AD domain users for IIS Anonymous Users

I'm setting up a Windows 2003 R2 box with IIS 6 that pulls from a share. The box will host multiple sites and from reading it is advisable to use a unique IUSR for each. Not a problem. I'd like to make them domain users so that they can be managed in AD.

My question is what are the security concerns when using domain users as anonymous users and as user accounts for application pools. I've noticed that the default domain user has a lot of access to the rest of the domain and I want to make sure that I don't provide people with a nice pool of users with which to go roaming about my network.

Also, on the share that is being used, should I give all read and write and then use NTFS permissions on the folders themselves to limit read and write?

Have searched on this and have a feeling my search terms are my biggest problem.
pubdyn Author Commented:
From the webcasts I've been watching, they recommend that you use individual users for IUSR for each site. It makes good sense. If one site is compromised the others are still safe because the NTFS permissions will not be there for that one IUSR to use other files. The webcast I was watching said that you could use domain users for this purpose. This would be ideal as management of the users would be cake, being able to split them out into separate OUs and by client and site. Right now we've got an IIS 5.1 box with FTP users being local accounts and administration is a pain. Also the new IIS 6 box will be part of an NLB cluster with DFS file shares on the back end. Trying to maintain local users across multiple boxes feels like it would be a nightmare. Even taking scripting into account, it seems using domain users on AD is a much more elegant solution if I can get my head around the security concerns.
Add the shares as virtual directories in IIS:

Right click on the web site:
New > Virtual Directory
Select an alias
In the path, enter the UNC (\\<server>\share)
Deselect 'Always use the authenticated user's credentials ...'
Enter the user name and password instead.
If you are using domain users, the format is <domain>\<user> for the user name.
Make sure that the passwords of these users do not expire.
Make them members of the Domain Users group only.

If you want the shares to be read-only, apply only read as share and ntfs permissions.
If you want them to be writeable, use change permission for both share and ntfs.

Don't worry about the user accounts being abused: only the web server will use them to access the share and present it to the clients.
External access is made with the IUSR account when you enable anonymous access in the web site's security.

Hope it makes sense.
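The procedure above (one dedicated domain account per site, password set to never expire, no group beyond Domain Users, read-only NTFS rights, and an IIS 6 virtual directory that connects to the UNC path with that account instead of passing through the caller's credentials) can be scripted. The block below is an added example, not code from the thread; it uses only ADSI so it runs under PowerShell 1.0 on Windows 2003, and the domain name, OU, share path, folder, site ID and account name are all assumptions.

```powershell
# Added example (not from the original thread): provision a dedicated domain
# account for one site and wire it into an IIS 6 virtual directory that points
# at a UNC share. EXAMPLE domain, OU, paths, site ID 1 and the account name are
# assumptions. Run as a domain admin on the IIS 6 box; only ADSI is used because
# Windows 2003 has no ActiveDirectory PowerShell module.

$domain   = "EXAMPLE"
$ouPath   = "LDAP://OU=WebServiceAccounts,DC=example,DC=com"
$siteId   = 1                                   # metabase ID of the web site
$alias    = "content"                           # virtual directory alias
$uncPath  = "\\fileserver\webcontent\site1"
$account  = "IUSR_site1"
$password = "Long-Random-Passphrase-Here-1!"    # generate a fresh one per account

# --- 1. Create the account: enabled, password never expires, no extra groups ---
$ou   = [ADSI]$ouPath
$user = $ou.Create("user", "CN=$account")
$user.Put("sAMAccountName", $account)
$user.Put("userPrincipalName", "$account@example.com")
$user.Put("description", "IIS identity for site1 - do not add to any group")
$user.SetInfo()
$user.SetPassword($password)
# 0x0200 NORMAL_ACCOUNT | 0x10000 DONT_EXPIRE_PASSWD (ACCOUNTDISABLE 0x2 cleared)
$user.Put("userAccountControl", 0x10200)
$user.SetInfo()
# A new user's primary group is Domain Users; nothing else is added on purpose.

# --- 2. NTFS: read/execute only for this account on the site's folder ---
# Run this part on the file server, against the local folder behind the share.
$folder = "D:\webcontent\site1"
$acl    = Get-Acl $folder
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\$account", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl
# Matching share-level permission (Server 2003 'net share' supports /GRANT):
#   net share webcontent=D:\webcontent /GRANT:EXAMPLE\IUSR_site1,READ

# --- 3. IIS 6: virtual directory that connects to the share with fixed creds ---
$siteRoot = [ADSI]"IIS://localhost/W3SVC/$siteId/Root"
$vdir = $siteRoot.Create("IIsWebVirtualDir", $alias)
$vdir.Put("Path", $uncPath)
$vdir.Put("UNCUserName", "$domain\$account")
$vdir.Put("UNCPassword", $password)
# $false = untick 'Always use the authenticated user's credentials ...'
$vdir.Put("UNCAuthenticationPassthrough", $false)
$vdir.Put("AccessRead",   $true)
$vdir.Put("AccessScript", $true)    # needed for ASP; leave $false for static content
$vdir.Put("AccessWrite",  $false)   # the web server never writes content over HTTP
$vdir.SetInfo()

# --- 4. Same account for anonymous requests on this site ---
# A compromise of this site's pages can then only reach what IUSR_site1 can read.
$siteRoot.Put("AnonymousUserName", "$domain\$account")
$siteRoot.Put("AnonymousUserPass", $password)
$siteRoot.SetInfo()
```

The account needs the "Access this computer from the network" right on the web server (IIS 6 anonymous logons are network logons by default), which Domain Users normally has on a member server; if you tighten that right, add the site accounts explicitly. Repeat the script with a different `$siteId`, `$account` and folder for each site so that no two sites share an identity or a readable folder.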
pubdynAuthor Commented:
I'm using ASP, and wouldn't the server be executing these scripts as the domain IUSR account? In that case the permissions that are available to the default domain user account come into play if someone uploads an ASP page. What I'm worried about is what, by default, Domain Users have access to.

IUSR_<servername> is a user local to the web server.
It's not a domain account unless your web server is also a DC (not advisable).
IUSR_<servername> is used for anonymous access.
Where did you read that it had to be unique for each website?
Web pages are run under the application pool's identity, which is 'Network Service' by default.
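Since requests are served under three identities (the site's anonymous user, the UNC connection user, and the application pool identity), the practical check for the original concern is to enumerate all three for every site and pool and confirm that any domain account among them belongs to no group beyond Domain Users. The script below is an added example, not code from the thread; it reads the IIS 6 metabase through ADSI and AD through a DirectorySearcher, and the LDAP root is an assumption.

```powershell
# Added example (not from the original thread): list the anonymous user and UNC
# user of each IIS 6 site and the identity of each application pool, then flag
# domain accounts that are members of any group besides their primary group
# (Domain Users). Run on the IIS 6 server; the LDAP root is an assumption.

$w3svc    = [ADSI]"IIS://localhost/W3SVC"
$machine  = $env:COMPUTERNAME
$ldapRoot = "LDAP://DC=example,DC=com"   # assumption: your domain's root

function Get-ExtraGroups([string]$samAccount) {
    # memberOf never lists the primary group, so a correctly hardened
    # IUSR account (Domain Users only) yields an empty list here.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$ldapRoot
    $searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$samAccount))"
    [void]$searcher.PropertiesToLoad.Add("memberOf")
    $result = $searcher.FindOne()
    $groups = @()
    if ($result -ne $null) {
        foreach ($g in $result.Properties["memberof"]) { $groups += $g }
    }
    return $groups
}

function Test-Identity([string]$where, [string]$identity) {
    if (-not $identity) { return }               # property not set at this level
    $parts = $identity.Split([char]'\')
    $isLocal = ($parts.Count -ne 2) -or ($parts[0] -eq $machine) -or ($parts[0] -eq ".")
    if ($isLocal) {
        Write-Host "ok   $where uses local/builtin identity $identity"
        return
    }
    $groups = Get-ExtraGroups $parts[1]
    if ($groups.Count -gt 0) {
        $list = [string]::Join("; ", $groups)
        Write-Host "WARN $where uses domain account $identity with extra groups: $list"
    } else {
        Write-Host "ok   $where uses domain account $identity (Domain Users only)"
    }
}

# Sites: anonymous user and UNC connection user, read at each site's root.
foreach ($site in $w3svc.Children) {
    if ($site.SchemaClassName -ne "IIsWebServer") { continue }
    $root  = [ADSI]"IIS://localhost/W3SVC/$($site.Name)/Root"
    $label = "site $($site.Name) ($($site.ServerComment.Value))"
    Test-Identity "$label anonymous" $root.AnonymousUserName.Value
    Test-Identity "$label UNC"       $root.UNCUserName.Value
}

# Application pools: 0=LocalSystem 1=LocalService 2=NetworkService 3=named account
$pools = [ADSI]"IIS://localhost/W3SVC/AppPools"
foreach ($pool in $pools.Children) {
    $type = [int]$pool.AppPoolIdentityType.Value
    switch ($type) {
        0 { Write-Host "WARN app pool $($pool.Name) runs as LocalSystem" }
        1 { Write-Host "ok   app pool $($pool.Name) runs as LocalService" }
        2 { Write-Host "ok   app pool $($pool.Name) runs as NetworkService" }
        3 { Test-Identity "app pool $($pool.Name)" $pool.WAMUserName.Value }
    }
}
```

Virtual directories below the site root can override `AnonymousUserName` and `UNCUserName`; extend the site loop to walk `$root.Children` if you set those per directory. A `WARN` line for a domain account means that an ASP page uploaded to that site would run, or read the share, with whatever that extra group grants across the domain, which is exactly the exposure the question is about.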