Solved

IIS won't allow anonymous access

Posted on 2004-04-27
Last Modified: 2012-08-14
Hi all experts,

I am having a problem in IIS 5.0 running on Windows 2000 SP4 where it won't allow anonymous access. Users accessing the site will be shown "You are not authorized to view this page". The website is in a Site and the directory security has "Allowed anonymous access" checked. It uses the default IUSR_<SVR> user with IIS allowed to control the password where <SVR> is the server name. There are also no restrictions on IP address with all computers granted access by default.

I have also checked the permission for 'wwwroot' directory and Everyone is allowed access (propagated from the parent directory). In User Rights, IUSR_<SVR> and IWAM_<SVR> are allowed to 'Access this computer from the network' and 'Logon as batch job' (if I'm not mistaken, this only applies to FTP). In Security Options, the value for 'Additional restrictions for anonymous connections' is set to 'No access without explicit anonymous permissions' although I have tried with all three values and it's the same.

Any other settings that might be causing this? Thanks.
Question by:js_cheng
9 Comments
 
LVL 7

Expert Comment

by:magus123
http://www.iisfaq.com/   I found a site dedicated to setting up IIS correctly and
also troubleshooting problems for IIS. Please look around.
 
LVL 8

Expert Comment

by:jodypeet
Have you verified your default page is listed in the Documents tab of your website?
If you have index.htm as your page but IIS is using default.htm, when the user connects the server doesn't give them the correct page.
Go to properties of the site and check the Documents tab, make sure your correct start page is listed at the top, or better, the only one listed.
 
LVL 5

Expert Comment

by:ralonso
Have you applied the IIS lockdown tool?

It's a pain in the back, and the uninstallation is maybe even more damaging than the installation.

Is the page HTML or ASP? If it contains some scripting maybe the password for IWAM is not properly set.

You may also want to force a synchronization between the passwords stored in AD and the metabase for IUSR and IWAM:
Choose two strong passwords (nobody will have to remember them), something like 'ZxY5$!3q' or 'AyW*4+c' for these accounts.

Method 1: Change the Passwords in User Manager or Users and Groups to Match the IIS Metabase Password

1. In the Command window, locate the folder that contains the Adsutil.vbs file. Use the Adsutil.vbs tool to obtain the passwords for the IWAM and IUSR accounts from the IIS metabase.
2. To change the IUSR and/or IWAM passwords in Windows NT, follow these steps:
   a. From the Start menu, point to Programs, point to Administrative Tools, and then click User Manager for Domains. In User Manager for Domains, you can change the account information for all Windows NT user accounts and groups.
   b. Double-click the IUSR_ComputerName and/or IWAM_ComputerName users, and modify the passwords so that they reflect the IIS metabase password that you obtained in step 1.
   To change the IUSR and/or IWAM passwords in Windows 2000, follow these steps:
   a. From the Start menu, point to Programs, point to Administrative Tools, and then click Computer Management.
   b. Under the System Tools node, click to expand the Local Users and Groups and Users nodes. In the User node, you can change the account information for all Windows 2000 user accounts and groups.
   c. Right-click the IUSR_ComputerName and/or IWAM_ComputerName accounts, and then click Set Password.
   d. Modify the passwords so that they reflect the IIS metabase password that you obtained in step 1.
3. Browse to the ASP page that returned the error message to check if the problem has been resolved.

Method 2: Change the IIS Metabase to Match the IUSR and/or IWAM Passwords

1. To change the IUSR and/or IWAM password in Windows NT, follow these steps:
   a. From the Start menu, point to Programs, point to Administrative Tools, and then click User Manager for Domains. In User Manager for Domains, you can change the account information for all Windows NT user accounts and groups.
   b. Double-click the IUSR_ComputerName and/or IWAM_ComputerName accounts, and type new passwords.
   To change the IUSR and/or IWAM password in Windows 2000, follow these steps:
   a. From the Start menu, point to Programs, point to Administrative Tools, and then click Computer Management.
   b. Under the System Tools node, click to expand the Local Users and Groups and Users nodes. In the User node, you can change the account information for all Windows 2000 user accounts and groups.
   c. Right-click the IUSR_ComputerName and/or IWAM_ComputerName accounts, and then click Set Password. Type new passwords.
2. In the Command window, locate the folder that contains the Adsutil.vbs file. Use the Adsutil.vbs utility to set the passwords for the IWAM and IUSR accounts in the IIS metabase.
3. Browse to the ASP page that returned the error message to check if the problem has been resolved.

http://support.microsoft.com/?kbid=297989
 
LVL 7

Expert Comment

by:jatcan
MS Software Update Services disables all anonymous access to IIS on install by default and design. You need the IIS lockdown tool to fix this problem. If you have recently installed MS SUS then you know what the problem is now.

Cheers,

jatcan

Author Comment

by:js_cheng
Ralonso,

I need some time to try out those things you suggested. I have tried to set the IUSR password manually before and enter it into the Directory Security but the same error occurs.

Anyway, the pages are static pages (HTML, Javascripts, some JSPs). Pretty standard stuff. I suspect, besides IIS settings, it might also be caused by settings on the server itself but I can't pinpoint which one. The server has also undergone some hardening procedures before including securing registry, registry permissions and Local Security Policies. Any pointers on which setting might be causing the problem or what user rights are required by IIS to function properly?

Thank you.
 

Author Comment

by:js_cheng
Jatcan,

Thanks for the suggestion. I have tried applying the lockdown tool but it's still the same.
 
LVL 5

Accepted Solution

by:
ralonso earned 100 total points
Be extremely careful with lockdown tool, SUS installs it and while it enforces security, it disallows plenty of things.

If you uninstall it, it reverts IIS to the state it was before installing the lockdown tool. That means that it [seems to] restores a backup of the metabase, wiping all changes you may have done to IIS. As I said it's a pain.

I know it's not much relief, but every time I've used some of the things you say (like local security templates) my systems have become unusable. There's loads of crappy software still (even from MS itself) that need write permissions in the "wrong" part of the registry, or that require administrator access for the users.

If you believe that you may have a problem to do with permissions, one of the easier (if you can call that easy) ways of tracking it will be using tools like regmon and filemon (you can get them from www.sysinternals.com). Once you run them, keep looking for lines like "access denied". That way you will spot the registry key or file that was accessed, and by which process (you can remove processes unrelated to filter information)

Cheers.
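
The "look for access denied lines" triage suggested in the answer above, as an added example that is not part of the original post. It assumes the Regmon/Filemon capture was saved as tab-separated text with the columns sequence, time, process:pid, request, path, result, other (an assumed layout), and that the IIS worker processes of interest are inetinfo.exe and dllhost.exe; the sample rows, the IUSR_SVR account name and the registry key are constructed.

```python
import csv
import io
from collections import Counter

# Assumption: processes that serve IIS 5.0 requests on the host being traced.
IIS_PROCESSES = frozenset({"inetinfo.exe", "dllhost.exe"})

# Constructed sample rows: seq, time, process:pid, request, path, result, other
ROWS = [
    ("1", "10:15:02", "inetinfo.exe:884", "OPEN", r"C:\Inetpub\wwwroot\index.htm", "ACCESS DENIED", "IUSR_SVR"),
    ("2", "10:15:02", "explorer.exe:1200", "OPEN", r"C:\WINNT\system32\shell32.dll", "SUCCESS", ""),
    ("3", "10:15:03", "inetinfo.exe:884", "OPEN", r"C:\Inetpub\wwwroot\index.htm", "ACCESS DENIED", "IUSR_SVR"),
    ("4", "10:15:03", "inetinfo.exe:884", "QUERY INFORMATION", r"C:\Inetpub\wwwroot", "SUCCESS", ""),
    ("5", "10:15:04", "dllhost.exe:1432", "OpenKey", r"HKLM\SOFTWARE\Example\Key", "ACCDENIED", ""),
    ("6", "10:15:05", "svchost.exe:400", "OPEN", r"C:\WINNT\Temp\x.tmp", "ACCESS DENIED", ""),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS)


def denied_by_target(log_text, processes=IIS_PROCESSES):
    """Count denied operations per (process, request, path), most frequent first.

    Pass processes=None to keep every process instead of filtering to IIS.
    """
    hits = Counter()
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6:
            continue  # header, blank or truncated line
        process = row[2].rsplit(":", 1)[0].lower()  # drop the ":pid" suffix
        if processes and process not in processes:
            continue  # unrelated process, filtered out as the answer suggests
        if "DENIED" in row[5].upper():  # matches "ACCESS DENIED" and "ACCDENIED"
            hits[(process, row[3], row[4])] += 1
    return hits.most_common()


if __name__ == "__main__":
    for (process, request, path), count in denied_by_target(SAMPLE_LOG):
        print(f"{count:3d}  {process:14s} {request:10s} {path}")
```

Each path or key that comes out on top is a candidate for an ACL tightened during hardening; compare it against the rights the anonymous account needs before loosening anything.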
 
LVL 3

Expert Comment

by:JonIU17
Try something as simple as recalculating the website and reapplying your FrontPage extensions. This may clear it up as well. As far as NTFS permissions on the home folder of the web, give administrators and system full access, and the IUSR read access. Reapply all permissions to files and folders below the home folder. Should be all set.
