• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 372
  • Last Modified:

Grant IIS server account network access

I have a server running IIS6 that we need to be able to access network resources on our network.  The server that it is on right now is not a domain controller.  Our domain controller does not have IIS installed on it.  How can I get the IUSR_SERVER1 account to be able to access other servers?
0
sharkbot221984
Asked:
sharkbot221984
  • 3
  • 3
1 Solution
 
cj_1969Commented:
Try granting the AD\<MachineName>$ account access to the resource and see if this grants it access.
Or try granting <MachineName>\IUSR_<MachineName> access.
0
 
sharkbot221984Author Commented:
The user that needs this went in and put his information DOMAIN\username in place of the IUSR_machinename and claims that is letting him do what he needs for now.  If this is true, I guess I could just create a domain account just for this purpose, but wouldn't that pose a security issue?
0
 
cj_1969Commented:
yes ... it means that if anyone hacks the website they can execute code or access any resources that those credentials can.

That said ... this is also a legitimate way to deal with the problem.  It is a question of risk versus being able to do what you want to do.

A service account is definitely recommended over a user account as you are starting from scratch with permissions and you have some semblance of control over what it can access, there by limiting your risk and exposure if the site is compromised.  Same idea as changing the application pool logon ID to get code to do what you want.
0
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

 
sharkbot221984Author Commented:
Okay that confirms what I was thinking, it's a catch 22.  I create a service account that makes it easy to have the websites gain access to resources needed that are stored on other servers, but that also creates a security issue.

I noticed in our AD, someone created a user account called IUSR_SERVER, but I've not seen this setup as the IUSR account on any other server.  Any thoughts as to why this is done?  Was/is this an attempt at a service account that's more secure than a general user account?
0
 
cj_1969Commented:
I t could be ... I don't think an IUSR_<> account is created in AD by anything as a default.  

I just found this page, take a look at it, it might have some other options that you can use ... http://imar.spaanjaars.com/QuickDocId.aspx?quickdoc=276

0
 
sharkbot221984Author Commented:
I agree, I think the IUSR_<> account in AD wasn't made by default.  Looks like that link is a good guide for all the options.  I think the service acount in AD is the best choice, just give it access to only that which you need it to, and give it a very strong password.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now