Re: Working on a Web Server 2003
From: denis roy (denis.roy_at_ca.trader.com)
Date: 09/08/04
- Next message: Ulf B. Simon-Weidner [MVP]: "Re: group policy to disable games in accessories?"
- Previous message: Sharad Naik: "Re: Disable Offline Files?"
- In reply to: Ace Fekay [MVP]: "Re: Working on a Web Server 2003"
- Next in thread: denis roy: "Re: Working on a Web Server 2003"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 8 Sep 2004 12:42:47 -0400
No, I'm not trying to install the web server on a DC. Basically, I have a
SANS document for a 2000 web server. The procedure is to remove the
Everyone group and replace it with the Authenticated Users group, IUSR_machinename and
IWAM_machinename. So it makes sense, and it did work.
Basically, I'd love to have the same doc, but for a 2003 web server. I found an
article for IIS 6: 812614. I'm trying it now. If I remove the Everyone
group and the Users group, and try to replace them with Authenticated Users,
IUSR_machinename, IWAM_machinename and the IIS group, like in the doc
(default rights for IIS), will the rest of the server work?
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:OSy8waVlEHA.3392@TK2MSFTNGP15.phx.gbl...
> In news:uDyBeMOlEHA.1936@TK2MSFTNGP12.phx.gbl,
> denis roy <denis.roy@ca.trader.com> made a post then I commented below
> >> I started looking at the new services found on 2003 servers:
> >> NetworkService, Local System, Local Service and IIS_group. Don't
> >> these have to be included in a GPO? Do you give "access through the
> >> network" also, and "start as a service"?
>>
> >> Also, the Everyone group is on the root of C:. Every document
> >> I have seen (for 2000 server, not for 2003) mentions
> >> changing the Everyone group to the Authenticated Users group. When I do that, the
> >> services I mentioned don't have enough rights to start.
>>
>
> Are you trying to setup and secure a webserver on a DC? If so, not
> recommended.
>
> Some of these accounts defined:
> 1. LocalSystem:
> A built-in account that has a high level of access rights.
> Avoid assigning LocalSystem as an application pool identity.
>
> 2. Network Service:
> A built-in IIS account with low privileges.
> Interacts throughout the network with the computer account.
> The default application pool identity.
>
> 3. Local Service:
> A built-in IIS account with the lowest privileges.
> Connects anonymously over the network.
> Use for local web applications only.
>
> So my take on this is that if you stripped Everyone, which included
> unauthenticated (anonymous) connections, that is why it doesn't work, since the
> LocalSystem account requires that.
> This account is part of the Everyone group. The difference between the
> 'Everyone' group and 'Authenticated Users' is that Everyone includes the
> Guest account, IUSR_machinename and IWAM_machinename, and the groups you
> mentioned, hence why you are having problems with the services.
> http://biss.beckman.uiuc.edu/security/workshops/1999-06/sld034.htm
>
> I believe the documentation you are reading is for network services, but
> does not cover webservers. Anytime you put up a webserver, there are
> additional security concerns because of its accessibility to anyone out
> there, and let's face it, especially with unknown vulnerabilities that are
> being found almost weekly, probably as we speak, care is required in
> setting up and securing any webserver. But not on a DC.
>
> In addition, here's some info on the group differences:
> http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_differences.htm
>
> Lastly, the groups you mentioned are designed to be added to the
> web folders needing access by the website. You can eliminate the Everyone
> group from the drive, but you need to add these users to the web root
> folders for access. The services you mentioned, NetworkService, Local System,
> Local Service, as I mentioned above, can all be started with alternate
> credentials if you want to lock down the box as you are attempting.
>
> I would also look at that Google link that Brad provided on how to lock
> down webservers.
>
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
>
> Security Is Like An Onion, It Has Layers
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
>
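The permission swap discussed in this thread (drop Everyone from the drive root, grant Authenticated Users in its place, then give the IIS 6 accounts access to the web root only), written out as an added PowerShell example. This is not code from the original post or from the SANS/Microsoft documents it mentions; it post-dates Windows Server 2003 and is shown for practitioners applying the same idea today. The drive root, the web root path `C:\Inetpub\wwwroot`, and the use of `IUSR_<machine>`, `IWAM_<machine>` and `IIS_WPG` as the accounts to grant are assumptions taken from the names used in the thread.

```powershell
# Added example, not from the original post. Assumptions: the web root lives at
# C:\Inetpub\wwwroot, and the IIS 6 identities are the local accounts
# IUSR_<machine>, IWAM_<machine> and the IIS_WPG group named in the thread.
# Run elevated. Set-Acl honours -WhatIf, so dry-run first with $DryRun = $true.
$DryRun      = $true
$machine     = $env:COMPUTERNAME
$driveRoot   = 'C:\'
$webRoot     = 'C:\Inetpub\wwwroot'
$iisAccounts = @("$machine\IUSR_$machine", "$machine\IWAM_$machine", "$machine\IIS_WPG")

function Replace-EveryoneWithAuthenticatedUsers {
    # Replace each explicit (non-inherited) Everyone ACE on $Path with an
    # equivalent ACE for Authenticated Users, keeping rights and inheritance flags.
    param([string]$Path, [switch]$WhatIf)
    $acl = Get-Acl -Path $Path
    $everyoneAces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited })
    if ($everyoneAces.Count -eq 0) {
        Write-Host "No explicit Everyone ACE on $Path"
        return
    }
    foreach ($ace in $everyoneAces) {
        $null = $acl.RemoveAccessRule($ace)
        $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\Authenticated Users',
            $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($replacement)
    }
    Set-Acl -Path $Path -AclObject $acl -WhatIf:$WhatIf
}

function Grant-IisReadExecute {
    # Grant Read & Execute (inherited by files and subfolders) to the IIS accounts
    # on the web root only, as the reply suggests, rather than on the whole drive.
    param([string]$Path, [string[]]$Accounts, [switch]$WhatIf)
    $acl = Get-Acl -Path $Path
    foreach ($account in $Accounts) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl -WhatIf:$WhatIf
}

Replace-EveryoneWithAuthenticatedUsers -Path $driveRoot -WhatIf:$DryRun
Grant-IisReadExecute -Path $webRoot -Accounts $iisAccounts -WhatIf:$DryRun

# Show the resulting explicit ACEs so the change can be reviewed before and after.
foreach ($p in @($driveRoot, $webRoot)) {
    Write-Host "`nExplicit ACEs on $p"
    (Get-Acl -Path $p).Access |
        Where-Object { -not $_.IsInherited } |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

Leave `$DryRun` set to `$true` for the first pass and read the `What if:` output; only flip it once the ACE list looks right. After applying it for real, do what the thread hints at and check that the IIS services and worker processes still start, since an identity that previously relied on an Everyone grant (anonymous or otherwise) will fail at that point rather than at deployment time.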