Microsoft KB Archive/147691

= Anonymous Users Have Same Access as Domain Users in IIS =

Article ID: 147691

Article Last Modified on 6/23/2005

-

APPLIES TO


 * Microsoft Internet Information Server 1.0

-



This article was previously published under Q147691



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
In Internet Information Server (IIS), you can allow only domain users to access most of the web pages and anonymous users to access specific public web pages using NTFS security permissions. However, you cannot do this if the Internet Information Server is installed on a primary domain controller (PDC).



CAUSE
In IIS, you can allow both anonymous and domain users to access the web pages if you select "allow Anonymous" and "Windows NT Challenge/Response" in WWW Service Properties. You can then use the NTFS security permissions to specify access to the Web server contents. IIS creates a special account called IUSR_ for anonymous logons. However, if you install IIS on a PDC, the IUSR_ account becomes a member of Domain Users. As a result, anonymous users have the same access as the Domain Users.



RESOLUTION
To correct this problem, remove IUSR_ from Domain User global group and add it to the Guest group using User Manager for Domains.

NOTE: Any user account that you create on a PDC automatically becomes a member of the Domain Users group.

Additional query words: prodiis

Keywords: kbnetwork KB147691

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.