Re: IUSR account account logging on about every two hours
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 03/20/05
- Next message: David Wang [Msft]: "Re: Can not access web directory in Win2k3 with anonymous access disab"
- Previous message: Pascal #: "My IISstate log..."
- In reply to: joey: "IUSR account account logging on about every two hours"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 20 Mar 2005 01:58:46 -0800
1. Web Servers are meant to handle HTTP requests. The requests do not have
to come from anyone in the office, nor do the request have to access the ASP
application, nor does a live person actually have to make the request. It
could be the load balancer sending a hourly PING (or something else doing
the same sort of tracking), it could be Nimda/CodeRed/random worm/app in
your network making a random heartbeat request against the server, etc. You
should be able to figure this out by looking at the web server's log files
to see if requests were made to the web server at unexpected times.
Since user tokens are tied to a given w3wp process, and IIS6 will
proactively recycle such w3wp.exe processes that are not actively doing
work, it is possible that IIS would repeatedly log in the IUSR if you have a
very low request rate such that IIS is recycling processes. If this is the
case, then you should consider tuning your Application Pool Healt Monitoring
configuration to better suite your usage style and optimize for your desire
to not see the IUSR login. For example, the default settings will recycle
the w3wp.exe every 29 hours -- so you may want to time it such that it
recycle daily at the beginning or end of the work day such that you still
get the daily recycle, but it does not trip the intrusion detection system.
2. If you want to prevent the IUSR account from automatically logging in and
you also wish to enable authentication which uses that account (such as
anonymous, by default configuration [configurable]), you have fundamentally
conflicting desires that you need to resolve. Either IUSR can be logged in
by IIS, or you do not use authentication that try to use that account.
-- //David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // "joey" <joey@discussions.microsoft.com> wrote in message news:17AFC3B1-C614-4C71-839F-A83FA227F9AC@microsoft.com... Hello, A few days ago I had to enable IIS 6 on a Win 2003 server in order to run an internal ASP application. Since then, I have noticed that about every one or two hours the event log will record that the IUSR account used to access the application has loged itself in (ID 540 and 680) even when no one is accessing the application or is even in the office. I have two questions regarding this: 1. Is this normal behavior? 2. Is there a way to prevent the account from automatically logging itself in? (My intrusion detection system is flagging these off-hours logons, so I need to know whether I can prevent this behavior or will I have to adjust the intrusion system. I would much prefer to do the former if possible). Thanks
- Next message: David Wang [Msft]: "Re: Can not access web directory in Win2k3 with anonymous access disab"
- Previous message: Pascal #: "My IISstate log..."
- In reply to: joey: "IUSR account account logging on about every two hours"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
