About Windows 2003 Server security guide and Rights Management
- From: "David Burghgraeve" <DavidBurghgraeve@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 28 Jul 2005 10:05:06 -0700
Hi,
first read
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx chapters 3 and 8 ;o) (the Windows 2003 Server Security Guide)
My question is about the rights and privilege assignments. As GPOs allow us
to control all the rights on member servers, I noticed that the baseline
security, especially the high security (why not implement the "high
security"?), doesn't mention in any way the IIS 6.0 special user accounts
(ASP.NET).
Even in chapter 8 "they" mention that there are no really specific right
and privilege options needed for IIS, and that the baseline security will do just
fine.
I don't agree!!!
I've made a full inventory of all rights and privileges on all our servers
(using scripting and the reskit tool showpriv.exe) and got this snapshot of IIS:
3 users: IUSR_computername, IWAM_computername, ASPNET
1 group: IIS_WPG
Memberships: IUSR_computername is member of the "BUILTIN\guests"
IWAM_computername is member of the "IIS_WPG"
ASPNET is a member of the "BUILTIN\Users"
Making a full inventory of the rights and privileges:
IUSR_computername:
- Logon locally
- Logon as batch job
- Access this computer from the network
IWAM_computername:
- Logon as batch job
- Access this computer from the network
- Replace a process level token
- Adjust memory quotas
- Impersonate a client after logon (because of the membership of the IIS_WPG)
ASPNET:
- Logon as batch job
- Access this computer from the network
- Impersonate a client after logon
- Deny interactive logon
- Deny logon from the network
- Logon as a service
In the Windows 2003 security guideline, "they" suggest:
- Adjust memory quotas for a process: Administrators, NETWORK SERVICE and LOCAL
SERVICE. => Doing that we'll have a conflict for the IWAM user.
- Allow logon locally only for Administrators, Power Users and Backup
Operators
=> So we have a conflict for the IUSR user.
- Replace a process level token only for LOCAL SERVICE and NETWORK SERVICE
=> So we have a conflict for the IWAM user.
- Deny access from the network: Guests group.
=> So we have a conflict for the IUSR user (because of the membership in the
Guests group).
- Deny logon as batch job for Guests
=> So we have a conflict for the IUSR user.
And so on and so on ...
MY QUESTION: I could go on and start a test configured as the guide says,
but I'm intrigued by the contradictions in the guide!
Two possibilities:
- The guide has it all wrong about the IIS part (and I have a lot of work
"skipping" all the IIS-related rights and privileges on our IIS servers,
grrrrrrr, because IIS is running on almost every server because of SMS 2003,
...).
- I should not "care" that much, close my eyes and everything will work fine
(and the rights are not really needed by IIS ;o).
I'm hoping it's the first one; otherwise I'm hoping someone can explain the
contradictions!
Greetings!
PS: if you got this far you're interested or intrigued ;o)
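Added example, not from the post above or from the Windows Server 2003 Security Guide: a PowerShell script that parses the [Privilege Rights] section of a secedit export and reports, for the three IIS 6.0 accounts and the rights the inventory in the post found them holding, which rights a baseline would no longer grant or would explicitly deny through a matching Deny right. The INF text is constructed to mimic the guide's settings quoted in the post (the remaining entries are assumed filler); the well-known SIDs are the BUILTIN/NT AUTHORITY ones, and IIS_WPG appears by name because it is a machine-local group with no well-known SID. Running it against a live server needs PowerShell and secedit on that server.

```powershell
# Added example (PowerShell). Constructed secedit-style export: the entries for
# interactive/batch/network logon, process-level token and memory quotas mirror
# what the post quotes from the guide; the other lines are assumed filler.
$sampleInf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-551
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = *S-1-5-32-546
SeBatchLogonRight = *S-1-5-32-544
SeDenyBatchLogonRight = *S-1-5-32-546
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
SeServiceLogonRight = *S-1-5-20
'@

# Parse "[Privilege Rights]" into a hashtable: right name -> list of SIDs/names.
# secedit writes SIDs with a leading '*'; local account names appear bare.
function ConvertFrom-PrivilegeRights {
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $rights[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    return $rights
}

# Identities each IIS account carries, per the memberships reported in the post,
# plus the implicit Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) groups.
$implicit = @('S-1-1-0', 'S-1-5-11')
$identities = @{
    'IUSR_computername' = @('IUSR_computername', 'S-1-5-32-546') + $implicit   # BUILTIN\Guests
    'IWAM_computername' = @('IWAM_computername', 'IIS_WPG')      + $implicit
    'ASPNET'            = @('ASPNET', 'S-1-5-32-545')            + $implicit   # BUILTIN\Users
}
# Rights the inventory in the post found each account holding (hypothetical names).
$held = @{
    'IUSR_computername' = @('SeInteractiveLogonRight', 'SeBatchLogonRight', 'SeNetworkLogonRight')
    'IWAM_computername' = @('SeBatchLogonRight', 'SeNetworkLogonRight', 'SeAssignPrimaryTokenPrivilege',
                            'SeIncreaseQuotaPrivilege', 'SeImpersonatePrivilege')
    'ASPNET'            = @('SeBatchLogonRight', 'SeNetworkLogonRight', 'SeImpersonatePrivilege',
                            'SeServiceLogonRight')
}
# Logon rights have a matching Deny right, and a Deny always wins over an Allow.
$denyOf = @{
    SeInteractiveLogonRight = 'SeDenyInteractiveLogonRight'
    SeNetworkLogonRight     = 'SeDenyNetworkLogonRight'
    SeBatchLogonRight       = 'SeDenyBatchLogonRight'
    SeServiceLogonRight     = 'SeDenyServiceLogonRight'
}

# Report every held right that the parsed policy either denies or no longer grants.
function Test-RightsBaseline {
    param([hashtable]$Rights)
    $findings = @()
    foreach ($account in ($held.Keys | Sort-Object)) {
        $ids = $identities[$account]
        foreach ($right in $held[$account]) {
            $allowed = @($Rights[$right]) | Where-Object { $ids -contains $_ }
            $denyRight = $denyOf[$right]
            $denied = if ($denyRight) { @($Rights[$denyRight]) | Where-Object { $ids -contains $_ } } else { @() }
            if ($denied) {
                $findings += "$account : $right denied via $denyRight (matched $($denied -join ','))"
            } elseif (-not $allowed) {
                $findings += "$account : $right no longer granted to the account or its groups"
            }
        }
    }
    return $findings
}

# Against the constructed sample:
Test-RightsBaseline (ConvertFrom-PrivilegeRights ($sampleInf -split "`r?`n"))

# Against the live policy of a server (run as administrator):
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Test-RightsBaseline (ConvertFrom-PrivilegeRights (Get-Content "$env:TEMP\rights.inf"))
```

On the constructed sample this reports exactly the collisions the post lists (IUSR loses local logon, and its Guests membership triggers the batch and network Deny rights; IWAM loses batch logon, the process-level token and memory-quota privileges) plus the rights the sample simply never grants to IIS_WPG or ASPNET. Two caveats when using it for real: the local group IIS_WPG is matched by name only, so add the account's actual nested memberships if the group is renamed or the account sits in domain groups, and a Deny entry for a group the account belongs to is the finding that matters most, since it overrides any Allow granted elsewhere.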