IUSER and IWAM Security Question

Posted on 2006-04-23
Last Modified: 2010-05-18
Hi all

I have been asked if the IUSER and IWAM accounts on IIS are necessary and/or are they a security risk? If so, how can we secure them?
Also, do UDP high ports present a problem as a permit rule in firewall access?

Question by:shp44

    Assisted Solution

    For IUSER and IWAM accounts, you can secure them with IIS Lockdown - but read carefully about when NOT to use this tool.  It breaks some things.

    If you installed Server 2003 fresh, then there is no need to run this tool - security is at least as good in a fresh IIS6 install as this tool will make an upgraded IIS5 installation.

    As for your other question, you should only open the ports you absolutely need - and then only using ACLs (access control lists) so that the use of these ports is only by those who have been specifically allowed in the ACL.


    Accepted Solution


    > I have been asked if the IUSER and IWAM accounts on IIS are necessary and/or are they a security risk?

    IUSR is the default Anonymous Access account. It's a member of the Guests group and has (or should have) very little permission on the server itself. If you don't need Anonymous Access to IIS then you don't need the IUSR account. By default it's assigned as the Access Account for Default Website (and the master web properties) - for that to work it will require NTFS permissions on whatever webpages (and resources) you want it to be able to see via IIS.

    IWAM is the Process account; it's a user with only a very small number of privileges that's used to create any server-side (generally ASP) processing. It has a few privileges in the Local System policy that allow it to create processes but little else - these are normally granted via membership of the IIS_WPG (Worker Process Group on IIS 6 / Windows 2003).

    Neither of the two are necessary as such; it depends what you need to do. It is possible to run ASP processing under the Network Service, Local Service and Local System accounts, but I would recommend using IWAM as it allows you to grant the least possible privileges. If you are hosting multiple websites on the server it also allows you to create very clear boundaries between each site / application.

    There are many articles on (and about) securing IIS, to name but a few:

    As well as the IIS Lockdown tool Netman mentions above.



    Author Comment

    Hi Chris

    Are you saying inherently IUSER and IWAM are not security holes that need to be plugged as long as the correct permissions are assigned?

    Thanks again and thank you Netmann66


    Assisted Solution

    by:Chris Dent

    Yes, that's right in my opinion.

    They're there to help you run your Web Server and having accounts that you can explicitly control the permissions for is much more secure (or at least much easier to secure) than running something under default accounts (such as the Network Service).

    In addition to the standard security settings you can always define your own accounts for both IUSR and IWAM to further isolate one bit of a webserver from another.

    When all is said and done running a Web Server is more of a risk than the two accounts it generally uses.
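
The permission check the answers above describe, as an added PowerShell example that is not part of the original thread: it lists NTFS entries under the web root that give the anonymous or process account write, delete or ACL-changing rights. The default account names (`IUSR_<computer>`, `IWAM_<computer>`), the `C:\Inetpub\wwwroot` path and the function name are assumptions; pass your own values if you use custom accounts.

```powershell
# Added example: audit NTFS ACEs held by the IIS anonymous/process accounts.
# Assumptions: default account names IUSR_<computer> / IWAM_<computer> and the
# default web root C:\Inetpub\wwwroot; the function name is hypothetical.
function Find-WebAccountWriteAccess {
    param(
        [string]   $Path     = 'C:\Inetpub\wwwroot',
        [string[]] $Accounts = @('*\IUSR_*', '*\IWAM_*')
    )
    # Rights that let an account alter content or the ACL itself.
    $risky   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $generic = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, stored unmapped by some tools

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Path not found: $Path"
        return
    }
    $root  = Get-Item -LiteralPath $Path -Force
    $items = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Below the root, only explicit ACEs are new information.
            if ($ace.IsInherited -and $item.FullName -ne $root.FullName) { continue }
            $id = $ace.IdentityReference.Value
            if (-not ($Accounts | Where-Object { $id -like $_ })) { continue }
            $rights = [int]$ace.FileSystemRights
            if (($rights -band [int]$risky) -or ($rights -band $generic)) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Account  = $id
                    Rights   = $ace.FileSystemRights
                    Explicit = -not $ace.IsInherited
                }
            }
        }
    }
}

Find-WebAccountWriteAccess | Format-Table -AutoSize
```

An empty result means neither account holds more than read/execute access on the content; any row returned is a place where anonymous requests or ASP code could modify files.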

