Best Practice user setup for external / internal Anonymous IIS user

Posted on 2012-09-05
Last Modified: 2012-09-07
Hello Experts,
I have several external web sites located on a web server running IIS 6.0, Windows Server 2003.  I recently changed our domain and upgraded everything to Windows 2008 server/domain except the external IIS server.

When reviewing the old AD setup, it has an anonymous user account, supposedly built in, that is listed as a member of Domain Users.

When I changed the domain, anyone trying to access the web site was prompted for a user ID and password.  I created a local user on the IIS server and did not make it a member of Domain Users.  I then updated the user and password in IIS 6.0 and there was no more prompting.

I want to control all users via AD and was wondering what the best practice is for this anonymous user.  It doesn't seem correct to make the anonymous user a member of Domain Users.... I want it to have little access.

Recommendations please.
Question by: tucktech

    Accepted Solution

    I suggest exploring IIS 7.5, since it is supported in Windows 2008, and using the DefaultAppPool identity as the way ahead and best practice.

    In IIS6 and IIS7, the equivalent for ASP.NET to the ASPNET user is the application pool identity user. By default that's NETWORK SERVICE. You can likely grant that user permissions to disk and it will work.

    The 'better' way is to create custom users per app pool and assigning them permission to disk so that the sites are isolated from each other, and so that other applications on the server that use Network Service can't access the content of your sites. However that's a judgment call that you need to make in your situation.

    The other user that comes into play is the anonymous or authenticated user of your site. That's defined in the authentication -> anonymous section of your site. In IIS7 I recommend setting that to use the app pool identity, as long as you only have 1 site per pool, or as long as the sites in the app pool highly trust each other. Then you only need to maintain 1 user on disk.
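The per-pool identity and anonymous-authentication mapping the accepted answer describes, as an added example for IIS 7.5 on Windows Server 2008 R2 (not code from the thread): it assumes the WebAdministration module is available, and the site name, path and port are placeholders.

```powershell
# Added example, not from the thread: one dedicated app pool per site, running as the
# built-in ApplicationPoolIdentity virtual account, anonymous auth mapped to that
# identity, and read-only NTFS access granted to it and nothing else.
Import-Module WebAdministration

$siteName = 'ExternalSite1'                     # placeholder
$poolName = "$siteName-Pool"
$sitePath = 'C:\inetpub\sites\ExternalSite1'    # placeholder
$port     = 8081                                # placeholder

# 1. Dedicated application pool. identityType 4 = ApplicationPoolIdentity, the
#    per-pool virtual account "IIS AppPool\<poolName>" with no password to manage.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value 4

# 2. Site bound to that pool only; one site per pool keeps sites isolated from each other.
New-Item -ItemType Directory -Path $sitePath -Force | Out-Null
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $sitePath -ApplicationPool $poolName -Port $port | Out-Null
}

# 3. Anonymous authentication: an empty userName means "use the application pool
#    identity", so no IUSR or domain anonymous account is involved at all.
$filter = '/system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter $filter -Name enabled  -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter $filter -Name userName -Value ''

# 4. Least privilege on disk: drop inherited ACEs, then grant read/execute only to
#    this pool's identity. Other pools' identities (and Network Service) get nothing here.
icacls $sitePath /inheritance:r `
    /grant "IIS AppPool\${poolName}:(OI)(CI)RX" `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Check which identity anonymous requests will run as (empty = app pool identity)
# and which account the pool itself runs under.
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter $filter -Name userName
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType
```

Run from an elevated PowerShell session on the IIS host; repeat per site with a different pool name so each site's content is readable only by its own pool identity.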
    Author Closing Comment

    Thanks.  I agree each pool should have its own user ID.  I will be able to use these other versions as I upgrade.  Thanks for including newer versions in the answers.
