IUSER and IWAM Security Question

Hi all

I have been asked if the IUSER and IWAM accounts on IIS are necessary and/or whether they are a security risk. If so, how can we secure them?
Also, do UDP high ports present a problem as a permit rule in firewall access?
Thanks

Steve
Asked by shp44

Netman66 commented:
For IUSER and IWAM accounts, you can secure them with IIS Lockdown - but read carefully about when NOT to use this tool.  It breaks some things.

http://www.microsoft.com/technet/security/tools/locktool.mspx

If you installed Server 2003 fresh, then there is no need to run this tool - security is at least as good in a fresh IIS6 install as this tool will make an upgraded IIS5 installation.


As for your other question, you should only open the ports you absolutely need - and then only using ACLs (access control lists) so that the use of these ports is only by those who have been specifically allowed in the ACL.

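The advice above (open only what you need, and scope each permit rule to specific peers) can be checked against a running host. The following is an added example, not code from the thread or from any poster: it lists enabled inbound Allow rules that open UDP ports to any remote address, and shows a permit rule for a UDP high-port range in its unscoped form next to a scoped one. It assumes Windows 8 / Server 2012 or later (the NetSecurity module); the address 203.0.113.10 and the rule names are placeholders.

```powershell
# Added example (not from the thread): audit unscoped inbound UDP permit rules
# and compare an unscoped high-port rule with a scoped one.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later). Run elevated.

function Get-UnscopedUdpAllowRules {
    # Enabled, inbound, Allow rules whose UDP port filter is reachable from "Any" remote address
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        if ($portFilter.Protocol -eq 'UDP' -and $addrFilter.RemoteAddress -eq 'Any') {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Profile   = $_.Profile
                LocalPort = ($portFilter.LocalPort -join ',')    # "Any" or ranges such as 49152-65535
                Remote    = ($addrFilter.RemoteAddress -join ',')
            }
        }
    }
}

Get-UnscopedUdpAllowRules | Format-Table -AutoSize

# Weak form: the whole ephemeral UDP range, reachable from any address, on every profile.
# Left commented out deliberately; shown only for comparison.
# New-NetFirewallRule -DisplayName 'UDP high ports (unscoped)' -Direction Inbound `
#     -Protocol UDP -LocalPort '49152-65535' -Action Allow

# Scoped form: only the peer that needs it (placeholder address), only on the Domain profile.
# -WhatIf reports what would be created without changing the firewall.
New-NetFirewallRule -DisplayName 'UDP high ports from partner host (placeholder)' -Direction Inbound `
    -Protocol UDP -LocalPort '49152-65535' -RemoteAddress '203.0.113.10' `
    -Profile Domain -Action Allow -WhatIf
```

Before adding any permit rule for the ephemeral range, it is worth confirming the traffic actually needs an inbound rule at all: a stateful firewall already admits reply packets to connections the server initiated, so a standing allow on high ports is usually only needed for services that listen there, and then the remote-address scope is what keeps the rule narrow.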
Chris Dent (PowerShell Developer) commented:

> I have been asked if the IUSER and IWAM accounts on IIS are necessary and/or whether they are a security risk?

IUSR is the default Anonymous Access account. It's a member of the Guests group and has (or should have) very little permission on the server itself. If you don't need Anonymous Access to IIS then you don't need the IUSR account. By default it's assigned as the Access Account for Default Website (and the master web properties) - for that to work it will require NTFS permissions on whatever webpages (and resources) you want it to be able to see via IIS.

IWAM is the Process account; it's a user with only a very small number of privileges that's used to create any server-side (generally ASP) processing. It has a few privileges in the Local System policy that allow it to create processes but little else - these are normally granted via membership of the IIS_WPG (Worker Process Group on IIS 6 / Windows 2003).

Neither of the two is necessary as such; it depends what you need to do. It is possible to run ASP processing under the Network Service, Local Service and Local System accounts, but I would recommend using IWAM as it allows you to grant the least possible privileges. If you are hosting multiple websites on the server it also allows you to create very clear boundaries between each site / application.

There are many articles on (and about) securing IIS, to name but a few:

http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html
http://www.securityfocus.com/infocus/1765
https://itso.iu.edu/Protecting_IIS

As well as the IIS Lockdown tool Netman mentions above.

HTH

Chris

shp44 (Author) commented:
Hi Chris

Are you saying inherently IUSER and IWAM are not security holes that need to be plugged as long as the correct permissions are assigned?

Thanks again, and thank you Netman66

Steve
Chris Dent (PowerShell Developer) commented:

Yes, that's right in my opinion.

They're there to help you run your Web Server, and having accounts that you can explicitly control the permissions for is much more secure (or at least much easier to secure) than running something under default accounts (such as the Network Service).

In addition to the standard security settings you can always define your own accounts for both IUSR and IWAM to further isolate one bit of a webserver from another.

When all is said and done running a Web Server is more of a risk than the two accounts it generally uses.

Chris
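Chris's two answers come down to a checkable state: the anonymous and process accounts should sit in low-privilege groups (Guests, IIS_WPG) and hold only the NTFS rights the site content needs, and per-site accounts keep one application's permissions separate from another's. The script below is an added example, not code from the thread or from any poster, that audits exactly that. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module; the web root path is a placeholder, and the account name pattern defaults to the classic IUSR_*/IWAM_* names but can be widened to cover dedicated per-site accounts.

```powershell
# Added example (not from the thread): audit IIS anonymous/process accounts and
# the NTFS rights they hold on a web root. Assumes Windows PowerShell 5.1+ with
# the Microsoft.PowerShell.LocalAccounts module. Run elevated.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',          # placeholder: your site's content root
    [string]$AccountPattern = '^(IUSR|IWAM)'            # widen to match dedicated per-site accounts
)

# Rights a read-only anonymous account or a worker account should not normally hold on content
$excessiveRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-IisAccountReport {
    # Which local accounts match the pattern, whether they are enabled, and which
    # of the groups that matter they belong to. IIS_WPG is the IIS 6 worker-process
    # group; IIS_IUSRS is its successor on IIS 7 and later.
    $watchGroups = 'Administrators', 'Users', 'Guests', 'IIS_WPG', 'IIS_IUSRS'
    $accounts = Get-LocalUser | Where-Object { $_.Name -match $AccountPattern }
    foreach ($acct in $accounts) {
        $memberOf = foreach ($group in $watchGroups) {
            $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
            if ($members.Name -contains "$env:COMPUTERNAME\$($acct.Name)") { $group }
        }
        [pscustomobject]@{
            Account  = $acct.Name
            Enabled  = $acct.Enabled
            MemberOf = ($memberOf -join ',')
            # An IIS service account in Administrators defeats the whole point of having it
            Finding  = $(if ($memberOf -contains 'Administrators') { 'in Administrators' } else { '' })
        }
    }
}

function Get-IisContentAclReport {
    # Every explicit or inherited ACE on the web root granted to a matching account,
    # flagged when it allows more than read/execute.
    $acl = Get-Acl -Path $WebRoot
    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value              # e.g. HOST\IUSR_HOST or NT AUTHORITY\IUSR
        $shortName = ($identity -split '\\')[-1]
        if ($shortName -notmatch $AccountPattern) { continue }
        $tooMuch = ($ace.AccessControlType -eq 'Allow') -and
                   (([int]$ace.FileSystemRights -band [int]$excessiveRights) -ne 0)
        [pscustomobject]@{
            Path      = $WebRoot
            Identity  = $identity
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Finding   = $(if ($tooMuch) { 'write-class rights on content' } else { '' })
        }
    }
}

Get-IisAccountReport    | Format-Table -AutoSize
Get-IisContentAclReport | Format-Table -AutoSize
```

Two things the output does not settle on its own: an upload or log directory under the web root may legitimately need Write for the process account, so a flagged ACE is a prompt to confirm the directory's purpose rather than an automatic defect; and inherited ACEs can carry generic rights bits that the enum names do not cover, which is why the check is done on the integer value.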