What is the Exact Role of IUSER?

djinn_uid0 used Ask the Experts™
If i set a directory as writable by IUSER, is it vulnerable to being comprimised by anonymous users? if so how could this be done? I want to understand this better.
Who exactly are "IUSER"s? Whats the difference between IUSER and IWAM?

Any iformation on this is greatly appreciated.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Here is some information on these two accounts:

This information taken from : http://www.skybuilders.com/users/jesse/docs/securityPolicy.html

IUSR_[host machine]: In order to allow the world to browse into your web site pages published on the internet your Windows 2000 web server needs to allow the IUSR user to have at least Read privileges on the physical folder where the web site serves from. If you want the IUSR to enter text into electronic forms or other modifiable information gathering interfaces then the IUSR must also have Write privileges. If you want to allow your internet visitor to browse down the site subdirectory structure the IUSR will also need to have List Folder Contents privileges or Traverse Folder/Execute File privileges.

IWAM_[host machine]: This user, IWAM (Internet Web Administration Manager), is not well explained in much documentation I have encountered. IWAM_[host machine] is often mentioned in the same breath as the IUSR_[host machine] user. In the absence of information I cannot make any recommendations conerning it. Please examine the following web page excerpts on the subject.

From Deja: When IIS is installed, it creates two user accounts, assigns them specific user rights, and places them in specific user groups. These two accounts are IUSR_computername and IWAM_computername. The IUSR_computername account is used by IIS to grant anonymous access to Web resources. IWAM_computername is the account used by Microsoft Transaction Server (MTS) and various IIS entities to provide programmatic and transactional functions.

From Microsoft - Updating IIS after the Computer Name Is Changed (search on ../Q234/1/42.ASP): This may or may not be pertinant. The article claims that potential IWAM "sync" problems do not apply to MS 2000.

From Microsoft - Server Reliability through Process Isolation (search on ../server112299): The IWAM_machine (IWAM for short) account, seen in Figure 5, can be a common source of problems if you don't know a few tricks. The IWAM account is an important account; it's the default account that's used when you set your Web applications to run out of process from IIS.

A problem occurs when you change the IWAM account's password through NT USERMGR without informing IIS of the changes. You need to update IIS manually because the IWAM account does not have the same password synchronization option that the IUSR account does. IUSR's password synchronization option automatically synchronizes any changes in USRMGR with the IUSR's password stored in the metabase. If you change the password to the IWAM account in USERMGR, you will also need to make the same change to the MTS packages for out-of-process applications that you have already created for IIS. You also need to make the change to the WAMUserPass property in the metabase, which is where IIS stores the IWAM account information that it will use when it is creating new out-of-process applications in the future.

From Microsoft - Web Hosting with IIS 5.0 (URL not available): The IUSER computer name account is the anonymous access user account, the IWAM computer name account is the account that allows you to run ASPs, CGIs, and so on. IUSER handles anonymous connectivity, and IWAM is used to launch ASP and CGI applications

Hope this helps.
IUSER, is used as a backdoor by microsoft to spy on you,
this alows the programmers to hack your PC and get inside to steel your idenity, you credit information, even listen to what your saying by revers engineering you speakers and making them microphones.
Just kidding Or Am I?!?!?!?
here is some info




I guess I should have asked what are the vulerablilties of IUSER. From what i can tell it does allow access to the directory or file by means that can be exploited easily if set to writable. Would this be correct? if so, what can i do to allow directories to be written to by scripts without risk of being compromised.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial