Re: Identify which users are running which asp pages

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 06/27/04 

Date: Sun, 27 Jun 2004 15:36:52 -0700

This can be figured out if you recursively search through the IIS metabase
on that machine looking for hard-coded user accounts for UNC-access,
Anonymous-Access, or AppPool Identity (any other form of hard-coded accounts
used on a request is outside of IIS, so it's your own custom stuff that you
need to figure out). In other words, if you see that a metabase node has
"AuthAnonymous" enabled, and AnonymousUserName is not a domain name, you
know that all anonymous requests to URLs underneath this node (unless
overridden at a lower node) use this user account for anonymous access.
Same thing goes for UNCUserName and WamUserName.

You cannot figure this stuff out through runtime inspection (i.e. it's not
possible for you to make a request and then have some programmatic way to
determine all the identities used for that specific request) -- there is no
such runtime API from IIS. This is why I recommend the static approach of
just searching through the IIS metabase, which is configuration data that
determines how IIS behaves. 

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"jammer" <jolt_soda@hotmail.com> wrote in message
news:d3f6b2a2.0406250612.cdb22db@posting.google.com...
I need to programmatically identify which user account is being used
to run which site and where within that site a user is running a
specific portion of the asp code.  I would like to avoid scanning the
asp code if possible.  This includes sites of varying security levels;
therefore they may be running among an application pool.  I have
looked into what WMI and .Net provides for all types of user
identification but I don't know where/how to look for users with iis
5.  What is the best direction that I can head in: WMI/.Net Where:
metatbase ?  Any ideas or direction would valuable.
Overall goal: Remove hard coded user accounts from a diverse network
environment.
Thanks a lot
N8

Relevant Pages

  • Re: Change computername with MS Server 2003 Web Edition
    ... > I am absolutely glad that IIS does not do it the way you want. ... > You have just changed the IUSR/IWAM user accounts to the new computer name ... How the customer wants to do it is highly debatable. ... >> then you can rename the server to something else so that you can put it on ...
    (microsoft.public.inetserver.misc)
  • Re: Windows authentication query
    ... install IIS, only the NetBIOS name of the IIS server is registered with the ... FQDN) with the KDC. ... Delegation is succeeding only for users accounts residing in the same ... :> HOW TO: Configure Computer Accounts and User Accounts So That They Are ...
    (microsoft.public.inetserver.iis.security)
  • Re: iis6.0 on a dc - does anyone see any security holes?
    ... Running IIS on a DC is generally discouraged because it opens up too many ... all they have access to are local resources and the local user accounts on ... If the same attack happens and your IIS box is a DC? ... This way the local domain users can use the resources in> the ...
    (microsoft.public.windows.server.general)
  • Re: Windows authentication query
    ... IIS server in the list of sites that would be available in the intranet. ... > You need to configure both the computer and user accounts for delegation. ...
    (microsoft.public.inetserver.iis.security)
  • Re: IIS 6 - UNC - 401.1 - Access is denied due to invalid credentials
    ... The IE patch disallowed the http://user:pass@server notation, ... were using it on an anonymous-access web page to auto-login to other IIS ... If you want anonymous access to your websites, ...
    (microsoft.public.inetserver.iis.security)