?
Solved

IUSER and IWAM Security Question

Posted on 2006-04-23
4
Medium Priority
?
1,139 Views
Last Modified: 2010-05-18
Hi all

I have been asked if the IUSER and IWAM accounts on IIS are necessary and/are they a security risk? If so how can we secure them.
ALso, do UDP high ports present a problem as a permit rule in Firewall access.
Thanks

Steve
0
Comment
Question by:shp44
  • 2
4 Comments
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 600 total points
ID: 16521439
For IUSER and IWAM accounts, you can secure them with IIS Lockdown - but read carefully about when NOT to use this tool.  It breaks some things.

http://www.microsoft.com/technet/security/tools/locktool.mspx

If you installed Server 2003 fresh, then there is no need to run this tool - security is at least as good in a fresh IIS6 install as this tool will make an upgraded IIS5 installation.


As for your other question, you should only open the ports you absolutely need - and then only using ACLs (access control lists) so that the use of these ports is only by those whom have been specifically allowed in the ACL.

0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 1400 total points
ID: 16523087

> I have been asked if the IUSER and IWAM accounts on IIS are necessary and/are they a security risk?

IUSR is the default Anonymous Access account. It's a member of the Guests group and has (or should have) very little permission on the server itself. If you don't need Anonymous Access to IIS then you don't need the IUSR account. By default it's assigned as the Access Account for Default Website (and the master web properties) - for that to work it will require NTFS permissions on whatever webpages (and resources) you want it to be able to see via IIS.

IWAM is the Process account, it's a user with only a very small number of priviledges that's used to create any Server side (generally ASP) processing. It has a few priviledges in the Local System policy that allow it to create processes but little else - these are normally granted via membership of the IIS_WPG (Worker Process Group on IIS 6 / Windows 2003).

Neither of the two are necessary as such, it depends what you need to do. it is possible to run ASP processing under the Network Service, Local Service and Local System accounts, but I would recommend using IWAM as it allows you to grant the least possible priviledges. If you are hosting multiple websites on the server it also allows you to create very clear boundaries between each site / application.

There are many articles on (and about) securing IIS, to name but a few:

http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html
http://www.securityfocus.com/infocus/1765
https://itso.iu.edu/Protecting_IIS

As well as the IIS Lockdown tool Netman mentions above.

HTH

Chris
0
 

Author Comment

by:shp44
ID: 16526876
Hi Chris

Are you saying inherently IUSER and IWAM are not security holes that need to be plugged as long as the correct perimissions are assigned?

Thanks again and thank u Netmann66

Steve
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1400 total points
ID: 16527233

Yes, that's right in my opinion.

They're there to help you run your Web Server and having accounts that you can explicity control the permissions for is much more secure (or at least much easier to secure) than running something under default accounts (such as the Network Service).

In addition to the standard security settings you can always define your own accounts for both IUSR and IWAM to further isolate one bit of a webserver from another.

When all is said and done running a Web Server is more of a risk than the two accounts it generally uses.

Chris
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Occasionally Windows/Microsoft Updates will fail to update. We have found a code that will delete all temporary files and re-register all dll's related to Windows/Microsoft Updates! This works 99% of the time to get the updates working again! The…
Just about everyone has an old PC laying around.  Ask anyone in the IT industry, whether they are a professional or play in it as a hobby.  From outdated Desktops to cheap "throwaway" laptops, they are all around and not as hard to "fix up" as you m…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.
Suggested Courses

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question