) have account
ASPNET set to Read and the database directory set to Read/Write.

Nowhere i can see the account IUSR_servername; I thought account
IUSR_servername acts as anonymous user (for the visitor of the site).
So my question: why is it not in the permission list of the asp(x) pages?
Where and when does it act?

Thanks for explanation
Bart

Bart,
What other users have permissions? If you post, we can make
recommendations on locking them down.

Bart · Mar 24, 2007

Nothing special:
All users: read
ASPNET: read
ADministrators: full

David Wang · Mar 24, 2007

Nothing special:
All users: read
ASPNET: read
ADministrators: full

"Will Platnick" <[email protected]> schreef in bericht

- Show quoted text -

http://blogs.msdn.com/david.wang/archive/2005/06/29/IIS_User_Identity_to_Run_Code_Part_2.aspx

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Bart · Mar 24, 2007

Thanks, but to be honest, it's not easy to read.
Can you summarize and tell me:
which account (obvisiouly not IUSR_server) needs then the right permissions
for accessing aspx pages?

Dominick Baier · Mar 24, 2007

the account your application runs under.

IIS5 default: ASPNET
IIS6 default: NETWORK SERVICE

Bart · Mar 24, 2007

Thanks.
And, if you don't mind, for asp classic pages?

Will Platnick · Mar 24, 2007

Thanks.
And, if you don't mind, for asp classic pages?

Bart,
ASP pages run as the IUSR, but IUSR user is probably in "all users"
group (did you mean Everyone by any chance), which is why it is
executing. Definitely a security risk. When I setup sites, I copy
the existing permissions on the root, and then set Administrators and
System as full, then go assign iusr or .net user permissions
depending...

Bart · Mar 24, 2007

Thanks for explanation...

And last point...
if the Windows Integrated Authentification is used and not Anonymous, is
then the account of the user himelf used?

Dominick Baier · Mar 24, 2007

for ASP yes

for ASP.NET (by default) no

Bart · Mar 24, 2007

Thanks

Dominick Baier said:
for ASP yes

for ASP.NET (by default) no
-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

question about IUSR_server and security	4	Feb 13, 2007
Simple anonymous access question	1	Mar 31, 2006
authentication and impersonation question	2	Jul 19, 2006
Basic theory question about the ASP.NET Machine account	2	Dec 26, 2005
How do I set the default content page) on a Classic ASP file?	0	Aug 24, 2021
Account for form authentication to AD	9	Jun 4, 2005
anonymous user account name	2	Jan 12, 2006
Help! FileUploading, Windows 2000 permissions, and the ASP.NET account	1	Dec 17, 2003

question about IUSR_server account

Bart

Will Platnick

Bart

David Wang

Bart

Dominick Baier

Bart

Will Platnick

Bart

Dominick Baier

Bart

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads