AD domain users for IIS Anon Users

Posted on 2007-07-19
Last Modified: 2012-05-05
I'm setting up a Windows 2003 R2 box with IIS 6 that pulls from a share. The box will host multiple sites and from reading it is advisable to use a unique IUSR for each. Not a problem. I'd like to make them domain users so that they can be managed in AD.

My question is: what are the security concerns when using domain users as anonymous users and as user accounts for application pools? I've noticed that the default domain user has a lot of access to the rest of the domain and I want to make sure that I don't provide people with a nice pool of users with which to go roaming about my network.

Also, on the share that is being used, should I give all read and write and then use NTFS permissions on the folders themselves to limit read and write?

Have searched on this and have a feeling my search terms are my biggest problem.
Question by: pubdyn

    Expert Comment

    Add the shares as virtual directories in IIS:

    Right click on the web site:
    New > Virtual Directory
    Select an alias
    In the path, enter the UNC (\\<server>\share)
    Deselect 'Always use the authenticated user's credentials ...'
    Enter the user name and password instead.
    If you are using domain users, the format is <domain>\<user> for the user name.
    Make sure that the passwords of these users do not expire.
    Make them only members of the domain users group.

    If you want the shares to be read-only, apply only read as share and ntfs permissions.
    If you want them to be writeable, use change permission for both share and ntfs.

    Don't worry about the user accounts being abused: only the web server will use them to access the share and present it to the clients.
    External access is made with the IUSR account when you enable anonymous access in the web site's security.

    Hope it makes sense.
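The procedure above, scripted end to end as an added example (this is not code from the thread, and the names are assumptions): a per-site domain account, locked-down share and NTFS permissions, and an IIS 6 virtual directory that points at the UNC path with explicit credentials rather than pass-through authentication. Assumed names: domain CORP, OU "WebServiceAccounts", file server FS01 with share \\FS01\site1 backed by D:\Shares\site1, metabase web site instance W3SVC/1, alias "site1". The IIS ADSI provider (IIS://localhost/W3SVC) and the UNCUserName/UNCPassword metabase properties are what the MMC writes when you fill in the "Connect As" dialog, so this is the same configuration the GUI steps produce.

```powershell
# Added example, not from the original thread. Assumed: domain CORP, file server FS01,
# share \\FS01\site1 (D:\Shares\site1 on FS01), IIS 6 web site instance W3SVC/1.
# Run the AD and IIS parts on the web server as a domain admin; run the icacls /
# net share lines on FS01. Windows Server 2003 R2 needs PowerShell 1.0 installed
# (optional component); icacls.exe ships with Windows Server 2003 SP2.

$Domain    = 'CORP'
$Account   = 'svc_web_site1'                 # one account per site
$Password  = 'replace-with-a-long-random-value'   # placeholder, generate per account
$Share     = '\\FS01\site1'
$LocalPath = 'D:\Shares\site1'               # folder behind the share, on FS01
$Alias     = 'site1'
$SiteId    = 1                               # W3SVC instance id of the web site

# 1. Create the account in its own OU. Domain Users is the primary group, so it stays;
#    simply add the account to nothing else. Password set to never expire as advised.
$ou = [ADSI]"LDAP://OU=WebServiceAccounts,DC=corp,DC=example"   # assumed OU
$u  = $ou.Create('user', "CN=$Account")
$u.Put('sAMAccountName', $Account)
$u.SetInfo()                                  # object must exist before SetPassword
$u.SetPassword($Password)
# userAccountControl: NORMAL_ACCOUNT (0x200) + DONT_EXPIRE_PASSWD (0x10000)
$u.Put('userAccountControl', (0x200 -bor 0x10000))
$u.SetInfo()

# 2. On FS01: share permission and NTFS permission both limited to the site account
#    plus Administrators. Read-only site: READ on the share and RX on NTFS.
#    (net share /GRANT is assumed to be available on the file server's OS version;
#    otherwise set the same share permission in the Sharing tab.)
$fileServerCommands = @"
icacls "$LocalPath" /inheritance:r /grant "BUILTIN\Administrators:(OI)(CI)F" /grant "$Domain\$Account:(OI)(CI)RX"
net share $Alias="$LocalPath" /GRANT:$Domain\$Account,READ /GRANT:Administrators,FULL
"@
Write-Host "Run on FS01:`n$fileServerCommands"

# 3. Virtual directory with explicit credentials ("Connect As"), not the
#    authenticated user's credentials. AccessScript is needed for ASP pages;
#    drop it for static content.
$root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
$vdir = $root.Create('IIsWebVirtualDir', $Alias)
$vdir.Put('Path',        $Share)
$vdir.Put('UNCUserName', "$Domain\$Account")
$vdir.Put('UNCPassword', $Password)
$vdir.Put('AccessRead',  $true)
$vdir.Put('AccessScript', $true)
$vdir.SetInfo()

# 4. Verify what the metabase now holds for the alias (password is not readable back).
$check = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root/$Alias"
Write-Host ("{0} -> {1} as {2}" -f $Alias, $check.Path, $check.UNCUserName)
```

Because the password is written to the metabase, anyone who can read the metabase (local Administrators, or anyone who obtains a metabase backup) can recover it; keeping the account at Domain Users only and read-only on one share limits what that recovery is worth.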

    Author Comment

    I'm using ASP, and wouldn't the server be executing these scripts as the domain IUSR account? In that case the permissions that are available to the default domain user account come into play if someone uploads an ASP page. What I'm worried about is what, by default, domain users have access to.


    Expert Comment

    IUSR_<servername> is a user local to the web server.
    It's not a domain account unless your web server is also a DC (not advisable)
    IUSR_<servername> is used for anonymous access.
    Where did you read that it had to be unique for each website?
    Web pages are run under the application pool's identity which is 'network service' by default.

    Accepted Solution

    From the webcasts I've been watching, they recommend that you use individual users for IUSR for each site. It makes good sense. If one site is compromised, the others are still safe because the NTFS permissions will not be there for that one IUSR to use other files. The webcast I was watching said that you could use domain users for this purpose. This would be ideal as management of the users would be cake, being able to split them out into separate OUs by client and site. Right now we've got an IIS 5.1 box with FTP users being local accounts and administration is a pain. Also the new IIS 6 box will be part of an NLB cluster with DFS file shares on the back end. Trying to maintain local user accounts across multiple boxes feels like it would be a nightmare. Even taking scripting into account, it seems using domain users in AD is a much more elegant solution if I can get my head around the security concerns.
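The isolation argument in the accepted solution, and the point in the previous expert comment that pages run under the application pool identity rather than the anonymous account, together as an added example (not code from the thread; all names are assumptions): each site gets its own application pool running as its own domain account, and an audit function checks that no site's account, and none of the broad groups every domain account belongs to, has an Allow ACE on another site's content. Assumed: domain CORP, accounts svc_web_<site>, content at \\FS01\<site>, and a site-name to W3SVC instance-id map. In IIS 6 a custom pool identity must also be in the local IIS_WPG group or the worker process will not start.

```powershell
# Added example, not from the original thread. Assumed: domain CORP, one account
# svc_web_<site> per site, content shares \\FS01\<site>, metabase site ids below.
$Domain    = 'CORP'
$Sites     = @{ 'site1' = 1; 'site2' = 2 }                 # site name -> W3SVC id
$Passwords = @{ 'site1' = 'placeholder-1'; 'site2' = 'placeholder-2' }

# 1. One application pool per site, identity type 3 = specific user account.
foreach ($site in $Sites.Keys) {
    $poolName = "Pool_$site"
    $account  = "$Domain\svc_web_$site"

    & net localgroup IIS_WPG $account /add | Out-Null   # required for custom pool identities on IIS 6

    $pools = [ADSI]'IIS://localhost/W3SVC/AppPools'
    $pool  = $pools.Create('IIsApplicationPool', $poolName)
    $pool.Put('AppPoolIdentityType', 3)
    $pool.Put('WAMUserName', $account)
    $pool.Put('WAMUserPass', $Passwords[$site])
    $pool.SetInfo()

    $siteRoot = [ADSI]"IIS://localhost/W3SVC/$($Sites[$site])/Root"
    $siteRoot.Put('AppPoolId', $poolName)
    $siteRoot.SetInfo()
}

# 2. Audit: a site account (or a catch-all group) with Allow rights on another
#    site's folder defeats the per-site isolation the thread is after.
function Test-SiteIsolation {
    param([hashtable]$Sites, [string]$Domain, [string]$FileServer = 'FS01')

    $broadGroups = @("$Domain\Domain Users", 'NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')
    $violations  = @()

    foreach ($site in $Sites.Keys) {
        $path = "\\$FileServer\$site"
        $acl  = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value

            # another site's service account on this site's content
            foreach ($other in $Sites.Keys) {
                if ($other -ne $site -and $who -eq "$Domain\svc_web_$other") {
                    $violations += "$who has $($ace.FileSystemRights) on $path"
                }
            }
            # a group that every domain account is implicitly in
            if ($broadGroups -contains $who) {
                $violations += "$who (broad group) has $($ace.FileSystemRights) on $path"
            }
        }
    }
    return $violations
}

$problems = Test-SiteIsolation -Sites $Sites -Domain $Domain
if ($problems.Count -eq 0) {
    Write-Host 'OK: no cross-site or broad-group Allow ACEs found.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run the audit after every deployment that touches ACLs; the "broad group" check is the one that catches the case the question worries about, where content is readable by Domain Users or Authenticated Users and a compromised site account can therefore read every other site's files.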
