question about IUSR_server and security

Dan

Hi,

I run a webserver on Windows XP Prof SP2 and IIS 5.1 (no domain).
I have an ASP.NET application which is accessible for anonymous users.
IIS-configuration is set on Anonymous allowed (IUSR_server). No other
authentication.
The windows account ASP.NET has READ permissions for the directory
containing the application and R/W for the database directory.
The account ASP.NET is only member of the USERS group.
The account IUSR_server exists, is only member of the GUESTs group but has
no permissions anywhere (so no permission for the directory with the
application).

Now, I access from another computer (in our LAN without any domain) the
application by typing its IP (10.0.0.60) and .. I have access to the whole
application. And this without any authentication (normal because anonymous
access).

My question is: what is the purpose of account IUSR_server, because it's
obviously not used here? Or did I configure something wrongly?

Thanks
Dan
 
Ken Schaefer

The account IUSR_<machinename> is impersonated by IIS, and is used to access
files off the hard disk (not ASP.NET related files though) and other tasks
when requests come through. Effectively the thread in the dllhost.exe
process that is handling your request impersonates the IUSR account.

So, when you request default.htm (for example), IIS needs to make a request
to Windows to get this file off the hard disk. It must do that under some
security context. The security context is (by default) the
IUSR_<machinename> (but can be configured via IIS Manager).

On Windows XP, ASP.NET requests are handled a little bit differently. There
is a separate aspnet_wp.exe process, and the process identity here is the
ASPNET account that you noticed. This is used for ASP.NET related requests
(e.g. for ASPX files).

Cheers
Ken
 
Dan

Thanks.
Suppose I run the same application on a Windows 2003 with IIS 6, do I have
to give READ (and Write?) permissions to the directory of the application to
IUSR_server or only ASP.NET is necessary?
 
Ken Schaefer

Hi,

When using IIS 6.0 in Worker Process Isolation mode (i.e. native IIS 6 mode,
and not the IIS 5 compatibility mode) then:
a) IUSR_<machinename> is still the default identity that is impersonated for
non-ASP.NET requests (HTML pages, images, CSS files etc)
b) The worker process identity (default is Network Service) is used for
ASP.NET related requests

Cheers
Ken
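
The identities described in the answers above can be checked against a directory's NTFS ACL. This is an added example, not code from the thread or from any poster; the default `$Path` is a hypothetical application directory, and the script assumes the account and group names used in the thread (IUSR_<machinename>, ASPNET, Network Service, Users, Guests).

```powershell
# Added example, not from the thread. $Path is a hypothetical application directory.
param([string]$Path = 'C:\Inetpub\wwwroot\MyApp')

$machine = $env:COMPUTERNAME

# Accounts and groups named in the thread, with the role each one plays.
$identities = @{
    "$machine\IUSR_$machine"       = 'impersonated for anonymous non-ASP.NET requests'
    "$machine\ASPNET"              = 'aspnet_wp.exe process identity (XP / IIS 5.1)'
    'NT AUTHORITY\NETWORK SERVICE' = 'default worker process identity (IIS 6)'
    'BUILTIN\Users'                = 'group that ASPNET belongs to in the question'
    'BUILTIN\Guests'               = 'group that IUSR_server belongs to in the question'
}

# Bits that let an identity create or change file content.
$writeBits = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

$acl = Get-Acl -Path $Path
foreach ($ace in $acl.Access) {
    $name = $ace.IdentityReference.Value
    # Skip ACEs for identities the thread does not discuss.
    if (-not $identities.ContainsKey($name)) { continue }

    $isAllow = $ace.AccessControlType -eq 'Allow'
    New-Object PSObject -Property @{
        Identity  = $name
        Role      = $identities[$name]
        Type      = $ace.AccessControlType
        Rights    = $ace.FileSystemRights
        # True only for an Allow ACE that carries a write bit.
        CanWrite  = $isAllow -and (($ace.FileSystemRights -band $writeBits) -ne 0)
        Inherited = $ace.IsInherited
    } | Select-Object Identity, Role, Type, Rights, CanWrite, Inherited
}
```

An identity with no row has no ACE of its own and none through the two listed groups; ACEs for other groups such as Everyone are not shown.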
 
Dan

Thanks

Ken Schaefer said:
Hi,

When using IIS 6.0 in Worker Process Isolation mode (i.e. native IIS 6
mode, and not the IIS 5 compatibility mode) then:
a) IUSR_<machinename> is still the default identity that is impersonated
for non-ASP.NET requests (HTML pages, images, CSS files etc)
b) The worker process identity (default is Network Service) is used for
ASP.NET related requests

Cheers
Ken
 
