Microsoft KB Archive/323640

= How to secure the IUSR_ account =

Article ID: 323640

Article Last Modified on 9/14/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q323640





We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
By default, the IUSR_<computername> account (the account under which IIS 5.0 serves anonymous requests) is a member of the Guests group. You can secure the IUSR_ account by using the IIS Lockdown tool, which applies NTFS file system permissions that restrict the anonymous account. This article describes how to determine the current security context of the IUSR_ account and how to secure this account.

How to determine the current security context of the IUSR_ account
To determine the groups to which the IUSR account belongs and the privileges that its token holds, use the W3Who.dll program that is provided in the Windows 2000 Server Resource Kit. W3Who reports the user name, the privileges, and the group membership of the security context that calls the tool; when it is called anonymously, that context is the IUSR account.

Description of the Browser Client Context tool (W3Who.dll)
The Browser Client Context tool (W3Who.dll) is an Internet Server Application Programming Interface (ISAPI) dynamic-link library (DLL) that is called from a Web page to display information about the calling context of the client browser and the configuration of the host server. The following information is displayed when you use this tool:
 * The access token (the security context associated with the current request), which includes the following data:
    * A list of the security identifiers (SIDs) present in the access token.
    * A list of the privileges held by the access token.
 * A list of the environment variables that Microsoft Internet Information Services (IIS) 5.0 transmits to the ISAPI program. These variables include:
    * Browser characteristics
    * Client connection (remote Internet Protocol [IP] address, remote user, keep-alive)
    * Client request (method, URL, software)
    * Server characteristics (version, server name, server IP address, and server port)

You can use W3Who in a testing environment to check security and environment contexts.

How to install and configure W3Who
Note The W3Who tool is included in the Windows 2000 Server Resource Kit only.

The Windows 2000 Resource Kit Setup program places W3Who.dll in the Resource Kit installation root folder (by default, C:\Program Files\Resource Kit). To install and configure the W3Who tool, follow these steps:
 * 1) Copy W3Who.dll from the Resource Kit installation root folder to a virtual directory on your IIS Web server.
 * 2) Start the IIS snap-in.
 * 3) Right-click the virtual directory where you copied W3Who.dll, and then click Properties.
 * 4) Click the Virtual Directory tab.
 * 5) Under Execute Permissions, click Scripts and Executables, and then click OK.

How to use W3Who
To run the W3Who program, reference W3Who.dll from a Web page. The following procedure is an example of how to use W3Who.

Note The example in this section is for installing and testing the tool only. It does not address security concerns. To use this tool while you maintain a secure Web site, see the information about security concerns in the IIS 5.0 documentation.
 * 1) Create a folder in a Web site. Confirm that anonymous access is enabled for the folder and that the NTFS permissions grant the IUSR account the Execute permission.
 * 2) Mark the folder for Scripts and Executables in the IIS snap-in, and then browse to the file by using Microsoft Internet Explorer (http://<server>/<virtual directory>/w3who.dll).
 * 3) Use the following sample HTML on a page that resides in the same virtual directory as W3Who.dll (the link target is relative, so it resolves to the DLL in that directory):

    <!-- Link to the ISAPI DLL; clicking it makes an anonymous GET request -->
    <a href="w3who.dll">Who Are You</a>

    Alternatively, you can create a button that posts an HTML form:

    <!-- The form element is reconstructed here; its action is assumed to be
         the DLL in the same virtual directory as this page -->
    <form action="w3who.dll" method="post">
      <div align="center">
        <input type="submit" value="Who Are You">
      </div>
    </form>

The resulting page contains information about the IUSR account. The following data is an example of the information that is displayed (the machine-specific parts of the domain SIDs are masked):

    Access Token
    - IISANSWERS\IUSR_IISANSWERS          S-1-5-21-790525478-1993962763-xxxxxxxxxxxxxxx
    - IISANSWERS\None                     S-1-5-21-790525478-1993962763-xxxxxxxxxxxxxx
    - \Everyone                           S-1-1-0
    - BUILTIN\Guests                      S-1-5-32-546
    - BUILTIN\Users                       S-1-5-32-545
    - \LOCAL                              S-1-2-0
    - NT AUTHORITY\NETWORK                S-1-5-2
    - NT AUTHORITY\Authenticated Users    S-1-5-11
    - SeUndockPrivilege - Remove computer from docking station

In this example, the IUSR account is a member of Guests, Users, Authenticated Users, NETWORK, and Everyone. Resources that are available to these groups are also available to anonymous users. Note in particular that Authenticated Users appears in the token: an anonymous Web request is a Windows logon of the IUSR account (the NETWORK SID shows that it was a network logon), so an NTFS permission that is granted to Authenticated Users, Users, or Everyone does not exclude anonymous Web clients.

How to secure the IUSR_ account by using the IIS Lockdown tool
To secure access for the IUSR account, you can use the IIS Lockdown tool. Microsoft has released an updated version of the tool, IIS Lockdown tool version 2.1, which provides templates for the major IIS-dependent Microsoft products. URLScan, which has customized templates for each supported server role, has also been integrated into the IIS Lockdown tool to provide defense in depth and multiple layers of protection against attackers.

To download the IIS Lockdown tool, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/tools/locktool.mspx

When you use the IIS Lockdown tool to secure your server, the IUSR account is made a member of a new local group, Web Anonymous Users, and that group is assigned the Deny Write or the Deny Execute permission on the Web content folders as appropriate. Because an explicit Deny entry is evaluated before the Allow entries that the token's other groups contribute, the resource is secured from inappropriate access by the IUSR account regardless of its other group memberships (Guests, Users, Authenticated Users, and Everyone). You can limit other users and groups to the same restrictions by making them members of the Web Anonymous Users group.
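The following added example (not code from this article or from Microsoft's tools) models the Windows access check to show the two points made above: the anonymous token reported by W3Who includes Users, Authenticated Users and Everyone, so permissions granted to those groups reach anonymous clients; and a Deny entry for the Web Anonymous Users group, which the Lockdown tool adds, stops write and execute access regardless of the token's other memberships while leaving other users' rights untouched. The machine-relative SIDs, the DACLs and the access-right bit values are constructed for illustration; only the well-known SIDs are real.

```python
"""Simplified model of a Windows DACL access check.

Added example, not code from KB 323640 or from Microsoft. It follows the
documented evaluation rules (ACEs are walked in order; a matching deny ACE
on a still-wanted right fails the check; allow ACEs accumulate until every
wanted right is granted) and uses the anonymous token shown by W3Who above.
Machine-relative SIDs, DACLs and right values are constructed placeholders.
"""
from dataclasses import dataclass

# Access rights modeled as bit flags (a subset of the NTFS generic rights).
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4

# Well-known SIDs that appear in the W3Who output above (these are real).
EVERYONE = "S-1-1-0"
LOCAL = "S-1-2-0"
NETWORK = "S-1-5-2"
AUTHENTICATED_USERS = "S-1-5-11"
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
GUESTS = "S-1-5-32-546"

# Machine-relative SIDs: constructed placeholders, not real values.
IUSR = "S-1-5-21-CONSTRUCTED-1001"                 # IUSR_<computername>
WEB_ANONYMOUS_USERS = "S-1-5-21-CONSTRUCTED-1010"  # group created by IIS Lockdown
INTERACTIVE_USER = "S-1-5-21-CONSTRUCTED-1002"     # an ordinary logged-on user


@dataclass(frozen=True)
class Ace:
    kind: str     # "allow" or "deny"
    trustee: str  # SID the entry applies to
    mask: int     # rights granted or denied


def access_check(token_sids, dacl, desired):
    """Return True if a token holding `token_sids` is granted `desired` rights.

    Canonical DACL order puts explicit deny ACEs before allow ACEs, which is
    why one deny on one group overrides allows granted to every other group
    the same token belongs to.  A DACL that grants nothing denies by default.
    """
    granted = 0
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & (desired & ~granted):
            return False
        if ace.kind == "allow":
            granted |= ace.mask & desired
        if granted == desired:
            return True
    return granted == desired


def anonymous_token(locked_down=False):
    """Token IIS 5.0 builds for an anonymous request, as W3Who reports it.

    The request is a network logon of the IUSR account, so the token carries
    Authenticated Users and NETWORK in addition to Guests, Users and Everyone.
    After IIS Lockdown the account is also a member of Web Anonymous Users.
    """
    sids = {IUSR, EVERYONE, GUESTS, USERS, LOCAL, NETWORK, AUTHENTICATED_USERS}
    if locked_down:
        sids.add(WEB_ANONYMOUS_USERS)
    return sids


def content_dacl():
    """Constructed DACL for a content folder whose administrator assumed that
    granting Write only to Authenticated Users kept anonymous clients out."""
    return [
        Ace("allow", ADMINISTRATORS, READ | WRITE | EXECUTE),
        Ace("allow", AUTHENTICATED_USERS, READ | WRITE),
        Ace("allow", USERS, READ | EXECUTE),
    ]


def lockdown_dacl(dacl, deny_mask=WRITE | EXECUTE):
    """The same DACL after the Lockdown tool adds its Deny entry for
    Web Anonymous Users; it goes first (canonical order) and the existing
    allow entries are left untouched, so other accounts keep their rights."""
    return [Ace("deny", WEB_ANONYMOUS_USERS, deny_mask)] + list(dacl)


def anonymous_can(right, locked_down=False):
    dacl = lockdown_dacl(content_dacl()) if locked_down else content_dacl()
    return access_check(anonymous_token(locked_down), dacl, right)


def interactive_user_can(right, locked_down=False):
    """An ordinary user who is not in Web Anonymous Users is unaffected."""
    token = {INTERACTIVE_USER, EVERYONE, USERS, AUTHENTICATED_USERS}
    dacl = lockdown_dacl(content_dacl()) if locked_down else content_dacl()
    return access_check(token, dacl, right)


if __name__ == "__main__":
    print("anonymous write before lockdown:", anonymous_can(WRITE))               # True
    print("anonymous write after lockdown: ", anonymous_can(WRITE, True))         # False
    print("anonymous read after lockdown:  ", anonymous_can(READ, True))          # True
    print("other user write after lockdown:", interactive_user_can(WRITE, True))  # True
```

The first result is the trap the W3Who output warns about: Write granted to Authenticated Users is Write for anonymous clients. The second and third show what the Lockdown tool's group buys you: one Deny entry removes Write and Execute for the anonymous token without touching its Read access to static content, and the last shows that accounts outside Web Anonymous Users are not affected.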

If you run the IIS Lockdown tool and use the Express Lockdown setting, you can configure your Web server to serve only static content, such as HTML files. This configuration is the most secure configuration, and it is appropriate for most basic Web servers. If you must configure advanced features, use the Advanced Lockdown setting to select the features that you want to use.

After you use the tool, you must thoroughly test the server before you put the server into production. If you find that the settings are not appropriate for your server, run the tool again, and then select the option that allows you to undo the changes that were made the previous time the tool was run. The IIS Lockdown tool locks down the IIS service, but it does not make any changes to other Internet-related services such as File Transfer Protocol (FTP), Telnet, Network News Transfer Protocol (NNTP), Simple Mail Transfer Protocol (SMTP), and other services. If these services are running on the server, either take steps to secure these services or consider disabling them.
