RE: SBS 2003/member Web Server and ISUR access



Hi,

Thank you for posting here.

Based on my experience, the IIS Permissions Wizard changes both Web and
NTFS permissions for the directories and files.


By default, the IIS content directories have the following permissions.
These permissions change as Application Center, FrontPage Server
Extensions, ASP.NET, SQL Server and other software are installed.

Inetpub\wwwroot

Administrators        Full control
System                Full control
Users                 Read, execute
IIS_WPG               Read, execute
IUSR_MachineName      Read, execute

The IUSR_MachineName account has the following permissions.

Windows User Rights:
Bypass traverse checking (through the Everyone or Users group)
Access this computer from the network
Allow log on locally
Log on as a batch job

The local IUSR_MachineName account has a unique SID that can only be
resolved on the local system.

By default, Application Center replicates the Access Control List (ACL) to
member servers.

The local IUSR account cannot be used for allowing access to content. The
local IUSR account has a unique SID that is specific to a single server.

If the local account is assigned to an ACL on a directory, and the directory
permissions are replicated to member servers, the member servers will not
be able to resolve the SID value.



The Anonymous IUSR account is changed to a Domain User account.

============================================================================
Reference Articles:

The Permissions Maze
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/confeat/permmaze.mspx

- The IUSR_computername account is created automatically by IIS for
anonymous access. It must have Log On Locally rights and belong to the
Guests group in order to "impersonate" the users and give them anonymous
access.
- If you wish to change the IUSR_computername account, such as changing its
password, create another account, like ANON_computername, and use this
account. Changing the IUSR_ computername account can lead to unforeseen
trouble.

Anonymous Authentication in IIS 6.0 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f594e137-e2da-4b22-ab58-f8edba938802.mspx
In IIS 6.0, anonymous authentication no longer requires the Allow log on
locally user right.

During setup, the IUSR_computername account is added to the Guests group on
the computer running IIS. Guests have the same access as members of the
Users group by default, except for the Guest account, which is further
restricted.

KB 812614 - Default permissions and user rights for IIS 6.0
http://support.microsoft.com/?id=812614


KB 318932 - PRB: Cannot Use the Local IUSR Account for Content Permissions
http://support.microsoft.com/?id=318932



Hope this helps, if you have any other concerns or need more help, please
do not hesitate to let me know.

Have a nice day!





Best Regards,

Chace Zhang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: rminnis82@xxxxxxxxxxx
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: SBS 2003/member Web Server and ISUR access
| Date: 16 Jul 2006 03:38:31 -0700
| Organization: http://groups.google.com
| Message-ID: <1153046311.617743.297690@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
|
| Hi,
|
| I have an SBS 2003 prem setup with 2 NICs - works fine, comp name is
| e.g. SBS01
|
| Joined to the domain is a Windows 2003 with 2 NICS also, comp name is
| e.g. WEB01
|
| The set up of the two servers is almost identical, with 1 NIC each
| connecting to the router and one NIC each connected to a switch. The
| member server is part of the SBS domain on a static IP - this all works
| fine without error.
|
| I am using the member server as a web server. I am trying to work out
| how to set up NTFS permissions to ensure the network is safe.
|
| Currently, the web hosting is on a second disk from the member server
| OS install, e.g. E:\Websites\{WEBSITE}\index.htm
|
| The E: disk is shared with Everyone set to Full Control. Security is
| set to Everyone with Full Control for all folders, sub folders and
| files.
|
| The Websites folder is shared with Everyone set to Full Control.
| Security is set to Domain Admins with Full Control of all Folders, sub
| folders, and files. Everyone is added with Read & Execute on all
| Folders, sub folders and files.
|
| This is the only setup I can seem to do to get the websites to host
| live on the internet. All websites are set up as virtual directories,
| with Anonymous Access enabled.
|
| In AD in SBS, there is a user called IUSR_SBS01 - for anonymous logging
| on to the SBS IIS. If I change this to, say, IUSR_WEB01, then it means OWA
| and RWW won't work.
|
| The sites won't show up on the internet unless I go to each virtual
| directory and set the Anonymous Access username to IUSR_WEB01... which
| makes sense to me as external users are connecting with the anonymous
| user account of that machine.
|
| The problem is I can't seem to add IUSR_WEB01 to the NTFS permissions in
| order to tighten up the permissions for all the websites - I am
| following the same procedure I used on SBS NT 4.5, where I had
| E:\Websites having IUSR_WEB01 set to list, and then full control on the
| E:\Websites\{WEBSITE} folder. I don't think this is wrong, or am I not
| ticking enough boxes?
|
| Do I have to create this IUSR_WEB01 account in AD on the SBS for it to
| become registered and properly usable in the NTFS permissions? I haven't
| done it yet as I have got 2 clean installs on the servers and don't want
| to mess them up!
|
| Thanks for any help!
|
| Anyone with any ideas?
|
| But if I open IIS in the member server and change the Anonymous Access
| account to
|
|
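The following script is an added example written for this page; it is not code from the original thread, from the poster, or from Microsoft. It applies the advice in the reply to the member web server (WEB01 in the question): it replaces the Everyone:Full Control ACL on the content root with a least-privilege ACL modeled on the default Inetpub\wwwroot permissions, points IIS 6 anonymous authentication at a domain account (whose SID resolves on every domain member) rather than the machine-local IUSR_<computer>, and then lists any ACE whose SID the server cannot resolve, which is exactly what another machine's local IUSR looks like once its ACL lands on this disk. The domain account name CONTOSO\IUSR_WEB, the content root E:\Websites and the metabase path W3SVC/1/Root are assumptions; substitute your own. The reference list in the reply applies (KB 318932, KB 812614).

```powershell
# Added example, not from the original post or from Microsoft.
# Run elevated on the member web server. Assumed names below.
$ContentRoot  = 'E:\Websites'                   # assumed content root
$AnonAccount  = 'CONTOSO\IUSR_WEB'              # assumed DOMAIN user for anonymous access
$MetabasePath = 'IIS://localhost/W3SVC/1/Root'  # assumed site (W3SVC/1 = first web site)

$FS      = [System.Security.AccessControl.FileSystemRights]
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-AllowAce([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Right) {
    # Allow ACE that applies to the folder, its subfolders and its files.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Right, $Inherit, $NoProp, $Allow
}

function Set-WebContentAcl([string]$Path, [string]$AnonymousAccount) {
    # Replace Everyone:Full Control with the default wwwroot-style ACL:
    # Administrators/SYSTEM full control, Users/IIS_WPG/anonymous read+execute.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)            # stop inheriting from E:\
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    $rules = @(
        (New-AllowAce 'BUILTIN\Administrators'     $FS::FullControl),
        (New-AllowAce 'NT AUTHORITY\SYSTEM'        $FS::FullControl),
        (New-AllowAce 'BUILTIN\Users'              $FS::ReadAndExecute),
        (New-AllowAce "$env:COMPUTERNAME\IIS_WPG"  $FS::ReadAndExecute),
        (New-AllowAce $AnonymousAccount            $FS::ReadAndExecute)
    )
    foreach ($ace in $rules) { $acl.AddAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

function Set-AnonymousUser([string]$Metabase, [string]$Account, [string]$Password) {
    # IIS 6 metabase via ADSI. A domain account needs its real password and
    # AnonymousPasswordSync off: sync only works for the machine-local IUSR_*.
    $node = [ADSI]$Metabase
    $node.Put('AnonymousUserName', $Account)
    $node.Put('AnonymousUserPass', $Password)
    $node.Put('AnonymousPasswordSync', $false)
    $node.SetInfo()
}

function Get-UnresolvedAce([string]$Path) {
    # Get-Acl reports an ACE as a raw SID when this server cannot map it to a
    # name, e.g. a local IUSR_<othermachine> copied over with the content.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier] }
}

function Show-AccountScope([string]$Account) {
    # A local account's SID carries the machine SID as its issuer; a domain
    # account's carries the domain SID. Only the latter resolves on other members.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    '{0} -> {1} (issuer {2})' -f $Account, $sid.Value, $sid.AccountDomainSid
}

Show-AccountScope "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # machine-scoped SID
Show-AccountScope $AnonAccount                                  # domain-scoped SID

Set-WebContentAcl -Path $ContentRoot -AnonymousAccount $AnonAccount
$pw = Read-Host "Password for $AnonAccount"
Set-AnonymousUser -Metabase $MetabasePath -Account $AnonAccount -Password $pw

Get-UnresolvedAce -Path $ContentRoot | Format-Table IdentityReference, FileSystemRights -AutoSize
# IIS serves content from the local path; the Everyone:Full Control share on E:
# plays no part in hosting and can be removed:  net share <sharename> /delete
```

The two Show-AccountScope lines make the reply's SID point visible: on WEB01 the issuer printed for IUSR_WEB01 is WEB01's own machine SID, while the issuer for the domain account is the domain SID, which is why only the domain account can be named in an ACL that has to mean the same thing on SBS01 and WEB01. Get-Acl is used for the audit because it falls back to the raw SID for entries it cannot translate, so an empty result from Get-UnresolvedAce means every ACE on the content root resolves on this server. The Users read+execute entry mirrors the default wwwroot ACL quoted in the reply; on a domain member that includes Domain Users, so drop that ACE if the content should be readable only by the anonymous account and administrators. Changing W3SVC/1 on WEB01 does not touch the SBS server's own sites, so OWA and RWW on SBS01 keep their existing anonymous account.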
