[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Best Practice user setup for external / internal Anonymous IIS user

Posted on 2012-09-05
Medium Priority
Last Modified: 2012-09-07
Hello Experts,
I have several external web sites located on a web server running IIS 6.0, Windows Server 2003.  I recently changed our domain and upgraded everything to Windows 2008 server/domain except the external IIS server.

When reviewing the old AD setup it has an anonymous user account, supposedly built in, that as listed as a member of domain users.

When I changed the domain anyone trying to access the web site was prompted for a user id  and password.  I created a local user on the IIS server and did not make it a member of domain users.  I then update the user and password in IIS 6.0 and no more prompting.

I want to control all users via AD and was wondering what is the best practice for this anonymous user?  It doesn't seem correct to make the anonymous user as a member of domain users.... I want to get little access.

Recommendations please.
Question by:tucktech
LVL 65

Accepted Solution

btan earned 1100 total points
ID: 38372428
suggest explore iis7.5 since it supported in Windows 2008 and use of DefaultAppPool identity as way ahead and best practices


In IIS6 and IIS7, the equivalent for ASP.NET to the ASPNET user is the application pool identity user. By default that's NETWORK SERVICE. You can likely grant that user permissions to disk and it will work.

The 'better' way is to create custom users per app pool and assigning them permission to disk so that the sites are isolated from each other, and so that other applications on the server that use Network Service can't access the content of your sites. However that's a judgment call that you need to make in your situation.

The other user that comes into play is the anonymous or authenticated user of your site. That's defined in the authentication -> anonymous section of your site. In IIS7 I recommend setting that to use the app pool identity, as long as you only have 1 site per pool, or as long as each site in the app pool highly trust each other. Then you only need to maintain 1 user on disk.
LVL 17

Assisted Solution

kadadi_v earned 100 total points
ID: 38375762

Author Closing Comment

ID: 38377619
Thanks.  I agree each pool should have it's own user id.  I will be able to use these other versions as I upgrade.  Thanks for including newer versions for answers.

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
Last month Marc Laliberte, WatchGuard’s Senior Threat Analyst, contributed reviewed the three major email authentication anti-phishing technology standards: SPF, DKIM, and DMARC. Learn more in part 2 of the series originally posted in Cyber Defense …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question