Re: Working on a Web Server 2003

From: denis roy (denis.roy_at_ca.trader.com)
Date: 09/08/04


Date: Wed, 8 Sep 2004 13:19:17 -0400

So, I tried the default permissions and user rights in the article 812614.
I'm sure that to run IIS6 these rights do work; removing Everyone, etc., leaves
services with not enough rights to run. So, my question is, is there a doc for
min, default rights for a 2003 server? Then I can add the rights for IIS6 on
top of that.

Maybe you can help me.
1. LocalSystem: I assume it needs full access throughout the server
2. Network Service: where should its rights be applied?
3. Local Service: same as above.

"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:OSy8waVlEHA.3392@TK2MSFTNGP15.phx.gbl...
> In news:uDyBeMOlEHA.1936@TK2MSFTNGP12.phx.gbl,
> denis roy <denis.roy@ca.trader.com> made a post then I commented below
>> I started looking at the new services found on a 2003 server,
>> NetworkService, Local system, Local service and IIS_group. Don't
>> these have to be included in a GPO? Do you give "access through the
>> network" also, start as a service?
>>
>> Also, the everyone group is on the root of C. All the documentation
>> I have seen (that was for 2000 server, not for 2003) mentions
>> changing the everyone group to the authenticated group. When I do that, the
>> services I mention don't have enough rights to start their services.
>>
>
> Are you trying to setup and secure a webserver on a DC? If so, not
> recommended.
>
> Some of these accounts defined:
> 1. LocalSystem:
> A built-in account that has a high level of access rights.
> Avoid assigning LocalSystem as an application pool identity.
>
> 2. Network Service:
> A built-in IIS account with low privileges.
> Interacts throughout the network with the computer account.
> The default application pool identity.
>
> 3. Local Service:
> A built-in IIS account with the lowest privileges.
> Connects anonymously over the network.
> Use for local web applications only.
>
> So my take on this is that if you stripped Everyone, which includes
> unauthenticated (anonymous) connections, that is why it doesn't work, since the
> LocalSystem account requires that.
> This account is part of the Everyone group. The difference between the
> 'Everyone' group and 'Authenticated Users' is that Everyone includes the
> Guest account, IUSR_machinename and IWAM_machinename, and the groups you
> mentioned, hence why you are having problems with the services.
> http://biss.beckman.uiuc.edu/security/workshops/1999-06/sld034.htm
>
> I believe the documentation you are reading is for network services, but
> not including webservers. Anytime you put up a webserver, there are
> additional security concerns because of its accessibility to anyone out
> there, and let's face it, especially with unknown vulnerabilities that are
> being found almost weekly, probably as we speak, hence care is required in
> setting up and securing any webserver. But not on a DC.
>
> In addition, here's some info on the group differences:
> http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_differences.htm
>
> Lastly, the groups you mentioned are designed to be added to the webfolders
> needing access by the website. You can eliminate the Everyone group off the
> drive, but you need to add these users to the web root folders for access.
> The services you mentioned, NetworkService, Local system, Local service, as
> I mentioned above, can all be started with alternate credentials if you want
> to lock down the box as you are attempting.
>
> I would also look at that Google link that Brad provided on how to lock down
> webservers.
>
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
>
> Security Is Like An Onion, It Has Layers
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
>
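An added example (not from either poster) that checks the end state Ace describes: Everyone removed from the web root's ACL, while the IIS worker identities still hold read access. The web root path and the list of required identities are assumptions; adjust them to the application pool identities actually in use.

```powershell
# Audit a web root's NTFS ACL: flag any Allow ACE for 'Everyone' and confirm
# the worker identities can still read. Paths/identities below are assumed.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot',          # assumed web root
    [string[]]$RequiredIdentities = @(
        'NT AUTHORITY\NETWORK SERVICE',               # default app pool identity
        'NT AUTHORITY\LOCAL SERVICE'
    )
)

$readExec = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$acl      = Get-Acl -Path $WebRoot
$findings = @()

# 1. Any explicit or inherited Allow for Everyone is what the thread says to remove.
foreach ($ace in $acl.Access) {
    if ($ace.IdentityReference.Value -eq 'Everyone' -and
        $ace.AccessControlType -eq 'Allow') {
        $findings += "Everyone still allowed '$($ace.FileSystemRights)' on $WebRoot (inherited=$($ace.IsInherited))"
    }
}

# 2. Each worker identity needs ReadAndExecute directly on the web root,
#    since it can no longer rely on the Everyone ACE from the drive root.
#    Note: ACEs carrying generic rights show up as large integers and will
#    not match the mask test; inspect those by hand.
foreach ($id in $RequiredIdentities) {
    $hasRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $id -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readExec) -eq $readExec)
    }
    if (-not $hasRead) {
        $findings += "$id lacks ReadAndExecute on $WebRoot; its worker process cannot serve content"
    }
}

if ($findings.Count -eq 0) {
    "OK: $WebRoot has no Everyone ACE and all required identities can read"
} else {
    $findings | ForEach-Object { "WARN: $_" }
}
```

Run it as an administrator on the web server after changing the drive-root ACL; a WARN for a worker identity explains the "not enough rights to start" symptom from the original question.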


